Avoid OOB memory access in av1_decode_frame_from_obus()

BUG=b/74485092,b/74484982,b/74484124,b/74485020,b/74484940,b/74482858,b/74498858

Change-Id: I32363a7bb05c2e9590a2433a751cda864e881485
diff --git a/av1/decoder/obu.c b/av1/decoder/obu.c
index 644352a..2ab5d35 100644
--- a/av1/decoder/obu.c
+++ b/av1/decoder/obu.c
@@ -363,6 +363,10 @@
     }
 #endif  // CONFIG_OBU_SIZE_AFTER_HEADER
 
+    if (data_end < data + length_field_size) {
+      cm->error.error_code = AOM_CODEC_CORRUPT_FRAME;
+      return;
+    }
     av1_init_read_bit_buffer(pbi, &rb, data + length_field_size, data_end);
 
     if (read_obu_header(&rb, &obu_header) != AOM_CODEC_OK) {
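Review bot: The added guard `data_end < data + length_field_size` forms the pointer `data + length_field_size` before that pointer is known to lie inside the buffer. When the field size exceeds the bytes remaining, the addition itself is undefined and may wrap, so the check can pass for exactly the inputs it is meant to reject. Comparing lengths avoids this: `if ((size_t)(data_end - data) < length_field_size) {`, assuming `data` never exceeds `data_end` at this point. The second hunk has the same pattern with `data + obu_payload_offset` and `data + payload_size`; those values appear to come from the bitstream, so the concern is stronger there. The enclosing function starts and ends outside this hunk.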
@@ -439,6 +443,11 @@
           cm->error.error_code = AOM_CODEC_CORRUPT_FRAME;
           return;
         }
+        if (data_end < data + obu_payload_offset ||
+            data_end < data + payload_size) {
+          cm->error.error_code = AOM_CODEC_CORRUPT_FRAME;
+          return;
+        }
         decoded_payload_size += read_one_tile_group_obu(
             pbi, &rb, is_first_tg_obu_received, data + obu_payload_offset,
             data + payload_size, p_data_end, &frame_decoding_finished);
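Review bot: The new guard bounds `data + obu_payload_offset` and `data + payload_size` against `data_end` separately, but nothing visible in the hunk checks that `obu_payload_offset <= payload_size`. Unless an earlier check outside the hunk rules that out, `read_one_tile_group_obu` could still receive a start pointer past its end pointer. Folding the ordering into the guard keeps the invariant local, and the offset bound then follows from the other two: `if (obu_payload_offset > payload_size || (size_t)(data_end - data) < payload_size) {`. A short comment such as `// Tile group payload [offset, payload_size) must lie inside [data, data_end).` would record why both conditions are needed. The enclosing block begins and ends outside this hunk.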