From: Wan-Teh Chang <wtc@google.com>
Date: Tue, 24 Jul 2018 19:14:54 +0000 (-0700)
Subject: Check size limit in vpx_realloc_frame_buffer.
X-Git-Tag: v1.8.0~497
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=94a65e8fbaa3e50b686147b4dd75c79c2154c2d6;p=platform%2Fupstream%2Flibvpx.git

Check size limit in vpx_realloc_frame_buffer.

If CONFIG_SIZE_LIMIT is defined, vpx_realloc_frame_buffer should fail if
width or height is too big.

This carries over commit ebc2714d71a834fc32a19eef0a81f51fbc47db01 of
libaom: https://aomedia-review.googlesource.com/c/aom/+/65521

Change-Id: Id7645c5cefbe1847714695d41f506ff30ea985f6
---

diff --git a/vpx_scale/generic/yv12config.c b/vpx_scale/generic/yv12config.c
index 220b8be..0fdba7b 100644
--- a/vpx_scale/generic/yv12config.c
+++ b/vpx_scale/generic/yv12config.c
@@ -143,6 +143,10 @@ int vpx_realloc_frame_buffer(YV12_BUFFER_CONFIG *ybf, int width, int height,
                              vpx_codec_frame_buffer_t *fb,
                              vpx_get_frame_buffer_cb_fn_t cb, void *cb_priv) {
   if (ybf) {
+#if CONFIG_SIZE_LIMIT
+    if (width > DECODE_WIDTH_LIMIT || height > DECODE_HEIGHT_LIMIT) return -1;
+#endif
+
     const int vp9_byte_align = (byte_alignment == 0) ? 1 : byte_alignment;
     const int aligned_width = (width + 7) & ~7;
     const int aligned_height = (height + 7) & ~7;