From: Adrian Grange <agrange@google.com>
Date: Fri, 9 Dec 2011 20:47:57 +0000 (-0800)
Subject: Fix out of bounds read in update_mbgraph_frame_stats
X-Git-Tag: v1.3.0~1217^2~380^2~117^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=95b4cf059cc2cb71ff49b818df4d285ced299cfc;p=libvpx

Fix out of bounds read in update_mbgraph_frame_stats

update_mbgraph_frame_stats used xd->mode_info_context
before it had been setup, resulting in potentially
random accesses of uninitialized memory.

This fix allocates a local MODE_INFO structure to hold
the data generated in the function.

Change-Id: Ic9e75610008ce0e2d690e8e583c21582fee6fc45
---

diff --git a/vp8/encoder/mbgraph.c b/vp8/encoder/mbgraph.c
index 3403f1724..100a036fd 100644
--- a/vp8/encoder/mbgraph.c
+++ b/vp8/encoder/mbgraph.c
@@ -331,6 +331,7 @@ static void update_mbgraph_frame_stats
     int mb_col, mb_row, offset = 0;
     int mb_y_offset = 0, arf_y_offset = 0, gld_y_offset = 0;
     int_mv arf_top_mv, gld_top_mv;
+    MODE_INFO mi_local;
 
     // Set up limit values for motion vectors to prevent them extending outside the UMV borders
     arf_top_mv.as_int = 0;
@@ -341,6 +342,7 @@ static void update_mbgraph_frame_stats
     xd->dst.y_stride  = buf->y_stride;
     xd->pre.y_stride  = buf->y_stride;
     xd->dst.uv_stride = buf->uv_stride;
+    xd->mode_info_context = &mi_local;
 
     for (mb_row = 0; mb_row < cm->mb_rows; mb_row++)
     {