From 76d588902aaab35c639d9ef376f891af6c7f291a Mon Sep 17 00:00:00 2001
From: Jerome Jiang
Date: Tue, 20 Mar 2018 10:34:26 -0700
Subject: [PATCH] Fix vpxdec fuzz failure.

BUG=webm:1495

Change-Id: Ibaee35aa5e8e00847c61e707f2c9b4c0cff23673
---
 test/invalid_file_test.cc | 1 +
 test/test-data.mk | 2 ++
 test/test-data.sha1 | 2 ++
 vp8/decoder/decodeframe.c | 6 ++++++
 4 files changed, 11 insertions(+)

diff --git a/test/invalid_file_test.cc b/test/invalid_file_test.cc
index 43a4c69..9cfaa1f 100644
--- a/test/invalid_file_test.cc
+++ b/test/invalid_file_test.cc
@@ -124,6 +124,7 @@ TEST_P(InvalidFileTest, ReturnCode) { RunTest(); }
 const DecodeParam kVP8InvalidFileTests[] = {
 { 1, "invalid-bug-1443.ivf" },
 { 1, "invalid-token-partition.ivf" },
+ { 1, "invalid-vp80-00-comprehensive-s17661_r01-05_b6-.ivf" },
 };
 
 VP8_INSTANTIATE_TEST_CASE(InvalidFileTest,
diff --git a/test/test-data.mk b/test/test-data.mk
index 7ca11bc..4be6c66 100644
--- a/test/test-data.mk
+++ b/test/test-data.mk
@@ -738,6 +738,8 @@ LIBVPX_TEST_DATA-$(CONFIG_VP8_DECODER) += invalid-token-partition.ivf
 LIBVPX_TEST_DATA-$(CONFIG_VP8_DECODER) += invalid-token-partition.ivf.res
 LIBVPX_TEST_DATA-$(CONFIG_VP8_DECODER) += invalid-vp80-00-comprehensive-018.ivf.2kf_0x6.ivf
 LIBVPX_TEST_DATA-$(CONFIG_VP8_DECODER) += invalid-vp80-00-comprehensive-018.ivf.2kf_0x6.ivf.res
+LIBVPX_TEST_DATA-$(CONFIG_VP8_DECODER) += invalid-vp80-00-comprehensive-s17661_r01-05_b6-.ivf
+LIBVPX_TEST_DATA-$(CONFIG_VP8_DECODER) += invalid-vp80-00-comprehensive-s17661_r01-05_b6-.ivf.res
 LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-01-v3.webm
 LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-01-v3.webm.res
 LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-02-v2.webm
diff --git a/test/test-data.sha1 b/test/test-data.sha1
index 3a23ff5..9cb9d58 100644
--- a/test/test-data.sha1
+++ b/test/test-data.sha1
@@ -856,3 +856,5 @@ fd3020fa6e9ca5966206738654c97dec313b0a95 *invalid-bug-1443.ivf.res
 90a8a95e7024f015b87f5483a65036609b3d1b74 *invalid-token-partition.ivf.res
 17696cd21e875f1d6e5d418cbf89feab02c8850a *vp90-2-22-svc_1280x720_1.webm
 e2f9e1e47a791b4e939a9bdc50bf7a25b3761f77 *vp90-2-22-svc_1280x720_1.webm.md5
+a0fbbbc5dd50fd452096f4455a58c1a8c9f66697 *invalid-vp80-00-comprehensive-s17661_r01-05_b6-.ivf
+a61774cf03fc584bd9f0904fc145253bb8ea6c4c *invalid-vp80-00-comprehensive-s17661_r01-05_b6-.ivf.res
diff --git a/vp8/decoder/decodeframe.c b/vp8/decoder/decodeframe.c
index 8bfd3ce..0d54a94 100644
--- a/vp8/decoder/decodeframe.c
+++ b/vp8/decoder/decodeframe.c
@@ -686,6 +686,12 @@ static unsigned int read_available_partition_size(
 const unsigned char *partition_size_ptr = token_part_sizes + i * 3;
 unsigned int partition_size = 0;
 ptrdiff_t bytes_left = fragment_end - fragment_start;
+ if (bytes_left < 0) {
+ vpx_internal_error(
+ &pc->error, VPX_CODEC_CORRUPT_FRAME,
+ "Truncated packet or corrupt partition. No bytes left %d.",
+ (int)bytes_left);
+ }
 /* Calculate the length of this partition. The last partition
 * size is implicit. If the partition size can't be read, then
 * either use the remaining data in the buffer (for EC mode)
-- 
2.7.4
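Review bot: The new `bytes_left < 0` guard in read_available_partition_size stops decoding only if vpx_internal_error() does not return, and that helper unwinds via longjmp only when the error context's jump target has been armed, which this hunk does not show. If the call can return here, the negative `bytes_left` carries on into the partition-size logic described by the comment just below (the EC-mode path uses the remaining data), so a corrupt stream could still produce a bogus size. I would make the intent explicit, either with an early exit after the call (for example `return 0;`) or, once confirmed, a comment such as `/* does not return: pc->error.setjmp is armed by the decode entry point */`. Separately, `(int)bytes_left` can truncate a ptrdiff_t on 64-bit targets, so the logged value may not match the real difference. The function's body starts and ends outside the hunk, so the later uses of `bytes_left` are inferred from the visible comment only.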