Commit dec4405c authored by Ronald S. Bultje's avatar Ronald S. Bultje
Browse files

vp10: disallow coding zero-sized tiles-in-frame/frames-in-superframe.

See issue 1088.

Change-Id: Icb15d33b4e316add848f210b50cbccd7c7847207
parent 9897e1c2
...@@ -1448,9 +1448,9 @@ static void get_tile_buffer(const uint8_t *const data_end, ...@@ -1448,9 +1448,9 @@ static void get_tile_buffer(const uint8_t *const data_end,
if (decrypt_cb) { if (decrypt_cb) {
uint8_t be_data[4]; uint8_t be_data[4];
decrypt_cb(decrypt_state, *data, be_data, tile_sz_mag + 1); decrypt_cb(decrypt_state, *data, be_data, tile_sz_mag + 1);
size = mem_get_varsize(be_data, tile_sz_mag); size = mem_get_varsize(be_data, tile_sz_mag) + CONFIG_MISC_FIXES;
} else { } else {
size = mem_get_varsize(*data, tile_sz_mag); size = mem_get_varsize(*data, tile_sz_mag) + CONFIG_MISC_FIXES;
} }
*data += tile_sz_mag + 1; *data += tile_sz_mag + 1;
......
...@@ -506,6 +506,7 @@ vpx_codec_err_t vp10_parse_superframe_index(const uint8_t *data, ...@@ -506,6 +506,7 @@ vpx_codec_err_t vp10_parse_superframe_index(const uint8_t *data,
for (j = 0; j < mag; ++j) for (j = 0; j < mag; ++j)
this_sz |= (*x++) << (j * 8); this_sz |= (*x++) << (j * 8);
this_sz += CONFIG_MISC_FIXES;
sizes[i] = this_sz; sizes[i] = this_sz;
#if CONFIG_MISC_FIXES #if CONFIG_MISC_FIXES
frame_sz_sum += this_sz; frame_sz_sum += this_sz;
......
...@@ -1117,9 +1117,13 @@ static size_t encode_tiles(VP10_COMP *cpi, uint8_t *data_ptr, ...@@ -1117,9 +1117,13 @@ static size_t encode_tiles(VP10_COMP *cpi, uint8_t *data_ptr,
assert(tok == tok_end); assert(tok == tok_end);
vpx_stop_encode(&residual_bc); vpx_stop_encode(&residual_bc);
if (tile_col < tile_cols - 1 || tile_row < tile_rows - 1) { if (tile_col < tile_cols - 1 || tile_row < tile_rows - 1) {
unsigned int tile_sz;
// size of this tile // size of this tile
mem_put_le32(data_ptr + total_size, residual_bc.pos); assert(residual_bc.pos > 0);
max_tile = max_tile > residual_bc.pos ? max_tile : residual_bc.pos; tile_sz = residual_bc.pos - CONFIG_MISC_FIXES;
mem_put_le32(data_ptr + total_size, tile_sz);
max_tile = max_tile > tile_sz ? max_tile : tile_sz;
total_size += 4; total_size += 4;
} }
......
...@@ -795,7 +795,7 @@ static int write_superframe_index(vpx_codec_alg_priv_t *ctx) { ...@@ -795,7 +795,7 @@ static int write_superframe_index(vpx_codec_alg_priv_t *ctx) {
marker |= ctx->pending_frame_count - 1; marker |= ctx->pending_frame_count - 1;
#if CONFIG_MISC_FIXES #if CONFIG_MISC_FIXES
for (i = 0; i < ctx->pending_frame_count - 1; i++) { for (i = 0; i < ctx->pending_frame_count - 1; i++) {
const size_t frame_sz = (unsigned int) ctx->pending_frame_sizes[i]; const size_t frame_sz = (unsigned int) ctx->pending_frame_sizes[i] - 1;
max_frame_sz = frame_sz > max_frame_sz ? frame_sz : max_frame_sz; max_frame_sz = frame_sz > max_frame_sz ? frame_sz : max_frame_sz;
} }
#endif #endif
...@@ -836,8 +836,10 @@ static int write_superframe_index(vpx_codec_alg_priv_t *ctx) { ...@@ -836,8 +836,10 @@ static int write_superframe_index(vpx_codec_alg_priv_t *ctx) {
*x++ = marker; *x++ = marker;
for (i = 0; i < ctx->pending_frame_count - CONFIG_MISC_FIXES; i++) { for (i = 0; i < ctx->pending_frame_count - CONFIG_MISC_FIXES; i++) {
unsigned int this_sz = (unsigned int)ctx->pending_frame_sizes[i]; unsigned int this_sz;
assert(ctx->pending_frame_sizes[i] > 0);
this_sz = (unsigned int)ctx->pending_frame_sizes[i] - CONFIG_MISC_FIXES;
for (j = 0; j <= mag; j++) { for (j = 0; j <= mag; j++) {
*x++ = this_sz & 0xff; *x++ = this_sz & 0xff;
this_sz >>= 8; this_sz >>= 8;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment