Properly validate data size

With "show_existing_frame" frames:
  Minimum data size for profile 0 and 1 is 1 byte (8 bits)
  Minimum data size for profile 2 and 3 is 2 bytes (9 bits)
Otherwise:
  Minimum data size is 8 bytes.

This resolves the VP9 failure in fuzzing test build #56.

Change-Id: I146d9d37688f535dd68d24aacc76d464ccffdf04
diff --git a/vp9/vp9_dx_iface.c b/vp9/vp9_dx_iface.c index 43bf35f..b917787 100644 --- a/vp9/vp9_dx_iface.c +++ b/vp9/vp9_dx_iface.c
@@ -148,7 +148,11 @@ if (frame_marker != VP9_FRAME_MARKER) return VPX_CODEC_UNSUP_BITSTREAM; - if (profile >= MAX_PROFILES) return VPX_CODEC_UNSUP_BITSTREAM; + if (profile >= MAX_PROFILES) + return VPX_CODEC_UNSUP_BITSTREAM; + + if ((profile >= 2 && data_sz <= 1) || data_sz < 1) + return VPX_CODEC_UNSUP_BITSTREAM; if (vp9_rb_read_bit(&rb)) { // show an existing frame vp9_rb_read_literal(&rb, 3); // Frame buffer to show.
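Review bot: The new data_sz test sits below the frame_marker and profile comparisons, so by the time `data_sz < 1` is evaluated those header bits have already been taken from the bit reader. Unless a check outside this hunk already guarantees at least one byte, the zero-length case should be rejected before the first read from rb, and only the profile-dependent two-byte minimum needs to stay here. The condition would also read more directly as a single comparison against a per-profile minimum, for example `data_sz < (profile >= 2 ? 2 : 1)`, with a short comment saying that the extra byte covers the 9 header bits a show_existing_frame header needs for profiles 2 and 3. The commit message also describes an 8-byte minimum for all other frames; that check is not in this hunk, so please confirm it is enforced on the path that follows the `vp9_rb_read_bit(&rb)` branch.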