ref: d99b6af68ff6b95f577ec9a0899e54ab653064c8
parent: 6a08df3d2a63d5b26041c8410b9bbaf3389c66da
parent: e3522e0feba529e0472db404bf1035355dec42fd
author: Jerome Jiang <jianj@google.com>
date: Sat Sep 22 03:15:21 EDT 2018
Merge "vp8: exit with bad fragment size in decoder."
--- a/vp8/decoder/decodeframe.c
+++ b/vp8/decoder/decodeframe.c
@@ -756,6 +756,9 @@
ptrdiff_t ext_first_part_size = token_part_sizes -
pbi->fragments.ptrs[0] +
3 * (num_token_partitions - 1);
+ if (fragment_size < (unsigned int)ext_first_part_size)
+ vpx_internal_error(&pbi->common.error, VPX_CODEC_CORRUPT_FRAME,
+ "Corrupted fragment size %d", fragment_size);
fragment_size -= (unsigned int)ext_first_part_size;
if (fragment_size > 0) {
pbi->fragments.sizes[0] = (unsigned int)ext_first_part_size;
@@ -773,6 +776,9 @@
first_fragment_end, fragment_end, fragment_idx - 1,
num_token_partitions);
pbi->fragments.sizes[fragment_idx] = (unsigned int)partition_size;
+ if (fragment_size < (unsigned int)partition_size)
+ vpx_internal_error(&pbi->common.error, VPX_CODEC_CORRUPT_FRAME,
+ "Corrupted fragment size %d", fragment_size);
fragment_size -= (unsigned int)partition_size;
assert(fragment_idx <= num_token_partitions);
if (fragment_size > 0) {