From b3d5f9748a1130f875241a4155bc88963a795346 Mon Sep 17 00:00:00 2001
From: Tim Ledbetter
Date: Mon, 6 Nov 2023 17:52:13 +0000
Subject: [PATCH] LibVideo/VP9: Ensure range decoder size is within expected range
---
 Userland/Libraries/LibVideo/VP9/Context.h | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/Userland/Libraries/LibVideo/VP9/Context.h b/Userland/Libraries/LibVideo/VP9/Context.h
index 051099534f..bc2e6b8606 100644
--- a/Userland/Libraries/LibVideo/VP9/Context.h
+++ b/Userland/Libraries/LibVideo/VP9/Context.h
@@ -61,6 +61,9 @@ public:
 DecoderErrorOr create_range_decoder(size_t size)
 {
+ if (size > stream->remaining())
+ return DecoderError::corrupted("Range decoder size invalid"sv);
+
 auto compressed_header_data = ReadonlyBytes(stream_data.data() + stream->offset(), size);
 // 9.2.1: The Boolean decoding process specified in section 9.2.2 is invoked to read a marker syntax element from the