Bug 604992 - Improve handling of invalid frames. Mirrors upstream commit 0c60dba6. r=cpearce a=blocking2.0

This commit is contained in:
Timothy B. Terriberry 2010-10-27 12:36:58 +13:00
parent 40d7f401ae
commit 1b3273dc6c
4 changed files with 128 additions and 5 deletions


@ -0,0 +1,113 @@
diff --git a/media/libvpx/vp8/decoder/decodframe.c b/media/libvpx/vp8/decoder/decodframe.c
--- a/media/libvpx/vp8/decoder/decodframe.c
+++ b/media/libvpx/vp8/decoder/decodframe.c
@@ -462,17 +462,17 @@ static void setup_token_decoder(VP8D_COM
{
partition_size = read_partition_size(partition_size_ptr);
}
else
{
partition_size = user_data_end - partition;
}
- if (partition + partition_size > user_data_end)
+ if (user_data_end - partition < partition_size)
vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
"Truncated packet or corrupt partition "
"%d length", i + 1);
if (vp8dx_start_decode(bool_decoder, IF_RTCD(&pbi->dboolhuff),
partition, partition_size))
vpx_internal_error(&pc->error, VPX_CODEC_MEM_ERROR,
"Failed to allocate bool decoder %d", i + 1);
@@ -564,30 +564,33 @@ static void init_frame(VP8D_COMP *pbi)
int vp8_decode_frame(VP8D_COMP *pbi)
{
vp8_reader *const bc = & pbi->bc;
VP8_COMMON *const pc = & pbi->common;
MACROBLOCKD *const xd = & pbi->mb;
const unsigned char *data = (const unsigned char *)pbi->Source;
const unsigned char *const data_end = data + pbi->source_sz;
- int first_partition_length_in_bytes;
+ unsigned int first_partition_length_in_bytes;
int mb_row;
int i, j, k, l;
const int *const mb_feature_data_bits = vp8_mb_feature_data_bits;
+ if (data_end - data < 3)
+ vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
+ "Truncated packet");
pc->frame_type = (FRAME_TYPE)(data[0] & 1);
pc->version = (data[0] >> 1) & 7;
pc->show_frame = (data[0] >> 4) & 1;
first_partition_length_in_bytes =
(data[0] | (data[1] << 8) | (data[2] << 16)) >> 5;
data += 3;
- if (data + first_partition_length_in_bytes > data_end)
+ if (data_end - data < first_partition_length_in_bytes)
vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
"Truncated packet or corrupt partition 0 length");
vp8_setup_version(pc);
if (pc->frame_type == KEY_FRAME)
{
const int Width = pc->Width;
const int Height = pc->Height;
diff --git a/media/libvpx/vp8/decoder/onyxd_if.c b/media/libvpx/vp8/decoder/onyxd_if.c
--- a/media/libvpx/vp8/decoder/onyxd_if.c
+++ b/media/libvpx/vp8/decoder/onyxd_if.c
@@ -318,45 +318,49 @@ int vp8dx_receive_compressed_data(VP8D_P
if (ptr == 0)
{
return -1;
}
pbi->common.error.error_code = VPX_CODEC_OK;
+ cm->new_fb_idx = get_free_fb (cm);
+
if (setjmp(pbi->common.error.jmp))
{
pbi->common.error.setjmp = 0;
+ if (cm->fb_idx_ref_cnt[cm->new_fb_idx] > 0)
+ cm->fb_idx_ref_cnt[cm->new_fb_idx]--;
return -1;
}
pbi->common.error.setjmp = 1;
#if HAVE_ARMV7
vp8_push_neon(dx_store_reg);
#endif
vpx_usec_timer_start(&timer);
//cm->current_video_frame++;
pbi->Source = source;
pbi->source_sz = size;
- cm->new_fb_idx = get_free_fb (cm);
-
retcode = vp8_decode_frame(pbi);
if (retcode < 0)
{
#if HAVE_ARMV7
vp8_pop_neon(dx_store_reg);
#endif
pbi->common.error.error_code = VPX_CODEC_ERROR;
pbi->common.error.setjmp = 0;
+ if (cm->fb_idx_ref_cnt[cm->new_fb_idx] > 0)
+ cm->fb_idx_ref_cnt[cm->new_fb_idx]--;
return retcode;
}
if (pbi->b_multithreaded_lf && pbi->common.filter_level != 0)
vp8_stop_lfthread(pbi);
if (swap_frame_buffers (cm))
{


@ -248,3 +248,6 @@ patch -p3 < reduce-warnings-1.patch
patch -p3 < subpixel-qword.patch
# Patch to compile with Sun Studio on Solaris
patch -p3 < solaris.patch
# Patch to fix frame buffer reference counting and parition length overflow
# checks.
patch -p3 < frame_buf_ref.patch
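Review bot: The comment introduced above the new patch line misspells "partition" as "parition"; suggest `# Patch to fix frame buffer reference counting and partition length overflow`. Since this script is the record of which local patches are layered on the vendored libvpx, it would also help to name the upstream change the patch mirrors (the commit message cites upstream 0c60dba6), so whoever next resyncs libvpx can tell when `frame_buf_ref.patch` has been absorbed and can be dropped.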


@ -467,7 +467,7 @@ static void setup_token_decoder(VP8D_COMP *pbi,
partition_size = user_data_end - partition;
}
if (partition + partition_size > user_data_end)
if (user_data_end - partition < partition_size)
vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
"Truncated packet or corrupt partition "
"%d length", i + 1);
@ -569,12 +569,15 @@ int vp8_decode_frame(VP8D_COMP *pbi)
MACROBLOCKD *const xd = & pbi->mb;
const unsigned char *data = (const unsigned char *)pbi->Source;
const unsigned char *const data_end = data + pbi->source_sz;
int first_partition_length_in_bytes;
unsigned int first_partition_length_in_bytes;
int mb_row;
int i, j, k, l;
const int *const mb_feature_data_bits = vp8_mb_feature_data_bits;
if (data_end - data < 3)
vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
"Truncated packet");
pc->frame_type = (FRAME_TYPE)(data[0] & 1);
pc->version = (data[0] >> 1) & 7;
pc->show_frame = (data[0] >> 4) & 1;
@ -582,7 +585,7 @@ int vp8_decode_frame(VP8D_COMP *pbi)
(data[0] | (data[1] << 8) | (data[2] << 16)) >> 5;
data += 3;
if (data + first_partition_length_in_bytes > data_end)
if (data_end - data < first_partition_length_in_bytes)
vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
"Truncated packet or corrupt partition 0 length");
vp8_setup_version(pc);
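Review bot: The rewritten bounds checks `if (user_data_end - partition < partition_size)` and `if (data_end - data < first_partition_length_in_bytes)` carry no comment saying why the pointer-sum form was dropped, and the reason — `partition + partition_size` can wrap or point outside the buffer, at which point the old pointer comparison is undefined and may be optimized away — is exactly what a later reader needs so as not to "simplify" it back; suggest `/* Compare lengths, not pointers: ptr + size may wrap or leave the buffer. */` on each. The new `data_end - data < 3` guard covers the three header bytes read immediately after it, but whether the key-frame branch that follows vp8_setup_version() bounds its own reads of the start code and dimensions is not visible in this section and is worth confirming. Likewise the 3-byte read performed by read_partition_size(partition_size_ptr) happens before the added check; nothing shown here establishes that partition_size_ptr itself lies within user_data_end, so a packet truncated inside the partition-size table may still be read past its end. Both setup_token_decoder and vp8_decode_frame start and end outside these hunks.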


@ -323,9 +323,13 @@ int vp8dx_receive_compressed_data(VP8D_PTR ptr, unsigned long size, const unsign
pbi->common.error.error_code = VPX_CODEC_OK;
cm->new_fb_idx = get_free_fb (cm);
if (setjmp(pbi->common.error.jmp))
{
pbi->common.error.setjmp = 0;
if (cm->fb_idx_ref_cnt[cm->new_fb_idx] > 0)
cm->fb_idx_ref_cnt[cm->new_fb_idx]--;
return -1;
}
@ -341,8 +345,6 @@ int vp8dx_receive_compressed_data(VP8D_PTR ptr, unsigned long size, const unsign
pbi->Source = source;
pbi->source_sz = size;
cm->new_fb_idx = get_free_fb (cm);
retcode = vp8_decode_frame(pbi);
if (retcode < 0)
@ -352,6 +354,8 @@ int vp8dx_receive_compressed_data(VP8D_PTR ptr, unsigned long size, const unsign
#endif
pbi->common.error.error_code = VPX_CODEC_ERROR;
pbi->common.error.setjmp = 0;
if (cm->fb_idx_ref_cnt[cm->new_fb_idx] > 0)
cm->fb_idx_ref_cnt[cm->new_fb_idx]--;
return retcode;
}
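Review bot: The reference release `if (cm->fb_idx_ref_cnt[cm->new_fb_idx] > 0) cm->fb_idx_ref_cnt[cm->new_fb_idx]--;` is now written out twice, once in the setjmp recovery branch and once in the `retcode < 0` branch, and a small static helper would keep the two error paths from drifting apart the next time one of them is touched. The `> 0` guard also silently tolerates a count that is already zero; if get_free_fb() always takes exactly one reference on the buffer it hands back — which is what moving the call ahead of setjmp() suggests — a zero count here is a bookkeeping error that deserves an assert rather than a skip, though get_free_fb() is not visible so this is inferred. Whether get_free_fb() can fail to find a free buffer, and what new_fb_idx holds in that case, is likewise not shown; both error paths index fb_idx_ref_cnt with it unconditionally. vp8dx_receive_compressed_data starts and ends outside this section.
```c
/* Drop the reference get_free_fb() took on new_fb_idx when a frame fails to decode. */
static void release_new_fb(VP8_COMMON *cm)
{
    if (cm->fb_idx_ref_cnt[cm->new_fb_idx] > 0)
        cm->fb_idx_ref_cnt[cm->new_fb_idx]--;
}

/* … unchanged: function head, get_free_fb() call … */
    if (setjmp(pbi->common.error.jmp))
    {
        pbi->common.error.setjmp = 0;
        release_new_fb(cm);
        return -1;
    }
/* … unchanged: NEON push, timer, vp8_decode_frame() call … */
        pbi->common.error.error_code = VPX_CODEC_ERROR;
        pbi->common.error.setjmp = 0;
        release_new_fb(cm);
        return retcode;
```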