diff options
author | Jerome Jiang <jianj@google.com> | 2018-09-21 11:16:26 -0700 |
---|---|---|
committer | Jerome Jiang <jianj@google.com> | 2018-09-21 11:18:17 -0700 |
commit | e3522e0feba529e0472db404bf1035355dec42fd (patch) | |
tree | fbb874da8b65c9bc0255ca92d75070049071f17d | |
parent | e65f9e8bcef72711133b1ef7109856c9de05e8d1 (diff) | |
download | libvpx-e3522e0feba529e0472db404bf1035355dec42fd.tar libvpx-e3522e0feba529e0472db404bf1035355dec42fd.tar.gz libvpx-e3522e0feba529e0472db404bf1035355dec42fd.tar.bz2 libvpx-e3522e0feba529e0472db404bf1035355dec42fd.zip |
vp8: exit with bad fragment size in decoder.
BUG=webm:1555
Change-Id: Ie024c9f5a21f4ed05ab6b93f1677662eeef9e6d8
-rw-r--r-- | vp8/decoder/decodeframe.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/vp8/decoder/decodeframe.c b/vp8/decoder/decodeframe.c index 0d54a9442..82b72d21e 100644 --- a/vp8/decoder/decodeframe.c +++ b/vp8/decoder/decodeframe.c @@ -756,6 +756,9 @@ static void setup_token_decoder(VP8D_COMP *pbi, ptrdiff_t ext_first_part_size = token_part_sizes - pbi->fragments.ptrs[0] + 3 * (num_token_partitions - 1); + if (fragment_size < (unsigned int)ext_first_part_size) + vpx_internal_error(&pbi->common.error, VPX_CODEC_CORRUPT_FRAME, + "Corrupted fragment size %d", fragment_size); fragment_size -= (unsigned int)ext_first_part_size; if (fragment_size > 0) { pbi->fragments.sizes[0] = (unsigned int)ext_first_part_size; @@ -773,6 +776,9 @@ static void setup_token_decoder(VP8D_COMP *pbi, first_fragment_end, fragment_end, fragment_idx - 1, num_token_partitions); pbi->fragments.sizes[fragment_idx] = (unsigned int)partition_size; + if (fragment_size < (unsigned int)partition_size) + vpx_internal_error(&pbi->common.error, VPX_CODEC_CORRUPT_FRAME, + "Corrupted fragment size %d", fragment_size); fragment_size -= (unsigned int)partition_size; assert(fragment_idx <= num_token_partitions); if (fragment_size > 0) { |