[FFmpeg-cvslog] vp9: fix mix-up of last-frame/cur-frame in frame size checks.

Ronald S. Bultje git at videolan.org
Sat Feb 8 11:21:04 CET 2014


ffmpeg | branch: master | Ronald S. Bultje <rsbultje at gmail.com> | Fri Feb  7 20:14:38 2014 -0500| [bbc3425fa25ef0ff830f6bb4a290d32ee7ad79f4] | committer: Clément Bœsch

vp9: fix mix-up of last-frame/cur-frame in frame size checks.

Fixes invalid reads in fuzzed7.ivf.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bbc3425fa25ef0ff830f6bb4a290d32ee7ad79f4
---

 libavcodec/vp9.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c
index 6d87b57..3545b32 100644
--- a/libavcodec/vp9.c
+++ b/libavcodec/vp9.c
@@ -525,8 +525,11 @@ static int decode_frame_header(AVCodecContext *ctx,
                 w = get_bits(&s->gb, 16) + 1;
                 h = get_bits(&s->gb, 16) + 1;
             }
-            s->use_last_frame_mvs &= s->frames[LAST_FRAME].tf.f->width == w &&
-                                     s->frames[LAST_FRAME].tf.f->height == h;
+            // Note that in this code, "CUR_FRAME" is actually before we
+            // have formally allocated a frame, and thus actually represents
+            // the _last_ frame
+            s->use_last_frame_mvs &= s->frames[CUR_FRAME].tf.f->width == w &&
+                                     s->frames[CUR_FRAME].tf.f->height == h;
             if (get_bits1(&s->gb)) // display size
                 skip_bits(&s->gb, 32);
             s->highprecisionmvs = get_bits1(&s->gb);
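Review bot: The new comparison on `s->frames[CUR_FRAME].tf.f->width == w` depends on `CUR_FRAME` still holding the previous picture at this point in `decode_frame_header()`, and only the added comment enforces that. If the frame allocation is ever moved ahead of this check, the test will silently compare against the wrong buffer again. Consider reading the dimensions through a local pointer with an unambiguous name, set where this invariant is known to hold, or at least extend the comment to say what `LAST_FRAME` refers to here and why it was the wrong slot. The hunk also shows no guard for the case where the slot has no decoded picture yet (first frame, or after a flush). It is worth confirming that `tf.f` is always valid there and that its width and height cannot accidentally match `w` and `h`, since `use_last_frame_mvs` stays set when they do.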


