From e8c72275a68e5c566bd780097286522a9cd7f906 Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Wed, 25 Mar 2020 12:30:32 +0100
Subject: [PATCH 2/2] CVE-2019-9433: VP8: Fix use-after-free in postproc.

The pointer in vp8 postproc refers to show_frame_mi which is only updated on show frame. However, when there is a no-show frame which also changes the size (thus new frame buffers allocated), show_frame_mi is not updated with new frame buffer memory. Change the pointer in postproc to mi which is always updated.
Bug: 842265
---
 vp8/common/postproc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vp8/common/postproc.c b/vp8/common/postproc.c
index dd998f16e..2693ef017 100644
--- a/vp8/common/postproc.c
+++ b/vp8/common/postproc.c
@@ -334,7 +334,7 @@ void vp8_deblock(VP8_COMMON *cm,
 double level = 6.0e-05 * q * q * q - .0067 * q * q + .306 * q + .0065;
 int ppl = (int)(level + .5);
- const MODE_INFO *mode_info_context = cm->show_frame_mi;
+ const MODE_INFO *mode_info_context = cm->mi;
 int mbr, mbc;
 /* The pixel thresholds are adjusted according to if or not the macroblock
-- 
2.25.1
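Review bot: The replaced initializer of `mode_info_context` in vp8_deblock has no comment saying why `cm->mi` is used instead of `cm->show_frame_mi`, so a later cleanup could reintroduce the stale pointer. I would add above it `/* cm->show_frame_mi is only refreshed on shown frames and can be stale after a no-show frame that resizes; use cm->mi. */`. As far as this hunk shows, the change fixes only this reader and leaves `show_frame_mi` itself pointing at the old buffers after reallocation. Any other reader of that field outside the hunk would presumably share the exposure, so it is worth auditing them or resetting the field where the frame buffers are reallocated. A decoder regression test with a no-show frame that changes dimensions, run under AddressSanitizer, would pin the fix; vp8_deblock's body starts and ends outside the hunk.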