Check data_sz before skipping a temporal delimiter. decoder_peek_si_internal should verify data_sz is at least bytes_read + payload_size before subtracting that many bytes from data_sz. The aom_read_obu_header_and_size() call only guarantees that data_sz >= bytes_read. This bug was introduced in https://aomedia-review.googlesource.com/c/aom/+/56004 BUG=aomedia:1814 Change-Id: I2b775e2fb7551a3de163461f21ade6b664f08127

commit: be66804ea05e060a4e550b617c42e7a470649283 [log] [tgz]
author: Wan-Teh Chang <wtc@google.com> Tue Apr 24 11:58:21 2018 -0700
committer: Wan-Teh Chang <wtc@google.com> Wed Apr 25 14:26:42 2018 -0700
tree: 99eded992e32b326ef20df5e9fa2ab9aca7afa61
parent: 5ab25aa7711eeeda3a3d1bc76231abeb611ccf39 [diff]
diff --git a/av1/av1_dx_iface.c b/av1/av1_dx_iface.c
index febb658..e24629c 100644
--- a/av1/av1_dx_iface.c
+++ b/av1/av1_dx_iface.c

@@ -219,6 +219,7 @@
   // OBU in the bitstream
   if (obu_header.type == OBU_TEMPORAL_DELIMITER) {
     // Skip any associated payload (there shouldn't be one, but just in case)
+    if (data_sz < bytes_read + payload_size) return AOM_CODEC_CORRUPT_FRAME;
     data += bytes_read + payload_size;
     data_sz -= bytes_read + payload_size;
commit	be66804ea05e060a4e550b617c42e7a470649283	[log] [tgz]
author	Wan-Teh Chang <wtc@google.com>	Tue Apr 24 11:58:21 2018 -0700
committer	Wan-Teh Chang <wtc@google.com>	Wed Apr 25 14:26:42 2018 -0700
tree	99eded992e32b326ef20df5e9fa2ab9aca7afa61
parent	5ab25aa7711eeeda3a3d1bc76231abeb611ccf39 [diff]