From: Jerome Jiang
Date: Tue, 19 Jun 2018 00:22:44 +0000 (-0700)
Subject: vp8: Fix memory address overflow in decoder.
X-Git-Tag: v1.8.0~475^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=45cf384738ad261de7d00769c19b9b2842af06a7;p=libvpx
vp8: Fix memory address overflow in decoder.
Ref frame buffer is corrupted but it's not checked before it's used to compute the reconstructed previous frame buffer.
BUG=webm:1496
Change-Id: Ief0e85b91b19576632685d17c8176c8d29158028
---
diff --git a/vp8/decoder/threading.c b/vp8/decoder/threading.c
index aadc8dc71..db17f8d1e 100644
--- a/vp8/decoder/threading.c
+++ b/vp8/decoder/threading.c
@@ -400,16 +400,25 @@ static void mt_decode_mb_rows(VP8D_COMP *pbi, MACROBLOCKD *xd,
 xd->dst.u_buffer = dst_buffer[1] + recon_uvoffset;
 xd->dst.v_buffer = dst_buffer[2] + recon_uvoffset;
- xd->pre.y_buffer =
- ref_buffer[xd->mode_info_context->mbmi.ref_frame][0] + recon_yoffset;
- xd->pre.u_buffer =
- ref_buffer[xd->mode_info_context->mbmi.ref_frame][1] + recon_uvoffset;
- xd->pre.v_buffer =
- ref_buffer[xd->mode_info_context->mbmi.ref_frame][2] + recon_uvoffset;
+ if (!ref_fb_corrupted[xd->mode_info_context->mbmi.ref_frame]) {
+ xd->pre.y_buffer =
+ ref_buffer[xd->mode_info_context->mbmi.ref_frame][0] +
+ recon_yoffset;
+ xd->pre.u_buffer =
+ ref_buffer[xd->mode_info_context->mbmi.ref_frame][1] +
+ recon_uvoffset;
+ xd->pre.v_buffer =
+ ref_buffer[xd->mode_info_context->mbmi.ref_frame][2] +
+ recon_uvoffset;
+ }
 /* propagate errors from reference frames */
 xd->corrupted |= ref_fb_corrupted[xd->mode_info_context->mbmi.ref_frame];
+ if (xd->corrupted)
+ vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
+ "Corrupted reference frame buffer");
+
 mt_decode_macroblock(pbi, xd, 0);
 xd->left_available = 1;
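Review bot: The new guard leaves `xd->pre.y_buffer`/`u_buffer`/`v_buffer` unassigned when the reference frame is flagged corrupted, and the only thing keeping `mt_decode_macroblock()` from then running with whatever those pointers last held is that `vpx_internal_error()` does not return. Nothing on the new lines states or enforces that: if the call can return (for example when no jump target is armed; its definition is not visible here), the decode call directly below still executes on a block already marked corrupted. The error is also reported through the shared `&pc->error` from `mt_decode_mb_rows`, which by its name may run on decoder worker threads, so please confirm that the jump target is owned by the calling thread. I would brace the new `if (xd->corrupted)` and add a comment such as `/* must not return: xd->pre.* was deliberately left unset above */`. The body of `mt_decode_mb_rows` starts and ends outside this hunk.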