From 69e3fac093855203084ea0f770ffb137989d1621 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Thu, 25 Feb 2016 10:31:58 +0200
Subject: [PATCH] Avoid reading iCountMbNumInSlice out of bounds on slice realloc

Prior to 7bcb3ba4f4abf18a, pCurLayer->sLayerInfo.pSliceInLayer[uiSliceIdx].iCountMbNumInSlice was read after setting pCurLayer->sLayerInfo.pSliceInLayer to the newly allocated, larger array. After this commit, it is read before the array has been switched, and thus is read from the old array (which only holds elements up to iMaxSliceNumOld, not up to iMaxSliceNum). This fixes reads out of bounds, and crashes in the test suite.
---
codec/encoder/core/src/encoder_ext.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/codec/encoder/core/src/encoder_ext.cpp b/codec/encoder/core/src/encoder_ext.cpp
index da41db93..5e3b22ce 100644
--- a/codec/encoder/core/src/encoder_ext.cpp
+++ b/codec/encoder/core/src/encoder_ext.cpp
@@ -4877,7 +4877,7 @@ int32_t SliceBufferRealloc (sWelsEncCtx* pCtx) {
 pSliceIdx->sSlicingOverRc.iTotalQpSlice = 0;
 pSliceIdx->sSlicingOverRc.iTotalMbSlice = 0;
 pSliceIdx->sSlicingOverRc.iTargetBitsSlice = WELS_DIV_ROUND (kiBitsPerMb *
- pCurLayer->sLayerInfo.pSliceInLayer[uiSliceIdx].iCountMbNumInSlice,
+ pSlice[uiSliceIdx].iCountMbNumInSlice,
 INT_MULTIPLY);
 pSliceIdx->sSlicingOverRc.iFrameBitsSlice = 0;
 pSliceIdx->sSlicingOverRc.iGomBitsSlice = 0;
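Review bot: Nothing at the changed read in `SliceBufferRealloc` records why it must index `pSlice` rather than `pCurLayer->sLayerInfo.pSliceInLayer`, and the commit message says this ordering already regressed once, in 7bcb3ba4f4abf18a. A short comment above the `WELS_DIV_ROUND` argument would keep the invariant visible, e.g. `// pSliceInLayer still points at the old array (iMaxSliceNumOld entries) here; read from the new one`. The allocation of `pSlice` and the loop bounds on `uiSliceIdx` are outside the hunk, so it is also worth confirming that `iCountMbNumInSlice` has already been assigned for the newly added entries. If the new array is only zero-filled at this point, the read is in bounds but `iTargetBitsSlice` would come out as 0.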