From: Yaowu Xu
Date: Wed, 25 May 2016 16:28:36 +0000 (-0700)
Subject: Prevent read to invalid RefBuffer
X-Git-Tag: v1.6.0~111
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=75b6cfe1c50e749a0edb5460a491ca5ac947aff5;p=libvpx
Prevent read to invalid RefBuffer This commit adds check to validate RefBuffer before reading into the data structure, to prevent invalid read.
BUG=https://bugs.chromium.org/p/chromium/issues/detail?id=614701
Change-Id: Ie111e95bd18e88fa19d8b25e097cdf52b7139cb6
---
diff --git a/vp9/decoder/vp9_decodeframe.c b/vp9/decoder/vp9_decodeframe.c
index 6e21bb194..d63912932 100644
--- a/vp9/decoder/vp9_decodeframe.c
+++ b/vp9/decoder/vp9_decodeframe.c
@@ -1339,22 +1339,23 @@ static void setup_frame_size_with_refs(VP9_COMMON *cm,
 // has valid dimensions.
 for (i = 0; i < REFS_PER_FRAME; ++i) {
 RefBuffer *const ref_frame = &cm->frame_refs[i];
- has_valid_ref_frame |= valid_ref_frame_size(ref_frame->buf->y_crop_width,
- ref_frame->buf->y_crop_height,
- width, height);
+ has_valid_ref_frame |= (ref_frame->idx != INVALID_IDX &&
+ valid_ref_frame_size(ref_frame->buf->y_crop_width,
+ ref_frame->buf->y_crop_height,
+ width, height));
 }
 if (!has_valid_ref_frame)
 vpx_internal_error(&cm->error, VPX_CODEC_CORRUPT_FRAME,
 "Referenced frame has invalid size");
 for (i = 0; i < REFS_PER_FRAME; ++i) {
 RefBuffer *const ref_frame = &cm->frame_refs[i];
- if (!valid_ref_frame_img_fmt(
- ref_frame->buf->bit_depth,
- ref_frame->buf->subsampling_x,
- ref_frame->buf->subsampling_y,
- cm->bit_depth,
- cm->subsampling_x,
- cm->subsampling_y))
+ if (ref_frame->idx == INVALID_IDX ||
+ !valid_ref_frame_img_fmt(ref_frame->buf->bit_depth,
+ ref_frame->buf->subsampling_x,
+ ref_frame->buf->subsampling_y,
+ cm->bit_depth,
+ cm->subsampling_x,
+ cm->subsampling_y))
 vpx_internal_error(&cm->error, VPX_CODEC_CORRUPT_FRAME,
 "Referenced frame has incompatible color format");
 }
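Review bot: In the second loop of the hunk, a slot with `ref_frame->idx == INVALID_IDX` is rejected with the message "Referenced frame has incompatible color format", so a stream that references a missing buffer is logged as a colour-format mismatch; handling the invalid index in its own branch with its own message would keep triage of corrupt input accurate. Both new guards also rest on an invariant the hunk does not state, so I would add a comment above the first loop such as `// frame_refs[i].buf may only be dereferenced when idx != INVALID_IDX.` setup_frame_size_with_refs starts before this hunk, so any earlier read through `cm->frame_refs[i].buf` is not visible here and should be confirmed to carry the same check.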