From 36f42a3769e6f15ca4b9bd64d1bc26311ef588a5 Mon Sep 17 00:00:00 2001
From: Angie Chiang <angiebird@google.com>
Date: Fri, 8 Feb 2019 10:25:56 -0800
Subject: [PATCH] Fix the bug for feature_score computation

The visited is not set to 1 after an item is pushed into the heap.
This may cause one item being pushed into the heap multiple
times, which may incur buffer overflow and memory corruption.

Change-Id: I443f1e5693856bb4066542403f98492d4daec69d
---
 vp9/encoder/vp9_encoder.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/vp9/encoder/vp9_encoder.c b/vp9/encoder/vp9_encoder.c
index 2087adc85..a5da54283 100644
--- a/vp9/encoder/vp9_encoder.c
+++ b/vp9/encoder/vp9_encoder.c
@@ -6477,6 +6477,7 @@ static void max_heap_push(FEATURE_SCORE_LOC **heap, int *size,
                           FEATURE_SCORE_LOC *input) {
   int c, p;
   FEATURE_SCORE_LOC *tmp;
+  input->visited = 1;
   heap[*size] = input;
   ++*size;
   c = *size - 1;
@@ -6581,8 +6582,6 @@ static void build_motion_field(VP9_COMP *cpi, MACROBLOCKD *xd, int frame_idx,
     FEATURE_SCORE_LOC *fs_loc;
     max_heap_pop(cpi->feature_score_loc_heap, &fs_loc_heap_size, &fs_loc);
 
-    fs_loc->visited = 1;
-
     do_motion_search(cpi, td, frame_idx, ref_frame, bsize, fs_loc->mi_row,
                      fs_loc->mi_col);
 
-- 
2.40.0