ref: 5d383a88e72d26ab21349dfb0ae28047ec26cc04
parent: 5327ea0698245b78e5a3c4384fbd8f6723a47d5b
parent: 2fa664a4e247f2c717f696f7febecbffbaaf701e
author: John Koleszar <jkoleszar@google.com>
date: Mon Nov 8 03:34:46 EST 2010
Merge remote branch 'internal/upstream-experimental' into HEAD Conflicts: configure Change-Id: I952d3a50ddd243990d37c5f931bd91a4244d6284
--- a/vp8/decoder/decodframe.c
+++ b/vp8/decoder/decodframe.c
@@ -461,7 +461,8 @@
partition_size = user_data_end - partition;
}
- if (user_data_end - partition < partition_size)
+ if (partition + partition_size > user_data_end
+ || partition + partition_size < partition)
vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
"Truncated packet or corrupt partition "
"%d length", i + 1);
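Review bot: The new test `partition + partition_size > user_data_end || partition + partition_size < partition` forms a pointer beyond the end of the buffer before comparing it, which is undefined behaviour in C. A compiler may therefore drop the `< partition` wrap test, and the check can silently stop catching an oversized length. Compare the length with the bytes remaining instead, e.g. `if ((size_t)partition_size > (size_t)(user_data_end - partition))`, which never creates an out-of-range pointer. This assumes `partition` does not exceed `user_data_end` at this point; the declaration of `partition_size` is outside the hunk, so its type needs confirming. The same pattern appears in the partition-0 check of the next hunk (`data + first_partition_length_in_bytes`) and in `data + data_sz <= data` in vp8/vp8_dx_iface.c.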
@@ -580,7 +581,8 @@
(data[0] | (data[1] << 8) | (data[2] << 16)) >> 5;
data += 3;
- if (data_end - data < first_partition_length_in_bytes)
+ if (data + first_partition_length_in_bytes > data_end
+ || data + first_partition_length_in_bytes < data)
vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
"Truncated packet or corrupt partition 0 length");
vp8_setup_version(pc);
--- a/vp8/vp8_dx_iface.c
+++ b/vp8/vp8_dx_iface.c
@@ -253,8 +253,11 @@
unsigned int data_sz,
vpx_codec_stream_info_t *si)
{
-
vpx_codec_err_t res = VPX_CODEC_OK;
+
+ if(data + data_sz <= data)
+ res = VPX_CODEC_INVALID_PARAM;
+ else
{
/* Parse uncompresssed part of key frame header.
* 3 bytes:- including version, frame type and an offset
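Review bot: The guard `if(data + data_sz <= data)` carries no comment, and its `<=` rejects a zero-length buffer as well as one whose end address wraps, so a reader cannot tell whether both cases were intended. A one-line comment above it would settle that, e.g. `/* Reject empty buffers and buffers whose end address wraps around. */`. It also only checks the address range, not that `data_sz` bytes are actually readable, which the comment could state. The function body continues past the end of the hunk.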
@@ -331,7 +334,10 @@
ctx->img_avail = 0;
- /* Determine the stream parameters */
+ /* Determine the stream parameters. Note that we rely on peek_si to
+ * validate that we have a buffer that does not wrap around the top
+ * of the heap.
+ */
if (!ctx->si.h)
res = ctx->base.iface->dec.peek_si(data, data_sz, &ctx->si);
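Review bot: The comment added above `if (!ctx->si.h)` says the decoder relies on peek_si to validate the buffer, but peek_si is called only while `ctx->si.h` is zero. Once stream info has been filled in, later calls skip that validation on this path. Either perform the buffer check on every call before this conditional, or narrow the comment to what is guaranteed, e.g. `/* peek_si validates the buffer only until stream info is known. */`. The rest of the function is outside the hunk, so a later check may exist that is not visible here.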