author | Harish Mahendrakar <harish.mahendrakar@ittiam.com> | 2016-12-30 13:51:34 +0530 |
---|---|---|
committer | MSe <mse1969@posteo.de> | 2017-07-06 23:41:48 +0200 |
commit | c707af6e75bcdf6a03f0bbfddd4b80bae4e0e936 (patch) | |
tree | df890d5de10c27d5ab33e0a28ad9e7b614e47b55 | |
parent | a082d436bba350696fcf2fc24c0fe219fc216dde (diff) | |
Decoder: Fixes in accessing mbaff flag in error cases
ps_dec->ps_cur_slice->u1_mbaff_frame_flag is updated in ih264d_start_of_pic().
So updated value should be used after calling ih264d_start_of_pic()
Bug: 33974623
Test: ran POC from bug
AOSP-Change-Id: I0f1ff5e01ed39767f493f197791e51b0da74952f
(cherry picked from commit 3f6937a0031e4acadc9228559ae2ae47b992b16a)
(cherry picked from commit 0f2f2b5fde873b8badee949561c17692588647e8)
CVE-2017-0673
Change-Id: I4e9f951fa836ea597dfa6a593de8da0c476627f1
-rw-r--r-- | decoder/ih264d_parse_pslice.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/decoder/ih264d_parse_pslice.c b/decoder/ih264d_parse_pslice.c
index ca3f80b..a78ea97 100644
--- a/decoder/ih264d_parse_pslice.c
+++ b/decoder/ih264d_parse_pslice.c
@@ -1456,7 +1456,7 @@ WORD32 ih264d_mark_err_slice_skip(dec_struct_t * ps_dec,
 UWORD32 u1_inter_mb_type;
 UWORD32 u1_deblk_mb_type;
 UWORD16 u2_total_mbs_coded;
- UWORD32 u1_mbaff = ps_slice->u1_mbaff_frame_flag;
+ UWORD32 u1_mbaff;
 parse_part_params_t *ps_part_info;
 WORD32 ret;
 UNUSED(u1_is_idr_slice);
@@ -1579,7 +1579,7 @@ WORD32 ih264d_mark_err_slice_skip(dec_struct_t * ps_dec,
 {
 // Slice data corrupted
 // in the case of mbaff, conceal from the even mb.
- if((u1_mbaff) && (ps_dec->u4_num_mbs_cur_nmb & 1))
+ if((ps_dec->ps_cur_slice->u1_mbaff_frame_flag) && (ps_dec->u4_num_mbs_cur_nmb & 1))
 {
 ps_dec->u4_num_mbs_cur_nmb = ps_dec->u4_num_mbs_cur_nmb - 1;
 ps_dec->u2_cur_mb_addr--;
@@ -1626,7 +1626,7 @@ WORD32 ih264d_mark_err_slice_skip(dec_struct_t * ps_dec,
 u1_num_mbs_next = i2_pic_wdin_mbs - ps_dec->u2_mbx - 1;
 u1_end_of_row = (!u1_num_mbs_next)
- && (!(u1_mbaff && (u1_num_mbs & 0x01)));
+ && (!(ps_dec->ps_cur_slice->u1_mbaff_frame_flag && (u1_num_mbs & 0x01)));
 u1_slice_end = 1;
 u1_tfr_n_mb = 1;
 ps_cur_mb_info->u1_end_of_slice = u1_slice_end;
@@ -1699,7 +1699,7 @@ WORD32 ih264d_mark_err_slice_skip(dec_struct_t * ps_dec,
 pu1_buf += size * ps_dec->u2_cur_slice_num;
 ps_dec->ps_parse_cur_slice->ppv_map_ref_idx_to_poc = (volatile void **)pu1_buf;
 }
-
+ u1_mbaff = ps_slice->u1_mbaff_frame_flag;
 ps_dec->ps_cur_slice->u2_first_mb_in_slice = ps_dec->u2_total_mbs_coded >> u1_mbaff;
 ps_dec->ps_cur_slice->i1_slice_alpha_c0_offset = 0;
 ps_dec->ps_cur_slice->i1_slice_beta_offset = 0; |
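Review bot: `UWORD32 u1_mbaff;` in the `@@ -1456` hunk is now uninitialized until the assignment added in the `@@ -1699` hunk, so any read of it on a path between those two points would use an indeterminate value. The two reads visible in this diff are replaced with direct field accesses, but the code between the declaration and the assignment lies outside the hunks, so it cannot be confirmed from here that no other read remains. A comment at the declaration would record the ordering constraint for the next maintainer, for example `/* assigned only after ih264d_start_of_pic(), which updates u1_mbaff_frame_flag */`. The body of ih264d_mark_err_slice_skip() starts and ends outside the hunk.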
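Review bot: The added `u1_mbaff = ps_slice->u1_mbaff_frame_flag;` in the `@@ -1699` hunk reads the flag through the local `ps_slice`, while the `@@ -1579` and `@@ -1626` hunks read it through `ps_dec->ps_cur_slice`. `ps_slice` is defined outside the hunks; if it is a pointer captured at function entry, the two spellings agree only as long as `ps_dec->ps_cur_slice` is not reassigned before this point. Writing `u1_mbaff = ps_dec->ps_cur_slice->u1_mbaff_frame_flag;` here would make all three sites read the same object and remove that dependency. The value is used as a shift count on the next line (`ps_dec->u2_total_mbs_coded >> u1_mbaff`), so which copy of the flag is read matters on the error-concealment path.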