Information

File: vp8/common/mfqe.c
Function: vp8_multiframe_quality_enhance()

The vp8 postproc keeps a pointer to show_frame_mi, which is only
updated when a frame is shown. However, when a no-show frame also
changes the frame size (so new frame buffers are allocated), show_frame_mi is
not updated to point into the new frame buffer memory, leaving the postproc
with a pointer into the old, freed allocation.
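The stale-pointer pattern described above, reduced to a small model. This is an added example, not libvpx code: the decoder_t struct, its mode_info buffer, decode_frame() and run_sequence() are hypothetical stand-ins for the real frame buffer / MODE_INFO handling, constructed only to show how a cached pointer that is refreshed on show frames alone goes stale when a no-show frame reallocates the buffers, and how refreshing it at reallocation time closes the gap. Nothing here dereferences the dangling pointer; the check compares addresses only.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified decoder state (not libvpx's real structures).
 * mode_info is the per-frame buffer that is reallocated when the frame size
 * changes; show_frame_mi is the postproc's cached view of it. */
typedef struct {
    size_t mb_count;               /* macroblocks at the current frame size */
    unsigned char *mode_info;      /* constructed stand-in for the MODE_INFO array */
    unsigned char *show_frame_mi;  /* pointer the postproc reads from */
    int refresh_on_resize;         /* 0 = buggy behaviour, 1 = hardened behaviour */
} decoder_t;

static void decoder_init(decoder_t *d, size_t mb_count, int refresh_on_resize) {
    memset(d, 0, sizeof(*d));
    d->mb_count = mb_count;
    d->mode_info = calloc(mb_count, 1);
    d->show_frame_mi = d->mode_info;
    d->refresh_on_resize = refresh_on_resize;
}

/* Decode one frame: reallocate buffers if the size changed, then update the
 * postproc pointer only if this frame is shown (the original update point). */
static void decode_frame(decoder_t *d, size_t mb_count, int show_frame) {
    if (mb_count != d->mb_count) {
        /* allocate the new buffer before freeing the old one so the two
         * allocations are guaranteed to have different addresses */
        unsigned char *fresh = calloc(mb_count, 1);
        free(d->mode_info);
        d->mode_info = fresh;
        d->mb_count = mb_count;
        if (d->refresh_on_resize) {
            /* hardened: a resize never leaves the postproc with a pointer
             * into the freed allocation, shown frame or not */
            d->show_frame_mi = d->mode_info;
        }
    }
    if (show_frame) {
        d->show_frame_mi = d->mode_info;
    }
}

/* Postproc-side sanity check: 1 if the cached pointer still refers to the
 * live mode_info allocation, 0 if it dangles. Address comparison only. */
static int show_frame_mi_is_live(const decoder_t *d) {
    return d->show_frame_mi == d->mode_info;
}

/* Runs the triggering sequence from the description: a shown frame, then a
 * no-show frame that changes the size. Returns 1 if the postproc pointer is
 * still live afterwards, 0 if it became stale. */
int run_sequence(int refresh_on_resize) {
    decoder_t d;
    int live;
    decoder_init(&d, 64, refresh_on_resize);
    decode_frame(&d, 64, 1);   /* shown frame at the original size */
    decode_frame(&d, 256, 0);  /* no-show frame with a size change */
    live = show_frame_mi_is_live(&d);
    free(d.mode_info);
    return live;
}
```

With refresh_on_resize set to 0 the sequence reproduces the bug class (run_sequence returns 0: the postproc pointer still names the freed buffer); with it set to 1 the pointer follows the reallocation and run_sequence returns 1. A liveness check of this shape, or simply re-deriving the postproc pointer from the current frame buffer every time it is used, is the kind of invariant a reviewer would look for wherever a cached pointer is refreshed on one event but the underlying allocation can change on another.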

Background

The vulnerability is similar to CVE-2018-6155 that was discovered by a fuzzer of Project Zero:
https://bugs.chromium.org/p/chromium/issues/detail?id=842265
The fuzzer found only the first vulnerability, and when I looked at it I found an exact vulnerable
code pattern in the MFQE module, and reported it to chromium.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5764
https://bugs.chromium.org/p/chromium/issues/detail?id=913246