From 4c7f0f40c3c3c1c362cef47379220041d61fd2af Mon Sep 17 00:00:00 2001
From: Vignesh Venkat <vigneshv@google.com>
Date: Wed, 1 May 2024 13:45:40 -0700
Subject: [PATCH] obu: Do not parse more than obu_size bytes

When trying to parse a sequence header, parse only obu_size bytes.

The current code ignores obu_size and parses as long as it sees
data and could end up over-reading into other obus.
---
 src/obu.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/obu.c b/src/obu.c
index e05b5ca2d..4641b908a 100644
--- a/src/obu.c
+++ b/src/obu.c
@@ -439,12 +439,14 @@ avifBool avifSequenceHeaderParse(avifSequenceHeader * header, const avifROData *
             return AVIF_FALSE;
 
         if (obu_type == 1) { // Sequence Header
+            avifBits seqHdrBits;
+            avifBitsInit(&seqHdrBits, obus.data + init_byte_pos, obu_size);
             switch (codecType) {
                 case AVIF_CODEC_TYPE_AV1:
-                    return parseAV1SequenceHeader(&bits, header);
+                    return parseAV1SequenceHeader(&seqHdrBits, header);
 #if defined(AVIF_CODEC_AVM)
                 case AVIF_CODEC_TYPE_AV2:
-                    return parseAV2SequenceHeader(&bits, header);
+                    return parseAV2SequenceHeader(&seqHdrBits, header);
 #endif
                 default:
                     return AVIF_FALSE;