From bf014c4d206074e2a4e2499c8b898325c0b8062f Mon Sep 17 00:00:00 2001
From: Andrew Kaster
Date: Wed, 12 Oct 2022 22:37:48 -0600
Subject: [PATCH] LibVideo: Check parsed superframe sizes when decoding VP9 frames
Make sure that the next parsed superframe size will not overflow the chunk data before splitting it out to decode a frame.
---
Userland/Libraries/LibVideo/VP9/Decoder.cpp | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/Userland/Libraries/LibVideo/VP9/Decoder.cpp b/Userland/Libraries/LibVideo/VP9/Decoder.cpp
index a61bbaeead..41a2d47f88 100644
--- a/Userland/Libraries/LibVideo/VP9/Decoder.cpp
+++ b/Userland/Libraries/LibVideo/VP9/Decoder.cpp
@@ -29,9 +29,13 @@ DecoderErrorOr Decoder::decode(Span chunk_data)
 size_t offset = 0;
 for (auto superframe_size : superframe_sizes) {
+ auto checked_size = Checked(superframe_size);
+ checked_size += offset;
+ if (checked_size.has_overflow() || checked_size.value() > chunk_data.size())
+ return DecoderError::with_description(DecoderErrorCategory::Corrupted, "Superframe size invalid"sv);
 auto frame_data = chunk_data.slice(offset, superframe_size);
 TRY(decode_frame(frame_data));
- offset += superframe_size;
+ offset = checked_size.value();
 }
 return {};
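Review bot: The overflow-checked type is deduced from `superframe_size` via `Checked(superframe_size)`, so the width of the check depends on the element type of `superframe_sizes`, which is parsed outside this hunk; if that type is narrower than `size_t`, `checked_size += offset` converts the `size_t` offset down to that type before the overflow check runs, and the guard would not catch every bad combination. Pinning the width to the offset's type avoids depending on the parser's choice: `Checked<size_t> checked_size = offset;` followed by `checked_size += superframe_size;` keeps the rest of the added lines unchanged. A one-line comment above the check would also help the next reader, e.g. `// Reject a superframe index that would read past the end of chunk_data (corrupt or malicious input).` The closing brace of Decoder::decode lies outside the hunk.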