shithub: libvpx

ref: 738b829b8cdf079a5fa48c74a28a177c9567d212
parent: a9bbff1049ea774ed07286d979dbda7e7f2fe430
author: Johann <johannkoenig@google.com>
date: Fri Jan 26 10:50:50 EST 2018

Fix incorrect size reading

Cherry pick from vp9:

commit 85770264ac891505730dcd5092d1993a62c74060
Guard against incorrect size values moving *data past data_end.

Check read length against the difference of the buffers.

Change-Id: I5e8679ddd447c4d73deb80be5ec94841a92c5fcd

--- a/vp8/decoder/decodeframe.c
+++ b/vp8/decoder/decodeframe.c
@@ -674,7 +674,7 @@
 
 static int read_is_valid(const unsigned char *start, size_t len,
                          const unsigned char *end) {
-  return (start + len > start && start + len <= end);
+  return len != 0 && len <= (size_t)(end - start);
 }
 
 static unsigned int read_available_partition_size(
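
Review bot: On the added return line in read_is_valid, `(size_t)(end - start)` is only a valid bound when start <= end. If a caller ever passes start beyond end, the negative pointer difference converts to a very large size_t and any non-zero len is accepted, which is the case this guard is meant to stop. Consider making the precondition explicit, for example `return start < end && len != 0 && len <= (size_t)(end - start);`, or state in a comment that callers guarantee start <= end. The `len != 0` term preserves the old rejection of zero-length reads (previously implied by `start + len > start`); a one-line comment saying that is intentional would help the next reader.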