authorJohann <johannkoenig@google.com>2018-01-30 11:12:08 -0800
committerJohann <johannkoenig@google.com>2018-01-30 12:20:06 -0800
commitc59c84fc741a59ec8ecad9aec30e4feadb43913f (patch)
treeb63395fe91ec077e334f0b8730f917496f8e7d7a /vp8
parent7e75e8a622952422b54ce13a81f82c22d6bf7f2d (diff)
vp8 bool: verify buffer size
In the process of fixing a ubsan warning (commit 738b829b8cdf079a5fa48c74a28a177c9567d212, "Fix incorrect size reading"), the inferred check of start < end was removed. This causes fuzzed files to get a little further and segfault in vp8dx_start_decode.

Change-Id: I316e23058753ba42dbcc46d27eb575f51c8a9e9a
Diffstat (limited to 'vp8')
-rw-r--r--vp8/decoder/decodeframe.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/vp8/decoder/decodeframe.c b/vp8/decoder/decodeframe.c
index c208f6141..8bfd3cea3 100644
--- a/vp8/decoder/decodeframe.c
+++ b/vp8/decoder/decodeframe.c
@@ -674,7 +674,7 @@ static unsigned int read_partition_size(VP8D_COMP *pbi,
static int read_is_valid(const unsigned char *start, size_t len,
const unsigned char *end) {
- return len != 0 && len <= (size_t)(end - start);
+ return len != 0 && end > start && len <= (size_t)(end - start);
}
static unsigned int read_available_partition_size(
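Review bot: The `end > start` guard added to the return in read_is_valid carries the whole fix but has no comment saying why it must be there, which is how the earlier cleanup came to drop the implied check. When start is past end, `end - start` is negative and the `(size_t)` cast turns it into a very large value, so `len <= (size_t)(end - start)` passes for any len and the caller reads outside the buffer. I would put `/* Test end > start first: a negative (end - start) wraps to a huge size_t and defeats the len bound. */` directly above the return. The diffstat lists only decodeframe.c, so no regression input for the fuzzed file appears to come with this change; adding one as a test vector would stop the check from being removed again.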