author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-09-06 15:05:15 +0200 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-09-14 15:24:44 +0000 |
commit | 3b44cd3d8a9cdd4b387cd14898a43d72bc4ba30d (patch) | |
tree | 58f2ae6a7dfdf7c3ec54d01bbca46b55b59b284a | |
parent | 8ea8f7a2e7cae3446a4b3ffa7ee5f48fa34cd83f (diff) |
[Backport] Security issue 867792
vp9: fix OOB read in decoder_peek_si_internal
Profile 1 or 3 bitstreams may require 11 bytes for the header in the
intra-only case.
Additionally add a check on the bit reader's error handler callback to
ensure it's non-NULL before calling to avoid future regressions.
This has existed since at least (pre-1.4.0):
09bf1d61c Changes hdr for profiles > 1 for intraonly frames
BUG=webm:1543
Change-Id: I9cda3b68c497ebfb8ff752e236380fcba5c38001
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r-- | chromium/third_party/libvpx/source/libvpx/vp9/vp9_dx_iface.c | 5 | ||||
-rw-r--r-- | chromium/third_party/libvpx/source/libvpx/vpx_dsp/bitreader_buffer.c | 2 |
2 files changed, 5 insertions, 2 deletions
diff --git a/chromium/third_party/libvpx/source/libvpx/vp9/vp9_dx_iface.c b/chromium/third_party/libvpx/source/libvpx/vp9/vp9_dx_iface.c
index 657490f4bd3..2a5578674fc 100644
--- a/chromium/third_party/libvpx/source/libvpx/vp9/vp9_dx_iface.c
+++ b/chromium/third_party/libvpx/source/libvpx/vp9/vp9_dx_iface.c
@@ -97,7 +97,7 @@ static vpx_codec_err_t decoder_peek_si_internal(
     const uint8_t *data, unsigned int data_sz, vpx_codec_stream_info_t *si,
     int *is_intra_only, vpx_decrypt_cb decrypt_cb, void *decrypt_state) {
   int intra_only_flag = 0;
-  uint8_t clear_buffer[10];
+  uint8_t clear_buffer[11];
 
   if (data + data_sz <= data) return VPX_CODEC_INVALID_PARAM;
 
@@ -158,6 +158,9 @@ static vpx_codec_err_t decoder_peek_si_internal(
     if (profile > PROFILE_0) {
       if (!parse_bitdepth_colorspace_sampling(profile, &rb))
         return VPX_CODEC_UNSUP_BITSTREAM;
+      // The colorspace info may cause vp9_read_frame_size() to need 11
+      // bytes.
+      if (data_sz < 11) return VPX_CODEC_UNSUP_BITSTREAM;
     }
     rb.bit_offset += REF_FRAMES;  // refresh_frame_flags
     vp9_read_frame_size(&rb, (int *)&si->w, (int *)&si->h);
diff --git a/chromium/third_party/libvpx/source/libvpx/vpx_dsp/bitreader_buffer.c b/chromium/third_party/libvpx/source/libvpx/vpx_dsp/bitreader_buffer.c
index 3e16bfa38c2..f59f1f7cb9d 100644
--- a/chromium/third_party/libvpx/source/libvpx/vpx_dsp/bitreader_buffer.c
+++ b/chromium/third_party/libvpx/source/libvpx/vpx_dsp/bitreader_buffer.c
@@ -23,7 +23,7 @@ int vpx_rb_read_bit(struct vpx_read_bit_buffer *rb) {
     rb->bit_offset = off + 1;
     return bit;
   } else {
-    rb->error_handler(rb->error_handler_data);
+    if (rb->error_handler != NULL) rb->error_handler(rb->error_handler_data);
     return 0;
   }
 }
|
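Review bot: The new size of `clear_buffer` (11) is repeated as a bare literal in the `if (data_sz < 11)` check added in the @@ -158 hunk of the same file, so the array bound and the length check can silently drift apart on the next header-size change. Tie them together by writing the check as `if (data_sz < sizeof(clear_buffer)) return VPX_CODEC_UNSUP_BITSTREAM;`, or give both a single named constant such as `enum { PEEK_SI_MAX_HEADER_BYTES = 11 };` and use it in the declaration and the check. The declaration itself deserves a one-line why-comment, e.g. `/* Largest header prefix peeked here: profile > 0 intra-only frames carry colorspace info and need 11 bytes. */`. decoder_peek_si_internal continues outside both hunks, so whether the decrypt_cb copy into clear_buffer is already bounded by the array size cannot be confirmed from what is visible.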
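Review bot: With the NULL guard on `rb->error_handler`, an out-of-range read on a reader that has no handler installed now returns 0 silently, which a caller cannot tell apart from a genuine 0 bit; the commit message suggests the peek path is such a caller, so that path must bound the input length itself before trusting any parsed field. That contract is not stated anywhere visible and should be documented on the `vpx_rb_read_bit` declaration, e.g. `/* Reads past bit_buffer_end invoke error_handler (if set) and return 0; with no handler the overrun is silent, so callers must validate the buffer size beforehand. */`. Whether the peek path's reader really lacks a handler cannot be confirmed from this hunk. vpx_rb_read_bit starts before the hunk; only the tail of its body is shown.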