From b6d8f3b4918d9c834cb0a65e1280a473242d99f1 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Wed, 15 Apr 2020 11:09:35 +0200
Subject: [PATCH] vp8_decode_frame: fix oob read on truncated key frame
the check for error correction being disabled was overriding the data
length checks. this avoids returning incorrect information (width /
height) for the decoded frame which could result in inconsistent sizes
returned to an application, causing it to read beyond the bounds of
the frame allocation.
BUG=webm:1443
BUG=b/62458770
Change-Id: I063459674e01b57c0990cb29372e0eb9a1fbf342
---
vp8/decoder/decodframe.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/vp8/decoder/decodframe.c b/vp8/decoder/decodframe.c
|
|
|
5ee27c |
index ee14c3b04..2072fcbdc 100644
|
|
|
5ee27c |
--- a/vp8/decoder/decodframe.c
|
|
|
5ee27c |
+++ b/vp8/decoder/decodframe.c
|
|
|
5ee27c |
@@ -1051,7 +1051,7 @@ int vp8_decode_frame(VP8D_COMP *pbi)
|
|
|
5ee27c |
/* When error concealment is enabled we should only check the sync
|
|
|
5ee27c |
* code if we have enough bits available
|
|
|
5ee27c |
*/
|
|
|
5ee27c |
- if (!pbi->ec_active || data + 3 < data_end)
|
|
|
5ee27c |
+ if (data + 3 < data_end)
|
|
|
5ee27c |
{
|
|
|
5ee27c |
if (clear[0] != 0x9d || clear[1] != 0x01 || clear[2] != 0x2a)
|
|
|
5ee27c |
vpx_internal_error(&pc->error, VPX_CODEC_UNSUP_BITSTREAM,
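Review bot: The guard `data + 3 < data_end` forms a pointer that can lie more than one element past the end of the input when fewer than three bytes remain, which is undefined behaviour in C; the second hunk has the same pattern in `data + 6 < data_end`. Comparing lengths avoids it: `if (data_end - data > 3)` here and `if (data_end - data > 6)` in the second hunk. The bytes are read through `clear` while the bound is taken on `data`, and the relation between the two pointers is set outside this hunk, so it is worth confirming that `clear` always has at least as many readable bytes as `data`. vp8_decode_frame's body starts and ends outside the hunk.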
|
|
|
5ee27c |
@@ -1062,15 +1062,20 @@ int vp8_decode_frame(VP8D_COMP *pbi)
|
|
|
5ee27c |
* if we have enough data. Otherwise we will end up with the wrong
|
|
|
5ee27c |
* size.
|
|
|
5ee27c |
*/
|
|
|
5ee27c |
- if (!pbi->ec_active || data + 6 < data_end)
|
|
|
5ee27c |
+ if (data + 6 < data_end)
|
|
|
5ee27c |
{
|
|
|
5ee27c |
pc->Width = (clear[3] | (clear[4] << 8)) & 0x3fff;
|
|
|
5ee27c |
pc->horiz_scale = clear[4] >> 6;
|
|
|
5ee27c |
pc->Height = (clear[5] | (clear[6] << 8)) & 0x3fff;
|
|
|
5ee27c |
pc->vert_scale = clear[6] >> 6;
|
|
|
5ee27c |
+ data += 7;
|
|
|
5ee27c |
+ } else if (!pbi->ec_active) {
|
|
|
5ee27c |
+ vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
|
|
|
5ee27c |
+ "Truncated key frame header");
|
|
|
5ee27c |
+ } else {
|
|
|
5ee27c |
+ /* Error concealment is active, clear the frame. */
|
|
|
5ee27c |
+ data = data_end;
|
|
|
5ee27c |
}
|
|
|
5ee27c |
- data += 7;
|
|
|
5ee27c |
- clear += 7;
|
|
|
5ee27c |
}
|
|
|
5ee27c |
else
|
|
|
5ee27c |
{
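Review bot: In the new error-concealment branch the comment `/* Error concealment is active, clear the frame. */` does not match the statement below it: `data = data_end;` only marks the remaining input as consumed, and `pc->Width`, `pc->Height` and the scale fields keep whatever values they held before. I would reword it to `/* Error concealment is active: skip the truncated header, keep the previous dimensions. */` and, if a truncated first key frame can reach this path, confirm outside this hunk that the dimensions are initialised before they are used to size buffers. The added `} else if (!pbi->ec_active) {` and `} else {` lines also put braces on the keyword line, while the surrounding code puts them on their own line. The enclosing function continues outside the hunk.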
--
2.26.0