ref: 94a65e8fbaa3e50b686147b4dd75c79c2154c2d6
parent: c934d9d65c95c6cc783e20b3289af4608213d03a
author: Wan-Teh Chang <[email protected]>
date: Tue Jul 24 08:14:54 EDT 2018
Check size limit in vpx_realloc_frame_buffer. If CONFIG_SIZE_LIMIT is defined, vpx_realloc_frame_buffer should fail if width or height is too big. This carries over commit ebc2714d71a834fc32a19eef0a81f51fbc47db01 of libaom: https://aomedia-review.googlesource.com/c/aom/+/65521 Change-Id: Id7645c5cefbe1847714695d41f506ff30ea985f6
--- a/vpx_scale/generic/yv12config.c
+++ b/vpx_scale/generic/yv12config.c
@@ -143,6 +143,10 @@
vpx_codec_frame_buffer_t *fb,
vpx_get_frame_buffer_cb_fn_t cb, void *cb_priv) {
if (ybf) {
+#if CONFIG_SIZE_LIMIT
+ if (width > DECODE_WIDTH_LIMIT || height > DECODE_HEIGHT_LIMIT) return -1;
+#endif
+
const int vp9_byte_align = (byte_alignment == 0) ? 1 : byte_alignment;
const int aligned_width = (width + 7) & ~7;
const int aligned_height = (height + 7) & ~7;