shithub: libvpx

Download patch

ref: 59578327a5eb4231786198ee9d35e0f55ff6ec7a
parent: 855a71dfda9fb2620ae5567a5bb0897aa4fc0d47
author: Jerome Jiang <jianj@google.com>
date: Mon Mar 11 11:13:19 EDT 2019 

vp9-decoder: use long int for buffer offset.

integer overflow when frame size too big.

BUG=webm:1603

Change-Id: Ifbb81b5fb6a2043d09d403e7c50ab8d7bf125dca


--- a/vp9/common/vp9_reconinter.c
+++ b/vp9/common/vp9_reconinter.c
@@ -178,7 +178,7 @@
       xs = sf->x_step_q4;
       ys = sf->y_step_q4;
     } else {
-      pre = pre_buf->buf + (y * pre_buf->stride + x);
+      pre = pre_buf->buf + ((int64_t)y * pre_buf->stride + x);
       scaled_mv.row = mv_q4.row;
       scaled_mv.col = mv_q4.col;
       xs = ys = 16;
--- a/vp9/common/vp9_reconinter.h
+++ b/vp9/common/vp9_reconinter.h
@@ -74,11 +74,12 @@
     int bd);
 #endif
 
-static INLINE int scaled_buffer_offset(int x_offset, int y_offset, int stride,
-                                       const struct scale_factors *sf) {
+static INLINE int64_t scaled_buffer_offset(int x_offset, int y_offset,
+                                           int stride,
+                                           const struct scale_factors *sf) {
   const int x = sf ? sf->scale_value_x(x_offset, sf) : x_offset;
   const int y = sf ? sf->scale_value_y(y_offset, sf) : y_offset;
-  return y * stride + x;
+  return (int64_t)y * stride + x;
 }
 
 static INLINE void setup_pred_plane(struct buf_2d *dst, uint8_t *src,