Validate payload_size in decoder_peek_si_internal.
If payload_size is greater than data_sz, return an error.
Remove the local variable payload_start. (It is always equal to 'data'.)
BUG=aomedia:2060
BUG=chromium:868651
Change-Id: Id8e0b5a35db3d1ff452507545f47066c52e1388c
(cherry picked from commit bc484c485277bc19c7a1b273c8cf5472f741b73a)
diff --git a/av1/av1_dx_iface.c b/av1/av1_dx_iface.c
index f425720..617573d 100644
--- a/av1/av1_dx_iface.c
+++ b/av1/av1_dx_iface.c
@@ -216,7 +216,7 @@
while (1) {
data += bytes_read;
data_sz -= bytes_read;
- const uint8_t *payload_start = data;
+ if (data_sz < payload_size) return AOM_CODEC_CORRUPT_FRAME;
// Check that the selected OBU is a sequence header
if (obu_header.type == OBU_SEQUENCE_HEADER) {
// Sanity check on sequence header size
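Review bot: The new guard on L17 compares payload_size against a data_sz that has already had bytes_read subtracted on L15, so it is only sound if aom_read_obu_header_and_size never reports a bytes_read larger than the data_sz it was handed; that invariant is established outside this hunk and is worth stating next to the check, e.g. `// bytes_read <= data_sz is guaranteed by aom_read_obu_header_and_size; payload_size is an untrusted LEB128 value from the stream and must be bounded before it advances data below.` Without that note a later refactor that moves the subtraction or the guard could silently reintroduce the out-of-bounds walk this commit closes. The enclosing decoder_peek_si_internal and its `while (1)` loop begin before this hunk.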
@@ -264,9 +264,9 @@
}
}
// skip past any unread OBU header data
- data = payload_start + payload_size;
+ data += payload_size;
data_sz -= payload_size;
- if (data_sz <= 0) break; // exit if we're out of OBUs
+ if (data_sz == 0) break; // exit if we're out of OBUs
status = aom_read_obu_header_and_size(
data, data_sz, si->is_annexb, &obu_header, &payload_size, &bytes_read);
if (status != AOM_CODEC_OK) return status;
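Review bot: The `data_sz == 0` test on L29 is correct only because the subtraction on L27 cannot wrap, which in turn depends on the payload_size bound placed earlier in the same loop body rather than anything visible in this hunk; a one-line comment would tie the two together, e.g. `// data_sz is unsigned; the payload_size <= data_sz check at the top of the loop keeps this subtraction from wrapping.` Also note that the old `<= 0` form on an unsigned data_sz was already equivalent to `== 0`, so the new spelling is a readability fix rather than a behavioral one, and the commit message could say so. The loop and function continue past the end of this hunk.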