author | Johann <johannkoenig@google.com> | 2018-01-30 11:12:08 -0800 |
---|---|---|
committer | Johann <johannkoenig@google.com> | 2018-01-30 12:20:06 -0800 |
commit | c59c84fc741a59ec8ecad9aec30e4feadb43913f (patch) | |
tree | b63395fe91ec077e334f0b8730f917496f8e7d7a /vp8 | |
parent | 7e75e8a622952422b54ce13a81f82c22d6bf7f2d (diff) | |

vp8 bool: verify buffer size

In the process of fixing a ubsan warning:
commit 738b829b8cdf079a5fa48c74a28a177c9567d212
Fix incorrect size reading
the inferred check of start < end was removed. This causes fuzzed files
to get a little further and segfault in vp8dx_start_decode.

Change-Id: I316e23058753ba42dbcc46d27eb575f51c8a9e9a

Diffstat (limited to 'vp8')
-rw-r--r-- | vp8/decoder/decodeframe.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/vp8/decoder/decodeframe.c b/vp8/decoder/decodeframe.c index c208f6141..8bfd3cea3 100644 --- a/vp8/decoder/decodeframe.c +++ b/vp8/decoder/decodeframe.c @@ -674,7 +674,7 @@ static unsigned int read_partition_size(VP8D_COMP *pbi, static int read_is_valid(const unsigned char *start, size_t len, const unsigned char *end) { - return len != 0 && len <= (size_t)(end - start); + return len != 0 && end > start && len <= (size_t)(end - start); } static unsigned int read_available_partition_size( |
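
Review bot: The new `end > start` term in read_is_valid carries no comment, and per the commit message this is a check that was already dropped once because it was only implied. When `end` is below `start`, `end - start` is negative and the `(size_t)` cast turns it into a very large value, so `len <= (size_t)(end - start)` passes for any `len`; a one-line comment above the return saying so would keep the term from being removed again. Because `len != 0` already forces the difference to be at least 1, `end > start` exists only to guard the cast, and it depends on `&&` short-circuiting to be evaluated before the cast result is used, so the order of the three terms should stay as written. A regression test built from the fuzzed input mentioned in the commit message would be worth adding with this change.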