ref: 76d588902aaab35c639d9ef376f891af6c7f291a
parent: df1e06ed0bb5ad378dd63c5c12f26ed563ae7aaa
author: Jerome Jiang <jianj@google.com>
date: Tue Mar 20 06:34:26 EDT 2018
Fix vpxdec fuzz failure. BUG=webm:1495 Change-Id: Ibaee35aa5e8e00847c61e707f2c9b4c0cff23673
--- a/test/invalid_file_test.cc
+++ b/test/invalid_file_test.cc
@@ -124,6 +124,7 @@
const DecodeParam kVP8InvalidFileTests[] = { { 1, "invalid-bug-1443.ivf" }, { 1, "invalid-token-partition.ivf" },+ { 1, "invalid-vp80-00-comprehensive-s17661_r01-05_b6-.ivf" },};
VP8_INSTANTIATE_TEST_CASE(InvalidFileTest,
--- a/test/test-data.mk
+++ b/test/test-data.mk
@@ -738,6 +738,8 @@
LIBVPX_TEST_DATA-$(CONFIG_VP8_DECODER) += invalid-token-partition.ivf.res
LIBVPX_TEST_DATA-$(CONFIG_VP8_DECODER) += invalid-vp80-00-comprehensive-018.ivf.2kf_0x6.ivf
LIBVPX_TEST_DATA-$(CONFIG_VP8_DECODER) += invalid-vp80-00-comprehensive-018.ivf.2kf_0x6.ivf.res
+LIBVPX_TEST_DATA-$(CONFIG_VP8_DECODER) += invalid-vp80-00-comprehensive-s17661_r01-05_b6-.ivf
+LIBVPX_TEST_DATA-$(CONFIG_VP8_DECODER) += invalid-vp80-00-comprehensive-s17661_r01-05_b6-.ivf.res
LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-01-v3.webm
LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-01-v3.webm.res
LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-02-v2.webm
--- a/test/test-data.sha1
+++ b/test/test-data.sha1
@@ -856,3 +856,5 @@
90a8a95e7024f015b87f5483a65036609b3d1b74 *invalid-token-partition.ivf.res
17696cd21e875f1d6e5d418cbf89feab02c8850a *vp90-2-22-svc_1280x720_1.webm
e2f9e1e47a791b4e939a9bdc50bf7a25b3761f77 *vp90-2-22-svc_1280x720_1.webm.md5
+a0fbbbc5dd50fd452096f4455a58c1a8c9f66697 *invalid-vp80-00-comprehensive-s17661_r01-05_b6-.ivf
+a61774cf03fc584bd9f0904fc145253bb8ea6c4c *invalid-vp80-00-comprehensive-s17661_r01-05_b6-.ivf.res
--- a/vp8/decoder/decodeframe.c
+++ b/vp8/decoder/decodeframe.c
@@ -686,6 +686,12 @@
const unsigned char *partition_size_ptr = token_part_sizes + i * 3;
unsigned int partition_size = 0;
ptrdiff_t bytes_left = fragment_end - fragment_start;
+ if (bytes_left < 0) {+ vpx_internal_error(
+ &pc->error, VPX_CODEC_CORRUPT_FRAME,
+ "Truncated packet or corrupt partition. No bytes left %d.",
+ (int)bytes_left);
+ }
/* Calculate the length of this partition. The last partition
* size is implicit. If the partition size can't be read, then
* either use the remaining data in the buffer (for EC mode)