vp9_dx_iface: subtract ptrs to validate frame_size

Change-Id: Ic5a6a4a2fec802d9c9c7a71dbae59d5b4d3a8b23
2014-05-08 20:20:20 -07:00 · 2014-05-08 20:20:20 -07:00 · a8cfbbe33f
commit a8cfbbe33f
parent 4aa7691225
1 changed files with 2 additions and 1 deletions
--- a/vp9/vp9_dx_iface.c
+++ b/vp9/vp9_dx_iface.c
@ -417,7 +417,8 @@ static vpx_codec_err_t decoder_decode(vpx_codec_alg_priv_t *ctx,

    for (i = 0; i < frame_count; ++i) {
      const uint32_t frame_size = frame_sizes[i];
-      if (data_start < data || data_start + frame_size >= data_end) {
+      if (data_start < data ||
+          frame_size > (uint32_t)(data_end - data_start)) {
        ctx->base.err_detail = "Invalid frame size in index";
        return VPX_CODEC_CORRUPT_FRAME;
      }