From 068f6771ad3d309bc64a8bde0124da078186e695 Mon Sep 17 00:00:00 2001
From: Tim Ledbetter
Date: Tue, 10 Oct 2023 21:36:44 +0100
Subject: [PATCH] LibVideo/VP9: Check for invalid subsampled block sizes

Previously, a corrupted block could cause `Parser::get_subsampled_block_size()` to return an invalid value. We now return an error in this case.
---
 Userland/Libraries/LibVideo/VP9/Parser.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Userland/Libraries/LibVideo/VP9/Parser.cpp b/Userland/Libraries/LibVideo/VP9/Parser.cpp
index ab3910c5d7..90292861ac 100644
--- a/Userland/Libraries/LibVideo/VP9/Parser.cpp
+++ b/Userland/Libraries/LibVideo/VP9/Parser.cpp
@@ -1409,6 +1409,9 @@ DecoderErrorOr Parser::residual(BlockContext& block_context, bool has_bloc
 auto plane_subsampling_x = (plane > 0) ? block_context.frame_context.color_config.subsampling_x : false;
 auto plane_subsampling_y = (plane > 0) ? block_context.frame_context.color_config.subsampling_y : false;
 auto plane_size = get_subsampled_block_size(block_context.size, plane_subsampling_x, plane_subsampling_y);
+ if (plane_size == Block_Invalid) {
+ return DecoderError::corrupted("Invalid block size"sv);
+ }
 auto transform_size = get_uv_transform_size(block_context.transform_size, plane_size);
 auto transform_size_in_sub_blocks = transform_size_to_sub_blocks(transform_size);
 auto block_size_in_sub_blocks = block_size_to_sub_blocks(plane_size);
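Review bot: The new `plane_size == Block_Invalid` guard protects only this one call in `Parser::residual`; any other caller of `get_subsampled_block_size()` outside this hunk would still carry the invalid value forward, so those call sites should be checked too, or the check moved into a fallible wrapper that every caller goes through. The guard would also benefit from a one-line why-comment, for example `// Block_Invalid must not reach get_uv_transform_size() or block_size_to_sub_blocks() below`, since the reason it sits before those two calls is not stated in the code. The diffstat shows a single changed file, so a regression test that feeds the decoder the corrupted block and expects `DecoderError::corrupted` appears to be missing. The body of `residual()` starts and ends outside the hunk, so whether earlier planes have already been processed when this error returns cannot be judged from here.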