From c59c84fc741a59ec8ecad9aec30e4feadb43913f Mon Sep 17 00:00:00 2001 From: Johann Date: Tue, 30 Jan 2018 11:12:08 -0800 Subject: [PATCH] vp8 bool: verify buffer size In the process of fixing a ubsan warning: commit 738b829b8cdf079a5fa48c74a28a177c9567d212 Fix incorrect size reading the inferred check of start < end was removed. This causes fuzzed files to get a little further and segfault in vp8dx_start_decode. Change-Id: I316e23058753ba42dbcc46d27eb575f51c8a9e9a --- test/invalid_file_test.cc | 1 + test/test-data.mk | 2 ++ test/test-data.sha1 | 2 ++ vp8/decoder/decodeframe.c | 2 +- 4 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/test/invalid_file_test.cc b/test/invalid_file_test.cc
index 79220b0f6..43a4c6929 100644
--- a/test/invalid_file_test.cc
+++ b/test/invalid_file_test.cc
@@ -123,6 +123,7 @@ TEST_P(InvalidFileTest, ReturnCode) { RunTest(); }
 #if CONFIG_VP8_DECODER
 const DecodeParam kVP8InvalidFileTests[] = {
   { 1, "invalid-bug-1443.ivf" },
+  { 1, "invalid-token-partition.ivf" },
 };
 
 VP8_INSTANTIATE_TEST_CASE(InvalidFileTest,
diff --git a/test/test-data.mk b/test/test-data.mk
index f405e4ef1..7ca11bc9c 100644
--- a/test/test-data.mk
+++ b/test/test-data.mk
@@ -734,6 +734,8 @@ endif # CONFIG_VP9_HIGHBITDEPTH
 # Invalid files for testing libvpx error checking.
 LIBVPX_TEST_DATA-$(CONFIG_VP8_DECODER) += invalid-bug-1443.ivf
 LIBVPX_TEST_DATA-$(CONFIG_VP8_DECODER) += invalid-bug-1443.ivf.res
+LIBVPX_TEST_DATA-$(CONFIG_VP8_DECODER) += invalid-token-partition.ivf
+LIBVPX_TEST_DATA-$(CONFIG_VP8_DECODER) += invalid-token-partition.ivf.res
 LIBVPX_TEST_DATA-$(CONFIG_VP8_DECODER) += invalid-vp80-00-comprehensive-018.ivf.2kf_0x6.ivf
 LIBVPX_TEST_DATA-$(CONFIG_VP8_DECODER) += invalid-vp80-00-comprehensive-018.ivf.2kf_0x6.ivf.res
 LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-01-v3.webm
diff --git a/test/test-data.sha1 b/test/test-data.sha1
index 99b4e1e46..3a23ff5db 100644
--- a/test/test-data.sha1
+++ b/test/test-data.sha1
@@ -852,5 +852,7 @@ e402cbbf9e550ae017a1e9f1f73931c1d18474e8 *invalid-crbug-667044.webm
 d3964f9dad9f60363c81b688324d95b4ec7c8038 *invalid-crbug-667044.webm.res
 fd9df7f3f6992af1d7a9dde975c9a0d6f28c053d *invalid-bug-1443.ivf
 fd3020fa6e9ca5966206738654c97dec313b0a95 *invalid-bug-1443.ivf.res
+1a0e405606939f2febab1a21b30c37cb8f2c8cb1 *invalid-token-partition.ivf
+90a8a95e7024f015b87f5483a65036609b3d1b74 *invalid-token-partition.ivf.res
 17696cd21e875f1d6e5d418cbf89feab02c8850a *vp90-2-22-svc_1280x720_1.webm
 e2f9e1e47a791b4e939a9bdc50bf7a25b3761f77 *vp90-2-22-svc_1280x720_1.webm.md5
diff --git a/vp8/decoder/decodeframe.c b/vp8/decoder/decodeframe.c
index c208f6141..8bfd3cea3 100644
--- a/vp8/decoder/decodeframe.c
+++ b/vp8/decoder/decodeframe.c
@@ -674,7 +674,7 @@ static unsigned int read_partition_size(VP8D_COMP *pbi,
 
 static int read_is_valid(const unsigned char *start, size_t len,
                         const unsigned char *end) {
-  return len != 0 && len <= (size_t)(end - start);
+  return len != 0 && end > start && len <= (size_t)(end - start);
 }
 
 static unsigned int read_available_partition_size(
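Review bot: The new `end > start` term in read_is_valid carries no comment, and the reason it must precede the subtraction is exactly the regression this commit repairs: when start lies past end, `end - start` is a negative ptrdiff_t, and the cast to size_t turns it into a huge value that makes `len <= ...` pass for any length. I would add above the return `/* Check ordering before subtracting: a negative (end - start) cast to size_t wraps to a huge value and would make the length check pass. */` so the next cleanup does not drop the term again as "inferred". Whether start and end can be guaranteed to point into the same buffer (the precondition for the subtraction being defined) is decided by the callers, which lie outside this hunk; a short `@param` line stating that both must point into the same partition buffer would make that contract explicit.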