diff options
| author | Johann <johannkoenig@google.com> | 2018-01-26 15:50:50 -0800 |
|---|---|---|
| committer | Johann <johannkoenig@google.com> | 2018-01-26 15:51:50 -0800 |
| commit | 738b829b8cdf079a5fa48c74a28a177c9567d212 (patch) | |
| tree | c38f1a383b09328ba9efc8c5472e2f6c34ed942a /vp8 | |
| parent | a9bbff1049ea774ed07286d979dbda7e7f2fe430 (diff) | |
| download | libvpx-738b829b8cdf079a5fa48c74a28a177c9567d212.tar libvpx-738b829b8cdf079a5fa48c74a28a177c9567d212.tar.gz libvpx-738b829b8cdf079a5fa48c74a28a177c9567d212.tar.bz2 libvpx-738b829b8cdf079a5fa48c74a28a177c9567d212.zip | |
Fix incorrect size reading
Cherry pick from vp9:
commit 85770264ac891505730dcd5092d1993a62c74060
Guard against incorrect size values moving *data past data_end.
Check read length against the difference of the buffers.
Change-Id: I5e8679ddd447c4d73deb80be5ec94841a92c5fcd
Diffstat (limited to 'vp8')
| -rw-r--r-- | vp8/decoder/decodeframe.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/vp8/decoder/decodeframe.c b/vp8/decoder/decodeframe.c index 077bd3da2..c208f6141 100644 --- a/vp8/decoder/decodeframe.c +++ b/vp8/decoder/decodeframe.c @@ -674,7 +674,7 @@ static unsigned int read_partition_size(VP8D_COMP *pbi, static int read_is_valid(const unsigned char *start, size_t len, const unsigned char *end) { - return (start + len > start && start + len <= end); + return len != 0 && len <= (size_t)(end - start); } static unsigned int read_available_partition_size( |