From 8a800b52eaee33e71aba7fb59118dcf14ac1dd1c Mon Sep 17 00:00:00 2001
From: Jerome Jiang <jianj@google.com>
Date: Wed, 1 May 2019 11:51:26 -0700
Subject: [PATCH] vp8: clamp uv mv after calculation.

BUG=oss-fuzz:14478

Change-Id: Ia978a1e7829bf486681385cd715ed0b50fe3b072
---
 vp8/common/reconinter.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/vp8/common/reconinter.c b/vp8/common/reconinter.c
index 48892c9b8..2cb070931 100644
--- a/vp8/common/reconinter.c
+++ b/vp8/common/reconinter.c
@@ -333,6 +333,13 @@ void vp8_build_inter16x16_predictors_mb(MACROBLOCKD *x, unsigned char *dst_y,
   _16x16mv.as_mv.row &= x->fullpixel_mask;
   _16x16mv.as_mv.col &= x->fullpixel_mask;
 
+  if (2 * _16x16mv.as_mv.col < (x->mb_to_left_edge - (19 << 3)) ||
+      2 * _16x16mv.as_mv.col > x->mb_to_right_edge + (18 << 3) ||
+      2 * _16x16mv.as_mv.row < (x->mb_to_top_edge - (19 << 3)) ||
+      2 * _16x16mv.as_mv.row > x->mb_to_bottom_edge + (18 << 3)) {
+    return;
+  }
+
   pre_stride >>= 1;
   offset = (_16x16mv.as_mv.row >> 3) * pre_stride + (_16x16mv.as_mv.col >> 3);
   uptr = x->pre.u_buffer + offset;
-- 
2.40.0