Check trailing bits in padding OBUs.
BUG=aomedia:1904
Change-Id: I12751f6b2c8a55f7fc0d7ed3b59949909379a71c
diff --git a/av1/decoder/obu.c b/av1/decoder/obu.c
index 87927a9..01a72c7 100644
--- a/av1/decoder/obu.c
+++ b/av1/decoder/obu.c
@@ -717,6 +717,24 @@
return type_length + (rb.bit_offset >> 3);
}
+// On success, returns 'sz'. On failure, sets pbi->common.error.error_code and
+// returns 0.
+static size_t read_padding(AV1_COMMON *const cm, const uint8_t *data,
+ size_t sz) {
+ // The spec allows a padding OBU to be header-only (i.e., obu_size = 0). So
+ // check trailing bits only if sz > 0.
+ if (sz > 0) {
+ // The payload of a padding OBU is byte aligned. Therefore the first
+ // trailing byte should be 0x80. See https://crbug.com/aomedia/2393.
+ const uint8_t last_nonzero_byte = get_last_nonzero_byte(data, sz);
+ if (last_nonzero_byte != 0x80) {
+ cm->error.error_code = AOM_CODEC_CORRUPT_FRAME;
+ return 0;
+ }
+ }
+ return sz;
+}
+
// On success, returns a boolean that indicates whether the decoding of the
// current frame is finished. On failure, sets cm->error.error_code and
// returns -1.
@@ -907,8 +925,8 @@
if (cm->error.error_code != AOM_CODEC_OK) return -1;
break;
case OBU_PADDING:
- // TODO(wtc): Check trailing bits.
- decoded_payload_size = payload_size;
+ decoded_payload_size = read_padding(&pbi->common, data, payload_size);
+ if (cm->error.error_code != AOM_CODEC_OK) return -1;
break;
default:
// Skip unrecognized OBUs