Diffstat (limited to 'gnu/packages/patches/libvpx-vp9-out-of-bounds-access.patch')
-rw-r--r--gnu/packages/patches/libvpx-vp9-out-of-bounds-access.patch35
1 files changed, 35 insertions, 0 deletions
diff --git a/gnu/packages/patches/libvpx-vp9-out-of-bounds-access.patch b/gnu/packages/patches/libvpx-vp9-out-of-bounds-access.patch
new file mode 100644
index 0000000000..6aec8aa2f0
--- /dev/null
+++ b/gnu/packages/patches/libvpx-vp9-out-of-bounds-access.patch
@@ -0,0 +1,35 @@
+Copied from Debian.
+
+# HG changeset patch
+# User Ralph Giles <giles@mozilla.com>
+# Date 1412209683 25200
+# Node ID 6023f0b4f8ba49dd117106cc98cd8007c2142bf6
+# Parent  8c431dcec0ffde13988d47eacf341113ea883245
+Bug 1063327 - Reject vp9 frames with invalid tiles. r=kinetik, a=abillings
+
+diff --git a/vp9/decoder/vp9_decodframe.c b/vp9/decoder/vp9_decodframe.c
+--- a/vp9/decoder/vp9_decodframe.c
++++ b/vp9/decoder/vp9_decodframe.c
+@@ -863,16 +863,21 @@ static size_t get_tile(const uint8_t *co
+ 
+   if (!is_last) {
+     if (!read_is_valid(*data, 4, data_end))
+       vpx_internal_error(error_info, VPX_CODEC_CORRUPT_FRAME,
+           "Truncated packet or corrupt tile length");
+ 
+     size = read_be32(*data);
+     *data += 4;
++
++    if (size > data_end - *data) {
++      vpx_internal_error(error_info, VPX_CODEC_CORRUPT_FRAME,
++          "Truncated packet or corrupt tile size");
++    }
+   } else {
+     size = data_end - *data;
+   }
+   return size;
+ }
+ 
+ typedef struct TileBuffer {
+   const uint8_t *data;
+
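Review bot: The added check `if (size > data_end - *data)` only protects the caller if `vpx_internal_error` never returns, and nothing in this hunk shows that it does not. If the helper can return in some configuration (for example when no jump target has been set up), the oversized `size` still reaches `return size;`, so I would clamp it on that path with `size = data_end - *data;` right after the error call. The comparison also mixes `size` (presumably `size_t`, given get_tile's return type) with a signed pointer difference; writing it as `size > (size_t)(data_end - *data)` makes the intended unsigned comparison explicit. The declaration of `size` and the start of get_tile lie outside the embedded hunk, so both points should be confirmed against the full function.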