Commit b4d6b1c1 authored by Hui Su's avatar Hui Su

Terminate decoding at corrupted frame data

BUG=aomedia:1154

Change-Id: I0c856564dc1eadd9e22be4de6fca5c2b0344dcb5
parent 48d3e633
......@@ -383,6 +383,8 @@ int av1_receive_compressed_data(AV1Decoder *pbi, size_t size,
av1_decode_frame_from_obus(pbi, source, source + size, psource);
#endif
if (cm->error.error_code != AOM_CODEC_OK) return 1;
#if TXCOEFF_TIMER
cm->cum_txcoeff_timer += cm->txcoeff_timer;
fprintf(stderr,
......
......@@ -162,20 +162,26 @@ void av1_decode_frame_from_obus(struct AV1Decoder *pbi, const uint8_t *data,
int frame_header_received = 0;
int frame_header_size = 0;
if (data_end < data) {
cm->error.error_code = AOM_CODEC_CORRUPT_FRAME;
return;
}
// decode frame as a series of OBUs
while (!frame_decoding_finished && !cm->error.error_code) {
struct aom_read_bit_buffer rb;
size_t obu_header_size, obu_payload_size = 0;
av1_init_read_bit_buffer(pbi, &rb, data + PRE_OBU_SIZE_BYTES, data_end);
// every obu is preceded by PRE_OBU_SIZE_BYTES-byte size of obu (obu header
// + payload size)
// The obu size is only needed for tile group OBUs
const size_t obu_size = mem_get_le32(data);
const OBU_TYPE obu_type = read_obu_header(&rb, &obu_header_size);
data += (PRE_OBU_SIZE_BYTES + obu_header_size);
if (data_end < data) {
cm->error.error_code = AOM_CODEC_CORRUPT_FRAME;
return;
}
switch (obu_type) {
case OBU_TEMPORAL_DELIMITER:
obu_payload_size = read_temporal_delimiter_obu();
......@@ -206,5 +212,9 @@ void av1_decode_frame_from_obus(struct AV1Decoder *pbi, const uint8_t *data,
default: break;
}
data += obu_payload_size;
if (data_end < data) {
cm->error.error_code = AOM_CODEC_CORRUPT_FRAME;
return;
}
}
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment