shithub: libvpx


ref: dec4405cfa2a940fa24972fa1def50d8e02b7cb2
parent: 9897e1c27c664b45b81e60a277df3e8186e03c4d
author: Ronald S. Bultje <rsbultje@gmail.com>
date: Tue Oct 20 08:13:03 EDT 2015

vp10: disallow coding zero-sized tiles-in-frame/frames-in-superframe.

See issue 1088.

Change-Id: Icb15d33b4e316add848f210b50cbccd7c7847207

--- a/vp10/decoder/decodeframe.c
+++ b/vp10/decoder/decodeframe.c
@@ -1448,9 +1448,9 @@
     if (decrypt_cb) {
       uint8_t be_data[4];
       decrypt_cb(decrypt_state, *data, be_data, tile_sz_mag + 1);
-      size = mem_get_varsize(be_data, tile_sz_mag);
+      size = mem_get_varsize(be_data, tile_sz_mag) + CONFIG_MISC_FIXES;
     } else {
-      size = mem_get_varsize(*data, tile_sz_mag);
+      size = mem_get_varsize(*data, tile_sz_mag) + CONFIG_MISC_FIXES;
     }
     *data += tile_sz_mag + 1;
 
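Review bot: Both `size = mem_get_varsize(...) + CONFIG_MISC_FIXES;` assignments add to a length taken from the bitstream without checking that the addition cannot wrap. With `tile_sz_mag` at 3 the field is four bytes wide, so the stored value can presumably be 0xFFFFFFFF; if `size` is 32 bits on the target (its declaration is outside the hunk) the sum wraps to 0, which is the zero-sized tile this commit is meant to exclude. The same applies to `this_sz += CONFIG_MISC_FIXES;` in vp10/decoder/decoder.c, where the wrapped value also goes into `frame_sz_sum`. Whether the later validation of `size` rejects 0 is not visible here, so I would test for it right after the assignment and route it to the decoder's existing corrupt-data error path, with a comment such as `// bitstream stores size - 1; a wrap to 0 is invalid`.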
--- a/vp10/decoder/decoder.c
+++ b/vp10/decoder/decoder.c
@@ -506,6 +506,7 @@
 
         for (j = 0; j < mag; ++j)
           this_sz |= (*x++) << (j * 8);
+        this_sz += CONFIG_MISC_FIXES;
         sizes[i] = this_sz;
 #if CONFIG_MISC_FIXES
         frame_sz_sum += this_sz;
--- a/vp10/encoder/bitstream.c
+++ b/vp10/encoder/bitstream.c
@@ -1117,9 +1117,13 @@
       assert(tok == tok_end);
       vpx_stop_encode(&residual_bc);
       if (tile_col < tile_cols - 1 || tile_row < tile_rows - 1) {
+        unsigned int tile_sz;
+
         // size of this tile
-        mem_put_le32(data_ptr + total_size, residual_bc.pos);
-        max_tile = max_tile > residual_bc.pos ? max_tile : residual_bc.pos;
+        assert(residual_bc.pos > 0);
+        tile_sz = residual_bc.pos - CONFIG_MISC_FIXES;
+        mem_put_le32(data_ptr + total_size, tile_sz);
+        max_tile = max_tile > tile_sz ? max_tile : tile_sz;
         total_size += 4;
       }
 
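Review bot: `assert(residual_bc.pos > 0);` is the only thing that keeps `residual_bc.pos - CONFIG_MISC_FIXES` from wrapping, and it is compiled out when NDEBUG is defined. In such a build a zero `pos` would be written by `mem_put_le32` as an all-ones tile size and would also become `max_tile`. The second vp10/vp10_cx_iface.c hunk has the same pattern with `assert(ctx->pending_frame_sizes[i] > 0);`. If an empty tile cannot occur, a comment stating why is enough (for example `// vpx_stop_encode() always emits at least one byte`, if that holds); otherwise the condition needs a runtime check that reports through the encoder's error path. The enclosing loop and function lie outside the hunk, so this is judged from the visible lines only.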
--- a/vp10/vp10_cx_iface.c
+++ b/vp10/vp10_cx_iface.c
@@ -795,7 +795,7 @@
   marker |= ctx->pending_frame_count - 1;
 #if CONFIG_MISC_FIXES
   for (i = 0; i < ctx->pending_frame_count - 1; i++) {
-    const size_t frame_sz = (unsigned int) ctx->pending_frame_sizes[i];
+    const size_t frame_sz = (unsigned int) ctx->pending_frame_sizes[i] - 1;
     max_frame_sz = frame_sz > max_frame_sz ? frame_sz : max_frame_sz;
   }
 #endif
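Review bot: The new `- 1` on `frame_sz` has no zero guard: the `(unsigned int)` cast binds before the subtraction, so a zero entry in `ctx->pending_frame_sizes` becomes UINT_MAX and ends up in `max_frame_sz`. This loop appears earlier in the file than the `assert` added in the next hunk, and that assert is absent under NDEBUG in any case. `max_frame_sz` presumably determines the width of the size fields further down (outside this hunk), so the result would be a malformed superframe index. I would check for a zero size once before this loop and write `- CONFIG_MISC_FIXES` here, as the other hunks do, so the two places cannot drift apart.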
@@ -836,8 +836,10 @@
 
     *x++ = marker;
     for (i = 0; i < ctx->pending_frame_count - CONFIG_MISC_FIXES; i++) {
-      unsigned int this_sz = (unsigned int)ctx->pending_frame_sizes[i];
+      unsigned int this_sz;
 
+      assert(ctx->pending_frame_sizes[i] > 0);
+      this_sz = (unsigned int)ctx->pending_frame_sizes[i] - CONFIG_MISC_FIXES;
       for (j = 0; j <= mag; j++) {
         *x++ = this_sz & 0xff;
         this_sz >>= 8;