From dec4405cfa2a940fa24972fa1def50d8e02b7cb2 Mon Sep 17 00:00:00 2001
From: "Ronald S. Bultje"
Date: Tue, 20 Oct 2015 12:13:03 -0400
Subject: [PATCH] vp10: disallow coding zero-sized tiles-in-frame/frames-in-superframe.
See issue 1088.
Change-Id: Icb15d33b4e316add848f210b50cbccd7c7847207
---
 vp10/decoder/decodeframe.c | 4 ++--
 vp10/decoder/decoder.c | 1 +
 vp10/encoder/bitstream.c | 8 ++++++--
 vp10/vp10_cx_iface.c | 6 ++++--
 4 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/vp10/decoder/decodeframe.c b/vp10/decoder/decodeframe.c
index c3ab3d2bc..fa28e7cf7 100644
--- a/vp10/decoder/decodeframe.c
+++ b/vp10/decoder/decodeframe.c
@@ -1448,9 +1448,9 @@ static void get_tile_buffer(const uint8_t *const data_end,
 if (decrypt_cb) {
 uint8_t be_data[4];
 decrypt_cb(decrypt_state, *data, be_data, tile_sz_mag + 1);
- size = mem_get_varsize(be_data, tile_sz_mag);
+ size = mem_get_varsize(be_data, tile_sz_mag) + CONFIG_MISC_FIXES;
 } else {
- size = mem_get_varsize(*data, tile_sz_mag);
+ size = mem_get_varsize(*data, tile_sz_mag) + CONFIG_MISC_FIXES;
 }
 *data += tile_sz_mag + 1;
diff --git a/vp10/decoder/decoder.c b/vp10/decoder/decoder.c
index 03a81f5d2..d8864d22e 100644
--- a/vp10/decoder/decoder.c
+++ b/vp10/decoder/decoder.c
@@ -506,6 +506,7 @@ vpx_codec_err_t vp10_parse_superframe_index(const uint8_t *data,
 for (j = 0; j < mag; ++j) this_sz |= (*x++) << (j * 8);
+ this_sz += CONFIG_MISC_FIXES;
 sizes[i] = this_sz;
 #if CONFIG_MISC_FIXES
 frame_sz_sum += this_sz;
diff --git a/vp10/encoder/bitstream.c b/vp10/encoder/bitstream.c
index adc05cce2..2c986fd8c 100644
--- a/vp10/encoder/bitstream.c
+++ b/vp10/encoder/bitstream.c
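Review bot: The `+ CONFIG_MISC_FIXES` bias in get_tile_buffer is applied to the decoded length without a wrap check, so a size field at its maximum value could wrap to zero if `size` or the return value of mem_get_varsize is only 32 bits wide (neither declaration is visible in this hunk). That would bring back the zero-sized tile this commit sets out to exclude, and the value comes straight from untrusted bitstream data. The same applies to `this_sz += CONFIG_MISC_FIXES;` in the vp10_parse_superframe_index hunk of vp10/decoder/decoder.c, where the wrapped value would also be added to frame_sz_sum. Treating a biased result of zero as a corrupt stream in both places would close the gap; both functions continue outside their hunks, so any later bounds check is not visible here.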
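Review bot: The added `this_sz += CONFIG_MISC_FIXES;` in vp10_parse_superframe_index is undocumented and uses the config macro as a 0/1 arithmetic constant, while the statement two lines below it is gated with `#if CONFIG_MISC_FIXES`. Nothing at this site tells a reader that the superframe index now stores each frame size minus one, which is the fact the decoder and the encoder must agree on. I would add a comment above the new line such as `// Sizes are coded minus one when CONFIG_MISC_FIXES is set, so a zero-sized frame cannot be signalled.` The function body starts and ends outside the hunk.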
@@ -1117,9 +1117,13 @@ static size_t encode_tiles(VP10_COMP *cpi, uint8_t *data_ptr,
 assert(tok == tok_end);
 vpx_stop_encode(&residual_bc);
 if (tile_col < tile_cols - 1 || tile_row < tile_rows - 1) {
+ unsigned int tile_sz;
+
 // size of this tile
- mem_put_le32(data_ptr + total_size, residual_bc.pos);
- max_tile = max_tile > residual_bc.pos ? max_tile : residual_bc.pos;
+ assert(residual_bc.pos > 0);
+ tile_sz = residual_bc.pos - CONFIG_MISC_FIXES;
+ mem_put_le32(data_ptr + total_size, tile_sz);
+ max_tile = max_tile > tile_sz ? max_tile : tile_sz;
 total_size += 4;
 }
diff --git a/vp10/vp10_cx_iface.c b/vp10/vp10_cx_iface.c
index 6227708c4..21c9c0355 100644
--- a/vp10/vp10_cx_iface.c
+++ b/vp10/vp10_cx_iface.c
@@ -795,7 +795,7 @@ static int write_superframe_index(vpx_codec_alg_priv_t *ctx) {
 marker |= ctx->pending_frame_count - 1;
 #if CONFIG_MISC_FIXES
 for (i = 0; i < ctx->pending_frame_count - 1; i++) {
- const size_t frame_sz = (unsigned int) ctx->pending_frame_sizes[i];
+ const size_t frame_sz = (unsigned int) ctx->pending_frame_sizes[i] - 1;
 max_frame_sz = frame_sz > max_frame_sz ? frame_sz : max_frame_sz;
 }
 #endif
@@ -836,8 +836,10 @@ static int write_superframe_index(vpx_codec_alg_priv_t *ctx) {
 *x++ = marker;
 for (i = 0; i < ctx->pending_frame_count - CONFIG_MISC_FIXES; i++) {
- unsigned int this_sz = (unsigned int)ctx->pending_frame_sizes[i];
+ unsigned int this_sz;
+ assert(ctx->pending_frame_sizes[i] > 0);
+ this_sz = (unsigned int)ctx->pending_frame_sizes[i] - CONFIG_MISC_FIXES;
 for (j = 0; j <= mag; j++) {
 *x++ = this_sz & 0xff;
 this_sz >>= 8;
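Review bot: The only guard in front of `tile_sz = residual_bc.pos - CONFIG_MISC_FIXES;` in encode_tiles is `assert(residual_bc.pos > 0);`, which is compiled out when NDEBUG is defined. In such a build a zero `pos` would wrap (assuming `pos` is unsigned, as `unsigned int tile_sz` suggests), and the wrapped value would be written by mem_put_le32 as the tile size and would also become max_tile. The same assert-only guard precedes `this_sz = (unsigned int)ctx->pending_frame_sizes[i] - CONFIG_MISC_FIXES;` in the second write_superframe_index hunk of vp10/vp10_cx_iface.c. If an empty tile or frame is reachable at all, a runtime check that fails the encode would be safer than an assert; if it is not reachable, a comment stating why would justify the assert. encode_tiles starts and ends outside the hunk.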
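Review bot: In the first write_superframe_index hunk, `(unsigned int) ctx->pending_frame_sizes[i] - 1` subtracts with no preceding check at all, since the new assert on pending_frame_sizes[i] is only added in the later loop. The cast binds before the subtraction, so a zero entry wraps to UINT_MAX and becomes max_frame_sz, which presumably drives the magnitude chosen for the index (that code is outside the hunk). I would add `assert(ctx->pending_frame_sizes[i] > 0);` as the first statement of this loop as well, or reject zero-sized frames where they are queued. The literal `- 1` is correct inside the `#if`, though the rest of the commit spells the same bias `- CONFIG_MISC_FIXES`.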