From b6d8f3b4918d9c834cb0a65e1280a473242d99f1 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Wed, 15 Apr 2020 11:09:35 +0200
Subject: [PATCH] vp8_decode_frame: fix oob read on truncated key frame

the check for error correction being disabled was overriding the data
length checks. this avoids returning incorrect information (width /
height) for the decoded frame which could result in inconsistent sizes
returned to an application, causing it to read beyond the bounds of
the frame allocation.

BUG=webm:1443
BUG=b/62458770

Change-Id: I063459674e01b57c0990cb29372e0eb9a1fbf342
---
 vp8/decoder/decodframe.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/vp8/decoder/decodframe.c b/vp8/decoder/decodframe.c
index ee14c3b04..2072fcbdc 100644
--- a/vp8/decoder/decodframe.c
+++ b/vp8/decoder/decodframe.c
@@ -1051,7 +1051,7 @@ int vp8_decode_frame(VP8D_COMP *pbi)
             /* When error concealment is enabled we should only check the sync
              * code if we have enough bits available
              */
-            if (!pbi->ec_active || data + 3 < data_end)
+            if (data + 3 < data_end)
             {
                 if (clear[0] != 0x9d || clear[1] != 0x01 || clear[2] != 0x2a)
                     vpx_internal_error(&pc->error, VPX_CODEC_UNSUP_BITSTREAM,
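Review bot: The comment above the changed condition is now stale: it says the sync code is only checked "when error concealment is enabled ... if we have enough bits available", but after this change the `data + 3 < data_end` guard applies whether or not `pbi->ec_active` is set, so a truncated buffer skips the sync-code check in the non-EC case as well. Suggest rewording it to `/* Only check the sync code if enough bytes remain; a short buffer is reported as truncated below. */` or similar, so the next reader does not assume the EC flag still takes part. The same stale wording, in abbreviated form, sits above the dimension check in the next hunk. vp8_decode_frame begins before this hunk and continues after it.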
@@ -1062,15 +1062,20 @@ int vp8_decode_frame(VP8D_COMP *pbi)
              * if we have enough data. Otherwise we will end up with the wrong
              * size.
              */
-            if (!pbi->ec_active || data + 6 < data_end)
+            if (data + 6 < data_end)
             {
                 pc->Width = (clear[3] | (clear[4] << 8)) & 0x3fff;
                 pc->horiz_scale = clear[4] >> 6;
                 pc->Height = (clear[5] | (clear[6] << 8)) & 0x3fff;
                 pc->vert_scale = clear[6] >> 6;
+                data += 7;
+            } else if (!pbi->ec_active) {
+                vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
+                                   "Truncated key frame header");
+            } else {
+                /* Error concealment is active, clear the frame. */
+                data = data_end;
             }
-            data += 7;
-            clear += 7;
         }
         else
         {
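Review bot: The new `else` branch for the error-concealment case sets `data = data_end` but leaves `pc->Width`, `pc->Height` and the scale fields untouched, so on a truncated key frame the decoder carries on with whatever dimensions were set previously; that appears intended, but the comment `/* Error concealment is active, clear the frame. */` does not say so and "clear the frame" is easy to misread. Suggest `/* Error concealment is active: consume the rest of the buffer and keep the previously decoded frame dimensions. */`. The non-EC branch relies on `vpx_internal_error` not returning; if the error path can return to this point (no setjmp context installed), `data` is left unadvanced, which is worth confirming against the callers. Note also that `clear += 7;` is dropped along with `data += 7;`; this is only safe if `clear` is not read again later in the function, which is outside the hunk and should be checked.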
-- 
2.26.0