36 lines
1005 B
Diff
36 lines
1005 B
Diff
Copied from Debian.
|
|
|
|
# HG changeset patch
|
|
# User Ralph Giles <giles@mozilla.com>
|
|
# Date 1412209683 25200
|
|
# Node ID 6023f0b4f8ba49dd117106cc98cd8007c2142bf6
|
|
# Parent 8c431dcec0ffde13988d47eacf341113ea883245
|
|
Bug 1063327 - Reject vp9 frames with invalid tiles. r=kinetik, a=abillings
|
|
|
|
diff --git a/vp9/decoder/vp9_decodframe.c b/vp9/decoder/vp9_decodframe.c
|
|
--- a/vp9/decoder/vp9_decodframe.c
|
|
+++ b/vp9/decoder/vp9_decodframe.c
|
|
@@ -863,16 +863,21 @@ static size_t get_tile(const uint8_t *co
|
|
|
|
if (!is_last) {
|
|
if (!read_is_valid(*data, 4, data_end))
|
|
vpx_internal_error(error_info, VPX_CODEC_CORRUPT_FRAME,
|
|
"Truncated packet or corrupt tile length");
|
|
|
|
size = read_be32(*data);
|
|
*data += 4;
|
|
+
|
|
+ if (size > data_end - *data) {
|
|
+ vpx_internal_error(error_info, VPX_CODEC_CORRUPT_FRAME,
|
|
+ "Truncated packet or corrupt tile size");
|
|
+ }
|
|
} else {
|
|
size = data_end - *data;
|
|
}
|
|
return size;
|
|
}
|
|
|
|
typedef struct TileBuffer {
|
|
const uint8_t *data;
|
|
|