Merge "Improve handling of invalid frames."

Change-Id: Icef5226a70260607c190126c1c0cc28b796e759c

Merge "Improve handling of invalid frames."
3b9e72b2 · John Koleszar · 8f75ea6b · 09bcc1f7 · 3b9e72b2 · 3b9e72b2
Commit 3b9e72b2 authored 14 years ago by John Koleszar
--- a/vp8/decoder/decodframe.c
+++ b/vp8/decoder/decodframe.c
@@ -459,7 +459,7 @@ static void setup_token_decoder(VP8D_COMP *pbi,
            partition_size = user_data_end - partition;
        }
-        if (partition + partition_size > user_data_end)
+        if (user_data_end - partition < partition_size)
            vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
                               "Truncated packet or corrupt partition "
                               "%d length", i + 1);
@@ -561,12 +561,15 @@ int vp8_decode_frame(VP8D_COMP *pbi)
    MACROBLOCKD *const xd  = & pbi->mb;
    const unsigned char *data = (const unsigned char *)pbi->Source;
    const unsigned char *const data_end = data + pbi->source_sz;
-    int first_partition_length_in_bytes;
+    unsigned int first_partition_length_in_bytes;
    int mb_row;
    int i, j, k, l;
    const int *const mb_feature_data_bits = vp8_mb_feature_data_bits;
+    if (data_end - data < 3)
+        vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
+                           "Truncated packet");
    pc->frame_type = (FRAME_TYPE)(data[0] & 1);
    pc->version = (data[0] >> 1) & 7;
    pc->show_frame = (data[0] >> 4) & 1;
@@ -574,7 +577,7 @@ int vp8_decode_frame(VP8D_COMP *pbi)
        (data[0] | (data[1] << 8) | (data[2] << 16)) >> 5;
    data += 3;
-    if (data + first_partition_length_in_bytes > data_end)
+    if (data_end - data < first_partition_length_in_bytes)
        vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
                           "Truncated packet or corrupt partition 0 length");
    vp8_setup_version(pc);

--- a/vp8/decoder/onyxd_if.c
+++ b/vp8/decoder/onyxd_if.c
@@ -327,9 +327,13 @@ int vp8dx_receive_compressed_data(VP8D_PTR ptr, unsigned long size, const unsign
    pbi->common.error.error_code = VPX_CODEC_OK;
+    cm->new_fb_idx = get_free_fb (cm);
    if (setjmp(pbi->common.error.jmp))
    {
        pbi->common.error.setjmp = 0;
+        if (cm->fb_idx_ref_cnt[cm->new_fb_idx] > 0)
+          cm->fb_idx_ref_cnt[cm->new_fb_idx]--;
        return -1;
    }
@@ -345,8 +349,6 @@ int vp8dx_receive_compressed_data(VP8D_PTR ptr, unsigned long size, const unsign
    pbi->Source = source;
    pbi->source_sz = size;
-    cm->new_fb_idx = get_free_fb (cm);
    retcode = vp8_decode_frame(pbi);
    if (retcode < 0)
@@ -356,6 +358,8 @@ int vp8dx_receive_compressed_data(VP8D_PTR ptr, unsigned long size, const unsign
 #endif
        pbi->common.error.error_code = VPX_CODEC_ERROR;
        pbi->common.error.setjmp = 0;
+        if (cm->fb_idx_ref_cnt[cm->new_fb_idx] > 0)
+          cm->fb_idx_ref_cnt[cm->new_fb_idx]--;
        return retcode;
    }