
From b6d8f3b4918d9c834cb0a65e1280a473242d99f1 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Wed, 15 Apr 2020 11:09:35 +0200
Subject: [PATCH] vp8_decode_frame: fix oob read on truncated key frame
the check for error correction being disabled was overriding the data
length checks. this avoids returning incorrect information (width /
height) for the decoded frame which could result in inconsistent sizes
returned to an application, causing it to read beyond the bounds of
the frame allocation.
BUG=webm:1443
BUG=b/62458770
Change-Id: I063459674e01b57c0990cb29372e0eb9a1fbf342
---
 vp8/decoder/decodframe.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/vp8/decoder/decodframe.c b/vp8/decoder/decodframe.c
index ee14c3b04..2072fcbdc 100644
--- a/vp8/decoder/decodframe.c
+++ b/vp8/decoder/decodframe.c
@@ -1051,7 +1051,7 @@ int vp8_decode_frame(VP8D_COMP *pbi)
             /* When error concealment is enabled we should only check the sync
              * code if we have enough bits available
              */
-            if (!pbi->ec_active || data + 3 < data_end)
+            if (data + 3 < data_end)
             {
                 if (clear[0] != 0x9d || clear[1] != 0x01 || clear[2] != 0x2a)
                     vpx_internal_error(&pc->error, VPX_CODEC_UNSUP_BITSTREAM,
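Review bot: `if (data + 3 < data_end)` forms a pointer more than one past the end of the buffer whenever fewer than 3 bytes remain, which is undefined behaviour in C even though the comparison is intended as the bounds check; the same applies to `data + 6 < data_end` in the second hunk. Writing the test on the pointer difference avoids that without changing the accepted lengths: `if (data_end - data > 3)` here and `if (data_end - data > 6)` below. The comment above the condition still says the sync code is checked only `When error concealment is enabled`, but the new condition no longer looks at pbi->ec_active, so it should read something like `/* Only check the sync code when enough bytes remain; a truncated header is reported or concealed by the size check below. */`. vp8_decode_frame starts and continues outside this hunk.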
@@ -1062,15 +1062,20 @@ int vp8_decode_frame(VP8D_COMP *pbi)
              * if we have enough data. Otherwise we will end up with the wrong
              * size.
              */
-            if (!pbi->ec_active || data + 6 < data_end)
+            if (data + 6 < data_end)
             {
                 pc->Width = (clear[3] | (clear[4] << 8)) & 0x3fff;
                 pc->horiz_scale = clear[4] >> 6;
                 pc->Height = (clear[5] | (clear[6] << 8)) & 0x3fff;
                 pc->vert_scale = clear[6] >> 6;
+                data += 7;
+            } else if (!pbi->ec_active) {
+                vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
+                                   "Truncated key frame header");
+            } else {
+                /* Error concealment is active, clear the frame. */
+                data = data_end;
             }
-            data += 7;
-            clear += 7;
         }
         else
         {
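Review bot: The removed `clear += 7` has no counterpart on the new side, so if `clear` is read again after this block (not visible in the hunk) it now still points at the start of the key frame header instead of past it; worth confirming against the rest of vp8_decode_frame, which continues outside the hunk. The new `else if (!pbi->ec_active)` branch assumes vpx_internal_error does not return; presumably it longjmps only when an error handler has been installed, and otherwise control reaches the code after the block with pc->Width and pc->Height untouched and `data` still at the header, so the assumption deserves a comment or an explicit return after the call. The concealment branch `data = data_end;` intentionally keeps the previously decoded dimensions, which is the behaviour the commit message describes; saying so in the comment, e.g. `/* Error concealment is active: drop the rest of the frame and keep the previous dimensions. */`, would stop the next reader from "fixing" it.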
-- 
2.26.0