diff options
| author | Brian Foley <bpfoley@google.com> | 2020-01-16 20:33:48 -0800 |
|---|---|---|
| committer | Brian Foley <bpfoley@google.com> | 2020-01-17 11:41:44 -0800 |
| commit | 6efe45375f3122cc2459e6fa3a874a6dd2023610 (patch) | |
| tree | 8f01790383aa895dd30cfdf15525a223e08a1e0c /vp8/vp8_dx_iface.c | |
| parent | 18e93be9f2e9c863be573e910ff6940547fa0cad (diff) | |
| download | libvpx-6efe45375f3122cc2459e6fa3a874a6dd2023610.tar libvpx-6efe45375f3122cc2459e6fa3a874a6dd2023610.tar.gz libvpx-6efe45375f3122cc2459e6fa3a874a6dd2023610.tar.bz2 libvpx-6efe45375f3122cc2459e6fa3a874a6dd2023610.zip | |
Validate data used by vpx_codec_control...
...instead of blindly derefing NULL.
Found by some additional fuzzing of the vp8/vp9 decoders to be
upstreamed soon.
Change-Id: I2ea08c2d15f689f3fac8cc73622056a82d94ec00
Diffstat (limited to 'vp8/vp8_dx_iface.c')
| -rw-r--r-- | vp8/vp8_dx_iface.c | 22 |
1 files changed, 14 insertions, 8 deletions
diff --git a/vp8/vp8_dx_iface.c b/vp8/vp8_dx_iface.c index 12e5781f5..82a716254 100644 --- a/vp8/vp8_dx_iface.c +++ b/vp8/vp8_dx_iface.c @@ -591,8 +591,10 @@ static vpx_codec_err_t vp8_get_reference(vpx_codec_alg_priv_t *ctx, static vpx_codec_err_t vp8_get_quantizer(vpx_codec_alg_priv_t *ctx, va_list args) { int *const arg = va_arg(args, int *); + VP8D_COMP *pbi = ctx->yv12_frame_buffers.pbi[0]; if (arg == NULL) return VPX_CODEC_INVALID_PARAM; - *arg = vp8dx_get_quantizer(ctx->yv12_frame_buffers.pbi[0]); + if (pbi == NULL) return VPX_CODEC_CORRUPT_FRAME; + *arg = vp8dx_get_quantizer(pbi); return VPX_CODEC_OK; } @@ -622,6 +624,7 @@ static vpx_codec_err_t vp8_get_last_ref_updates(vpx_codec_alg_priv_t *ctx, if (update_info) { VP8D_COMP *pbi = (VP8D_COMP *)ctx->yv12_frame_buffers.pbi[0]; + if (pbi == NULL) return VPX_CODEC_CORRUPT_FRAME; *update_info = pbi->common.refresh_alt_ref_frame * (int)VP8_ALTR_FRAME + pbi->common.refresh_golden_frame * (int)VP8_GOLD_FRAME + @@ -639,13 +642,16 @@ static vpx_codec_err_t vp8_get_last_ref_frame(vpx_codec_alg_priv_t *ctx, if (ref_info) { VP8D_COMP *pbi = (VP8D_COMP *)ctx->yv12_frame_buffers.pbi[0]; - VP8_COMMON *oci = &pbi->common; - *ref_info = - (vp8dx_references_buffer(oci, ALTREF_FRAME) ? VP8_ALTR_FRAME : 0) | - (vp8dx_references_buffer(oci, GOLDEN_FRAME) ? VP8_GOLD_FRAME : 0) | - (vp8dx_references_buffer(oci, LAST_FRAME) ? VP8_LAST_FRAME : 0); - - return VPX_CODEC_OK; + if (pbi) { + VP8_COMMON *oci = &pbi->common; + *ref_info = + (vp8dx_references_buffer(oci, ALTREF_FRAME) ? VP8_ALTR_FRAME : 0) | + (vp8dx_references_buffer(oci, GOLDEN_FRAME) ? VP8_GOLD_FRAME : 0) | + (vp8dx_references_buffer(oci, LAST_FRAME) ? VP8_LAST_FRAME : 0); + return VPX_CODEC_OK; + } else { + return VPX_CODEC_CORRUPT_FRAME; + } } else { return VPX_CODEC_INVALID_PARAM; } |