From 3ebe1c0003287e1d9b65d99750f227ca7ed4dffc Mon Sep 17 00:00:00 2001 From: hui su Date: Tue, 13 Dec 2016 17:32:06 -0800 Subject: [PATCH] AnimEncoder: avoid freeing uninitialized memory pointer. In GenerateCandidates(), when candidate_ll->evaluate_ and candidate_lossy->evaluate_ are both true, if lossless encoding exits on error, candidate_ll->evaluate_ would not be correctly reset. This will cause freeing uninitialized memory pointer in SetFrame(). BUG=webp:322 Change-Id: I481b49a186e4fa3607ce71b4543a481083edf444 --- src/mux/anim_encode.c | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/src/mux/anim_encode.c b/src/mux/anim_encode.c index bad128c0..7a388ac5 100644 --- a/src/mux/anim_encode.c +++ b/src/mux/anim_encode.c @@ -863,8 +863,8 @@ static WebPEncodingError GenerateCandidates( WebPPicture* const curr_canvas = &enc->curr_canvas_copy_; const WebPPicture* const prev_canvas = is_dispose_none ? &enc->prev_canvas_ : &enc->prev_canvas_disposed_; - int use_blending_ll; - int use_blending_lossy; + int use_blending_ll, use_blending_lossy; + int evaluate_ll, evaluate_lossy; CopyCurrentCanvas(enc); use_blending_ll = @@ -877,19 +877,19 @@ static WebPEncodingError GenerateCandidates( // Pick candidates to be tried. if (!enc->options_.allow_mixed) { - candidate_ll->evaluate_ = is_lossless; - candidate_lossy->evaluate_ = !is_lossless; + evaluate_ll = is_lossless; + evaluate_lossy = !is_lossless; } else if (enc->options_.minimize_size) { - candidate_ll->evaluate_ = 1; - candidate_lossy->evaluate_ = 1; + evaluate_ll = 1; + evaluate_lossy = 1; } else { // Use a heuristic for trying lossless and/or lossy compression. const int num_colors = WebPGetColorPalette(¶ms->sub_frame_ll_, NULL); - candidate_ll->evaluate_ = (num_colors < MAX_COLORS_LOSSLESS); - candidate_lossy->evaluate_ = (num_colors >= MIN_COLORS_LOSSY); + evaluate_ll = (num_colors < MAX_COLORS_LOSSLESS); + evaluate_lossy = (num_colors >= MIN_COLORS_LOSSY); } // Generate candidates. - if (candidate_ll->evaluate_) { + if (evaluate_ll) { CopyCurrentCanvas(enc); if (use_blending_ll) { enc->curr_canvas_copy_modified_ = @@ -899,7 +899,7 @@ static WebPEncodingError GenerateCandidates( config_ll, use_blending_ll, candidate_ll); if (error_code != VP8_ENC_OK) return error_code; } - if (candidate_lossy->evaluate_) { + if (evaluate_lossy) { CopyCurrentCanvas(enc); if (use_blending_lossy) { enc->curr_canvas_copy_modified_ = @@ -1105,9 +1105,7 @@ static WebPEncodingError SetFrame(WebPAnimEncoder* const enc, return VP8_ENC_ERROR_INVALID_CONFIGURATION; } - for (i = 0; i < CANDIDATE_COUNT; ++i) { - candidates[i].evaluate_ = 0; - } + memset(candidates, 0, sizeof(candidates)); // Change-rectangle assuming previous frame was DISPOSE_NONE. if (!GetSubRects(prev_canvas, curr_canvas, is_key_frame, is_first_frame,