From 88ba08818efbfcc9a8a7fa3b998b33dfadc7b9fb Mon Sep 17 00:00:00 2001
From: Jim Bankoski
Date: Thu, 19 Jun 2014 12:10:05 -0700
Subject: [PATCH] Fix bug in error handling that causes segfault
See: https://code.google.com/p/chromium/issues/detail?id=362697
The code properly catches an invalid stream but seg faults instead of returning an error due to a buffer not having been initialized. This code fixes that.
Change-Id: I695595e742cb08807e1dfb2f00bc097b3eae3a9b
---
 test/invalid_file_test.cc | 2 +-
 vp9/decoder/vp9_decodeframe.c | 2 +-
 vp9/decoder/vp9_decoder.c | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/test/invalid_file_test.cc b/test/invalid_file_test.cc
index 4c0467568..e7f2a48da 100644
--- a/test/invalid_file_test.cc
+++ b/test/invalid_file_test.cc
@@ -64,7 +64,7 @@ class InvalidFileTest
 FILE *res_file_;
 };
-TEST_P(InvalidFileTest, DISABLED_ReturnCode) {
+TEST_P(InvalidFileTest, ReturnCode) {
 const std::string filename = GET_PARAM(1);
 libvpx_test::CompressedVideoSource *video = NULL;
diff --git a/vp9/decoder/vp9_decodeframe.c b/vp9/decoder/vp9_decodeframe.c
index fc70035f2..f36105fcf 100644
--- a/vp9/decoder/vp9_decodeframe.c
+++ b/vp9/decoder/vp9_decodeframe.c
@@ -1077,7 +1077,7 @@ static size_t read_uncompressed_header(VP9Decoder *pbi,
 // Show an existing frame directly.
 const int frame_to_show = cm->ref_frame_map[vp9_rb_read_literal(rb, 3)];
- if (cm->frame_bufs[frame_to_show].ref_count < 1)
+ if (frame_to_show < 0 || cm->frame_bufs[frame_to_show].ref_count < 1)
 vpx_internal_error(&cm->error, VPX_CODEC_UNSUP_BITSTREAM,
 "Buffer %d does not contain a decoded frame",
 frame_to_show);
diff --git a/vp9/decoder/vp9_decoder.c b/vp9/decoder/vp9_decoder.c
index 5859859fa..f610262fa 100644
--- a/vp9/decoder/vp9_decoder.c
+++ b/vp9/decoder/vp9_decoder.c
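Review bot: The new `frame_to_show < 0` guard in read_uncompressed_header only covers the lower bound, so it relies on `cm->ref_frame_map` never holding anything but a negative sentinel or a valid `frame_bufs` index; the slot itself is chosen by a 3-bit literal read from the untrusted stream, so if any path can leave another out-of-range value in the map the indexing on the same line still reads past the array. A symmetric comparison against the size of `cm->frame_bufs` would make the check self-contained, and a one-line comment above the `if` such as `// ref_frame_map holds a negative index for slots that have no buffer yet` would record the invariant being relied on, if that is indeed the only non-valid value. The enclosing function starts and ends outside the hunk.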
@@ -260,10 +260,10 @@ int vp9_receive_compressed_data(VP9Decoder *pbi,
 // TODO(jkoleszar): Error concealment is undefined and non-normative
 // at this point, but if it becomes so, [0] may not always be the correct
 // thing to do here.
- if (cm->frame_refs[0].idx != INT_MAX)
+ if (cm->frame_refs[0].idx != INT_MAX && cm->frame_refs[0].buf != NULL)
 cm->frame_refs[0].buf->corrupted = 1;
- if (cm->frame_bufs[cm->new_fb_idx].ref_count > 0)
+ if (cm->new_fb_idx > 0 && cm->frame_bufs[cm->new_fb_idx].ref_count > 0)
 cm->frame_bufs[cm->new_fb_idx].ref_count--;
 return -1;
-- 
2.40.0
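Review bot: The guard `cm->new_fb_idx > 0` on the second added `if` excludes index 0, which is a legitimate `frame_bufs` slot, so a frame that was handed buffer 0 keeps its extra reference whenever this error path runs; if the "no buffer yet" value of `new_fb_idx` is negative, as the `< 0` sentinel check in vp9_decodeframe.c in this same patch suggests, the condition should read `if (cm->new_fb_idx >= 0 && cm->frame_bufs[cm->new_fb_idx].ref_count > 0)`. The first added check would also benefit from a comment stating in which early-error state `idx` is set while `buf` is still NULL, so the `buf != NULL` half is not later "simplified" away. vp9_receive_compressed_data starts and ends outside the hunk.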