From 738b829b8cdf079a5fa48c74a28a177c9567d212 Mon Sep 17 00:00:00 2001
From: Johann
Date: Fri, 26 Jan 2018 15:50:50 -0800
Subject: [PATCH] Fix incorrect size reading Cherry pick from vp9: commit 85770264ac891505730dcd5092d1993a62c74060 Guard against incorrect size values moving *data past data_end. Check read length against the difference of the buffers.
Change-Id: I5e8679ddd447c4d73deb80be5ec94841a92c5fcd
---
 vp8/decoder/decodeframe.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vp8/decoder/decodeframe.c b/vp8/decoder/decodeframe.c
index 077bd3da2..c208f6141 100644
--- a/vp8/decoder/decodeframe.c
+++ b/vp8/decoder/decodeframe.c
@@ -674,7 +674,7 @@ static unsigned int read_partition_size(VP8D_COMP *pbi,
 static int read_is_valid(const unsigned char *start, size_t len, const unsigned char *end) {
- return (start + len > start && start + len <= end);
+ return len != 0 && len <= (size_t)(end - start);
 }
 static unsigned int read_available_partition_size(
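Review bot: The new bound `len <= (size_t)(end - start)` in read_is_valid() only holds if `end >= start`; when `start` lies past `end` the pointer difference is negative and converts to a very large size_t, so any non-zero `len` would be accepted. The callers are outside this hunk, so whether that ordering is already guaranteed cannot be confirmed from here. If it is not, `return len != 0 && start <= end && len <= (size_t)(end - start);` closes the gap. If it is, a short comment above the function such as `/* Requires start <= end. A zero len is reported as invalid. */` would record the precondition and keep later callers from breaking it.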