From 85f7e2e4280feff1a7d596351d3f5e66f14795cb Mon Sep 17 00:00:00 2001
From: James Zern
Date: Fri, 21 Apr 2017 11:59:44 -0700
Subject: [PATCH] webm_info,PrintVP9Info: validate alt ref sizes fixes out of bounds reads with corrupted bitstreams BUG=webm:1416,webm:1417 Change-Id: Ia643708b4b74d153a7b1dee1c4cbcab7f79d7111
---
 common/vp9_header_parser_tests.cc | 28 ++++++++++++++++++
 .../invalid_vp9_bitstream-bug_1416.webm | Bin 0 -> 12847 bytes
 .../invalid_vp9_bitstream-bug_1417.webm | Bin 0 -> 11448 bytes
 webm_info.cc | 6 ++++
 4 files changed, 34 insertions(+)
 create mode 100644 testing/testdata/invalid/invalid_vp9_bitstream-bug_1416.webm
 create mode 100644 testing/testdata/invalid/invalid_vp9_bitstream-bug_1417.webm
diff --git a/common/vp9_header_parser_tests.cc b/common/vp9_header_parser_tests.cc
index e20ad98..1e8eceb 100644
--- a/common/vp9_header_parser_tests.cc
+++ b/common/vp9_header_parser_tests.cc
@@ -59,6 +59,18 @@ class Vp9HeaderParserTests : public ::testing::Test {
 CreateAndLoadSegment(filename, 4);
 }
+ // Load a corrupted segment with no expectation of correctness.
+ void CreateAndLoadInvalidSegment(const std::string& filename) {
+ filename_ = test::GetTestFilePath(filename);
+ ASSERT_EQ(0, reader_.Open(filename_.c_str()));
+ is_reader_open_ = true;
+ pos_ = 0;
+ mkvparser::EBMLHeader ebml_header;
+ ebml_header.Parse(&reader_, pos_);
+ ASSERT_EQ(0, mkvparser::Segment::CreateInstance(&reader_, pos_, segment_));
+ ASSERT_GE(0, segment_->Load());
+ }
+
 void ProcessTheFrames(bool invalid_bitstream) {
 unsigned char* data = NULL;
 size_t data_len = 0;
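Review bot: In `CreateAndLoadInvalidSegment` the result of `ebml_header.Parse(&reader_, pos_)` is dropped without explanation, and `ASSERT_GE(0, segment_->Load())` is easy to misread because it passes for any return value that is zero or negative. Because the helper exists to feed corrupted files, both lines deserve a why-comment: `// Return value ignored on purpose: the EBML header may itself be corrupt.` above the Parse call and `// Load() may report an error on corrupt input; only a positive return is unexpected.` above the ASSERT_GE. The helper also overwrites `segment_` through `CreateInstance` without checking that it is null, so the header comment should say that callers must delete and reset `segment_` between files.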
@@ -137,6 +149,22 @@ TEST_F(Vp9HeaderParserTests, Muxed) { EXPECT_EQ(1, parser_.frame_parallel_mode()); } +TEST_F(Vp9HeaderParserTests, Invalid) { + const char* files[] = { + "invalid/invalid_vp9_bitstream-bug_1416.webm", + "invalid/invalid_vp9_bitstream-bug_1417.webm", + }; + + for (int i = 0; i < static_cast(sizeof(files) / sizeof(files[0])); ++i) { + SCOPED_TRACE(files[i]); + ASSERT_NO_FATAL_FAILURE(CreateAndLoadInvalidSegment(files[i])); + ProcessTheFrames(true); + CloseReader(); + delete segment_; + segment_ = NULL; + } +} + } // namespace int main(int argc, char* argv[]) { diff --git a/testing/testdata/invalid/invalid_vp9_bitstream-bug_1416.webm b/testing/testdata/invalid/invalid_vp9_bitstream-bug_1416.webm new file mode 100644 index 0000000000000000000000000000000000000000..ac76dce86be63a13600d01d598f3dfbf563acfa7 GIT binary patch literal 12847 zcmeIzF-yZh6u|MO-#|erF8u-yZ*_5K+QC5(EO8VSbZ{*0eN8Pcg1dslxwsS^bnqMa z3F4+sE`ErYZ$JGm zz4zbC%GUj{&$nZ_##XoGvXu4SRKF)zrTf-t%SAD?+8v+zfRAH;v6*PlGrJqD*|cE|MbC@ZdIOsQaiL1 zj^sLD@@v}+pU?88B3~-5-M1Vl2q1vKp9r`_tJ&9u>wMd)p(X0#3Aol9ugl^+R!$`1 z!bU~^7<3VsQ-Rks@2r{A1CTZX2q1s}0tg_000IagfB*srAbGe|^iJb=w~A(aqU&_W0(rc9?r%Ef-)u8L(2V7F-mBUTpPASXzf zbZI<bJ*)lqxa+OQ zZr*#HHPO|VMLzX&aS7!u&z$!_mc^qw+`hUmx?6W?eHlMgt(Eb#E&FvbAH9s89unj0 z!?OLj-pVc(IT#sezeY6Fv(es9^Kw&ujiev8l$9@ubaPF68id!hUorqa2q1t!slaEJ zwOeVKBmxK^fB*srAb 0) ? sizes[i] : size; + if (frame_length > std::numeric_limits::max() || + static_cast(frame_length) > size) { + fprintf(o, " invalid VP9 frame size (%u)\n", + static_cast(frame_length)); + return; + } parser->SetFrame(data, frame_length); parser->ParseUncompressedHeader(); level_stats->AddFrame(*parser, time_ns);
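Review bot: The new `Invalid` test asserts nothing about the parse result, so it passes whenever `ProcessTheFrames(true)` does not crash; an out-of-bounds read like the one this commit fixes will usually only fail it in a sanitizer build. A comment above the test should say so, for example `// Regression test for webm:1416/1417; only meaningful when run under ASan/MSan.` The size check itself lands in `PrintVP9Info` in webm_info.cc, which this test does not call, so whether the fixed path is covered depends on `ProcessTheFrames`, whose body is outside the hunk. If `ASSERT_NO_FATAL_FAILURE` fires, the loop's `CloseReader()` and `delete segment_` are skipped, which is fine only if the fixture teardown releases them (not visible here).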
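Review bot: The new check in `PrintVP9Info` compares each `frame_length` with `size`, but nothing visible shows `size` and `data` being advanced by the lengths already consumed; the header and leading context of this webm_info.cc hunk are missing from this copy and the loop body continues past it. If `size` stays at the full block size, several alt-ref sizes that are each in range can still sum past the end of the buffer. Unless the lines after `level_stats->AddFrame(*parser, time_ns);` already do so, the loop needs `data += frame_length; size -= frame_length;` so the bound is the bytes remaining. A one-line comment above the check, `// sizes[] is read from the bitstream and is untrusted; reject lengths beyond the remaining block.`, would record why the early `return` is there.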