shithub: libvpx


ref: 94a65e8fbaa3e50b686147b4dd75c79c2154c2d6
parent: c934d9d65c95c6cc783e20b3289af4608213d03a
author: Wan-Teh Chang <[email protected]>
date: Tue Jul 24 08:14:54 EDT 2018

Check size limit in vpx_realloc_frame_buffer.

If CONFIG_SIZE_LIMIT is defined, vpx_realloc_frame_buffer should fail if
width or height is too big.

This carries over commit ebc2714d71a834fc32a19eef0a81f51fbc47db01 of
libaom: https://aomedia-review.googlesource.com/c/aom/+/65521

Change-Id: Id7645c5cefbe1847714695d41f506ff30ea985f6

--- a/vpx_scale/generic/yv12config.c
+++ b/vpx_scale/generic/yv12config.c
@@ -143,6 +143,10 @@
                              vpx_codec_frame_buffer_t *fb,
                              vpx_get_frame_buffer_cb_fn_t cb, void *cb_priv) {
   if (ybf) {
+#if CONFIG_SIZE_LIMIT
+    if (width > DECODE_WIDTH_LIMIT || height > DECODE_HEIGHT_LIMIT) return -1;
+#endif
+
     const int vp9_byte_align = (byte_alignment == 0) ? 1 : byte_alignment;
     const int aligned_width = (width + 7) & ~7;
     const int aligned_height = (height + 7) & ~7;
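Review bot: The new guard bounds width and height only from above, so a zero or negative dimension still reaches `(width + 7) & ~7` on the lines below it. The signature of vpx_realloc_frame_buffer starts outside the hunk, so the signedness of the parameters is inferred from the `const int aligned_width` context lines; if they are plain `int` and no caller relies on non-positive sizes, the check could read `if (width <= 0 || height <= 0 || width > DECODE_WIDTH_LIMIT || height > DECODE_HEIGHT_LIMIT) return -1;`. When CONFIG_SIZE_LIMIT is enabled, the `if` statement also sits ahead of the `const int` declarations in the same block, which is a declaration-after-statement for any C89 or `-Wdeclaration-after-statement` build; moving the guard below the declarations avoids that without changing the result. A short comment such as `/* Reject oversized frames before any size arithmetic; builds without CONFIG_SIZE_LIMIT rely on the later allocation-size checks. */` would make clear that the protection is compile-time optional.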