From 94a65e8fbaa3e50b686147b4dd75c79c2154c2d6 Mon Sep 17 00:00:00 2001 From: Wan-Teh Chang Date: Tue, 24 Jul 2018 12:14:54 -0700 Subject: [PATCH] Check size limit in vpx_realloc_frame_buffer. If CONFIG_SIZE_LIMIT is defined, vpx_realloc_frame_buffer should fail if width or height is too big. This carries over commit ebc2714d71a834fc32a19eef0a81f51fbc47db01 of libaom: https://aomedia-review.googlesource.com/c/aom/+/65521 Change-Id: Id7645c5cefbe1847714695d41f506ff30ea985f6 --- vpx_scale/generic/yv12config.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/vpx_scale/generic/yv12config.c b/vpx_scale/generic/yv12config.c index 220b8be3d..0fdba7b17 100644 --- a/vpx_scale/generic/yv12config.c +++ b/vpx_scale/generic/yv12config.c @@ -143,6 +143,10 @@ int vpx_realloc_frame_buffer(YV12_BUFFER_CONFIG *ybf, int width, int height, vpx_codec_frame_buffer_t *fb, vpx_get_frame_buffer_cb_fn_t cb, void *cb_priv) { if (ybf) { +#if CONFIG_SIZE_LIMIT + if (width > DECODE_WIDTH_LIMIT || height > DECODE_HEIGHT_LIMIT) return -1; +#endif + const int vp9_byte_align = (byte_alignment == 0) ? 1 : byte_alignment; const int aligned_width = (width + 7) & ~7; const int aligned_height = (height + 7) & ~7; -- 2.40.0