ref: cacfb8d25aee86bbd6828b60cb9b7697d2f2d1a9
parent: ba789ebfb4f6de6f478722d34114a18c8c9bb5c7
author: Janne Grunau <janne-vlc@jannau.net>
date: Sun Oct 28 07:25:06 EDT 2018
parse_obu: reset have_{seq,frame}_hdr on new OBU_{SEQ,FRAME}_HDR Prevent decoding a frame with inconsistent sequence and frame headers. Fix #124, #125. Fix a negative size parameter in pixel_copy caused by inconsistent sb128 state: the frame header was parsed with sb128 == 0, while the sequence header and frame decoding used sb128 == 1. Fix clusterfuzz-testcase-minimized-dav1d_fuzzer-5707479116152832. Credits to oss-fuzz.
--- a/src/obu.c
+++ b/src/obu.c
@@ -1043,11 +1043,12 @@
switch (type) {
case OBU_SEQ_HDR:
+ c->have_seq_hdr = 0;
+ c->have_frame_hdr = 0;
if ((res = parse_seq_hdr(c, &gb)) < 0)
return res;
if ((unsigned)res != len) goto error;
c->have_seq_hdr = 1;
- c->have_frame_hdr = 0;
break;
case OBU_REDUNDANT_FRAME_HDR:
if (c->have_frame_hdr) break;
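Review bot: The two flag resets (the `c->have_seq_hdr = 0; c->have_frame_hdr = 0;` pair here and the matching `c->have_frame_hdr = 0;` in the OBU_FRAME/OBU_FRAME_HDR hunk) are bare assignments whose placement before the parse call is the whole fix, yet nothing in the code says why they must precede `parse_seq_hdr()` rather than follow it, so a later reorder would silently reintroduce the stale-header state the commit message describes. I would put above the first reset: `// Invalidate the previous headers before parsing: if parse_seq_hdr() fails or the OBU length does not match, the partially overwritten header must not stay marked valid, and any earlier frame header no longer matches it.` and a one-line equivalent above the reset in the frame-header case. The `error` label and the remainder of the switch are outside the hunk, so I cannot confirm whether the error path clears these flags itself; if it does not, the pre-parse reset is the only thing protecting the `(unsigned)res != len` branch, which is worth stating in that comment.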
@@ -1054,6 +1055,7 @@
// fall-through
case OBU_FRAME:
case OBU_FRAME_HDR:
+ c->have_frame_hdr = 0;
if (!c->have_seq_hdr) goto error;
if ((res = parse_frame_hdr(c, &gb, type != OBU_FRAME)) < 0)
return res;