author | James Zern <jzern@google.com> | 2017-06-07 20:46:13 -0700 |
---|---|---|
committer | James Zern <jzern@google.com> | 2017-06-08 23:16:04 +0000 |
commit | 45daecb4f73a47ab3236a29a3a48c52324cbf19a (patch) | |
tree | 7140fa811c11246ff7790823f4732c8b0ea3a278 /vp8 | |
parent | 9cea3a3c4efc25e03781c60d34f867ff4f35e73e (diff) | |
vp8_decode_frame: fix oob read on truncated key frame
the check for error correction being disabled was overriding the data
length checks. this avoids returning incorrect information (width /
height) for the decoded frame which could result in inconsistent sizes
returned to an application, causing it to read beyond the bounds of
the frame allocation.
BUG=webm:1443
BUG=b/62458770
Change-Id: I063459674e01b57c0990cb29372e0eb9a1fbf342
Diffstat (limited to 'vp8')
-rw-r--r-- | vp8/decoder/decodeframe.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/vp8/decoder/decodeframe.c b/vp8/decoder/decodeframe.c
index 0aec2a01b..d900b670d 100644
--- a/vp8/decoder/decodeframe.c
+++ b/vp8/decoder/decodeframe.c
@@ -930,7 +930,7 @@ int vp8_decode_frame(VP8D_COMP *pbi) {
       /* When error concealment is enabled we should only check the sync
        * code if we have enough bits available */
-      if (!pbi->ec_active || data + 3 < data_end) {
+      if (data + 3 < data_end) {
         if (clear[0] != 0x9d || clear[1] != 0x01 || clear[2] != 0x2a) {
           vpx_internal_error(&pc->error, VPX_CODEC_UNSUP_BITSTREAM,
                              "Invalid frame sync code");
@@ -941,13 +941,19 @@ int vp8_decode_frame(VP8D_COMP *pbi) {
        * if we have enough data. Otherwise we will end up with the wrong
        * size. */
-      if (!pbi->ec_active || data + 6 < data_end) {
+      if (data + 6 < data_end) {
         pc->Width = (clear[3] | (clear[4] << 8)) & 0x3fff;
         pc->horiz_scale = clear[4] >> 6;
         pc->Height = (clear[5] | (clear[6] << 8)) & 0x3fff;
         pc->vert_scale = clear[6] >> 6;
+        data += 7;
+      } else if (!pbi->ec_active) {
+        vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
+                           "Truncated key frame header");
+      } else {
+        /* Error concealment is active, clear the frame. */
+        data = data_end;
       }
-      data += 7;
     } else {
       memcpy(&xd->pre, yv12_fb_new, sizeof(YV12_BUFFER_CONFIG));
       memcpy(&xd->dst, yv12_fb_new, sizeof(YV12_BUFFER_CONFIG)); |
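Review bot: The new guards in both hunks are still written as `data + 3 < data_end` and `data + 6 < data_end`, so on a truncated header the left-hand side forms a pointer more than one past the end of the input buffer before the comparison, which is undefined in C even though only the compare is intended. Assuming `data` never exceeds `data_end` (not visible here), `data_end - data > 3` and `data_end - data > 6` express the same remaining-length checks without forming the out-of-range pointer. The comment above the first hunk's condition, "When error concealment is enabled we should only check the sync code if we have enough bits available", is now stale because the check no longer depends on `pbi->ec_active`; suggest `/* Only read the sync code when enough bytes remain; with error concealment off a short header is rejected below as a truncated key frame. */`. vp8_decode_frame begins and ends outside both hunks.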