Commit 13389e68 authored by Janne Grunau, committed by Jean-Baptiste Kempf

decode: verify inter frame size restrictions

Fixes a heap buffer overflow in
clusterfuzz-testcase-minimized-dav1d_fuzzer-5677513716531200. Credits to
oss-fuzz.
parent 7d3cebc4
......@@ -2775,7 +2775,10 @@ int dav1d_submit_frame(Dav1dContext *const c) {
}
for (int i = 0; i < 7; i++) {
const int refidx = f->frame_hdr.refidx[i];
if (!c->refs[refidx].p.p.data[0]) {
if (!c->refs[refidx].p.p.data[0] ||
f->frame_hdr.width != c->refs[refidx].p.p.p.w ||
f->frame_hdr.height != c->refs[refidx].p.p.p.h)
{
for (int j = 0; j < i; j++)
dav1d_thread_picture_unref(&f->refp[j]);
return -EINVAL;
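Review bot: the added width/height comparison against `c->refs[refidx].p.p.p.w` / `.h` rejects every reference whose stored picture size differs from `f->frame_hdr.width` / `.height`, which also covers references that AV1 allows to be presented at a different size (reference scaling); if scaled references are intentionally unsupported at this point, a short comment next to the two new `||` conditions saying so would make the intent clear, since the bare condition reads like a spec-mandated check rather than a decoder limitation. The failure path itself looks correct: only `f->refp[j]` for `j < i` have been acquired at that point, so unreffing exactly those before returning -EINVAL leaks nothing.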
......