Avoid memory OOB access in get_obu_length_field_size()
BUG=b/74489829
Change-Id: I6a49719f264962c1996ce9448a2bdb355916064d
diff --git a/av1/av1_dx_iface.c b/av1/av1_dx_iface.c
index f375922..0d5d388 100644
--- a/av1/av1_dx_iface.c
+++ b/av1/av1_dx_iface.c
@@ -161,9 +161,10 @@
return AOM_CODEC_OK;
}
-static size_t get_obu_length_field_size(const uint8_t *data) {
+static size_t get_obu_length_field_size(const uint8_t *data, size_t data_sz) {
+ const size_t max_bytes = AOMMIN(sizeof(uint64_t), data_sz);
size_t length_field_size = 1;
- for (size_t i = 0; i < sizeof(uint64_t) && (data[i] & 0x80); ++i) {
+ for (size_t i = 0; i < max_bytes && (data[i] & 0x80); ++i) {
++length_field_size;
}
return length_field_size;
@@ -175,7 +176,7 @@
int *is_intra_only) {
int intra_only_flag = 0;
- if (data + data_sz <= data) return AOM_CODEC_INVALID_PARAM;
+ if (data + data_sz <= data || data_sz < 1) return AOM_CODEC_INVALID_PARAM;
si->w = 0;
si->h = 0;
@@ -191,7 +192,7 @@
#if CONFIG_OBU_SIZE_AFTER_HEADER
struct aom_read_bit_buffer rb = { data, data + data_sz, 0, NULL, NULL };
#else
- const size_t length_field_size = get_obu_length_field_size(data);
+ const size_t length_field_size = get_obu_length_field_size(data, data_sz);
struct aom_read_bit_buffer rb = { data + length_field_size, data + data_sz, 0,
NULL, NULL };
#endif // CONFIG_OBU_SIZE_AFTER_HEADER
@@ -204,7 +205,7 @@
#if CONFIG_OBU_SIZE_AFTER_HEADER
// One byte has been consumed by the OBU header.
- rb.bit_offset += get_obu_length_field_size(data + 1);
+ rb.bit_offset += get_obu_length_field_size(data + 1, data_sz - 1);
#endif // CONFIG_OBU_SIZE_AFTER_HEADER
// This check is disabled because existing behavior is depended upon by
