Skip a copy of the frame header in the bit buffer.
Move rb.bit_offset for subsequent frame_header_obu's so that 'rb' is
aligned with the beginning of tile_group_obu for a frame_obu.
BUG=oss-fuzz:9482
Change-Id: I691a9640502487bd8c62d385ef616b8c95c27719
(cherry picked from commit 3bffe09a53d3138c13c91d4f73865fd6baf07d5f)
diff --git a/av1/decoder/obu.c b/av1/decoder/obu.c
index 03d43a2..4d33e5a 100644
--- a/av1/decoder/obu.c
+++ b/av1/decoder/obu.c
@@ -780,7 +780,7 @@
AV1_COMMON *const cm = &pbi->common;
int frame_decoding_finished = 0;
int is_first_tg_obu_received = 1;
- int frame_header_size = 0;
+ uint32_t frame_header_size = 0;
int seq_header_received = 0;
size_t seq_header_size = 0;
ObuHeader obu_header;
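Review bot: The widened declaration on the `+` line is now loop-carried state — the following hunk rewinds the reader with `rb.bit_offset = 8 * frame_header_size` whenever a repeated frame_header_obu arrives — yet nothing at the declaration says so, and a one-line comment would save the next reader the hunt: `uint32_t frame_header_size = 0;  // bytes of the first frame_header_obu seen; reused to skip later copies`. The move from `int` to `uint32_t` also keeps the new `frame_header_size > payload_size` bound free of signed/unsigned mixing, assuming `payload_size` is itself an unsigned type, which this hunk does not show. Because the variable starts at 0 and only becomes meaningful once a header has actually been parsed, the comment should also say that 0 means "none seen yet" if the skip path can be reached before a header is parsed; that path lies outside this hunk and is worth confirming. The enclosing function begins before this hunk.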
@@ -878,9 +878,19 @@
pbi->seen_frame_header = 1;
if (!pbi->ext_tile_debug && cm->large_scale_tile)
pbi->camera_frame_header_ready = 1;
+ } else {
+ // TODO(wtc): Verify that the frame_header_obu is identical to the
+ // original frame_header_obu. For now just skip frame_header_size
+ // bytes in the bit buffer.
+ if (frame_header_size > payload_size) {
+ cm->error.error_code = AOM_CODEC_CORRUPT_FRAME;
+ return -1;
+ }
+ assert(rb.bit_offset == 0);
+ rb.bit_offset = 8 * frame_header_size;
}
decoded_payload_size = frame_header_size;
- pbi->frame_header_size = (size_t)frame_header_size;
+ pbi->frame_header_size = frame_header_size;
if (cm->show_existing_frame) {
frame_decoding_finished = 1;