ref: 5b67e1a2fcf03b6e9bdd088fe50b7bbf981804b4
parent: 43b10aff33d34a158a7a878469f1b5d479db7bb1
author: Janne Grunau <[email protected]>
date: Wed Oct 17 17:44:00 EDT 2018
parse obu_size/leb128 as unsigned 32-bit integer

Reject out of range values as errors and avoid undefined shifts. Fixes #67.
--- a/src/obu.c
+++ b/src/obu.c
@@ -997,23 +997,27 @@
}
// obu length field
- int len = 0, more, i = 0;
+ unsigned len = 0, more, i = 0;
do {
more = dav1d_get_bits(&gb, 1);
- len |= dav1d_get_bits(&gb, 7) << (i * 7);
+ unsigned bits = dav1d_get_bits(&gb, 7);
+ if (i <= 3 || (i == 4 && bits < (1 << 4)))
+ len |= bits << (i * 7);
+ else if (bits)
+ goto error;
if (more && ++i == 8) goto error;
} while (more);
if (gb.error) goto error;
- int off = dav1d_flush_get_bits(&gb) - in->data;
- const int init_off = off;
- if (len > (int)in->sz - off) goto error;
+ unsigned off = dav1d_flush_get_bits(&gb) - in->data;
+ const unsigned init_off = off;
+ if (len > in->sz - off) goto error;
switch (type) {
case OBU_SEQ_HDR:
if ((res = parse_seq_hdr(c, &gb)) < 0)
return res;
- if (res != len) goto error;
+ if ((unsigned)res != len) goto error;
c->have_seq_hdr = 1;
c->have_frame_hdr = 0;
break;
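Review bot: The bounds check `if (len > in->sz - off) goto error;` is now an unsigned subtraction, so it is only valid while `off <= in->sz`; if that ever fails, the difference wraps to a huge value and any `len` is accepted as in range. The only thing visible here that keeps `off` in range is the `if (gb.error) goto error;` just above, which presumably relies on the bit reader flagging over-reads (not shown in this hunk). I would make the invariant explicit with `if (off > in->sz || len > in->sz - off) goto error;`, or at least add a comment stating that the `gb.error` check guarantees it. The leb128 loop would also benefit from a comment on its constants, such as `// groups 0..3 give 28 bits, group 4 may add only 4 more; higher bits must be zero`. The enclosing function starts and ends outside the hunk.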
@@ -1063,7 +1067,7 @@
// ignore OBUs we don't care about
break;
default:
- fprintf(stderr, "Unknown OBU type %d of size %d\n", type, len);
+ fprintf(stderr, "Unknown OBU type %d of size %u\n", type, len);
return -EINVAL;
}