diff options
author | John Koleszar <jkoleszar@google.com> | 2010-11-05 16:49:17 -0400 |
---|---|---|
committer | John Koleszar <jkoleszar@google.com> | 2010-11-05 16:49:32 -0400 |
commit | 4d1b0d2a2dff335baedd52bd7de09d55ec10b253 (patch) | |
tree | 36778bd30422c78607e8631ec2dbfb356377cd44 /vp8 | |
parent | 5551ef0ef4fd3271330fa5a2fbdfe70d4d2a1d2e (diff) | |
parent | 9fb80f7170ec48e23c3c7b477149eeb37081c699 (diff) | |
download | libvpx-4d1b0d2a2dff335baedd52bd7de09d55ec10b253.tar libvpx-4d1b0d2a2dff335baedd52bd7de09d55ec10b253.tar.gz libvpx-4d1b0d2a2dff335baedd52bd7de09d55ec10b253.tar.bz2 libvpx-4d1b0d2a2dff335baedd52bd7de09d55ec10b253.zip |
Merge commit 'fix integer promotion bug in partition size check'
Change-Id: I4081917b46013fa8f4218cade8bd12cb2d013aee
Diffstat (limited to 'vp8')
-rw-r--r-- | vp8/decoder/decodframe.c | 6 | ||||
-rw-r--r-- | vp8/vp8_dx_iface.c | 10 |
2 files changed, 12 insertions, 4 deletions
diff --git a/vp8/decoder/decodframe.c b/vp8/decoder/decodframe.c index 1bdc3d946..4702faeed 100644 --- a/vp8/decoder/decodframe.c +++ b/vp8/decoder/decodframe.c @@ -461,7 +461,8 @@ static void setup_token_decoder(VP8D_COMP *pbi, partition_size = user_data_end - partition; } - if (user_data_end - partition < partition_size) + if (partition + partition_size > user_data_end + || partition + partition_size < partition) vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME, "Truncated packet or corrupt partition " "%d length", i + 1); @@ -580,7 +581,8 @@ int vp8_decode_frame(VP8D_COMP *pbi) (data[0] | (data[1] << 8) | (data[2] << 16)) >> 5; data += 3; - if (data_end - data < first_partition_length_in_bytes) + if (data + first_partition_length_in_bytes > data_end + || data + first_partition_length_in_bytes < data) vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME, "Truncated packet or corrupt partition 0 length"); vp8_setup_version(pc); diff --git a/vp8/vp8_dx_iface.c b/vp8/vp8_dx_iface.c index a85cad1b4..9964124d1 100644 --- a/vp8/vp8_dx_iface.c +++ b/vp8/vp8_dx_iface.c @@ -253,8 +253,11 @@ static vpx_codec_err_t vp8_peek_si(const uint8_t *data, unsigned int data_sz, vpx_codec_stream_info_t *si) { - vpx_codec_err_t res = VPX_CODEC_OK; + + if(data + data_sz <= data) + res = VPX_CODEC_INVALID_PARAM; + else { /* Parse uncompresssed part of key frame header. * 3 bytes:- including version, frame type and an offset @@ -331,7 +334,10 @@ static vpx_codec_err_t vp8_decode(vpx_codec_alg_priv_t *ctx, ctx->img_avail = 0; - /* Determine the stream parameters */ + /* Determine the stream parameters. Note that we rely on peek_si to + * validate that we have a buffer that does not wrap around the top + * of the heap. + */ if (!ctx->si.h) res = ctx->base.iface->dec.peek_si(data, data_sz, &ctx->si); |