Return failure on bad bounds instead of crashing

Fixed: 1090966 Change-Id: I31b89f55341b364ae4a299f56abba3c996246441 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2228051Reviewed-by: Dale Curtis <dalecurtis@chromium.org> Commit-Queue: Dale Curtis <dalecurtis@chromium.org> Cr-Commit-Position: refs/heads/master@{#774857}

Return failure on bad bounds instead of crashing
Fixed: 1090966 Change-Id: I31b89f55341b364ae4a299f56abba3c996246441 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2228051Reviewed-by: Dale Curtis <dalecurtis@chromium.org> Commit-Queue: Dale Curtis <dalecurtis@chromium.org> Cr-Commit-Position: refs/heads/master@{#774857}
154d61f9 · Ted Meyer · Commit Bot · 0291eb3a · 154d61f9
Commit 154d61f9 authored Jun 03, 2020 by Ted Meyer Committed by Commit Bot Jun 03, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

media/gpu/h264_decoder.cc media/gpu/h264_decoder.cc +7 -0

No files found.
--- a/media/gpu/h264_decoder.cc
+++ b/media/gpu/h264_decoder.cc
@@ -567,6 +567,13 @@ bool H264Decoder::ModifyReferencePicList(const H264SliceHeader* slice_hdr,
          DVLOG(1) << "Malformed stream, no pic num " << pic_num_lx;
          return false;
        }
+
+        if (ref_idx_lx > num_ref_idx_lX_active_minus1) {
+          DVLOG(1) << "Bounds mismatch: expected " << ref_idx_lx
+                   << " <= " << num_ref_idx_lX_active_minus1;
+          return false;
+        }
+
        ShiftRightAndInsert(ref_pic_listx, ref_idx_lx,
                            num_ref_idx_lX_active_minus1, pic);
        ref_idx_lx++;