Limit dav1d_data_wrap() packet sizes to SIZE_MAX/2

We require the size to be representable as a signed value. This limit already exists in dav1d_data_create().
fbossen · Mar 23, 2024 · 96cd413 · 96cd413
1 parent ee4a83c
commit 96cd413
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/src/data.c b/src/data.c
@@ -64,6 +64,7 @@ int dav1d_data_wrap_internal(Dav1dData *const buf, const uint8_t *const ptr,
     validate_input_or_ret(ptr != NULL, DAV1D_ERR(EINVAL));
     validate_input_or_ret(free_callback != NULL, DAV1D_ERR(EINVAL));
 
+    if (sz > SIZE_MAX / 2) return DAV1D_ERR(EINVAL);
     buf->ref = dav1d_ref_wrap(ptr, free_callback, cookie);
     if (!buf->ref) return DAV1D_ERR(ENOMEM);
     buf->data = ptr;

diff --git a/src/lib.c b/src/lib.c
@@ -489,10 +489,11 @@ int dav1d_send_data(Dav1dContext *const c, Dav1dData *const in)
 {
     validate_input_or_ret(c != NULL, DAV1D_ERR(EINVAL));
     validate_input_or_ret(in != NULL, DAV1D_ERR(EINVAL));
-    validate_input_or_ret(in->data == NULL || in->sz, DAV1D_ERR(EINVAL));
 
-    if (in->data)
+    if (in->data) {
+        validate_input_or_ret(in->sz > 0 && in->sz <= SIZE_MAX / 2, DAV1D_ERR(EINVAL));
         c->drain = 0;
+    }
     if (c->in.data)
         return DAV1D_ERR(EAGAIN);
     dav1d_data_ref(&c->in, in);