From: Alex Converse Date: Sat, 17 Jan 2015 00:02:05 +0000 (-0800) Subject: vp8enc: Prevent out of bounds memory access. X-Git-Tag: v1.4.0~212^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=581731a95f74d83d4fe3cc466ce502ffb4326e8e;p=libvpx vp8enc: Prevent out of bounds memory access. Prevent out of bounds access when attempting to increase frame size Change-Id: I710c40c692802a72963c9680c2125da17f9060a9 --- diff --git a/vp8/encoder/onyx_if.c b/vp8/encoder/onyx_if.c index 41b30663a..258fa114f 100644 --- a/vp8/encoder/onyx_if.c +++ b/vp8/encoder/onyx_if.c @@ -1760,8 +1760,16 @@ void vp8_change_config(VP8_COMP *cpi, VP8_CONFIG *oxcf) reset_temporal_layer_change(cpi, oxcf, prev_number_of_layers); } + if (!cpi->initial_width) + { + cpi->initial_width = cpi->oxcf.Width; + cpi->initial_height = cpi->oxcf.Height; + } + cm->Width = cpi->oxcf.Width; cm->Height = cpi->oxcf.Height; + assert(cm->Width <= cpi->initial_width); + assert(cm->Height <= cpi->initial_height); /* TODO(jkoleszar): if an internal spatial resampling is active, * and we downsize the input image, maybe we should clear the diff --git a/vp8/encoder/onyx_int.h b/vp8/encoder/onyx_int.h index b1a749c1d..82d745390 100644 --- a/vp8/encoder/onyx_int.h +++ b/vp8/encoder/onyx_int.h @@ -665,6 +665,9 @@ typedef struct VP8_COMP int droppable; + int initial_width; + int initial_height; + #if CONFIG_TEMPORAL_DENOISING VP8_DENOISER denoiser; #endif diff --git a/vp8/vp8_cx_iface.c b/vp8/vp8_cx_iface.c index f81f07821..96b4cb5f2 100644 --- a/vp8/vp8_cx_iface.c +++ b/vp8/vp8_cx_iface.c 
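Review bot: The two `assert` calls added after the `cm->Width`/`cm->Height` assignments in `vp8_change_config` are compiled out when the library is built with NDEBUG, so in release builds nothing in this function stops a size larger than `initial_width`/`initial_height`. The only runtime enforcement visible in this commit is the new check in `vp8e_set_config`, so any other caller of `vp8_change_config` relies on that check having run first. I would state that dependency next to the asserts, e.g. `/* Debug-only: vp8e_set_config() must reject sizes above initial_width/initial_height before calling here. */`. The function body starts and ends outside the hunk.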
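Review bot: `initial_width` and `initial_height` are added to `VP8_COMP` without a comment, although they now act as the upper bound that later size changes are checked against. Both `vp8_change_config` and `vp8e_set_config` treat 0 as "not yet recorded", which is worth writing down at the declaration. A comment such as `/* Frame size at first configuration (0 = not set yet); later config changes must not exceed it. */` would cover both points.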
@@ -447,9 +447,14 @@ static vpx_codec_err_t vp8e_set_config(vpx_codec_alg_priv_t *ctx,
 {
 vpx_codec_err_t res;
- if (((cfg->g_w != ctx->cfg.g_w) || (cfg->g_h != ctx->cfg.g_h))
- && (cfg->g_lag_in_frames > 1 || cfg->g_pass != VPX_RC_ONE_PASS))
- ERROR("Cannot change width or height after initialization");
+ if (cfg->g_w != ctx->cfg.g_w || cfg->g_h != ctx->cfg.g_h)
+ {
+ if (cfg->g_lag_in_frames > 1 || cfg->g_pass != VPX_RC_ONE_PASS)
+ ERROR("Cannot change width or height after initialization");
+ if ((ctx->cpi->initial_width && (int)cfg->g_w > ctx->cpi->initial_width) ||
+ (ctx->cpi->initial_height && (int)cfg->g_h > ctx->cpi->initial_height))
+ ERROR("Cannot increast width or height larger than their initial values");
+ }
 /* Prevent increasing lag_in_frames. This check is stricter than it needs
 * to be -- the limit is not increasing past the first lag_in_frames
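Review bot: The new bound check casts `cfg->g_w` and `cfg->g_h` to `int` before comparing, so a value above INT_MAX would typically become negative and be accepted as "not larger" than the initial size. Whether such a value is rejected later in `vp8e_set_config` cannot be seen from this hunk, so I would compare in the unsigned domain instead: `cfg->g_w > (unsigned int)ctx->cpi->initial_width`, and the same for `g_h`. The new error string also has a typo; `ERROR("Cannot increase width or height beyond their initial values");` reads better. The function continues outside the hunk.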