shithub: libvpx


ref: e975791564d9e478f907d72bcc1d335d8293d9e8
parent: 6d065ba3cb0110dea28661eee1ae2e9457f05cf7
parent: a8cfbbe33f0e43554eef93660610b70b42d1fcf3
author: James Zern <jzern@google.com>
date: Sat May 10 07:05:31 EDT 2014

Merge "vp9_dx_iface: subtract ptrs to validate frame_size"

--- a/vp9/vp9_dx_iface.c
+++ b/vp9/vp9_dx_iface.c
@@ -413,7 +413,8 @@
 
     for (i = 0; i < frame_count; ++i) {
       const uint32_t frame_size = frame_sizes[i];
-      if (data_start < data || data_start + frame_size >= data_end) {
+      if (data_start < data ||
+          frame_size > (uint32_t)(data_end - data_start)) {
         ctx->base.err_detail = "Invalid frame size in index";
         return VPX_CODEC_CORRUPT_FRAME;
       }
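Review bot: The new bound on the `+` lines casts `data_end - data_start` to `uint32_t` without first establishing that `data_start <= data_end`. If an earlier iteration can leave `data_start` past `data_end` (the code that advances it is outside this hunk, so this is inferred), the negative difference wraps to a large unsigned value and an oversized `frame_size` passes the check. Guarding the upper bound explicitly closes that gap: `if (data_start < data || data_start > data_end || frame_size > (size_t)(data_end - data_start)) {`. Comparing in `size_t` also avoids truncating the remaining length on 64-bit builds. Separately, the condition changed from `>=` to `>`, so a frame ending exactly at `data_end` is now accepted; a short comment such as `/* frame may extend to, but not past, data_end */` would record that this is intended.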