Package: libvpx / 0.9.1-2
Metadata
Package | Version | Patches format |
---|---|---|
libvpx | 0.9.1-2 | 3.0 (quilt) |
Patch series
Patch | File delta | Description |
---|---|---|
01_enable shared.patch | configure: 6 0 + 6 - 0 ! | --- |
900_CVE 2010 4203.patch | vp8/decoder/decodframe.c: 11 8 + 3 - 0 ! | improve handling of invalid frames with regression fix. The code was not checking for frame sizes smaller than 3 bytes, and the partition size checks might have failed if the input buffer was within 16MB of the top of the heap. In addition, the reference count on the current frame buffer was not being decremented on error, so after a small number of errors, no new frame buffer could be found and it would run off the list of them. Also fix integer promotion bug in partition size check. The check '(user_data_end - partition < partition_size)' must be evaluated as a signed comparison, but because partition_size was unsigned, the LHS was promoted to unsigned, causing an incorrect result on 32-bit. Instead, check the upper and lower bounds of the segment separately. |
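
The integer promotion problem described for 900_CVE 2010 4203.patch, shown as an added C example that is not code from libvpx or from the patch. It assumes a model of a 32-bit target in which the pointer difference is an `int32_t`; the function names, offsets and sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of a 32-bit target (assumption): the pointer difference
 * user_data_end - partition is a 32-bit signed value and partition_size
 * is 32-bit unsigned. Each function returns 1 when the partition is
 * rejected as invalid. All names here are hypothetical. */

/* Shape of the check quoted in the description. The usual arithmetic
 * conversions turn the signed left-hand side into unsigned; the cast
 * below only makes that implicit conversion visible. */
static int reject_promoted(int32_t remaining, uint32_t partition_size)
{
    return (uint32_t)remaining < partition_size;
}

/* The comparison the description says was intended: signed. */
static int reject_signed(int32_t remaining, uint32_t partition_size)
{
    return (int64_t)remaining < (int64_t)partition_size;
}

/* Upper and lower bounds checked separately, on offsets into the input
 * buffer so that no subtraction can go negative or wrap. */
static int reject_bounds(uint32_t data_len, uint32_t partition_off,
                         uint32_t partition_size)
{
    if (partition_off > data_len)
        return 1;                       /* partition starts past the end */
    return partition_size > data_len - partition_off;
}

int main(void)
{
    /* Constructed cases: {data_len, partition_off, partition_size}. */
    static const uint32_t cases[][3] = {
        {100, 50, 10},   /* fits */
        {100, 95, 10},   /* runs past the end */
        {100, 105, 10},  /* starts past the end: difference is -5 */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int32_t remaining = (int32_t)cases[i][0] - (int32_t)cases[i][1];
        printf("remaining=%4d size=%u promoted=%d signed=%d bounds=%d\n",
               (int)remaining, (unsigned)cases[i][2],
               reject_promoted(remaining, cases[i][2]),
               reject_signed(remaining, cases[i][2]),
               reject_bounds(cases[i][0], cases[i][1], cases[i][2]));
    }
    return 0;
}
```

In the third case the promoted comparison accepts the partition, because -5 converted to unsigned is 4294967291, which is not less than 10.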