generic-library/vpx
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix incorrect size reading

Browse Source 
Guard against incorrect size values moving *data past data_end.

Check read length against the difference of the buffers.

Change-Id: Ie0b54e2db517fd41a0f3ceb23402ee44839a4739
This commit is contained in:
Johann 2013-12-17 18:29:06 -08:00
parent af416c4daf
commit 85770264ac
1 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
vp9/decoder/vp9_decodeframe.c
View File

@ -76,9 +76,8 @@ static void setup_compound_reference(VP9_COMMON *cm) {
}
}
// len == 0 is not allowed
static int read_is_valid(const uint8_t *start, size_t len, const uint8_t *end) {
return start + len > start && start + len <= end;
return len != 0 && len <= end - start;
}
static int decode_unsigned_max(struct vp9_read_bit_buffer *rb, int max) {
@ -855,10 +854,14 @@ static size_t get_tile(const uint8_t *const data_end,
if (!is_last) {
if (!read_is_valid(*data, 4, data_end))
vpx_internal_error(error_info, VPX_CODEC_CORRUPT_FRAME,
"Truncated packet or corrupt tile length");
"Truncated packet or corrupt tile length");
size = read_be32(*data);
*data += 4;
if (size > data_end - *data)
vpx_internal_error(error_info, VPX_CODEC_CORRUPT_FRAME,
"Truncated packet or corrupt tile size");
} else {
size = data_end - *data;
}