From 0e408ea67cd142a3f27189d7e00cbabea96a28d6 Mon Sep 17 00:00:00 2001 From: Jerome Jiang Date: Fri, 14 Dec 2018 14:39:58 -0800 Subject: [PATCH] vp8: Fix potential use-after-free in mfqe. Similar issue to 842265. The pointer in vp8 postproc refers to show_frame_mi which is only updated on show frame. However, when there is a no-show frame which also changes the size (thus new frame buffers allocated), show_frame_mi is not updated with new frame buffer memory. Change the pointer in postproc to mi which is always updated. BUG=913246 Change-Id: I5159ba7134a06db472c29a1d84b8d39bb60c7254 --- vp8/common/mfqe.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vp8/common/mfqe.c b/vp8/common/mfqe.c index aad908572..1fe7363f1 100644 --- a/vp8/common/mfqe.c +++ b/vp8/common/mfqe.c @@ -235,7 +235,7 @@ void vp8_multiframe_quality_enhance(VP8_COMMON *cm) { FRAME_TYPE frame_type = cm->frame_type; /* Point at base of Mb MODE_INFO list has motion vectors etc */ - const MODE_INFO *mode_info_context = cm->show_frame_mi; + const MODE_INFO *mode_info_context = cm->mi; int mb_row; int mb_col; int totmap, map[4]; -- 2.40.0
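Review bot: the one-line swap from `cm->show_frame_mi` to `cm->mi` at the top of `vp8_multiframe_quality_enhance` fixes the dangling pointer for this caller but leaves `show_frame_mi` itself stale after a size-changing no-show frame, which the commit message identifies as the root cause; please either update `show_frame_mi` where the new frame buffers are allocated, or confirm that nothing else in postproc or elsewhere still dereferences `cm->show_frame_mi` after such a frame. Also add a short comment beside `const MODE_INFO *mode_info_context = cm->mi;` stating why `mi` is used instead of `show_frame_mi` (it is always updated on reallocation), since the existing comment "Point at base of Mb MODE_INFO list" does not explain the choice and a later cleanup could revert it. A regression case with a no-show frame that changes the frame size followed by a shown frame with postproc enabled would pin the behaviour down.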