Fix JVET_AD0140_MVD_PREDICTION buffer overflow

ROBERT Antoine requested to merge antoine/ECM:fix_AD0140_buffer_overflow into master

In Mv.cpp, the function MvdSuffixInfoMv::getBinBudgetForMv(int, RefPicList) can be called by MvdSuffixInfoMv::getMergedBinBudgetForMv with a REF_PIC_LIST_X value (=100). This RefPicList is used to access the class array actualMvCompNum[2] in getBinBudgetForMv. So by using REF_PIC_LIST_X, it will point outside the array.

Luckily, in ECM-9.0, the badly returned values are always <= 0, which makes this function always return false. But if the memory is changed, then you get an error ("rplSelected > 1").

This bug can easily be tested in ECM-9.0 by adding a simple print at the very beginning of getBinBudgetForMv when rplIdx == REF_PIC_LIST_X. For the first chunk RA of D_BasketballPass at QP 37, it occurs more than 900 times at encoding of the POC 32 frame, and more than 50 times at the full chunk decoding.
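An added illustration, not ECM code and not this merge request's fix: a simplified C++ model of the indexing problem described above, with a checked accessor that rejects REF_PIC_LIST_X before it reaches the two-element array. The struct, the helper names, the array contents and the "check both lists" policy for the sentinel are assumptions made for the example.

```cpp
#include <array>
#include <cstddef>
#include <cstdio>

// Simplified model: only the enum values named in the description are kept.
enum RefPicList { REF_PIC_LIST_0 = 0, REF_PIC_LIST_1 = 1, REF_PIC_LIST_X = 100 };
constexpr std::size_t NUM_REF_PIC_LISTS = 2;

struct MvdSuffixInfoModel {  // hypothetical stand-in for MvdSuffixInfoMv
  // Same size as actualMvCompNum[2]; the contents are constructed sample values.
  std::array<int, NUM_REF_PIC_LISTS> actualMvCompNum{{2, 1}};

  // Only the two concrete lists are valid indices; the sentinel (100) is not.
  static bool isListIndex(RefPicList rpl) {
    return rpl == REF_PIC_LIST_0 || rpl == REF_PIC_LIST_1;
  }

  // Checked accessor: returns false and leaves 'out' untouched for any value
  // that would index past the array, instead of reading adjacent memory.
  bool compNum(RefPicList rpl, int& out) const {
    if (!isListIndex(rpl)) return false;
    out = actualMvCompNum[static_cast<std::size_t>(rpl)];
    return true;
  }

  // Hypothetical per-list check in the role of getBinBudgetForMv.
  bool hasBudgetForList(RefPicList rpl) const {
    int n = 0;
    return compNum(rpl, n) && n > 0;
  }

  // Hypothetical merged check: the sentinel is resolved to concrete lists by
  // the caller (assumed policy), so it never travels down as an array index.
  bool hasMergedBudget(RefPicList rpl) const {
    if (rpl == REF_PIC_LIST_X)
      return hasBudgetForList(REF_PIC_LIST_0) || hasBudgetForList(REF_PIC_LIST_1);
    return hasBudgetForList(rpl);
  }
};

int main() {
  MvdSuffixInfoModel m;
  std::printf("per-list with sentinel: %d\n", m.hasBudgetForList(REF_PIC_LIST_X));
  std::printf("merged with sentinel:   %d\n", m.hasMergedBudget(REF_PIC_LIST_X));
  return 0;
}
```

Building the original code with AddressSanitizer (`-fsanitize=address`) is another way to catch this kind of read at the first occurrence rather than relying on a manual print.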