Bug 1063327 - Reject vp9 frames with invalid tiles. r=kinetik, a=sledru
authorRalph Giles <giles@mozilla.com>
Wed, 01 Oct 2014 17:28:03 -0700
changeset 218035 16aa4dfa9001e58810fd65c9fcf609356f492ef4
parent 218034 ff91afbb6355238cf3c0948ec9f45c97dd8101a0
child 218036 fa58aaa6863e1a23b7f640640db2e767cca9ea20
push id515
push userraliiev@mozilla.com
push dateMon, 06 Oct 2014 12:51:51 +0000
treeherdermozilla-release@267c7a481bef [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerskinetik, sledru
bugs1063327
milestone33.0
Bug 1063327 - Reject vp9 frames with invalid tiles. r=kinetik, a=sledru
media/libvpx/vp9/decoder/vp9_decodframe.c
--- a/media/libvpx/vp9/decoder/vp9_decodframe.c
+++ b/media/libvpx/vp9/decoder/vp9_decodframe.c
@@ -863,16 +863,21 @@ static size_t get_tile(const uint8_t *co
 
   if (!is_last) {
     if (!read_is_valid(*data, 4, data_end))
       vpx_internal_error(error_info, VPX_CODEC_CORRUPT_FRAME,
           "Truncated packet or corrupt tile length");
 
     size = read_be32(*data);
     *data += 4;
+
+    if (size > data_end - *data) {
+      vpx_internal_error(error_info, VPX_CODEC_CORRUPT_FRAME,
+          "Truncated packet or corrupt tile size");
+    }
   } else {
     size = data_end - *data;
   }
   return size;
 }
 
 typedef struct TileBuffer {
   const uint8_t *data;