[FFmpeg-devel] [PATCH] vp9: fix mix-up of last-frame/cur-frame in frame size checks.
Clément Bœsch
u at pkh.me
Sat Feb 8 11:21:30 CET 2014
On Fri, Feb 07, 2014 at 08:14:38PM -0500, Ronald S. Bultje wrote:
> Fixes invalid reads in fuzzed7.ivf.
> ---
> libavcodec/vp9.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c
> index cec1a67..8b2ed7f 100644
> --- a/libavcodec/vp9.c
> +++ b/libavcodec/vp9.c
> @@ -537,8 +537,11 @@ static int decode_frame_header(AVCodecContext *ctx,
> w = get_bits(&s->gb, 16) + 1;
> h = get_bits(&s->gb, 16) + 1;
> }
> - s->use_last_frame_mvs &= s->frames[LAST_FRAME].tf.f->width == w &&
> - s->frames[LAST_FRAME].tf.f->height == h;
> + // Note that in this code, "CUR_FRAME" is actually before we
> + // have formally allocated a frame, and thus actually represents
> + // the _last_ frame
> + s->use_last_frame_mvs &= s->frames[CUR_FRAME].tf.f->width == w &&
> + s->frames[CUR_FRAME].tf.f->height == h;
> if (get_bits1(&s->gb)) // display size
> skip_bits(&s->gb, 32);
> s->highprecisionmvs = get_bits1(&s->gb);
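Review bot: the new `s->frames[CUR_FRAME].tf.f->width == w` comparison is only correct while this check runs before the current frame is allocated, and nothing but the comment enforces that ordering. If the allocation is ever moved earlier, CUR_FRAME will describe the new frame and `use_last_frame_mvs` will stay set across a size change, which is the condition this patch is meant to rule out. Consider having the comment name the point where the frame is allocated, or keeping the previous frame's width and height in dedicated context fields so the check does not depend on call order. It is also worth confirming that `tf.f` is a valid pointer here when no frame has been decoded yet, since both added lines dereference it unconditionally.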
Applied, thanks
--
Clément B.