From 85770264ac891505730dcd5092d1993a62c74060 Mon Sep 17 00:00:00 2001
From: Johann
Date: Tue, 17 Dec 2013 18:29:06 -0800
Subject: [PATCH] Fix incorrect size reading

Guard against incorrect size values moving *data past data_end. Check read length against the difference of the buffers.

Change-Id: Ie0b54e2db517fd41a0f3ceb23402ee44839a4739
---
 vp9/decoder/vp9_decodeframe.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/vp9/decoder/vp9_decodeframe.c b/vp9/decoder/vp9_decodeframe.c
index c167004..eb2d8b5 100644
--- a/vp9/decoder/vp9_decodeframe.c
+++ b/vp9/decoder/vp9_decodeframe.c
@@ -76,9 +76,8 @@ static void setup_compound_reference(VP9_COMMON *cm) {
 }
 }
 
-// len == 0 is not allowed
 static int read_is_valid(const uint8_t *start, size_t len, const uint8_t *end) {
- return start + len > start && start + len <= end;
+ return len != 0 && len <= end - start;
 }
 
 static int decode_unsigned_max(struct vp9_read_bit_buffer *rb, int max) {
@@ -855,10 +854,14 @@ static size_t get_tile(const uint8_t *const data_end,
 if (!is_last) {
 if (!read_is_valid(*data, 4, data_end))
 vpx_internal_error(error_info, VPX_CODEC_CORRUPT_FRAME,
- "Truncated packet or corrupt tile length");
+ "Truncated packet or corrupt tile length");
 
 size = read_be32(*data);
 *data += 4;
+
+ if (size > data_end - *data)
+ vpx_internal_error(error_info, VPX_CODEC_CORRUPT_FRAME,
+ "Truncated packet or corrupt tile size");
 } else {
 size = data_end - *data;
 }
-- 
2.7.4
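Review bot: The new `len <= end - start` in read_is_valid compares a size_t with a signed pointer difference, so if a caller ever passes `start` beyond `end` the negative difference is converted to a very large unsigned value on common platforms and the check passes. The old `start + len <= end` form would have rejected that case, so this is a quiet change in behaviour for an out-of-range `start`. Whether any caller can do that is not visible here, but the guard is cheap: `return len != 0 && start <= end && len <= (size_t)(end - start);`. The added `size > data_end - *data` in get_tile has the same mixed signedness and is only safe because the 4-byte check just above it keeps `*data` at or before `data_end`. An explicit `(size_t)` cast there would make that dependency visible.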
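Review bot: Neither error branch in this get_tile hunk stops execution on its own. After the first `vpx_internal_error` call the code still runs `read_be32(*data)` and `*data += 4`, and after the added size check `size` is still handed to the rest of the function, which continues outside the hunk. The bounds checks therefore only protect the reads if vpx_internal_error never returns to its caller, which this page does not show. If it can return under some configuration, the exit should be made explicit. Otherwise the assumption is worth recording next to the checks, for example `// vpx_internal_error() does not return; the reads below depend on that`.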