author | Jingning Han <jingning@google.com> | 2014-06-16 10:27:30 -0700 |
---|---|---|
committer | Gerrit Code Review <gerrit@gerrit.golo.chromium.org> | 2014-06-16 10:27:30 -0700 |
commit | d203203cc5c2993496f1fbd0163f5335285c9944 (patch) | |
tree | 145cee5b6696c91cf62619b48404d42873994aa7 /vp9 | |
parent | 95fb9008f85a035c35f5bcd3c9278dc1f6a26f66 (diff) | |
parent | 1ba18717861c5da614619428389f29e00b175e8e (diff) | |
Merge "Fix out of boundary memory read in fuzz test on vpxdec"
Diffstat (limited to 'vp9')
-rw-r--r-- | vp9/vp9_dx_iface.c | 46 |
1 files changed, 24 insertions, 22 deletions
diff --git a/vp9/vp9_dx_iface.c b/vp9/vp9_dx_iface.c
index 07389713a..3b5d4bf71 100644
--- a/vp9/vp9_dx_iface.c
+++ b/vp9/vp9_dx_iface.c
@@ -321,31 +321,33 @@ static void parse_superframe_index(const uint8_t *data, size_t data_sz,
 const uint32_t mag = ((marker >> 3) & 0x3) + 1;
 const size_t index_sz = 2 + mag * frames;
- uint8_t marker2 = read_marker(decrypt_cb, decrypt_state,
- data + data_sz - index_sz);
-
- if (data_sz >= index_sz && marker2 == marker) {
- // found a valid superframe index
- uint32_t i, j;
- const uint8_t *x = &data[data_sz - index_sz + 1];
-
- // frames has a maximum of 8 and mag has a maximum of 4.
- uint8_t clear_buffer[32];
- assert(sizeof(clear_buffer) >= frames * mag);
- if (decrypt_cb) {
- decrypt_cb(decrypt_state, x, clear_buffer, frames * mag);
- x = clear_buffer;
- }
+ if (data_sz >= index_sz) {
+ uint8_t marker2 = read_marker(decrypt_cb, decrypt_state,
+ data + data_sz - index_sz);
+
+ if (marker == marker2) {
+ // Found a valid superframe index.
+ uint32_t i, j;
+ const uint8_t *x = &data[data_sz - index_sz + 1];
+
+ // Frames has a maximum of 8 and mag has a maximum of 4.
+ uint8_t clear_buffer[32];
+ assert(sizeof(clear_buffer) >= frames * mag);
+ if (decrypt_cb) {
+ decrypt_cb(decrypt_state, x, clear_buffer, frames * mag);
+ x = clear_buffer;
+ }
- for (i = 0; i < frames; i++) {
- uint32_t this_sz = 0;
+ for (i = 0; i < frames; ++i) {
+ uint32_t this_sz = 0;
- for (j = 0; j < mag; j++)
- this_sz |= (*x++) << (j * 8);
- sizes[i] = this_sz;
- }
+ for (j = 0; j < mag; ++j)
+ this_sz |= (*x++) << (j * 8);
+ sizes[i] = this_sz;
+ }
- *count = frames;
+ *count = frames;
+ }
 }
 }
 } |
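Review bot: In the re-indented inner loop, `this_sz |= (*x++) << (j * 8);` promotes the `uint8_t` to a signed `int` before shifting, so when `mag` is 4 a top index byte of 0x80 or higher is shifted into the sign bit, which is undefined behaviour on bytes taken directly from the stream. Casting before the shift keeps the arithmetic unsigned: `this_sz |= ((uint32_t)(*x++)) << (j * 8);`. Separately, the values stored in `sizes[]` are not bounded against `data_sz` in the visible lines; presumably the caller does that, but the function starts and ends outside this hunk, so it is worth confirming there.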