authorAndrew Kaster <akaster@serenityos.org>2022-10-12 22:37:48 -0600
committerLinus Groh <mail@linusgroh.de>2022-10-13 11:25:03 +0200
commitbf014c4d206074e2a4e2499c8b898325c0b8062f (patch)
tree15a8dd8e57ff50d582f1eaad1a87f37edec4e63d /Userland
parent9d3074f72f51d1ca95d244da72aca5eb0a8890bb (diff)
LibVideo: Check parsed superframe sizes when decoding VP9 frames
Make sure that the next parsed superframe size will not overflow the chunk data before splitting it out to decode a frame.
Diffstat (limited to 'Userland')
-rw-r--r--Userland/Libraries/LibVideo/VP9/Decoder.cpp6
1 files changed, 5 insertions, 1 deletions
diff --git a/Userland/Libraries/LibVideo/VP9/Decoder.cpp b/Userland/Libraries/LibVideo/VP9/Decoder.cpp
index a61bbaeead..41a2d47f88 100644
--- a/Userland/Libraries/LibVideo/VP9/Decoder.cpp
+++ b/Userland/Libraries/LibVideo/VP9/Decoder.cpp
@@ -29,9 +29,13 @@ DecoderErrorOr<void> Decoder::decode(Span<const u8> chunk_data)
size_t offset = 0;
for (auto superframe_size : superframe_sizes) {
+ auto checked_size = Checked<size_t>(superframe_size);
+ checked_size += offset;
+ if (checked_size.has_overflow() || checked_size.value() > chunk_data.size())
+ return DecoderError::with_description(DecoderErrorCategory::Corrupted, "Superframe size invalid"sv);
auto frame_data = chunk_data.slice(offset, superframe_size);
TRY(decode_frame(frame_data));
- offset += superframe_size;
+ offset = checked_size.value();
}
return {};
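Review bot: A `superframe_size` of zero still passes the new bounds check, so the loop hands `decode_frame` an empty `frame_data` span without advancing `offset`. Whether `decode_frame` tolerates an empty span is not visible here, because it is defined outside the hunk, as are the start and end of `Decoder::decode`. If an empty frame is never valid input at this point, the guard could reject it with the same error: `if (superframe_size == 0 || checked_size.has_overflow() || checked_size.value() > chunk_data.size())`. If empty frames are intentional, a short comment above the check, such as `// Sizes come from the untrusted superframe index; zero-length frames are allowed and handled by decode_frame().`, would record that decision. The diffstat lists only Decoder.cpp, so a regression test feeding a superframe index whose sizes exceed the chunk length would help keep this check from being dropped later.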