From: Jerome Jiang Date: Fri, 14 Dec 2018 22:39:58 +0000 (-0800) Subject: vp8: Fix potential use-after-free in mfqe. X-Git-Tag: v1.8.0~69^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0e408ea67cd142a3f27189d7e00cbabea96a28d6;p=libvpx vp8: Fix potential use-after-free in mfqe. Similar issue to 842265. The pointer in vp8 postproc refers to show_frame_mi which is only updated on show frame. However, when there is a no-show frame which also changes the size (thus new frame buffers allocated), show_frame_mi is not updated with new frame buffer memory. Change the pointer in postproc to mi which is always updated. BUG=913246 Change-Id: I5159ba7134a06db472c29a1d84b8d39bb60c7254 --- diff --git a/vp8/common/mfqe.c b/vp8/common/mfqe.c index aad908572..1fe7363f1 100644 --- a/vp8/common/mfqe.c +++ b/vp8/common/mfqe.c @@ -235,7 +235,7 @@ void vp8_multiframe_quality_enhance(VP8_COMMON *cm) { FRAME_TYPE frame_type = cm->frame_type; /* Point at base of Mb MODE_INFO list has motion vectors etc */ - const MODE_INFO *mode_info_context = cm->show_frame_mi; + const MODE_INFO *mode_info_context = cm->mi; int mb_row; int mb_col; int totmap, map[4];
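Review bot: In `vp8_multiframe_quality_enhance`, the comment above the changed line ("Point at base of Mb MODE_INFO list has motion vectors etc") does not say why `cm->mi` is used instead of `cm->show_frame_mi`. Without that, a later cleanup could switch it back and reintroduce the stale pointer. Suggest a short comment next to `const MODE_INFO *mode_info_context = cm->mi;` stating that `show_frame_mi` is only refreshed on shown frames and can point at freed buffers after a no-show frame that changes the frame size. Two follow-ups are worth settling before merge. First, per the commit message `cm->mi` is updated on every frame, so it can now describe a different frame from the one being post-processed; please confirm that is acceptable for the MFQE decisions made from `mode_info_context`. Second, this hunk fixes one reader, but `show_frame_mi` itself still goes stale in the same scenario, so either check the remaining users of that field or update it where the frame buffers are reallocated. The patch touches only `vp8/common/mfqe.c`; a decoder test that resizes on a no-show frame with postproc MFQE enabled would guard against regression.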