Fix incorrect size reading

author Johann <johannkoenig@google.com>

Wed, 18 Dec 2013 02:29:06 +0000 (18:29 -0800)

committer Johann <johannkoenig@google.com>

Wed, 18 Dec 2013 02:48:55 +0000 (18:48 -0800)
author Johann <johannkoenig@google.com>
Wed, 18 Dec 2013 02:29:06 +0000 (18:29 -0800)
committer Johann <johannkoenig@google.com>
Wed, 18 Dec 2013 02:48:55 +0000 (18:48 -0800)
diff --git a/vp9/decoder/vp9_decodeframe.c b/vp9/decoder/vp9_decodeframe.c

index c167004..eb2d8b5 100644 (file)
--- a/vp9/decoder/vp9_decodeframe.c
+++ b/vp9/decoder/vp9_decodeframe.c
@@ -76,9 +76,8 @@ static void setup_compound_reference(VP9_COMMON *cm) {
    }
  }
  
-// len == 0 is not allowed
  static int read_is_valid(const uint8_t *start, size_t len, const uint8_t *end) {
-  return start + len > start && start + len <= end;
+  return len != 0 && len <= end - start;
  }
  
  static int decode_unsigned_max(struct vp9_read_bit_buffer *rb, int max) {
@@ -855,10 +854,14 @@ static size_t get_tile(const uint8_t *const data_end,
    if (!is_last) {
      if (!read_is_valid(*data, 4, data_end))
        vpx_internal_error(error_info, VPX_CODEC_CORRUPT_FRAME,
-          "Truncated packet or corrupt tile length");
+                         "Truncated packet or corrupt tile length");
  
      size = read_be32(*data);
      *data += 4;
+
+    if (size > data_end - *data)
+      vpx_internal_error(error_info, VPX_CODEC_CORRUPT_FRAME,
+                         "Truncated packet or corrupt tile size");
    } else {
      size = data_end - *data;
    }
author	Johann <johannkoenig@google.com>
	Wed, 18 Dec 2013 02:29:06 +0000 (18:29 -0800)
committer	Johann <johannkoenig@google.com>
	Wed, 18 Dec 2013 02:48:55 +0000 (18:48 -0800)