shithub: libvpx

Info  •  Files  •  Log  •  Branches

Properly validate data size

With "show_existing_frame" frames:
Minimum data size for profile 0 and 1 is 1 byte (8bits)
Minimum data size for profile 2 and 3 is 2 bytes (9bits)

Otherwise:
Minimum data size is 8 bytes.

This resolves the VP9 failure in fuzzing test build #56.

Change-Id: I146d9d37688f535dd68d24aacc76d464ccffdf04

--- a/vp9/vp9_dx_iface.c

+++ b/vp9/vp9_dx_iface.c

@@ -148,7 +148,11 @@

     if (frame_marker != VP9_FRAME_MARKER)

       return VPX_CODEC_UNSUP_BITSTREAM;

-    if (profile >= MAX_PROFILES) return VPX_CODEC_UNSUP_BITSTREAM;

+    if (profile >= MAX_PROFILES)

+      return VPX_CODEC_UNSUP_BITSTREAM;

+

+    if ((profile >= 2 && data_sz <= 1) || data_sz < 1)

+      return VPX_CODEC_UNSUP_BITSTREAM;

     if (vp9_rb_read_bit(&rb)) {  // show an existing frame

       vp9_rb_read_literal(&rb, 3);  // Frame buffer to show.