ref: 45cf384738ad261de7d00769c19b9b2842af06a7
parent: 47ef72f1e9c0a17cc58b72dfac924cae5537a46d
author: Jerome Jiang <jianj@google.com>
date: Mon Jun 18 13:22:44 EDT 2018
vp8: Fix memory address overflow in decoder. The reference frame buffer is corrupted, but this is not checked before it is used to compute the reconstructed previous frame buffer. BUG=webm:1496 Change-Id: Ief0e85b91b19576632685d17c8176c8d29158028
--- a/vp8/decoder/threading.c
+++ b/vp8/decoder/threading.c
@@ -400,15 +400,24 @@
xd->dst.u_buffer = dst_buffer[1] + recon_uvoffset;
xd->dst.v_buffer = dst_buffer[2] + recon_uvoffset;
- xd->pre.y_buffer =
- ref_buffer[xd->mode_info_context->mbmi.ref_frame][0] + recon_yoffset;
- xd->pre.u_buffer =
- ref_buffer[xd->mode_info_context->mbmi.ref_frame][1] + recon_uvoffset;
- xd->pre.v_buffer =
- ref_buffer[xd->mode_info_context->mbmi.ref_frame][2] + recon_uvoffset;
+ if (!ref_fb_corrupted[xd->mode_info_context->mbmi.ref_frame]) {
+ xd->pre.y_buffer =
+ ref_buffer[xd->mode_info_context->mbmi.ref_frame][0] +
+ recon_yoffset;
+ xd->pre.u_buffer =
+ ref_buffer[xd->mode_info_context->mbmi.ref_frame][1] +
+ recon_uvoffset;
+ xd->pre.v_buffer =
+ ref_buffer[xd->mode_info_context->mbmi.ref_frame][2] +
+ recon_uvoffset;
+ }
/* propagate errors from reference frames */
xd->corrupted |= ref_fb_corrupted[xd->mode_info_context->mbmi.ref_frame];
+
+ if (xd->corrupted)
+ vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
+ "Corrupted reference frame buffer");
mt_decode_macroblock(pbi, xd, 0);