Fix OOB memory access in av1_decode_frame_from_obus()
BUG=aomedia:1720
Change-Id: Iab6931f1aff229f007569150c2f14a3ce5301f16
diff --git a/av1/decoder/obu.c b/av1/decoder/obu.c
index 156bd26..d558e8a 100644
--- a/av1/decoder/obu.c
+++ b/av1/decoder/obu.c
@@ -413,6 +413,10 @@
}
if (!cm->is_annexb) {
+ if (data_end < data + obu_header.size) {
+ cm->error.error_code = AOM_CODEC_CORRUPT_FRAME;
+ return;
+ }
if (read_obu_size(data + obu_header.size,
bytes_available - obu_header.size, &payload_size,
&length_field_size) != AOM_CODEC_OK) {
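Review bot: The added guard `data_end < data + obu_header.size` forms the pointer before testing it, so when the size exceeds the remaining buffer, `data + size` already points past the allocation; that is undefined behaviour and can wrap on a 32-bit target, letting the check pass. Comparing lengths avoids the pointer arithmetic: `if ((size_t)(data_end - data) < obu_header.size) {` (assuming `data <= data_end` holds here). The two later hunks use the same form with `payload_size`, which appears to come from the bitstream via read_obu_size(), so the wrap matters more there; they would become `if ((size_t)(data_end - data) < payload_size) {`. The call below still passes `bytes_available - obu_header.size`, and since this hunk does not show that `bytes_available` equals `data_end - data`, it is worth confirming the subtraction cannot underflow. The enclosing function starts and ends outside this hunk.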
@@ -501,6 +505,10 @@
decoded_payload_size = payload_size;
break;
}
+ if (data_end < data + payload_size) {
+ cm->error.error_code = AOM_CODEC_CORRUPT_FRAME;
+ return;
+ }
decoded_payload_size = read_metadata(data, payload_size);
break;
case OBU_PADDING:
@@ -516,6 +524,11 @@
return;
}
+ if (data_end < data + payload_size) {
+ cm->error.error_code = AOM_CODEC_CORRUPT_FRAME;
+ return;
+ }
+
// If there are extra padding bytes, they should all be zero
while (decoded_payload_size < payload_size) {
uint8_t padding_byte = data[decoded_payload_size++];
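Review bot: This bounds check sits after the switch, so it protects only the padding loop and `data += payload_size`. Any case handler that already consumed `payload_size` bytes ran before it; the metadata case gets its own copy in the previous hunk, but whether the other handlers bound their reads is not visible here. A single check placed right after `payload_size` is read, before the switch, would cover every OBU type and replace both copies of the error block. If the per-case placement is deliberate, a comment such as `// payload_size is validated here because only the padding scan below reads data directly` would record why.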
@@ -526,9 +539,5 @@
}
data += payload_size;
- if (data_end < data) {
- cm->error.error_code = AOM_CODEC_CORRUPT_FRAME;
- return;
- }
}
}