Commit cacfb8d2 authored by Janne Grunau

parse_obu: reset have_{seq,frame}_hdr on new OBU_{SEQ,FRAME}_HDR

Prevent decoding a frame with inconsistent sequence and frame headers.
Fix #124, #125. Fix negative size param in pixel_copy due to inconsistent
sb128 state between frame header (parsed with sb128 == 0) and sequence
header and frame decoding with sb128 == 1. Fix
clusterfuzz-testcase-minimized-dav1d_fuzzer-5707479116152832. Credits to
oss-fuzz.
parent ba789ebf
@@ -1043,17 +1043,19 @@ int dav1d_parse_obus(Dav1dContext *const c, Dav1dData *const in) {
switch (type) {
case OBU_SEQ_HDR:
c->have_seq_hdr = 0;
c->have_frame_hdr = 0;
if ((res = parse_seq_hdr(c, &gb)) < 0)
return res;
if ((unsigned)res != len) goto error;
c->have_seq_hdr = 1;
c->have_frame_hdr = 0;
break;
case OBU_REDUNDANT_FRAME_HDR:
if (c->have_frame_hdr) break;
// fall-through
case OBU_FRAME:
case OBU_FRAME_HDR:
c->have_frame_hdr = 0;
if (!c->have_seq_hdr) goto error;
if ((res = parse_frame_hdr(c, &gb, type != OBU_FRAME)) < 0)
return res;
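Review bot: the re-arming of the frame-header flag is outside the visible context of this hunk, so it is not possible to confirm from the diff alone that `c->have_frame_hdr` is set to 1 only after `parse_frame_hdr` succeeds and its consumed length is validated. In the OBU_SEQ_HDR case the hunk clears both flags before `parse_seq_hdr`, returns on a negative result, and only sets `c->have_seq_hdr = 1;` after `if ((unsigned)res != len) goto error;`; the OBU_FRAME / OBU_FRAME_HDR case should mirror that ordering, otherwise a frame header OBU that parses but has a length mismatch would still leave `have_frame_hdr` armed and a later frame could be decoded against the stale header, which is exactly the inconsistent-state class the commit message describes. Separately, if the line `c->have_frame_hdr = 0;` following `c->have_seq_hdr = 1;` survives this change, it is now redundant with the reset at the top of the OBU_SEQ_HDR case and can be dropped to keep the reset in one place.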