diff options
| author | Hamsalekha S <hamsalekha.s@ittiam.com> | 2017-02-10 14:44:43 +0530 |
|---|---|---|
| committer | MSe <mse1969@posteo.de> | 2017-07-07 00:16:09 +0200 |
| commit | 86d5e685a4e32f1d146f10e29f818bd27fc04b3d (patch) | |
| tree | 39eeffd887248caee58b973ffa6b71ba82550eb3 | |
| parent | 1b9810f04c902c70193cd770647b7c7efd471482 (diff) | |
| download | android_external_libavc-86d5e685a4e32f1d146f10e29f818bd27fc04b3d.tar.gz android_external_libavc-86d5e685a4e32f1d146f10e29f818bd27fc04b3d.tar.bz2 android_external_libavc-86d5e685a4e32f1d146f10e29f818bd27fc04b3d.zip | |
Decoder: Fix end of bitstream error.
The end of bistream error check was fixed for
odd number of macroblocks in Mbaff frames.
Bug: 37008096
Test: Ittiam-verified
AOSP-Change-Id: I058d74a3c1d1511968c2b36802dfc5c102947919
(cherry picked from commit 2e01924cd692191c970c64ec3f358e53dccb9e54)
CVE-2017-0680
Change-Id: I4472f827796093e932d9853d45f21a4a16d92928
| -rw-r--r-- | decoder/ih264d_parse_islice.c | 17 | ||||
| -rw-r--r-- | decoder/ih264d_parse_pslice.c | 12 |
2 files changed, 24 insertions, 5 deletions
diff --git a/decoder/ih264d_parse_islice.c b/decoder/ih264d_parse_islice.c index 0312060..504b775 100644 --- a/decoder/ih264d_parse_islice.c +++ b/decoder/ih264d_parse_islice.c @@ -866,6 +866,8 @@ WORD32 ih264d_parse_islice_data_cavlc(dec_struct_t * ps_dec, ps_cur_deblk_mb->u1_mb_qp = ps_dec->u1_qp; } + uc_more_data_flag = MORE_RBSP_DATA(ps_bitstrm); + if(u1_mbaff) { ih264d_update_mbaff_left_nnz(ps_dec, ps_cur_mb_info); @@ -879,7 +881,7 @@ WORD32 ih264d_parse_islice_data_cavlc(dec_struct_t * ps_dec, /**************************************************************/ i2_cur_mb_addr++; - uc_more_data_flag = MORE_RBSP_DATA(ps_bitstrm); + /* Store the colocated information */ { @@ -1087,8 +1089,7 @@ WORD32 ih264d_parse_islice_data_cabac(dec_struct_t * ps_dec, { ih264d_update_mbaff_left_nnz(ps_dec, ps_cur_mb_info); } - /* Next macroblock information */ - i2_cur_mb_addr++; + if(ps_cur_mb_info->u1_topmb && u1_mbaff) uc_more_data_flag = 1; @@ -1099,6 +1100,16 @@ WORD32 ih264d_parse_islice_data_cabac(dec_struct_t * ps_dec, uc_more_data_flag = !uc_more_data_flag; COPYTHECONTEXT("Decode Sliceterm",!uc_more_data_flag); } + + if(u1_mbaff) + { + if(!uc_more_data_flag && (0 == (i2_cur_mb_addr & 1))) + { + return ERROR_EOB_FLUSHBITS_T; + } + } + /* Next macroblock information */ + i2_cur_mb_addr++; /* Store the colocated information */ { diff --git a/decoder/ih264d_parse_pslice.c b/decoder/ih264d_parse_pslice.c index a78ea97..97ea27c 100644 --- a/decoder/ih264d_parse_pslice.c +++ b/decoder/ih264d_parse_pslice.c @@ -1006,8 +1006,7 @@ WORD32 ih264d_parse_inter_slice_data_cabac(dec_struct_t * ps_dec, { ih264d_update_mbaff_left_nnz(ps_dec, ps_cur_mb_info); } - /* Next macroblock information */ - i2_cur_mb_addr++; + if(ps_cur_mb_info->u1_topmb && u1_mbaff) uc_more_data_flag = 1; @@ -1019,6 +1018,15 @@ WORD32 ih264d_parse_inter_slice_data_cabac(dec_struct_t * ps_dec, COPYTHECONTEXT("Decode Sliceterm",!uc_more_data_flag); } + if(u1_mbaff) + { + if(!uc_more_data_flag && (0 == (i2_cur_mb_addr & 1))) + { + return ERROR_EOB_FLUSHBITS_T; + } + } + /* Next macroblock information */ + i2_cur_mb_addr++; u1_num_mbs++; u1_num_mbsNby2++; ps_parse_mb_data++; |