Bug 604992 - Improve handling of invalid frames. Mirrors upstream commit 0c60dba6. r=cpearce a=blocking2.0

media/libvpx/frame_buf_ref.patch

@@ -0,0 +1,113 @@
+diff --git a/media/libvpx/vp8/decoder/decodframe.c b/media/libvpx/vp8/decoder/decodframe.c
+--- a/media/libvpx/vp8/decoder/decodframe.c
++++ b/media/libvpx/vp8/decoder/decodframe.c
+@@ -462,17 +462,17 @@ static void setup_token_decoder(VP8D_COM
+         {
+             partition_size = read_partition_size(partition_size_ptr);
+         }
+         else
+         {
+             partition_size = user_data_end - partition;
+         }
+ 
+-        if (partition + partition_size > user_data_end)
++        if (user_data_end - partition < partition_size)
+             vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
+                                "Truncated packet or corrupt partition "
+                                "%d length", i + 1);
+ 
+         if (vp8dx_start_decode(bool_decoder, IF_RTCD(&pbi->dboolhuff),
+                                partition, partition_size))
+             vpx_internal_error(&pc->error, VPX_CODEC_MEM_ERROR,
+                                "Failed to allocate bool decoder %d", i + 1);
+@@ -564,30 +564,33 @@ static void init_frame(VP8D_COMP *pbi)
+ 
+ int vp8_decode_frame(VP8D_COMP *pbi)
+ {
+     vp8_reader *const bc = & pbi->bc;
+     VP8_COMMON *const pc = & pbi->common;
+     MACROBLOCKD *const xd  = & pbi->mb;
+     const unsigned char *data = (const unsigned char *)pbi->Source;
+     const unsigned char *const data_end = data + pbi->source_sz;
+-    int first_partition_length_in_bytes;
++    unsigned int first_partition_length_in_bytes;
+ 
+     int mb_row;
+     int i, j, k, l;
+     const int *const mb_feature_data_bits = vp8_mb_feature_data_bits;
+ 
++    if (data_end - data < 3)
++        vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
++                           "Truncated packet");
+     pc->frame_type = (FRAME_TYPE)(data[0] & 1);
+     pc->version = (data[0] >> 1) & 7;
+     pc->show_frame = (data[0] >> 4) & 1;
+     first_partition_length_in_bytes =
+         (data[0] | (data[1] << 8) | (data[2] << 16)) >> 5;
+     data += 3;
+ 
+-    if (data + first_partition_length_in_bytes > data_end)
++    if (data_end - data < first_partition_length_in_bytes)
+         vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
+                            "Truncated packet or corrupt partition 0 length");
+     vp8_setup_version(pc);
+ 
+     if (pc->frame_type == KEY_FRAME)
+     {
+         const int Width = pc->Width;
+         const int Height = pc->Height;
+diff --git a/media/libvpx/vp8/decoder/onyxd_if.c b/media/libvpx/vp8/decoder/onyxd_if.c
+--- a/media/libvpx/vp8/decoder/onyxd_if.c
++++ b/media/libvpx/vp8/decoder/onyxd_if.c
+@@ -318,45 +318,49 @@ int vp8dx_receive_compressed_data(VP8D_P
+ 
+     if (ptr == 0)
+     {
+         return -1;
+     }
+ 
+     pbi->common.error.error_code = VPX_CODEC_OK;
+ 
++    cm->new_fb_idx = get_free_fb (cm);
++
+     if (setjmp(pbi->common.error.jmp))
+     {
+         pbi->common.error.setjmp = 0;
++        if (cm->fb_idx_ref_cnt[cm->new_fb_idx] > 0)
++          cm->fb_idx_ref_cnt[cm->new_fb_idx]--;
+         return -1;
+     }
+ 
+     pbi->common.error.setjmp = 1;
+ 
+ #if HAVE_ARMV7
+     vp8_push_neon(dx_store_reg);
+ #endif
+ 
+     vpx_usec_timer_start(&timer);
+ 
+     //cm->current_video_frame++;
+     pbi->Source = source;
+     pbi->source_sz = size;
+ 
+-    cm->new_fb_idx = get_free_fb (cm);
+-
+     retcode = vp8_decode_frame(pbi);
+ 
+     if (retcode < 0)
+     {
+ #if HAVE_ARMV7
+         vp8_pop_neon(dx_store_reg);
+ #endif
+         pbi->common.error.error_code = VPX_CODEC_ERROR;
+         pbi->common.error.setjmp = 0;
++        if (cm->fb_idx_ref_cnt[cm->new_fb_idx] > 0)
++          cm->fb_idx_ref_cnt[cm->new_fb_idx]--;
+         return retcode;
+     }
+ 
+     if (pbi->b_multithreaded_lf && pbi->common.filter_level != 0)
+         vp8_stop_lfthread(pbi);
+ 
+     if (swap_frame_buffers (cm))
+     {

media/libvpx/update.sh

@@ -248,3 +248,6 @@ patch -p3 < reduce-warnings-1.patch
 patch -p3 < subpixel-qword.patch
 # Patch to compile with Sun Studio on Solaris
 patch -p3 < solaris.patch
+# Patch to fix frame buffer reference counting and parition length overflow
+#  checks.
+patch -p3 < frame_buf_ref.patch

media/libvpx/vp8/decoder/decodframe.c

@@ -467,7 +467,7 @@ static void setup_token_decoder(VP8D_COMP *pbi,
             partition_size = user_data_end - partition;
         }
 
-        if (partition + partition_size > user_data_end)
+        if (user_data_end - partition < partition_size)
             vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
                                "Truncated packet or corrupt partition "
                                "%d length", i + 1);
@@ -569,12 +569,15 @@ int vp8_decode_frame(VP8D_COMP *pbi)
     MACROBLOCKD *const xd  = & pbi->mb;
     const unsigned char *data = (const unsigned char *)pbi->Source;
     const unsigned char *const data_end = data + pbi->source_sz;
-    int first_partition_length_in_bytes;
+    unsigned int first_partition_length_in_bytes;
 
     int mb_row;
     int i, j, k, l;
     const int *const mb_feature_data_bits = vp8_mb_feature_data_bits;
 
+    if (data_end - data < 3)
+        vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
+                           "Truncated packet");
     pc->frame_type = (FRAME_TYPE)(data[0] & 1);
     pc->version = (data[0] >> 1) & 7;
     pc->show_frame = (data[0] >> 4) & 1;
@@ -582,7 +585,7 @@ int vp8_decode_frame(VP8D_COMP *pbi)
         (data[0] | (data[1] << 8) | (data[2] << 16)) >> 5;
     data += 3;
 
-    if (data + first_partition_length_in_bytes > data_end)
+    if (data_end - data < first_partition_length_in_bytes)
         vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
                            "Truncated packet or corrupt partition 0 length");
     vp8_setup_version(pc);

media/libvpx/vp8/decoder/onyxd_if.c

@@ -323,9 +323,13 @@ int vp8dx_receive_compressed_data(VP8D_PTR ptr, unsigned long size, const unsign
 
     pbi->common.error.error_code = VPX_CODEC_OK;
 
+    cm->new_fb_idx = get_free_fb (cm);
+
     if (setjmp(pbi->common.error.jmp))
     {
         pbi->common.error.setjmp = 0;
+        if (cm->fb_idx_ref_cnt[cm->new_fb_idx] > 0)
+          cm->fb_idx_ref_cnt[cm->new_fb_idx]--;
         return -1;
     }
 
@@ -341,8 +345,6 @@ int vp8dx_receive_compressed_data(VP8D_PTR ptr, unsigned long size, const unsign
     pbi->Source = source;
     pbi->source_sz = size;
 
-    cm->new_fb_idx = get_free_fb (cm);
-
     retcode = vp8_decode_frame(pbi);
 
     if (retcode < 0)
@@ -352,6 +354,8 @@ int vp8dx_receive_compressed_data(VP8D_PTR ptr, unsigned long size, const unsign
 #endif
         pbi->common.error.error_code = VPX_CODEC_ERROR;
         pbi->common.error.setjmp = 0;
+        if (cm->fb_idx_ref_cnt[cm->new_fb_idx] > 0)
+          cm->fb_idx_ref_cnt[cm->new_fb_idx]--;
         return retcode;
     }