The pointer in vp8 postproc refers to show_frame_mi, which is only
updated on a show frame. However, when there is a no-show frame that also
changes the size (so new frame buffers are allocated), show_frame_mi is
not updated with the new frame buffer memory.
The vulnerability is similar to CVE-2018-6155, which was discovered by a Project Zero fuzzer:
the fuzzer found only the first vulnerability, and when I looked at it I found the exact same vulnerable
code pattern in the MFQE module, and reported it to Chromium.
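As an added illustration (not libvpx code, and not the reporter's), here is a simplified C model of the stale-cache pattern described above: a decoder keeps a cached pointer (`show_frame_mi`) into a buffer (`mode_info`) that is reallocated whenever the frame size changes, but refreshes the cache only on shown frames, so a no-show frame that changes the size leaves the cache dangling. The struct, `mi_count()`, the scenario sizes and the refresh-on-reallocate fix are all assumptions for illustration, not libvpx's real structures or its actual patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified decoder state for illustration only; it is not
 * libvpx's VP8_COMMON. mode_info is reallocated whenever the frame size
 * changes, and show_frame_mi is a cached pointer into it that the
 * postprocessor reads. */
typedef struct {
    int  width, height;
    int *mode_info;      /* per-macroblock mode info for the current size */
    int *show_frame_mi;  /* cached pointer to the mode info of the last shown frame */
} decoder_t;

/* Number of mode-info entries for a frame of w x h pixels (one per 16x16
 * macroblock, plus a border row and column). Assumed layout. */
static size_t mi_count(int w, int h) {
    return (size_t)((w + 15) / 16 + 1) * (size_t)((h + 15) / 16 + 1);
}

/* (Re)allocate mode_info if the frame size changed.
 * Returns 1 if a new buffer was allocated, 0 if the old one was kept,
 * -1 on allocation failure. The new buffer is obtained before the old one
 * is released so the two never share an address. */
static int alloc_frame_buffers(decoder_t *d, int w, int h) {
    int *fresh;
    if (d->mode_info && d->width == w && d->height == h) return 0;
    fresh = calloc(mi_count(w, h), sizeof(int));
    if (!fresh) return -1;
    free(d->mode_info);  /* any cached pointer into the old buffer is now dangling */
    d->mode_info = fresh;
    d->width = w;
    d->height = h;
    return 1;
}

/* Decode one frame of the given size. show_frame == 0 models a no-show frame.
 * With fixed == 0 the cache is refreshed only on shown frames, which is the
 * pattern the report describes; with fixed == 1 it is also refreshed whenever
 * the buffer it points into has just been reallocated. */
static int decode_frame(decoder_t *d, int w, int h, int show_frame, int fixed) {
    int reallocated = alloc_frame_buffers(d, w, h);
    if (reallocated < 0) return -1;
    if (show_frame || (fixed && reallocated)) d->show_frame_mi = d->mode_info;
    return 0;
}

/* Returns 1 if show_frame_mi points inside the currently live mode_info
 * buffer. Addresses are compared as integers so that a dangling pointer is
 * never dereferenced. */
static int cached_pointer_is_live(const decoder_t *d) {
    uintptr_t p  = (uintptr_t)d->show_frame_mi;
    uintptr_t lo = (uintptr_t)d->mode_info;
    uintptr_t hi = lo + mi_count(d->width, d->height) * sizeof(int);
    return d->show_frame_mi != NULL && p >= lo && p < hi;
}

/* The sequence from the report: a shown frame, then a no-show frame at a
 * different size. Returns 1 if the postprocessor's cached pointer is still
 * live afterwards, 0 if it dangles, -1 on allocation failure. */
static int run_scenario(int fixed) {
    decoder_t d = {0, 0, NULL, NULL};
    int live;
    if (decode_frame(&d, 320, 240, 1, fixed) < 0) return -1;
    if (decode_frame(&d, 640, 480, 0, fixed) < 0) { free(d.mode_info); return -1; }
    live = cached_pointer_is_live(&d);
    free(d.mode_info);
    return live;
}

int main(void) {
    printf("refresh on show only  : cached pointer live = %d\n", run_scenario(0));
    printf("refresh on realloc too: cached pointer live = %d\n", run_scenario(1));
    return 0;
}
```

The general lesson is the one the report makes: any cached pointer into a buffer must be refreshed (or cleared) on every path that reallocates that buffer, not only on the path that normally updates it. Building with AddressSanitizer and adding a read through `show_frame_mi` after the second frame would flag the unfixed variant as a heap-use-after-free.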