Avoid OOB memory access in av1_decode_frame_from_obus()
BUG=b/74485092,b/74484982,b/74484124,b/74485020,b/74484940,b/74482858,b/74498858
Change-Id: I32363a7bb05c2e9590a2433a751cda864e881485
diff --git a/av1/decoder/obu.c b/av1/decoder/obu.c
index 644352a..2ab5d35 100644
--- a/av1/decoder/obu.c
+++ b/av1/decoder/obu.c
@@ -363,6 +363,10 @@
}
#endif // CONFIG_OBU_SIZE_AFTER_HEADER
+ if (data_end < data + length_field_size) {
+ cm->error.error_code = AOM_CODEC_CORRUPT_FRAME;
+ return;
+ }
av1_init_read_bit_buffer(pbi, &rb, data + length_field_size, data_end);
if (read_obu_header(&rb, &obu_header) != AOM_CODEC_OK) {
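Review bot: The added guard `data_end < data + length_field_size` forms the pointer before checking it, so a length larger than the remaining buffer makes `data + length_field_size` itself out of range. That is undefined behaviour in C, and on targets where the addition wraps the comparison can pass for a corrupt stream. Comparing sizes avoids this: `if ((size_t)(data_end - data) < length_field_size) {`, assuming `data <= data_end` holds on entry, which is not visible here. The same pattern appears in the second hunk for `data + obu_payload_offset` and `data + payload_size`, and should be rewritten the same way. The enclosing function starts and ends outside this hunk, so the types of these variables should be confirmed before adding the cast.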
@@ -439,6 +443,11 @@
cm->error.error_code = AOM_CODEC_CORRUPT_FRAME;
return;
}
+ if (data_end < data + obu_payload_offset ||
+ data_end < data + payload_size) {
+ cm->error.error_code = AOM_CODEC_CORRUPT_FRAME;
+ return;
+ }
decoded_payload_size += read_one_tile_group_obu(
pbi, &rb, is_first_tg_obu_received, data + obu_payload_offset,
data + payload_size, p_data_end, &frame_decoding_finished);
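Review bot: The new check bounds both `data + obu_payload_offset` and `data + payload_size` against `data_end`, but nothing visible in this hunk establishes that `obu_payload_offset <= payload_size`. Those two values become the start and end pointers passed to `read_one_tile_group_obu()`, so an offset past the payload end would hand the callee an inverted range. If that ordering is not already enforced earlier in the function, which lies outside the hunk, the guard could also include `obu_payload_offset > payload_size ||`. A short comment such as `/* Reject OBUs whose header or payload would extend past the input buffer. */` above the check would record why it is there.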