shithub: libvpx

Download patch

ref: 85770264ac891505730dcd5092d1993a62c74060
parent: af416c4daf6681a7ad599d3c1325723ab116b99e
author: Johann <johannkoenig@google.com>
date: Tue Dec 17 13:29:06 EST 2013 

Fix incorrect size reading

Guard against incorrect size values moving *data past data_end.

Check read length against the difference of the buffers.

Change-Id: Ie0b54e2db517fd41a0f3ceb23402ee44839a4739


--- a/vp9/decoder/vp9_decodeframe.c
+++ b/vp9/decoder/vp9_decodeframe.c
@@ -76,9 +76,8 @@
   }
 }
 
-// len == 0 is not allowed
 static int read_is_valid(const uint8_t *start, size_t len, const uint8_t *end) {
-  return start + len > start && start + len <= end;
+  return len != 0 && len <= end - start;
 }
 
 static int decode_unsigned_max(struct vp9_read_bit_buffer *rb, int max) {
@@ -855,10 +854,14 @@
   if (!is_last) {
     if (!read_is_valid(*data, 4, data_end))
       vpx_internal_error(error_info, VPX_CODEC_CORRUPT_FRAME,
-          "Truncated packet or corrupt tile length");
+                         "Truncated packet or corrupt tile length");
 
     size = read_be32(*data);
     *data += 4;
+
+    if (size > data_end - *data)
+      vpx_internal_error(error_info, VPX_CODEC_CORRUPT_FRAME,
+                         "Truncated packet or corrupt tile size");
   } else {
     size = data_end - *data;
   }