shithub: dav1d

Info • Files • Log • Branches

ref: 13389e68a6a6454779356a27ace28183dc30f719
parent: 7d3cebc41913609e33c3ee46e64f6c5a23de2f89
author: Janne Grunau <janne-vlc@jannau.net>
date: Thu Oct 11 17:08:33 EDT 2018

decode: verify inter frame size restrictions

Fixes a heap buffer overflow in
clusterfuzz-testcase-minimized-dav1d_fuzzer-5677513716531200. Credits to
oss-fuzz.

--- a/src/decode.c

+++ b/src/decode.c

@@ -2775,7 +2775,10 @@

         for (int i = 0; i < 7; i++) {

             const int refidx = f->frame_hdr.refidx[i];

-            if (!c->refs[refidx].p.p.data[0]) {

+            if (!c->refs[refidx].p.p.data[0] ||

+                f->frame_hdr.width  != c->refs[refidx].p.p.p.w ||

+                f->frame_hdr.height != c->refs[refidx].p.p.p.h)

+            {

                 for (int j = 0; j < i; j++)

                     dav1d_thread_picture_unref(&f->refp[j]);

                 return -EINVAL;