shithub: dav1d


ref: f72b1fea02011dcdc36304b4206b9f9c91726c31
parent: 7b454ebb7990c7a54d33b954326af66f7e868548
author: James Almer <[email protected]>
date: Fri Dec 7 12:04:16 EST 2018

annexb: ensure that OBU size <= frame size <= TU size

--- a/tools/input/annexb.c
+++ b/tools/input/annexb.c
@@ -97,11 +97,11 @@
     }
     if (!c->frame_unit_size) {
         res = leb128(c, &c->frame_unit_size);
-        if (res < 0) return -1;
+        if (res < 0 || (c->frame_unit_size + res) > c->temporal_unit_size) return -1;
         c->temporal_unit_size -= res;
     }
     res = leb128(c, &len);
-    if (res < 0) return -1;
+    if (res < 0 || (len + res) > c->frame_unit_size) return -1;
     uint8_t *ptr = dav1d_data_create(data, len);
     if (!ptr) return -1;
     c->temporal_unit_size -= len + res;
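Review bot: Both added guards add before they compare, so `c->frame_unit_size + res` and `len + res` can wrap when a size read from the input file is close to the type's maximum, and the wrapped sum then passes the check that was meant to reject it. The declarations of `len` and the two size fields, and the range leb128() can return, are outside the hunk, so whether such a value is reachable needs confirming. Comparing by subtraction avoids the wrap: `if (res < 0 || res > c->temporal_unit_size || c->frame_unit_size > c->temporal_unit_size - res) return -1;` and likewise `if (res < 0 || res > c->frame_unit_size || len > c->frame_unit_size - res) return -1;`, with `res` cast to the fields' unsigned type to keep the comparison warning-free. The enclosing function begins and ends outside the hunk.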