From 1bd69ac57f09c1bafc2629171f53c86bfdb469e2 Mon Sep 17 00:00:00 2001
From: Dmitry Kovalev <dkovalev@google.com>
Date: Wed, 29 Jan 2014 22:02:24 -0800
Subject: [PATCH] Fixing out of bounds access in frame_refs[] array.

Change-Id: I08f45573e0b2195c09fb6aecacb4c57431a711ea
---
 vp9/encoder/vp9_onyx_int.h | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/vp9/encoder/vp9_onyx_int.h b/vp9/encoder/vp9_onyx_int.h
index 0a6aab902d..d2f42dd3e4 100644
--- a/vp9/encoder/vp9_onyx_int.h
+++ b/vp9/encoder/vp9_onyx_int.h
@@ -756,8 +756,10 @@ static int get_token_alloc(int mb_rows, int mb_cols) {
 static void set_ref_ptrs(VP9_COMMON *cm, MACROBLOCKD *xd, MV_REFERENCE_FRAME ref0, MV_REFERENCE_FRAME ref1) {
- xd->block_refs[0] = &cm->frame_refs[ref0 - LAST_FRAME];
- xd->block_refs[1] = &cm->frame_refs[ref1 - LAST_FRAME];
+ xd->block_refs[0] = &cm->frame_refs[ref0 >= LAST_FRAME ? ref0 - LAST_FRAME
+ : 0];
+ xd->block_refs[1] = &cm->frame_refs[ref1 >= LAST_FRAME ? ref1 - LAST_FRAME
+ : 0];
 }
 #ifdef __cplusplus
-- GitLab
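Review bot: The new ternaries in set_ref_ptrs guard only the lower bound, and they resolve an out-of-range reference by silently aliasing it to frame_refs[0]. A ref value below LAST_FRAME (presumably the intra or "no second reference" case) now yields a valid-looking pointer to the first reference's entry, so a consumer that reads block_refs[1] without first checking for compound prediction would use the wrong frame instead of failing visibly; storing NULL there, or at least a comment such as `/* refs below LAST_FRAME have no buffer; slot 0 is a placeholder and must not be read */`, would make the contract explicit. Values above the last valid reference still index past the array, so a debug assertion that the computed index is below the declared length of frame_refs (its declaration is not visible in this hunk) would complete the bounds fix. The duplicated index expression could also move into one small static helper so both slots cannot drift apart.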