[FFmpeg-devel] [PATCH] vp9: fix mix-up of last-frame/cur-frame in frame size checks.
Ronald S. Bultje
rsbultje at gmail.com
Sat Feb 8 02:14:38 CET 2014
Fixes invalid reads in fuzzed7.ivf.
---
libavcodec/vp9.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c
index cec1a67..8b2ed7f 100644
--- a/libavcodec/vp9.c
+++ b/libavcodec/vp9.c
@@ -537,8 +537,11 @@ static int decode_frame_header(AVCodecContext *ctx,
w = get_bits(&s->gb, 16) + 1;
h = get_bits(&s->gb, 16) + 1;
}
- s->use_last_frame_mvs &= s->frames[LAST_FRAME].tf.f->width == w &&
- s->frames[LAST_FRAME].tf.f->height == h;
+ // Note that in this code, "CUR_FRAME" is actually before we
+ // have formally allocated a frame, and thus actually represents
+ // the _last_ frame
+ s->use_last_frame_mvs &= s->frames[CUR_FRAME].tf.f->width == w &&
+ s->frames[CUR_FRAME].tf.f->height == h;
if (get_bits1(&s->gb)) // display size
skip_bits(&s->gb, 32);
s->highprecisionmvs = get_bits1(&s->gb);
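Review bot: the comment at the top of the hunk leans on a subtle ordering fact (at this point in decode_frame_header the new frame has not been allocated yet, so the slot named CUR_FRAME still holds the previously decoded frame) without saying why; readers of the header parser will otherwise see a check named use_last_frame_mvs comparing against CUR_FRAME and assume it is the bug the patch is fixing. Suggest rewording to state the ordering explicitly, e.g. "// the new frame is not allocated until after header parsing, so frames[CUR_FRAME] still holds the previous frame here", and, since the same slot-rotation assumption underlies the fix for the fuzzed7.ivf invalid reads named in the commit message, a short pointer to where the rotation happens would make the dependency easy to verify later. Both the old and new lines dereference tf.f unconditionally; worth confirming in review that the frame struct is always allocated by the time the first header is parsed (width/height 0 would then simply fail the comparison and clear use_last_frame_mvs, which is the safe outcome).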
--
1.8.4