From 59578327a5eb4231786198ee9d35e0f55ff6ec7a Mon Sep 17 00:00:00 2001
From: Jerome Jiang
Date: Mon, 11 Mar 2019 15:13:19 -0700
Subject: [PATCH] vp9-decoder: use long int for buffer offset. integer overflow when frame size too big.
BUG=webm:1603
Change-Id: Ifbb81b5fb6a2043d09d403e7c50ab8d7bf125dca
---
 vp9/common/vp9_reconinter.c | 2 +-
 vp9/common/vp9_reconinter.h | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/vp9/common/vp9_reconinter.c b/vp9/common/vp9_reconinter.c
index a108a6515..0834c722f 100644
--- a/vp9/common/vp9_reconinter.c
+++ b/vp9/common/vp9_reconinter.c
@@ -178,7 +178,7 @@ static void build_inter_predictors(MACROBLOCKD *xd, int plane, int block,
 xs = sf->x_step_q4;
 ys = sf->y_step_q4;
 } else {
- pre = pre_buf->buf + (y * pre_buf->stride + x);
+ pre = pre_buf->buf + ((int64_t)y * pre_buf->stride + x);
 scaled_mv.row = mv_q4.row;
 scaled_mv.col = mv_q4.col;
 xs = ys = 16;
diff --git a/vp9/common/vp9_reconinter.h b/vp9/common/vp9_reconinter.h
index 992e30c34..12b545831 100644
--- a/vp9/common/vp9_reconinter.h
+++ b/vp9/common/vp9_reconinter.h
@@ -74,11 +74,12 @@ void vp9_highbd_build_inter_predictor(
 int bd);
 #endif
-static INLINE int scaled_buffer_offset(int x_offset, int y_offset, int stride,
- const struct scale_factors *sf) {
+static INLINE int64_t scaled_buffer_offset(int x_offset, int y_offset,
+ int stride,
+ const struct scale_factors *sf) {
 const int x = sf ? sf->scale_value_x(x_offset, sf) : x_offset;
 const int y = sf ? sf->scale_value_y(y_offset, sf) : y_offset;
- return y * stride + x;
+ return (int64_t)y * stride + x;
 }
 static INLINE void setup_pred_plane(struct buf_2d *dst, uint8_t *src,
--
2.50.1
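Review bot: The `(int64_t)` cast on `y` in the unscaled branch has no comment explaining it, so a later cleanup could drop it as redundant and bring the wrap of `y * pre_buf->stride` back. I would add a comment above the assignment, for example `/* 64-bit multiply: y * stride overflows int for very large frames (webm:1603). */`. The widened offset is still added to `pre_buf->buf` unchecked, so the pointer stays in bounds only if frame dimensions are validated before this point, which the hunk does not show. build_inter_predictors starts and ends outside the hunk.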
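Review bot: Widening the return type of `scaled_buffer_offset` to `int64_t` protects only callers that consume the result as a 64-bit value; a call site that still assigns it to an `int` truncates silently and gets the wrapped offset back. This patch touches two files, so any other callers are not visible here and should be checked for `int offset = scaled_buffer_offset(...)`-style use. A one-line comment on the function would record the contract, for example `/* Returns a 64-bit offset; do not narrow to int (webm:1603). */`. `x` and `y` remain `int`, so the result is only as sound as what `sf->scale_value_x` and `sf->scale_value_y` return.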