Commit 85770264 authored by Johann's avatar Johann

Fix incorrect size reading

Guard against incorrect size values moving *data past data_end.

Check read length against the difference of the buffers.

Change-Id: Ie0b54e2db517fd41a0f3ceb23402ee44839a4739
parent af416c4d
...@@ -76,9 +76,8 @@ static void setup_compound_reference(VP9_COMMON *cm) { ...@@ -76,9 +76,8 @@ static void setup_compound_reference(VP9_COMMON *cm) {
} }
} }
// len == 0 is not allowed
static int read_is_valid(const uint8_t *start, size_t len, const uint8_t *end) { static int read_is_valid(const uint8_t *start, size_t len, const uint8_t *end) {
return start + len > start && start + len <= end; return len != 0 && len <= end - start;
} }
static int decode_unsigned_max(struct vp9_read_bit_buffer *rb, int max) { static int decode_unsigned_max(struct vp9_read_bit_buffer *rb, int max) {
...@@ -855,10 +854,14 @@ static size_t get_tile(const uint8_t *const data_end, ...@@ -855,10 +854,14 @@ static size_t get_tile(const uint8_t *const data_end,
if (!is_last) { if (!is_last) {
if (!read_is_valid(*data, 4, data_end)) if (!read_is_valid(*data, 4, data_end))
vpx_internal_error(error_info, VPX_CODEC_CORRUPT_FRAME, vpx_internal_error(error_info, VPX_CODEC_CORRUPT_FRAME,
"Truncated packet or corrupt tile length"); "Truncated packet or corrupt tile length");
size = read_be32(*data); size = read_be32(*data);
*data += 4; *data += 4;
if (size > data_end - *data)
vpx_internal_error(error_info, VPX_CODEC_CORRUPT_FRAME,
"Truncated packet or corrupt tile size");
} else { } else {
size = data_end - *data; size = data_end - *data;
} }
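Review bot: In read_is_valid the new test `len <= end - start` compares a size_t with a signed pointer difference, so if start is ever past end the negative difference converts to a very large unsigned value and any non-zero len is accepted. Making the precondition explicit closes that case: `return len != 0 && start <= end && len <= (size_t)(end - start);`. Whether any caller can pass start > end is not visible on this page. The added `size > data_end - *data` test in get_tile (whose body continues outside the hunk) has the same mixed comparison, and it is only safe if vpx_internal_error does not return after the failed read_is_valid(*data, 4, data_end) check, which this page does not show. The removed comment `// len == 0 is not allowed` still describes the new code and could stay above the function.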
......