fix integer promotion bug in partition size check

The check '(user_data_end - partition < partition_size)' must be evaluated as a signed comparison, but because partition_size was unsigned, the LHS was promoted to unsigned, causing an incorrect result on 32-bit. Instead, check the upper and lower bounds of the segment separately. Change-Id: Ia01708be8492e64abb16b8157e816bd59e2472cf
Save XMM registers in asm functions
2010-11-08 16:56:11 -05:00 · 2010-11-08 16:55:44 -05:00
4 changed files with 16 additions and 4 deletions
--- a/vp8/decoder/decodframe.c
+++ b/vp8/decoder/decodframe.c
@ -461,7 +461,8 @@ static void setup_token_decoder(VP8D_COMP *pbi,
            partition_size = user_data_end - partition;
        }

-        if (user_data_end - partition < partition_size)
+        if (partition + partition_size > user_data_end
+            || partition + partition_size < partition)
            vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
                               "Truncated packet or corrupt partition "
                               "%d length", i + 1);
@ -580,7 +581,8 @@ int vp8_decode_frame(VP8D_COMP *pbi)
        (data[0] | (data[1] << 8) | (data[2] << 16)) >> 5;
    data += 3;

-    if (data_end - data < first_partition_length_in_bytes)
+    if (data + first_partition_length_in_bytes > data_end
+        || data + first_partition_length_in_bytes < data)
        vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
                           "Truncated packet or corrupt partition 0 length");
    vp8_setup_version(pc);
--- a/vp8/encoder/x86/fwalsh_sse2.asm
+++ b/vp8/encoder/x86/fwalsh_sse2.asm
@ -17,6 +17,7 @@ sym(vp8_short_walsh4x4_sse2):
    push        rbp
    mov         rbp, rsp
    SHADOW_ARGS_TO_STACK 3
+    SAVE_XMM
    GET_GOT     rbx
    push        rsi
    push        rdi
@ -143,6 +144,7 @@ sym(vp8_short_walsh4x4_sse2):
    pop rdi
    pop rsi
    RESTORE_GOT
+    RESTORE_XMM
    UNSHADOW_ARGS
    pop         rbp
    ret
--- a/vp8/encoder/x86/subtract_sse2.asm
+++ b/vp8/encoder/x86/subtract_sse2.asm
@ -77,6 +77,7 @@ sym(vp8_subtract_mby_sse2):
    push        rbp
    mov         rbp, rsp
    SHADOW_ARGS_TO_STACK 4
+    SAVE_XMM
    GET_GOT     rbx
    push rsi
    push rdi
@ -138,6 +139,7 @@ submby_loop:
    pop rsi
    ; begin epilog
    RESTORE_GOT
+    RESTORE_XMM
    UNSHADOW_ARGS
    pop         rbp
    ret
--- a/vp8/vp8_dx_iface.c
+++ b/vp8/vp8_dx_iface.c
@ -253,8 +253,11 @@ static vpx_codec_err_t vp8_peek_si(const uint8_t         *data,
                                   unsigned int           data_sz,
                                   vpx_codec_stream_info_t *si)
 {
-
    vpx_codec_err_t res = VPX_CODEC_OK;
+
+    if(data + data_sz <= data)
+        res = VPX_CODEC_INVALID_PARAM;
+    else
    {
        /* Parse uncompresssed part of key frame header.
         * 3 bytes:- including version, frame type and an offset
@ -331,7 +334,10 @@ static vpx_codec_err_t vp8_decode(vpx_codec_alg_priv_t  *ctx,

    ctx->img_avail = 0;

-    /* Determine the stream parameters */
+    /* Determine the stream parameters. Note that we rely on peek_si to
+     * validate that we have a buffer that does not wrap around the top
+     * of the heap.
+     */
    if (!ctx->si.h)
        res = ctx->base.iface->dec.peek_si(data, data_sz, &ctx->si);