ref: bb12bbaefb07deafad8a95f0e4f3017f45414676
parent: b46da98f3a101571b02d8aa7f1f80358463318cc
parent: 85770264ac891505730dcd5092d1993a62c74060
author: Johann <johannkoenig@google.com>
date: Tue Dec 17 16:26:50 EST 2013
Merge "Fix incorrect size reading"
--- a/vp9/decoder/vp9_decodeframe.c
+++ b/vp9/decoder/vp9_decodeframe.c
@@ -76,9 +76,8 @@
}
}
-// len == 0 is not allowed
static int read_is_valid(const uint8_t *start, size_t len, const uint8_t *end) {
- return start + len > start && start + len <= end;
+ return len != 0 && len <= end - start;
}
static int decode_unsigned_max(struct vp9_read_bit_buffer *rb, int max) {
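Review bot: The new comparison `len <= end - start` in read_is_valid mixes a size_t with a ptrdiff_t, so the difference is converted to unsigned before the compare; if a caller ever passes start > end, the negative difference becomes a very large value and the check passes. The rewrite removes the pointer-overflow problem of `start + len`, but it now relies on an unstated precondition that start <= end. I would make that explicit with `return len != 0 && start <= end && len <= (size_t)(end - start);` and keep a one-line comment such as `// Requires start <= end; len == 0 is rejected.` in place of the removed one. The same implicit conversion appears in the added `size > data_end - *data` check in the second hunk, where a `(size_t)` cast on the difference would state the intent.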
@@ -855,10 +854,14 @@
if (!is_last) {
if (!read_is_valid(*data, 4, data_end))
vpx_internal_error(error_info, VPX_CODEC_CORRUPT_FRAME,
- "Truncated packet or corrupt tile length");
+ "Truncated packet or corrupt tile length");
size = read_be32(*data);
*data += 4;
+
+ if (size > data_end - *data)
+ vpx_internal_error(error_info, VPX_CODEC_CORRUPT_FRAME,
+ "Truncated packet or corrupt tile size");
} else {
size = data_end - *data;
}
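Review bot: The added bound on `size` is only sound if the `vpx_internal_error` call for the 4-byte length check does not return to this code. If it can return (its definition is not visible here), `*data += 4` may step past `data_end`, and the resulting negative `data_end - *data` would pass the new check for any `size`, assuming `size` is unsigned (its declaration is outside the hunk). I would document that dependency at the check, e.g. `// vpx_internal_error() must not return above: this assumes *data <= data_end.`, or return early after each error call if a returning path exists. The enclosing function starts and ends outside the hunk, so how `size` is used afterwards cannot be confirmed from here.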
--
⑨