}
static void setup_token_decoder(VP9D_COMP *pbi,
- const uint8_t *data,
+ const uint8_t *data, size_t read_size,
vp9_reader *r) {
VP9_COMMON *pc = &pbi->common;
const uint8_t *data_end = pbi->source + pbi->source_sz;
- const size_t partition_size = data_end - data;
// Validate the calculated partition length. If the buffer
// described by the partition can't be fully read, then restrict
// it to the portion that can be (for EC mode) or throw an error.
- if (!read_is_valid(data, partition_size, data_end))
+ if (!read_is_valid(data, read_size, data_end))
vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
- "Truncated packet or corrupt partition "
- "%d length", 1);
+ "Truncated packet or corrupt tile length");
- if (vp9_reader_init(r, data, partition_size))
+ if (vp9_reader_init(r, data, read_size))
vpx_internal_error(&pc->error, VPX_CODEC_MEM_ERROR,
"Failed to allocate bool decoder %d", 1);
}
VP9_COMMON *const pc = &pbi->common;
const uint8_t *data_ptr = data + first_partition_size;
+ const uint8_t* const data_end = pbi->source + pbi->source_sz;
int tile_row, tile_col;
// Note: this memset assumes above_context[0], [1] and [2]
vp9_get_tile_row_offsets(pc, tile_row);
for (tile_col = n_cols - 1; tile_col >= 0; tile_col--) {
vp9_get_tile_col_offsets(pc, tile_col);
- setup_token_decoder(pbi, data_ptr2[tile_row][tile_col], residual_bc);
+ setup_token_decoder(pbi, data_ptr2[tile_row][tile_col],
+ data_end - data_ptr2[tile_row][tile_col],
+ residual_bc);
decode_tile(pbi, residual_bc);
if (tile_row == pc->tile_rows - 1 && tile_col == n_cols - 1)
bc_bak = *residual_bc;
for (tile_row = 0; tile_row < pc->tile_rows; tile_row++) {
vp9_get_tile_row_offsets(pc, tile_row);
for (tile_col = 0; tile_col < pc->tile_columns; tile_col++) {
+ size_t size;
+
vp9_get_tile_col_offsets(pc, tile_col);
has_more = tile_col < pc->tile_columns - 1 ||
tile_row < pc->tile_rows - 1;
-
- setup_token_decoder(pbi, data_ptr + (has_more ? 4 : 0), residual_bc);
- decode_tile(pbi, residual_bc);
-
if (has_more) {
- const int size = read_be32(data_ptr);
- data_ptr += 4 + size;
+ if (!read_is_valid(data_ptr, 4, data_end))
+ vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
+ "Truncated packet or corrupt tile length");
+
+ size = read_be32(data_ptr);
+ data_ptr += 4;
+ } else {
+ size = data_end - data_ptr;
}
+
+ setup_token_decoder(pbi, data_ptr, size, residual_bc);
+ decode_tile(pbi, residual_bc);
+ data_ptr += size;
}
}
}
if (!read_is_valid(data, first_partition_size, data_end))
vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
- "Truncated packet or corrupt partition 0 length");
+ "Truncated packet or corrupt header length");
xd->mode_info_context = pc->mi;
xd->prev_mode_info_context = pc->prev_mi;