commit d1d392304f6c912b724571e219ff3882afa399d5
author Wan-Teh Chang <wtc@google.com> Thu May 23 18:41:32 2019 -0700
committer Wan-Teh Chang <wtc@google.com> Wed Jun 05 21:39:59 2019 +0000
tree 90de0777c115e8c03680bbbcb890a8ffc44bd2ca
parent eb95be85f1b4a5ba0e694c889dfcbed64d511c3f

Check trailing bits in padding OBUs.

BUG=aomedia:1904

Change-Id: I12751f6b2c8a55f7fc0d7ed3b59949909379a71c

av1/decoder/obu.c

diff --git a/av1/decoder/obu.c b/av1/decoder/obu.c
index 87927a9..01a72c7 100644
--- a/av1/decoder/obu.c
+++ b/av1/decoder/obu.c
@@ -717,6 +717,24 @@
   return type_length + (rb.bit_offset >> 3);
 }
 
+// On success, returns 'sz'. On failure, sets pbi->common.error.error_code and
+// returns 0.
+static size_t read_padding(AV1_COMMON *const cm, const uint8_t *data,
+                           size_t sz) {
+  // The spec allows a padding OBU to be header-only (i.e., obu_size = 0). So
+  // check trailing bits only if sz > 0.
+  if (sz > 0) {
+    // The payload of a padding OBU is byte aligned. Therefore the first
+    // trailing byte should be 0x80. See https://crbug.com/aomedia/2393.
+    const uint8_t last_nonzero_byte = get_last_nonzero_byte(data, sz);
+    if (last_nonzero_byte != 0x80) {
+      cm->error.error_code = AOM_CODEC_CORRUPT_FRAME;
+      return 0;
+    }
+  }
+  return sz;
+}
+
 // On success, returns a boolean that indicates whether the decoding of the
 // current frame is finished. On failure, sets cm->error.error_code and
 // returns -1.
@@ -907,8 +925,8 @@
         if (cm->error.error_code != AOM_CODEC_OK) return -1;
         break;
       case OBU_PADDING:
-        // TODO(wtc): Check trailing bits.
-        decoded_payload_size = payload_size;
+        decoded_payload_size = read_padding(&pbi->common, data, payload_size);
+        if (cm->error.error_code != AOM_CODEC_OK) return -1;
         break;
       default:
         // Skip unrecognized OBUs