diff options
author | Yaowu Xu <yaowu@google.com> | 2016-05-17 17:18:26 -0700 |
---|---|---|
committer | Yaowu Xu <yaowu@google.com> | 2016-05-18 07:40:49 -0700 |
commit | 4f0e4d6cef827bc452848e126a6bedc47424da88 (patch) | |
tree | 9e38aa892b8753d4844560300c601ebc51f9f044 /vp9/decoder | |
parent | 2240d83d7882ce2d5d0826b9ce33b86321d7a724 (diff) | |
download | libvpx-4f0e4d6cef827bc452848e126a6bedc47424da88.tar libvpx-4f0e4d6cef827bc452848e126a6bedc47424da88.tar.gz libvpx-4f0e4d6cef827bc452848e126a6bedc47424da88.tar.bz2 libvpx-4f0e4d6cef827bc452848e126a6bedc47424da88.zip |
Prevent invalid read
This commit adds a check before reading into RefBuffer to prevent OOB
read.
BUG=https://bugs.chromium.org/p/chromium/issues/detail?id=612023
Change-Id: I5b02951932e7f457cfbe6b2e650790496b8577ae
Diffstat (limited to 'vp9/decoder')
-rw-r--r-- | vp9/decoder/vp9_decodeframe.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/vp9/decoder/vp9_decodeframe.c b/vp9/decoder/vp9_decodeframe.c index 2c2c0ba84..30f8b0eb5 100644 --- a/vp9/decoder/vp9_decodeframe.c +++ b/vp9/decoder/vp9_decodeframe.c @@ -1315,11 +1315,16 @@ static void setup_frame_size_with_refs(VP9_COMMON *cm, BufferPool *const pool = cm->buffer_pool; for (i = 0; i < REFS_PER_FRAME; ++i) { if (vpx_rb_read_bit(rb)) { - YV12_BUFFER_CONFIG *const buf = cm->frame_refs[i].buf; - width = buf->y_crop_width; - height = buf->y_crop_height; - found = 1; - break; + if (cm->frame_refs[i].idx != INVALID_IDX) { + YV12_BUFFER_CONFIG *const buf = cm->frame_refs[i].buf; + width = buf->y_crop_width; + height = buf->y_crop_height; + found = 1; + break; + } else { + vpx_internal_error(&cm->error, VPX_CODEC_CORRUPT_FRAME, + "Failed to decode frame size"); + } } } |