From: James Zern <jzern@google.com>
Date: Fri, 9 May 2014 03:20:20 +0000 (-0700)
Subject: vp9_dx_iface: subtract ptrs to validate frame_size
X-Git-Tag: v1.4.0~1617^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a8cfbbe33f0e43554eef93660610b70b42d1fcf3;p=libvpx

vp9_dx_iface: subtract ptrs to validate frame_size

Change-Id: Ic5a6a4a2fec802d9c9c7a71dbae59d5b4d3a8b23
---

diff --git a/vp9/vp9_dx_iface.c b/vp9/vp9_dx_iface.c
index b5b0340a1..963c764c0 100644
--- a/vp9/vp9_dx_iface.c
+++ b/vp9/vp9_dx_iface.c
@@ -417,7 +417,8 @@ static vpx_codec_err_t decoder_decode(vpx_codec_alg_priv_t *ctx,
 
     for (i = 0; i < frame_count; ++i) {
       const uint32_t frame_size = frame_sizes[i];
-      if (data_start < data || data_start + frame_size >= data_end) {
+      if (data_start < data ||
+          frame_size > (uint32_t)(data_end - data_start)) {
         ctx->base.err_detail = "Invalid frame size in index";
         return VPX_CODEC_CORRUPT_FRAME;
       }