From 54f92068caa25ccf75af52067786caf0415a17e0 Mon Sep 17 00:00:00 2001
From: Wan-Teh Chang
Date: Sat, 20 Jun 2020 02:10:53 +0200
Subject: Simplify checks for leb128() and leb() output overflow
---
 tools/input/parse.h | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
(limited to 'tools')
diff --git a/tools/input/parse.h b/tools/input/parse.h
index bebea21..b10e8b7 100644
--- a/tools/input/parse.h
+++ b/tools/input/parse.h
@@ -29,10 +29,12 @@
 #ifndef DAV1D_INPUT_PARSE_H
 #define DAV1D_INPUT_PARSE_H
 
+#include
+
 #include "dav1d/headers.h"
 
 static int leb128(FILE *const f, size_t *const len) {
- unsigned i = 0, more;
+ unsigned i = 0, more, max = UINT_MAX;
 *len = 0;
 do {
 uint8_t byte;
@@ -40,9 +42,9 @@ static int leb128(FILE *const f, size_t *const len) {
 return -1;
 more = byte & 0x80;
 const unsigned bits = byte & 0x7f;
- if (i <= 3 || (i == 4 && bits < (1 << 4)))
- *len |= bits << (i * 7);
- else if (bits) return -1;
+ if (bits > max) return -1;
+ *len |= bits << (i * 7);
+ max >>= 7;
 if (++i == 8 && more) return -1;
 } while (more);
 return i;
@@ -52,16 +54,16 @@ static int leb128(FILE *const f, size_t *const len) {
 // with author's permission
 
 static int leb(const uint8_t *ptr, int sz, size_t *const len) {
- unsigned i = 0, more;
+ unsigned i = 0, more, max = UINT_MAX;
 *len = 0;
 do {
 if (!sz--) return -1;
 const int byte = *ptr++;
 more = byte & 0x80;
 const unsigned bits = byte & 0x7f;
- if (i <= 3 || (i == 4 && bits < (1 << 4)))
- *len |= bits << (i * 7);
- else if (bits) return -1;
+ if (bits > max) return -1;
+ *len |= bits << (i * 7);
+ max >>= 7;
 if (++i == 8 && more) return -1;
 } while (more);
 return i;
-- 
cgit v1.2.3
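Review bot: The new `max` local in leb128() is declared without a comment, and nothing in the first hunk says what it bounds; the same declaration is repeated in leb() in the third hunk. I would add `/* largest value the next 7-bit group may hold before the shifted result exceeds UINT_MAX */` above it in both functions. It is also worth stating there that the decoded length appears to be capped at UINT_MAX even though `*len` is a `size_t`, so a reader does not assume the full `size_t` range is accepted. The body of leb128() continues past the end of this hunk.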
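Review bot: The shift `*len |= bits << (i * 7);` in the second hunk is now unconditional, so a padded encoding whose sixth to eighth bytes carry zero payload bits passes `bits > max` and then shifts an `unsigned` by 35 to 49 bits, which is undefined behaviour where `unsigned` is 32 bits wide. The removed code skipped the shift for those bytes. Because the bytes come straight from the input being parsed, I would keep a guard, e.g. `if (bits) *len |= bits << (i * 7);`, since a non-zero `bits` that passed the check implies `i <= 4`. The identical line in leb() in the third hunk needs the same change; leb128() begins before this hunk, so the read that fills `byte` is not visible here.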