diff -uNrp libvpx-v1.3.0.orig/build/make/configure.sh libvpx-v1.3.0/build/make/configure.sh --- libvpx-v1.3.0.orig/build/make/configure.sh 2014-01-10 15:12:40.000000000 -0500 +++ libvpx-v1.3.0/build/make/configure.sh 2015-06-13 19:54:28.135278816 -0400 @@ -471,6 +471,7 @@ EOF print_config_h ARCH "${TMP_H}" ${ARCH_LIST} print_config_h HAVE "${TMP_H}" ${HAVE_LIST} print_config_h CONFIG "${TMP_H}" ${CONFIG_LIST} + print_config_vars_h "${TMP_H}" ${VAR_LIST} echo "#endif /* VPX_CONFIG_H */" >> ${TMP_H} mkdir -p `dirname "$1"` cmp "$1" ${TMP_H} >/dev/null 2>&1 || mv ${TMP_H} "$1" @@ -536,6 +537,15 @@ process_common_cmdline() { || die "Must be yasm, nasm or auto: ${optval}" alt_as="${optval}" ;; + --size-limit=*) + w="${optval%%x*}" + h="${optval##*x}" + VAR_LIST="DECODE_WIDTH_LIMIT ${w} DECODE_HEIGHT_LIMIT ${h}" + [ ${w} -gt 0 -a ${h} -gt 0 ] || die "Invalid size-limit: too small." + [ ${w} -lt 65536 -a ${h} -lt 65536 ] \ + || die "Invalid size-limit: too big." + enable_feature size_limit + ;; --prefix=*) prefix="${optval}" ;; @@ -1294,6 +1304,16 @@ print_config_h() { done } +print_config_vars_h() { + local header=$1 + shift + while [ $# -gt 0 ]; do + upname="`toupper $1`" + echo "#define ${upname} $2" >> $header + shift 2 + done +} + print_webm_license() { local destination=$1 local prefix="$2" diff -uNrp libvpx-v1.3.0.orig/configure libvpx-v1.3.0/configure --- libvpx-v1.3.0.orig/configure 2014-01-10 15:12:42.000000000 -0500 +++ libvpx-v1.3.0/configure 2015-06-13 19:57:50.434880696 -0400 @@ -25,6 +25,7 @@ Advanced options: ${toggle_docs} documentation ${toggle_unit_tests} unit tests --libc=PATH path to alternate libc + --size-limit=WxH max size to allow in the decoder --as={yasm|nasm|auto} use specified assembler [auto, yasm preferred] --sdk-path=PATH path to root of sdk (android builds only) ${toggle_fast_unaligned} don't use unaligned accesses, even when @@ -306,6 +307,7 @@ CONFIG_LIST=" temporal_denoising experimental decrypt + size_limit ${EXPERIMENT_LIST} " CMDLINE_SELECT=" @@ -331,6 +333,7 @@ CMDLINE_SELECT=" docs libc as + size_limit fast_unaligned codec_srcs debug_libs diff -uNrp libvpx-v1.3.0.orig/test/encode_test_driver.cc libvpx-v1.3.0/test/encode_test_driver.cc --- libvpx-v1.3.0.orig/test/encode_test_driver.cc 2014-01-10 15:12:40.000000000 -0500 +++ libvpx-v1.3.0/test/encode_test_driver.cc 2015-06-13 19:54:28.135278816 -0400 @@ -177,7 +177,10 @@ void EncoderTest::RunLoop(VideoSource *v if (decoder && DoDecode()) { vpx_codec_err_t res_dec = decoder->DecodeFrame( (const uint8_t*)pkt->data.frame.buf, pkt->data.frame.sz); - ASSERT_EQ(VPX_CODEC_OK, res_dec) << decoder->DecodeError(); + + if (!HandleDecodeResult(res_dec, *video, decoder)) + break; + has_dxdata = true; } ASSERT_GE(pkt->data.frame.pts, last_pts_); diff -uNrp libvpx-v1.3.0.orig/test/encode_test_driver.h libvpx-v1.3.0/test/encode_test_driver.h --- libvpx-v1.3.0.orig/test/encode_test_driver.h 2014-01-10 15:12:40.000000000 -0500 +++ libvpx-v1.3.0/test/encode_test_driver.h 2015-06-13 19:54:28.135278816 -0400 @@ -206,6 +206,14 @@ class EncoderTest { virtual void DecompressedFrameHook(const vpx_image_t& img, vpx_codec_pts_t pts) {} + // Hook to be called to handle decode result. Return true to continue. + virtual bool HandleDecodeResult(const vpx_codec_err_t res_dec, + const VideoSource& /* video */, + Decoder *decoder) { + EXPECT_EQ(VPX_CODEC_OK, res_dec) << decoder->DecodeError(); + return VPX_CODEC_OK == res_dec; + } + // Hook that can modify the encoder's output data virtual const vpx_codec_cx_pkt_t * MutateEncoderOutputHook( const vpx_codec_cx_pkt_t *pkt) { diff -uNrp libvpx-v1.3.0.orig/test/frame_size_tests.cc libvpx-v1.3.0/test/frame_size_tests.cc --- libvpx-v1.3.0.orig/test/frame_size_tests.cc 1969-12-31 19:00:00.000000000 -0500 +++ libvpx-v1.3.0/test/frame_size_tests.cc 2015-06-13 19:54:28.135278816 -0400 @@ -0,0 +1,98 @@ +/* + * Copyright (c) 2014 The WebM project authors. All Rights Reserved. + * + * Use of this source code is governed by a BSD-style license + * that can be found in the LICENSE file in the root of the source + * tree. An additional intellectual property rights grant can be found + * in the file PATENTS. All contributing project authors may + * be found in the AUTHORS file in the root of the source tree. + */ +#include <climits> +#include <vector> +#include "third_party/googletest/src/include/gtest/gtest.h" +#include "test/codec_factory.h" +#include "test/encode_test_driver.h" +#include "test/i420_video_source.h" +#include "test/util.h" + +namespace { + +class VP9FrameSizeTestsLarge + : public ::libvpx_test::EncoderTest, + public ::testing::Test { + protected: + VP9FrameSizeTestsLarge() : EncoderTest(&::libvpx_test::kVP9), + expected_res_(VPX_CODEC_OK) {} + virtual ~VP9FrameSizeTestsLarge() {} + + virtual void SetUp() { + InitializeConfig(); + SetMode(::libvpx_test::kRealTime); + } + + virtual bool HandleDecodeResult(const vpx_codec_err_t res_dec, + const libvpx_test::VideoSource &video, + libvpx_test::Decoder *decoder) { + EXPECT_EQ(expected_res_, res_dec) + << "Expected " << expected_res_ + << "but got " << res_dec; + + return !::testing::Test::HasFailure(); + } + + virtual void PreEncodeFrameHook(::libvpx_test::VideoSource *video, + ::libvpx_test::Encoder *encoder) { + if (video->frame() == 1) { + encoder->Control(VP8E_SET_CPUUSED, 7); + encoder->Control(VP8E_SET_ENABLEAUTOALTREF, 1); + encoder->Control(VP8E_SET_ARNR_MAXFRAMES, 7); + encoder->Control(VP8E_SET_ARNR_STRENGTH, 5); + encoder->Control(VP8E_SET_ARNR_TYPE, 3); + } + } + + int expected_res_; +}; + +TEST_F(VP9FrameSizeTestsLarge, TestInvalidSizes) { + ::libvpx_test::RandomVideoSource video; + +#if CONFIG_SIZE_LIMIT + video.SetSize(DECODE_WIDTH_LIMIT + 16, DECODE_HEIGHT_LIMIT + 16); + video.set_limit(2); + expected_res_ = VPX_CODEC_CORRUPT_FRAME; + ASSERT_NO_FATAL_FAILURE(RunLoop(&video)); +#else + // If we are on a 32 bit platform we can't possibly allocate enough memory + // for the largest video frame size (64kx64k). This test checks that we + // properly return a memory error. + if (sizeof(size_t) == 4) { + video.SetSize(65535, 65535); + video.set_limit(2); + expected_res_ = VPX_CODEC_MEM_ERROR; + ASSERT_NO_FATAL_FAILURE(RunLoop(&video)); + } +#endif +} + +TEST_F(VP9FrameSizeTestsLarge, ValidSizes) { + ::libvpx_test::RandomVideoSource video; + +#if CONFIG_SIZE_LIMIT + video.SetSize(DECODE_WIDTH_LIMIT, DECODE_HEIGHT_LIMIT); + video.set_limit(2); + expected_res_ = VPX_CODEC_OK; + ASSERT_NO_FATAL_FAILURE(RunLoop(&video)); +#else + // This test produces a pretty large single frame allocation, (roughly + // 25 megabits). The encoder allocates a good number of these frames + // one for each lag in frames (for 2 pass), and then one for each possible + // reference buffer (8) - we can end up with up to 30 buffers of roughly this + // size or almost 1 gig of memory. + video.SetSize(4096, 4096); + video.set_limit(2); + expected_res_ = VPX_CODEC_OK; + ASSERT_NO_FATAL_FAILURE(RunLoop(&video)); +#endif +} +} // namespace diff -uNrp libvpx-v1.3.0.orig/test/test.mk libvpx-v1.3.0/test/test.mk --- libvpx-v1.3.0.orig/test/test.mk 2014-01-10 15:12:42.000000000 -0500 +++ libvpx-v1.3.0/test/test.mk 2015-06-13 20:00:00.874624117 -0400 @@ -24,8 +24,9 @@ LIBVPX_TEST_SRCS-$(CONFIG_ENCODERS) + LIBVPX_TEST_SRCS-$(CONFIG_ENCODERS) += i420_video_source.h LIBVPX_TEST_SRCS-$(CONFIG_VP8_ENCODER) += keyframe_test.cc LIBVPX_TEST_SRCS-$(CONFIG_VP9_ENCODER) += borders_test.cc -LIBVPX_TEST_SRCS-$(CONFIG_VP9_ENCODER) += resize_test.cc LIBVPX_TEST_SRCS-$(CONFIG_VP9_ENCODER) += cpu_speed_test.cc +LIBVPX_TEST_SRCS-$(CONFIG_VP9_ENCODER) += frame_size_tests.cc +LIBVPX_TEST_SRCS-$(CONFIG_VP9_ENCODER) += resize_test.cc LIBVPX_TEST_SRCS-$(CONFIG_VP9_ENCODER) += vp9_lossless_test.cc LIBVPX_TEST_SRCS-$(CONFIG_DECODERS) += ../md5_utils.h ../md5_utils.c diff -uNrp libvpx-v1.3.0.orig/test/video_source.h libvpx-v1.3.0/test/video_source.h --- libvpx-v1.3.0.orig/test/video_source.h 2014-01-10 15:12:40.000000000 -0500 +++ libvpx-v1.3.0/test/video_source.h 2015-06-13 19:54:28.135278816 -0400 @@ -118,6 +118,10 @@ class DummyVideoSource : public VideoSou virtual unsigned int limit() const { return limit_; } + void set_limit(unsigned int limit) { + limit_ = limit; + } + void SetSize(unsigned int width, unsigned int height) { if (width != width_ || height != height_) { vpx_img_free(img_); diff -uNrp libvpx-v1.3.0.orig/vp9/decoder/vp9_decodframe.c libvpx-v1.3.0/vp9/decoder/vp9_decodframe.c --- libvpx-v1.3.0.orig/vp9/decoder/vp9_decodframe.c 2014-01-10 15:12:42.000000000 -0500 +++ libvpx-v1.3.0/vp9/decoder/vp9_decodframe.c 2015-06-13 20:03:53.444138820 -0400 @@ -702,6 +702,11 @@ static void setup_display_size(VP9_COMMO static void apply_frame_size(VP9D_COMP *pbi, int width, int height) { VP9_COMMON *cm = &pbi->common; +#if CONFIG_SIZE_LIMIT + if (width > DECODE_WIDTH_LIMIT || height > DECODE_HEIGHT_LIMIT) + vpx_internal_error(&cm->error, VPX_CODEC_CORRUPT_FRAME, + "Width and height beyond allowed size."); +#endif if (cm->width != width || cm->height != height) { // Change in frame size. diff -uNrp libvpx-v1.3.0.orig/vpx/src/vpx_image.c libvpx-v1.3.0/vpx/src/vpx_image.c --- libvpx-v1.3.0.orig/vpx/src/vpx_image.c 2014-01-10 15:12:40.000000000 -0500 +++ libvpx-v1.3.0/vpx/src/vpx_image.c 2015-06-13 19:55:38.485140340 -0400 @@ -12,6 +12,7 @@ #include <stdlib.h> #include <string.h> #include "vpx/vpx_image.h" +#include "vpx/vpx_integer.h" #define ADDRESS_STORAGE_SIZE sizeof(size_t) /*returns an addr aligned to the byte boundary specified by align*/ @@ -147,8 +148,13 @@ static vpx_image_t *img_alloc_helper(vpx img->img_data = img_data; if (!img_data) { - img->img_data = img_buf_memalign(buf_align, ((fmt & VPX_IMG_FMT_PLANAR) ? - h * s * bps / 8 : h * s)); + const uint64_t alloc_size = (fmt & VPX_IMG_FMT_PLANAR) ? + (uint64_t)h * s * bps / 8 : (uint64_t)h * s; + + if (alloc_size != (size_t)alloc_size) + goto fail; + + img->img_data = img_buf_memalign(buf_align, (size_t)alloc_size); img->img_data_owner = 1; }