From: Jerome Jiang Date: Fri, 21 Sep 2018 18:16:26 +0000 (-0700) Subject: vp8: exit with bad fragment size in decoder. X-Git-Tag: v1.8.0~297^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e3522e0feba529e0472db404bf1035355dec42fd;p=libvpx vp8: exit with bad fragment size in decoder. BUG=webm:1555 Change-Id: Ie024c9f5a21f4ed05ab6b93f1677662eeef9e6d8
---
diff --git a/vp8/decoder/decodeframe.c b/vp8/decoder/decodeframe.c
index 0d54a9442..82b72d21e 100644
--- a/vp8/decoder/decodeframe.c
+++ b/vp8/decoder/decodeframe.c
@@ -756,6 +756,9 @@ static void setup_token_decoder(VP8D_COMP *pbi,
 ptrdiff_t ext_first_part_size = token_part_sizes - pbi->fragments.ptrs[0] + 3 * (num_token_partitions - 1);
+ if (fragment_size < (unsigned int)ext_first_part_size)
+ vpx_internal_error(&pbi->common.error, VPX_CODEC_CORRUPT_FRAME,
+ "Corrupted fragment size %d", fragment_size);
 fragment_size -= (unsigned int)ext_first_part_size;
 if (fragment_size > 0) {
 pbi->fragments.sizes[0] = (unsigned int)ext_first_part_size;
@@ -773,6 +776,9 @@ static void setup_token_decoder(VP8D_COMP *pbi,
 first_fragment_end, fragment_end, fragment_idx - 1, num_token_partitions);
 pbi->fragments.sizes[fragment_idx] = (unsigned int)partition_size;
+ if (fragment_size < (unsigned int)partition_size)
+ vpx_internal_error(&pbi->common.error, VPX_CODEC_CORRUPT_FRAME,
+ "Corrupted fragment size %d", fragment_size);
 fragment_size -= (unsigned int)partition_size;
 assert(fragment_idx <= num_token_partitions);
 if (fragment_size > 0) {
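Review bot: Both new guards (this one and the one in the second hunk) only work if `vpx_internal_error` never returns: the `if` has no `return` after the call, so if control comes back the next line still runs `fragment_size -= …` and the unsigned value wraps, which is the condition the check is meant to stop. As far as I know the helper unwinds only when the caller has armed the error context's setjmp, and that setup is not visible in this diff, so I would state the dependency above each check, e.g. `/* vpx_internal_error() longjmps out of the decode; it must not return here. */`. Separately, `fragment_size` looks like an `unsigned int` (it is compared against `(unsigned int)` casts), so the message should read `"Corrupted fragment size %u", fragment_size`. The body of setup_token_decoder starts and ends outside both hunks.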
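Review bot: In the second hunk the unvalidated `partition_size` is stored into `pbi->fragments.sizes[fragment_idx]` before the new comparison runs, so a frame that is rejected still leaves the oversized length in decoder state. Moving `if (fragment_size < (unsigned int)partition_size)` above the assignment would keep the corrupt size out of `pbi->fragments` without changing what is checked. The following `assert(fragment_idx <= num_token_partitions)` is compiled out under NDEBUG, so it does not bound the index in release builds; whether the array sizes make that safe cannot be told from this hunk.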