]> granicus.if.org Git - libvpx/commitdiff
Fix incorrect size reading
authorJohann <johannkoenig@google.com>
Fri, 26 Jan 2018 23:50:50 +0000 (15:50 -0800)
committerJohann <johannkoenig@google.com>
Fri, 26 Jan 2018 23:51:50 +0000 (15:51 -0800)
Cherry pick from vp9:

commit 85770264ac891505730dcd5092d1993a62c74060
Guard against incorrect size values moving *data past data_end.

Check read length against the difference of the buffers.

Change-Id: I5e8679ddd447c4d73deb80be5ec94841a92c5fcd

vp8/decoder/decodeframe.c

index 077bd3da268dbe8df57459b0390c56a2d88835b3..c208f614119631595c364775b4a499dd5f5e034d 100644 (file)
@@ -674,7 +674,7 @@ static unsigned int read_partition_size(VP8D_COMP *pbi,
 
 static int read_is_valid(const unsigned char *start, size_t len,
                          const unsigned char *end) {
-  return (start + len > start && start + len <= end);
+  return len != 0 && len <= (size_t)(end - start);
 }
 
 static unsigned int read_available_partition_size(