From 6efe45375f3122cc2459e6fa3a874a6dd2023610 Mon Sep 17 00:00:00 2001
From: Brian Foley
Date: Thu, 16 Jan 2020 20:33:48 -0800
Subject: Validate data used by vpx_codec_control...

...instead of blindly derefing NULL.

Found by some additional fuzzing of the vp8/vp9 decoders to be upstreamed soon.

Change-Id: I2ea08c2d15f689f3fac8cc73622056a82d94ec00
---
 vp8/vp8_dx_iface.c | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

(limited to 'vp8/vp8_dx_iface.c')

diff --git a/vp8/vp8_dx_iface.c b/vp8/vp8_dx_iface.c
index 12e5781f5..82a716254 100644
--- a/vp8/vp8_dx_iface.c
+++ b/vp8/vp8_dx_iface.c
@@ -591,8 +591,10 @@ static vpx_codec_err_t vp8_get_reference(vpx_codec_alg_priv_t *ctx,
 static vpx_codec_err_t vp8_get_quantizer(vpx_codec_alg_priv_t *ctx,
 va_list args) {
 int *const arg = va_arg(args, int *);
+ VP8D_COMP *pbi = ctx->yv12_frame_buffers.pbi[0];
 if (arg == NULL) return VPX_CODEC_INVALID_PARAM;
- *arg = vp8dx_get_quantizer(ctx->yv12_frame_buffers.pbi[0]);
+ if (pbi == NULL) return VPX_CODEC_CORRUPT_FRAME;
+ *arg = vp8dx_get_quantizer(pbi);
 return VPX_CODEC_OK;
 }
@@ -622,6 +624,7 @@ static vpx_codec_err_t vp8_get_last_ref_updates(vpx_codec_alg_priv_t *ctx,
 if (update_info) {
 VP8D_COMP *pbi = (VP8D_COMP *)ctx->yv12_frame_buffers.pbi[0];
+ if (pbi == NULL) return VPX_CODEC_CORRUPT_FRAME;
 *update_info = pbi->common.refresh_alt_ref_frame * (int)VP8_ALTR_FRAME +
 pbi->common.refresh_golden_frame * (int)VP8_GOLD_FRAME +
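Review bot: The new `VP8D_COMP *pbi` declaration and `pbi == NULL` guard in vp8_get_quantizer carry no comment saying why `ctx->yv12_frame_buffers.pbi[0]` can be NULL when a control arrives, and the same unexplained test is repeated by hand in vp8_get_last_ref_updates and vp8_get_last_ref_frame in this commit. A short why-comment on the declaration, e.g. `/* pbi[0] may still be NULL when a control is issued before any frame has been decoded; never dereference it unchecked. */`, would let the next reader see the invariant instead of re-deriving it — the "before any frame has been decoded" part is my inference from the commit message, so confirm it against where pbi[0] is assigned. Because the dangerous ordering is an API-level one (control issued before a decode call), a regression test in the decoder API test suite that issues these three controls on a freshly initialized decoder and expects the non-OK return would pin the fix better than fuzzing alone. Whether `VPX_CODEC_CORRUPT_FRAME` is the right code for "no decoder state yet" rather than a corrupt bitstream is worth a second look, since callers may treat it as a data error.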
@@ -639,13 +642,16 @@ static vpx_codec_err_t vp8_get_last_ref_frame(vpx_codec_alg_priv_t *ctx,
 if (ref_info) {
 VP8D_COMP *pbi = (VP8D_COMP *)ctx->yv12_frame_buffers.pbi[0];
- VP8_COMMON *oci = &pbi->common;
- *ref_info =
- (vp8dx_references_buffer(oci, ALTREF_FRAME) ? VP8_ALTR_FRAME : 0) |
- (vp8dx_references_buffer(oci, GOLDEN_FRAME) ? VP8_GOLD_FRAME : 0) |
- (vp8dx_references_buffer(oci, LAST_FRAME) ? VP8_LAST_FRAME : 0);
-
- return VPX_CODEC_OK;
+ if (pbi) {
+ VP8_COMMON *oci = &pbi->common;
+ *ref_info =
+ (vp8dx_references_buffer(oci, ALTREF_FRAME) ? VP8_ALTR_FRAME : 0) |
+ (vp8dx_references_buffer(oci, GOLDEN_FRAME) ? VP8_GOLD_FRAME : 0) |
+ (vp8dx_references_buffer(oci, LAST_FRAME) ? VP8_LAST_FRAME : 0);
+ return VPX_CODEC_OK;
+ } else {
+ return VPX_CODEC_CORRUPT_FRAME;
+ }
 } else {
 return VPX_CODEC_INVALID_PARAM;
 }
-- 
cgit v1.2.3
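Review bot: The new `if (pbi) { ... } else { return VPX_CODEC_CORRUPT_FRAME; }` in vp8_get_last_ref_frame wraps and re-indents the whole reference-check body, while the same commit handles the identical condition in vp8_get_quantizer and vp8_get_last_ref_updates with an early return. Writing `if (pbi == NULL) return VPX_CODEC_CORRUPT_FRAME;` directly after the `pbi` declaration and leaving the original body untouched would make the three controls read alike and reduce this hunk to a one-line addition. The `(VP8D_COMP *)` cast kept here is dropped on the new vp8_get_quantizer line; if `pbi[0]` is already declared as `VP8D_COMP *` the cast is dead and should go in all three places for consistency, but the field's declared type is not visible in the hunk. The start of vp8_get_last_ref_frame (its signature and the `ref_info` declaration) lies outside the hunk.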