authorAllan Sandfeld Jensen <allan.jensen@qt.io>2019-02-01 17:13:55 +0100
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2019-03-29 10:13:04 +0000
commita66d35344003ee19ac70181b7a2233fd387f9da3 (patch)
tree3b1496f51d766e3a874a7c0b7cf32024b9beb0f7
parent514bdd5a4a9a85bc6069e567e12f46f94307a8fd (diff)
[Backport] Fix for CVE-2019-5764
vp8: Fix potential use-after-free in mfqe. Similar issue to 842265. The pointer in vp8 postproc refers to show_frame_mi which is only updated on show frame. However, when there is a no-show frame which also changes the size (thus new frame buffers allocated), show_frame_mi is not updated with new frame buffer memory. Change the pointer in postproc to mi which is always updated. BUG= 913246 (cherry picked from commit 0e408ea67cd142a3f27189d7e00cbabea96a28d6) [modify] https://crrev.com/be3c1ee28aeb699c508b02cfcccf7f13feaed3eb/vp8/common/mfqe.c Change-Id: I5159ba7134a06db472c29a1d84b8d39bb60c7254 Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r--chromium/third_party/libvpx/source/libvpx/vp8/common/mfqe.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/chromium/third_party/libvpx/source/libvpx/vp8/common/mfqe.c b/chromium/third_party/libvpx/source/libvpx/vp8/common/mfqe.c
index 5aace8c99de..308b421df98 100644
--- a/chromium/third_party/libvpx/source/libvpx/vp8/common/mfqe.c
+++ b/chromium/third_party/libvpx/source/libvpx/vp8/common/mfqe.c
@@ -237,7 +237,7 @@ void vp8_multiframe_quality_enhance(VP8_COMMON *cm) {
FRAME_TYPE frame_type = cm->frame_type;
/* Point at base of Mb MODE_INFO list has motion vectors etc */
- const MODE_INFO *mode_info_context = cm->show_frame_mi;
+ const MODE_INFO *mode_info_context = cm->mi;
int mb_row;
int mb_col;
int totmap, map[4];
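Review bot: The comment above the changed line still says only what the pointer is, not why `cm->mi` is now used instead of `cm->show_frame_mi`, so a later cleanup could reintroduce the dangling pointer; `vp8_multiframe_quality_enhance` continues outside the hunk. I would extend the comment to: `/* Use cm->mi, not cm->show_frame_mi: show_frame_mi is refreshed only on a shown frame, so after a no-show frame that changes the frame size (reallocating the buffers) it can point at freed memory (CVE-2019-5764). */`. Note that `cm->mi` presumably describes the most recently decoded frame rather than `frame_to_show` when the two differ; the commit message accepts that trade-off, but it is worth confirming and recording in the same comment so the choice is not "corrected" back.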