vp8: Fix memory address overflow in decoder.
authorJerome Jiang <jianj@google.com>
Tue, 19 Jun 2018 00:22:44 +0000 (17:22 -0700)
committerJerome Jiang <jianj@google.com>
Thu, 19 Jul 2018 18:34:40 +0000 (11:34 -0700)
Ref frame buffer is corrupted but it's not checked before it's used to
compute the reconstructed previous frame buffer.

BUG=webm:1496
Change-Id: Ief0e85b91b19576632685d17c8176c8d29158028

vp8/decoder/threading.c

index aadc8dc712f89391b47a74e2b01530db5a3cb32e..db17f8d1eed6d2547e4d292b55fa4f9e264f8ef9 100644 (file)
@@ -400,16 +400,25 @@ static void mt_decode_mb_rows(VP8D_COMP *pbi, MACROBLOCKD *xd,
       xd->dst.u_buffer = dst_buffer[1] + recon_uvoffset;
       xd->dst.v_buffer = dst_buffer[2] + recon_uvoffset;
 
-      xd->pre.y_buffer =
-          ref_buffer[xd->mode_info_context->mbmi.ref_frame][0] + recon_yoffset;
-      xd->pre.u_buffer =
-          ref_buffer[xd->mode_info_context->mbmi.ref_frame][1] + recon_uvoffset;
-      xd->pre.v_buffer =
-          ref_buffer[xd->mode_info_context->mbmi.ref_frame][2] + recon_uvoffset;
+      if (!ref_fb_corrupted[xd->mode_info_context->mbmi.ref_frame]) {
+        xd->pre.y_buffer =
+            ref_buffer[xd->mode_info_context->mbmi.ref_frame][0] +
+            recon_yoffset;
+        xd->pre.u_buffer =
+            ref_buffer[xd->mode_info_context->mbmi.ref_frame][1] +
+            recon_uvoffset;
+        xd->pre.v_buffer =
+            ref_buffer[xd->mode_info_context->mbmi.ref_frame][2] +
+            recon_uvoffset;
+      }
 
       /* propagate errors from reference frames */
       xd->corrupted |= ref_fb_corrupted[xd->mode_info_context->mbmi.ref_frame];
 
+      if (xd->corrupted)
+        vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
+                           "Corrupted reference frame buffer");
+
       mt_decode_macroblock(pbi, xd, 0);
 
       xd->left_available = 1;
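Review bot: When `ref_fb_corrupted[...]` is set, the new guard leaves `xd->pre.y_buffer`, `u_buffer` and `v_buffer` holding whatever an earlier macroblock stored, so the fix is only safe if `vpx_internal_error()` never returns to the `mt_decode_macroblock(pbi, xd, 0)` call below it. That depends on `pc->error` having its jump buffer armed. This function also looks like it runs on decoder worker threads (inferred from the file name and the `mt_` prefix), in which case the jump buffer would have to belong to the calling thread; neither condition is visible in this hunk. I would state the assumption next to the check, e.g. `/* vpx_internal_error() must not return here: xd->pre.* is stale when the reference frame is corrupted */`, and put braces around the `if (xd->corrupted)` body. Because `xd->corrupted` is accumulated with `|=`, the "Corrupted reference frame buffer" message can also fire for corruption recorded earlier, which is worth a word in the same comment. The body of `mt_decode_mb_rows` starts and ends outside the hunk.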