vp9: check tile column count
the max is 6. there are assumptions throughout the decode regarding
this; fixes a crash with a fuzzed bitstream
$ zzuf -s 5861 -r 0.01:0.05 -b 6- \
< vp90-2-00-quantizer-00.webm.ivf \
| dd of=invalid-vp90-2-00-quantizer-00.webm.ivf.s5861_r01-05_b6-.ivf \
bs=1 count=81883
Change-Id: I6af41bb34252e88bc156a4c27c80d505d45f5642
This commit is contained in:
James Zern
Родитель
5e7242dfda
Коммит
b2b07755e0
|
|
@ -95,7 +95,8 @@ TEST_P(InvalidFileTest, ReturnCode) {
|
||||||
|
|
||||||
const char *const kVP9InvalidFileTests[] = {
|
const char *const kVP9InvalidFileTests[] = {
|
||||||
"invalid-vp90-01.webm",
|
"invalid-vp90-01.webm",
|
||||||
"invalid-vp90-02.webm"
|
"invalid-vp90-02.webm",
|
||||||
|
"invalid-vp90-2-00-quantizer-00.webm.ivf.s5861_r01-05_b6-.ivf",
|
||||||
};
|
};
|
||||||
|
|
||||||
#define NELEMENTS(x) static_cast<int>(sizeof(x) / sizeof(x[0]))
|
#define NELEMENTS(x) static_cast<int>(sizeof(x) / sizeof(x[0]))
|
||||||
|
|
|
||||||
|
|
@ -644,3 +644,5 @@ e615575ded499ea1d992f3b38e3baa434509cdcd vp90-2-15-segkey.webm
|
||||||
e3ab35d4316c5e81325c50f5236ceca4bc0d35df vp90-2-15-segkey.webm.md5
|
e3ab35d4316c5e81325c50f5236ceca4bc0d35df vp90-2-15-segkey.webm.md5
|
||||||
9b7ca2cac09d34c4a5d296c1900f93b1e2f69d0d vp90-2-15-segkey_adpq.webm
|
9b7ca2cac09d34c4a5d296c1900f93b1e2f69d0d vp90-2-15-segkey_adpq.webm
|
||||||
8f46ba5f785d0c2170591a153e0d0d146a7c8090 vp90-2-15-segkey_adpq.webm.md5
|
8f46ba5f785d0c2170591a153e0d0d146a7c8090 vp90-2-15-segkey_adpq.webm.md5
|
||||||
|
76024eb753cdac6a5e5703aaea189d35c3c30ac7 invalid-vp90-2-00-quantizer-00.webm.ivf.s5861_r01-05_b6-.ivf
|
||||||
|
d3964f9dad9f60363c81b688324d95b4ec7c8038 invalid-vp90-2-00-quantizer-00.webm.ivf.s5861_r01-05_b6-.ivf.res
|
||||||
|
|
|
||||||
|
|
@ -766,6 +766,8 @@ LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-01.webm
|
||||||
LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-01.webm.res
|
LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-01.webm.res
|
||||||
LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-02.webm
|
LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-02.webm
|
||||||
LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-02.webm.res
|
LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-02.webm.res
|
||||||
|
LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-2-00-quantizer-00.webm.ivf.s5861_r01-05_b6-.ivf
|
||||||
|
LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-2-00-quantizer-00.webm.ivf.s5861_r01-05_b6-.ivf.res
|
||||||
|
|
||||||
ifeq ($(CONFIG_DECODE_PERF_TESTS),yes)
|
ifeq ($(CONFIG_DECODE_PERF_TESTS),yes)
|
||||||
# BBB VP9 streams
|
# BBB VP9 streams
|
||||||
|
|
|
||||||
|
|
@ -685,6 +685,10 @@ static void setup_tile_info(VP9_COMMON *cm, struct vp9_read_bit_buffer *rb) {
|
||||||
while (max_ones-- && vp9_rb_read_bit(rb))
|
while (max_ones-- && vp9_rb_read_bit(rb))
|
||||||
cm->log2_tile_cols++;
|
cm->log2_tile_cols++;
|
||||||
|
|
||||||
|
if (cm->log2_tile_cols > 6)
|
||||||
|
vpx_internal_error(&cm->error, VPX_CODEC_CORRUPT_FRAME,
|
||||||
|
"Invalid number of tile columns");
|
||||||
|
|
||||||
// rows
|
// rows
|
||||||
cm->log2_tile_rows = vp9_rb_read_bit(rb);
|
cm->log2_tile_rows = vp9_rb_read_bit(rb);
|
||||||
if (cm->log2_tile_rows)
|
if (cm->log2_tile_rows)
|
||||||
|
|
|
||||||
Загрузка…
Ссылка в новой задаче