ref: 6efe45375f3122cc2459e6fa3a874a6dd2023610
parent: 18e93be9f2e9c863be573e910ff6940547fa0cad
author: Brian Foley <bpfoley@google.com>
date: Thu Jan 16 15:33:48 EST 2020
Validate data used by vpx_codec_control... ...instead of blindly derefing NULL. Found by some additional fuzzing of the vp8/vp9 decoders to be upstreamed soon. Change-Id: I2ea08c2d15f689f3fac8cc73622056a82d94ec00
--- a/vp8/vp8_dx_iface.c
+++ b/vp8/vp8_dx_iface.c
@@ -591,8 +591,10 @@
static vpx_codec_err_t vp8_get_quantizer(vpx_codec_alg_priv_t *ctx,
va_list args) {
int *const arg = va_arg(args, int *);
+ VP8D_COMP *pbi = ctx->yv12_frame_buffers.pbi[0];
if (arg == NULL) return VPX_CODEC_INVALID_PARAM;
- *arg = vp8dx_get_quantizer(ctx->yv12_frame_buffers.pbi[0]);
+ if (pbi == NULL) return VPX_CODEC_CORRUPT_FRAME;
+ *arg = vp8dx_get_quantizer(pbi);
return VPX_CODEC_OK;
}
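Review bot: The new `if (pbi == NULL) return VPX_CODEC_CORRUPT_FRAME;` in vp8_get_quantizer reports a damaged bitstream for what looks like a missing decoder instance, while the vp9 hunk of this same commit returns VPX_CODEC_ERROR for the equivalent `ctx->pbi` check. The NULL checks added in the two later hunks of this file return the same CORRUPT_FRAME code. A caller that treats CORRUPT_FRAME as a recoverable per-frame condition would presumably carry on, so it is worth settling on one code for "no decoder instance" across both files, e.g. `if (pbi == NULL) return VPX_CODEC_ERROR;`. A short comment such as `/* pbi[0] is NULL until a decoder instance has been created */` would record why the check exists; that condition is inferred from the commit message, so confirm it before adding.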
@@ -622,6 +624,7 @@
if (update_info) {
VP8D_COMP *pbi = (VP8D_COMP *)ctx->yv12_frame_buffers.pbi[0];
+ if (pbi == NULL) return VPX_CODEC_CORRUPT_FRAME;
*update_info = pbi->common.refresh_alt_ref_frame * (int)VP8_ALTR_FRAME +
pbi->common.refresh_golden_frame * (int)VP8_GOLD_FRAME +
@@ -639,13 +642,16 @@
if (ref_info) {
VP8D_COMP *pbi = (VP8D_COMP *)ctx->yv12_frame_buffers.pbi[0];
- VP8_COMMON *oci = &pbi->common;
- *ref_info =
- (vp8dx_references_buffer(oci, ALTREF_FRAME) ? VP8_ALTR_FRAME : 0) |
- (vp8dx_references_buffer(oci, GOLDEN_FRAME) ? VP8_GOLD_FRAME : 0) |
- (vp8dx_references_buffer(oci, LAST_FRAME) ? VP8_LAST_FRAME : 0);
-
- return VPX_CODEC_OK;
+ if (pbi) {
+ VP8_COMMON *oci = &pbi->common;
+ *ref_info =
+ (vp8dx_references_buffer(oci, ALTREF_FRAME) ? VP8_ALTR_FRAME : 0) |
+ (vp8dx_references_buffer(oci, GOLDEN_FRAME) ? VP8_GOLD_FRAME : 0) |
+ (vp8dx_references_buffer(oci, LAST_FRAME) ? VP8_LAST_FRAME : 0);
+ return VPX_CODEC_OK;
+ } else {
+ return VPX_CODEC_CORRUPT_FRAME;
+ }
} else {
return VPX_CODEC_INVALID_PARAM;
}
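Review bot: The `if (pbi) { … } else { return VPX_CODEC_CORRUPT_FRAME; }` wrapper re-indents the whole ref_info computation, whereas the two earlier hunks in this file handle the same condition with a one-line guard. Writing `if (pbi == NULL) return VPX_CODEC_CORRUPT_FRAME;` directly after the `pbi` declaration keeps the three handlers uniform and leaves `oci` and the `*ref_info` assignment untouched, which also makes the security-relevant line easier to spot in the diff. The same applies to the `if (ctx->pbi) { … } else { … }` wrapper in the vp9/vp9_dx_iface.c hunk. The enclosing function starts above this hunk.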
--- a/vp9/vp9_dx_iface.c
+++ b/vp9/vp9_dx_iface.c
@@ -474,11 +474,15 @@
vp9_ref_frame_t *data = va_arg(args, vp9_ref_frame_t *);
if (data) {
- const int fb_idx = ctx->pbi->common.cur_show_frame_fb_idx;
- YV12_BUFFER_CONFIG *fb = get_buf_frame(&ctx->pbi->common, fb_idx);
- if (fb == NULL) return VPX_CODEC_ERROR;
- yuvconfig2image(&data->img, fb, NULL);
- return VPX_CODEC_OK;
+ if (ctx->pbi) {
+ const int fb_idx = ctx->pbi->common.cur_show_frame_fb_idx;
+ YV12_BUFFER_CONFIG *fb = get_buf_frame(&ctx->pbi->common, fb_idx);
+ if (fb == NULL) return VPX_CODEC_ERROR;
+ yuvconfig2image(&data->img, fb, NULL);
+ return VPX_CODEC_OK;
+ } else {
+ return VPX_CODEC_ERROR;
+ }
} else {
return VPX_CODEC_INVALID_PARAM;
}
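Review bot: Nothing in this commit exercises the new `ctx->pbi` check, and the commit message says the fuzzer that found the crash will be upstreamed separately. A small unit test that initializes the decoder and issues this control before any frame has been decoded (presumably the state in which `ctx->pbi` is still NULL) would pin the `VPX_CODEC_ERROR` return, and the same pattern would cover the vp8 checks. The handler's signature is outside the hunk, so the control ID to use has to be taken from the surrounding file.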