vp9_dx_iface: subtract ptrs to validate frame_size

Change-Id: Ic5a6a4a2fec802d9c9c7a71dbae59d5b4d3a8b23

diff --git a/vp9/vp9_dx_iface.c b/vp9/vp9_dx_iface.c
index b5b0340a109ce5617c0790260cb232cb0740a3c4..963c764c03b24a5ff7b8a2f18b7b9a45968a1f1c 100644 (file)
--- a/vp9/vp9_dx_iface.c
+++ b/vp9/vp9_dx_iface.c
@@ -417,7 +417,8 @@ static vpx_codec_err_t decoder_decode(vpx_codec_alg_priv_t *ctx,
 
     for (i = 0; i < frame_count; ++i) {
       const uint32_t frame_size = frame_sizes[i];
-      if (data_start < data || data_start + frame_size >= data_end) {
+      if (data_start < data ||
+          frame_size > (uint32_t)(data_end - data_start)) {
         ctx->base.err_detail = "Invalid frame size in index";
         return VPX_CODEC_CORRUPT_FRAME;
       }