Merge commit 'fix integer promotion bug in partition size check'
Change-Id: I4081917b46013fa8f4218cade8bd12cb2d013aee
This commit is contained in:
commit
4d1b0d2a2d
@ -461,7 +461,8 @@ static void setup_token_decoder(VP8D_COMP *pbi,
|
|||||||
partition_size = user_data_end - partition;
|
partition_size = user_data_end - partition;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (user_data_end - partition < partition_size)
|
if (partition + partition_size > user_data_end
|
||||||
|
|| partition + partition_size < partition)
|
||||||
vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
|
vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
|
||||||
"Truncated packet or corrupt partition "
|
"Truncated packet or corrupt partition "
|
||||||
"%d length", i + 1);
|
"%d length", i + 1);
|
||||||
@ -580,7 +581,8 @@ int vp8_decode_frame(VP8D_COMP *pbi)
|
|||||||
(data[0] | (data[1] << 8) | (data[2] << 16)) >> 5;
|
(data[0] | (data[1] << 8) | (data[2] << 16)) >> 5;
|
||||||
data += 3;
|
data += 3;
|
||||||
|
|
||||||
if (data_end - data < first_partition_length_in_bytes)
|
if (data + first_partition_length_in_bytes > data_end
|
||||||
|
|| data + first_partition_length_in_bytes < data)
|
||||||
vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
|
vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
|
||||||
"Truncated packet or corrupt partition 0 length");
|
"Truncated packet or corrupt partition 0 length");
|
||||||
vp8_setup_version(pc);
|
vp8_setup_version(pc);
|
||||||
|
@ -253,8 +253,11 @@ static vpx_codec_err_t vp8_peek_si(const uint8_t *data,
|
|||||||
unsigned int data_sz,
|
unsigned int data_sz,
|
||||||
vpx_codec_stream_info_t *si)
|
vpx_codec_stream_info_t *si)
|
||||||
{
|
{
|
||||||
|
|
||||||
vpx_codec_err_t res = VPX_CODEC_OK;
|
vpx_codec_err_t res = VPX_CODEC_OK;
|
||||||
|
|
||||||
|
if(data + data_sz <= data)
|
||||||
|
res = VPX_CODEC_INVALID_PARAM;
|
||||||
|
else
|
||||||
{
|
{
|
||||||
/* Parse uncompresssed part of key frame header.
|
/* Parse uncompresssed part of key frame header.
|
||||||
* 3 bytes:- including version, frame type and an offset
|
* 3 bytes:- including version, frame type and an offset
|
||||||
@ -331,7 +334,10 @@ static vpx_codec_err_t vp8_decode(vpx_codec_alg_priv_t *ctx,
|
|||||||
|
|
||||||
ctx->img_avail = 0;
|
ctx->img_avail = 0;
|
||||||
|
|
||||||
/* Determine the stream parameters */
|
/* Determine the stream parameters. Note that we rely on peek_si to
|
||||||
|
* validate that we have a buffer that does not wrap around the top
|
||||||
|
* of the heap.
|
||||||
|
*/
|
||||||
if (!ctx->si.h)
|
if (!ctx->si.h)
|
||||||
res = ctx->base.iface->dec.peek_si(data, data_sz, &ctx->si);
|
res = ctx->base.iface->dec.peek_si(data, data_sz, &ctx->si);
|
||||||
|
|
||||||
|
Loading…
x
Reference in New Issue
Block a user