author | Brian Foley <bpfoley@google.com> | 2020-01-16 20:33:48 -0800 |
---|---|---|
committer | Brian Foley <bpfoley@google.com> | 2020-01-17 11:41:44 -0800 |
commit | 6efe45375f3122cc2459e6fa3a874a6dd2023610 (patch) | |
tree | 8f01790383aa895dd30cfdf15525a223e08a1e0c | |
parent | 18e93be9f2e9c863be573e910ff6940547fa0cad (diff) | |
Validate data used by vpx_codec_control...
...instead of blindly derefing NULL.
Found by some additional fuzzing of the vp8/vp9 decoders to be
upstreamed soon.
Change-Id: I2ea08c2d15f689f3fac8cc73622056a82d94ec00
-rw-r--r-- | vp8/vp8_dx_iface.c | 22 | ||||
-rw-r--r-- | vp9/vp9_dx_iface.c | 14 |
2 files changed, 23 insertions, 13 deletions
diff --git a/vp8/vp8_dx_iface.c b/vp8/vp8_dx_iface.c index 12e5781f5..82a716254 100644 --- a/vp8/vp8_dx_iface.c +++ b/vp8/vp8_dx_iface.c @@ -591,8 +591,10 @@ static vpx_codec_err_t vp8_get_reference(vpx_codec_alg_priv_t *ctx, static vpx_codec_err_t vp8_get_quantizer(vpx_codec_alg_priv_t *ctx, va_list args) { int *const arg = va_arg(args, int *); + VP8D_COMP *pbi = ctx->yv12_frame_buffers.pbi[0]; if (arg == NULL) return VPX_CODEC_INVALID_PARAM; - *arg = vp8dx_get_quantizer(ctx->yv12_frame_buffers.pbi[0]); + if (pbi == NULL) return VPX_CODEC_CORRUPT_FRAME; + *arg = vp8dx_get_quantizer(pbi); return VPX_CODEC_OK; } @@ -622,6 +624,7 @@ static vpx_codec_err_t vp8_get_last_ref_updates(vpx_codec_alg_priv_t *ctx, if (update_info) { VP8D_COMP *pbi = (VP8D_COMP *)ctx->yv12_frame_buffers.pbi[0]; + if (pbi == NULL) return VPX_CODEC_CORRUPT_FRAME; *update_info = pbi->common.refresh_alt_ref_frame * (int)VP8_ALTR_FRAME + pbi->common.refresh_golden_frame * (int)VP8_GOLD_FRAME + @@ -639,13 +642,16 @@ static vpx_codec_err_t vp8_get_last_ref_frame(vpx_codec_alg_priv_t *ctx, if (ref_info) { VP8D_COMP *pbi = (VP8D_COMP *)ctx->yv12_frame_buffers.pbi[0]; - VP8_COMMON *oci = &pbi->common; - *ref_info = - (vp8dx_references_buffer(oci, ALTREF_FRAME) ? VP8_ALTR_FRAME : 0) | - (vp8dx_references_buffer(oci, GOLDEN_FRAME) ? VP8_GOLD_FRAME : 0) | - (vp8dx_references_buffer(oci, LAST_FRAME) ? VP8_LAST_FRAME : 0); - - return VPX_CODEC_OK; + if (pbi) { + VP8_COMMON *oci = &pbi->common; + *ref_info = + (vp8dx_references_buffer(oci, ALTREF_FRAME) ? VP8_ALTR_FRAME : 0) | + (vp8dx_references_buffer(oci, GOLDEN_FRAME) ? VP8_GOLD_FRAME : 0) | + (vp8dx_references_buffer(oci, LAST_FRAME) ? VP8_LAST_FRAME : 0); + return VPX_CODEC_OK; + } else { + return VPX_CODEC_CORRUPT_FRAME; + } } else { return VPX_CODEC_INVALID_PARAM; } diff --git a/vp9/vp9_dx_iface.c b/vp9/vp9_dx_iface.c index fa79f7aed..35ecbaff3 100644 --- a/vp9/vp9_dx_iface.c +++ b/vp9/vp9_dx_iface.c 
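Review bot: The new NULL-`pbi` paths in vp8_get_quantizer, and likewise in vp8_get_last_ref_updates and vp8_get_last_ref_frame further down, return `VPX_CODEC_CORRUPT_FRAME`, while the same condition in vp9 ctrl_get_reference in this commit returns `VPX_CODEC_ERROR`. A missing decoder instance presumably means the control was issued before any frame was decoded, which says nothing about the bitstream, so a caller that reacts to CORRUPT_FRAME (for instance by dropping or concealing a frame) would be misled. I would pick one code for this state across both decoders and document it at the check with a comment such as `/* no decoder instance yet: control called before the first decode */`. The declaration added here also drops the `(VP8D_COMP *)` cast that the other two handlers use on the same expression.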
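Review bot: The guard in vp8_get_last_ref_frame is written as a nested `if (pbi) { … } else { return VPX_CODEC_CORRUPT_FRAME; }`, which re-indents the whole body, whereas vp8_get_last_ref_updates just above uses a one-line early return for the same check. Using `if (pbi == NULL) return VPX_CODEC_CORRUPT_FRAME;` right after the `pbi` declaration would keep the three handlers uniform and leave the `*ref_info` assignment untouched, so the one security-relevant line is easy to spot in review. The vp9 ctrl_get_reference hunk has the same shape and could take `if (ctx->pbi == NULL) return VPX_CODEC_ERROR;` instead.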
@@ -474,11 +474,15 @@ static vpx_codec_err_t ctrl_get_reference(vpx_codec_alg_priv_t *ctx, vp9_ref_frame_t *data = va_arg(args, vp9_ref_frame_t *); if (data) { - const int fb_idx = ctx->pbi->common.cur_show_frame_fb_idx; - YV12_BUFFER_CONFIG *fb = get_buf_frame(&ctx->pbi->common, fb_idx); - if (fb == NULL) return VPX_CODEC_ERROR; - yuvconfig2image(&data->img, fb, NULL); - return VPX_CODEC_OK; + if (ctx->pbi) { + const int fb_idx = ctx->pbi->common.cur_show_frame_fb_idx; + YV12_BUFFER_CONFIG *fb = get_buf_frame(&ctx->pbi->common, fb_idx); + if (fb == NULL) return VPX_CODEC_ERROR; + yuvconfig2image(&data->img, fb, NULL); + return VPX_CODEC_OK; + } else { + return VPX_CODEC_ERROR; + } } else { return VPX_CODEC_INVALID_PARAM; } |
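Review bot: Nothing in this commit exercises the new `ctx->pbi` NULL path in ctrl_get_reference, and the description says the fuzzing that found the crash is not upstream yet. A small regression test that initialises a decoder, issues the control before any data has been decoded and expects an error return rather than a crash would keep these guards from being lost in a later refactor; the same test can cover the three vp8 handlers. Other control handlers in this file that read `ctx->pbi` are outside the hunk, so it is worth confirming they carry the same check.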