shithub: libvpx

Info  •  Files  •  Log  •  Branches

Merge "Fix out of boundary memory read in fuzz test on vpxdec"

--- a/test/test-data.sha1

+++ b/test/test-data.sha1

@@ -638,4 +638,5 @@

 e3ab35d4316c5e81325c50f5236ceca4bc0d35df  vp90-2-15-segkey.webm.md5

 9b7ca2cac09d34c4a5d296c1900f93b1e2f69d0d  vp90-2-15-segkey_adpq.webm

 8f46ba5f785d0c2170591a153e0d0d146a7c8090  vp90-2-15-segkey_adpq.webm.md5

-

+d78e2fceba5ac942246503ec8366f879c4775ca5  vp90-2-15-fuzz-flicker.webm

+bbd7dd15f43a703ff0a332fee4959e7b23bf77dc  vp90-2-15-fuzz-flicker.webm.md5

--- a/test/test.mk

+++ b/test/test.mk

@@ -754,6 +754,8 @@

 LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += vp90-2-15-segkey.webm.md5

 LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += vp90-2-15-segkey_adpq.webm

 LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += vp90-2-15-segkey_adpq.webm.md5

+LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += vp90-2-15-fuzz-flicker.webm

+LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += vp90-2-15-fuzz-flicker.webm.md5

 ifeq ($(CONFIG_DECODE_PERF_TESTS),yes)

 # BBB VP9 streams

--- a/test/test_vectors.cc

+++ b/test/test_vectors.cc

@@ -178,7 +178,8 @@

   "vp90-2-14-resize-fp-tiles-4-2.webm", "vp90-2-14-resize-fp-tiles-4-8.webm",

   "vp90-2-14-resize-fp-tiles-8-16.webm", "vp90-2-14-resize-fp-tiles-8-1.webm",

   "vp90-2-14-resize-fp-tiles-8-2.webm", "vp90-2-14-resize-fp-tiles-8-4.webm",

-  "vp90-2-15-segkey.webm", "vp90-2-15-segkey_adpq.webm"

+  "vp90-2-15-segkey.webm", "vp90-2-15-segkey_adpq.webm",

+  "vp90-2-15-fuzz-flicker.webm"

 };

 const int kNumVP9TestVectors = NELEMENTS(kVP9TestVectors);

 #endif  // CONFIG_VP9_DECODER

--- a/vp9/vp9_dx_iface.c

+++ b/vp9/vp9_dx_iface.c

@@ -321,31 +321,33 @@

     const uint32_t mag = ((marker >> 3) & 0x3) + 1;

     const size_t index_sz = 2 + mag * frames;

-    uint8_t marker2 = read_marker(decrypt_cb, decrypt_state,

-                                  data + data_sz - index_sz);

+    if (data_sz >= index_sz) {

+      uint8_t marker2 = read_marker(decrypt_cb, decrypt_state,

+                                    data + data_sz - index_sz);

-    if (data_sz >= index_sz && marker2 == marker) {

-      // found a valid superframe index

-      uint32_t i, j;

-      const uint8_t *x = &data[data_sz - index_sz + 1];

+      if (marker == marker2) {

+        // Found a valid superframe index.

+        uint32_t i, j;

+        const uint8_t *x = &data[data_sz - index_sz + 1];

-      // frames has a maximum of 8 and mag has a maximum of 4.

-      uint8_t clear_buffer[32];

-      assert(sizeof(clear_buffer) >= frames * mag);

-      if (decrypt_cb) {

-        decrypt_cb(decrypt_state, x, clear_buffer, frames * mag);

-        x = clear_buffer;

-      }

+        // Frames has a maximum of 8 and mag has a maximum of 4.

+        uint8_t clear_buffer[32];

+        assert(sizeof(clear_buffer) >= frames * mag);

+        if (decrypt_cb) {

+          decrypt_cb(decrypt_state, x, clear_buffer, frames * mag);

+          x = clear_buffer;

+        }

-      for (i = 0; i < frames; i++) {

-        uint32_t this_sz = 0;

+        for (i = 0; i < frames; ++i) {

+          uint32_t this_sz = 0;

-        for (j = 0; j < mag; j++)

-          this_sz |= (*x++) << (j * 8);

-        sizes[i] = this_sz;

-      }

+          for (j = 0; j < mag; ++j)

+            this_sz |= (*x++) << (j * 8);

+          sizes[i] = this_sz;

+        }

-      *count = frames;

+        *count = frames;

+      }

     }

   }

 }