From e1f1bce9dc757040722aed87d7808c5a22f6bcd2 Mon Sep 17 00:00:00 2001
From: Vincent Rabaud
Date: Tue, 3 Oct 2023 14:44:39 +0200
Subject: [PATCH] Fix invalid incremental decoding check.
(cherry picked from commit 95ea5226c870449522240ccff26f0b006037c520)
Change-Id: I80c2165aa9fdf43077db155d2d00e0e99db73eab
---
 src/dec/vp8l.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/dec/vp8l.c b/src/dec/vp8l.c
index c45d2a73..9af23221 100644
--- a/src/dec/vp8l.c
+++ b/src/dec/vp8l.c
@@ -1213,9 +1213,21 @@ static int DecodeImageData(VP8LDecoder* const dec, uint32_t* const data,
 assert(br->eos_ == VP8LIsEndOfStream(br));
 }
- if (dec->incremental_ && br->eos_ && src < src_end) {
+ br->eos_ = VP8LIsEndOfStream(br);
+ // In incremental decoding:
+ // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
+ // 'src_last' has not been reached yet, there is not enough data. 'dec' has to
+ // be reset until there is more data.
+ // !br->eos_ && src < src_last: this cannot happen as either the buffer is
+ // fully read, either enough has been read to reach 'src_last'.
+ // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually go
+ // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
+ // The buffer might have been enough or there is some left. 'br->eos_' does
+ // not matter.
+ assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= src_last);
+ if (dec->incremental_ && br->eos_ && src < src_last) {
 RestoreState(dec);
- } else if (!br->eos_) {
+ } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
 // Process the remaining rows corresponding to last row-block.
 if (process_func != NULL) {
 process_func(dec, row > last_row ? last_row : row);
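Review bot: The state the new comment calls impossible (`!br->eos_ && src < src_last` while `dec->incremental_` is set) is rejected only by the added `assert`, which is compiled out under NDEBUG; in such a build that state still satisfies the `|| !br->eos_` arm of the new `else if`, so the remaining rows are passed to `process_func` as if the row-block had completed. Because these values are driven by the input bitstream, I would make the condition itself exclusive, e.g. `} else if (dec->incremental_ ? src >= src_last : !br->eos_) {`, so the unexpected case falls through to whatever branch follows; that branch and the loop that advances `src` are outside the hunk, so please confirm it is the error path. The diffstat shows only `src/dec/vp8l.c` changed, so a regression test that feeds a cropped image in small incremental chunks would pin the `src >= src_last` case the comment describes. Minor wording: "either the buffer is fully read, either enough has been read" should be "either ... or ...".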