diff options
| author | Hamsalekha S <hamsalekha.s@ittiam.com> | 2017-07-04 17:06:50 +0530 |
|---|---|---|
| committer | Moritz Horstmann <dev@peterzweg.at> | 2018-01-13 21:43:57 +0100 |
| commit | 2c9d1d077dda764e728c732498d5e30c6f7fab8a (patch) | |
| tree | 38ab0a98d90397963a505a5568cc198ff1420948 | |
| parent | 8f141f1c5c68a8c6466d918079826aedb2ccf8e4 (diff) | |
| download | android_external_libavc-2c9d1d077dda764e728c732498d5e30c6f7fab8a.tar.gz android_external_libavc-2c9d1d077dda764e728c732498d5e30c6f7fab8a.tar.bz2 android_external_libavc-2c9d1d077dda764e728c732498d5e30c6f7fab8a.zip | |
Decoder: Increased allocation and added checks in sei parsing.
This prevents heap overflow while parsing sei_message.
Bug: 63122634
Test: ran PoC on unpatched/patched
Change-Id: I61c1ff4ac053a060be8c24da4671db985cac628c
(cherry picked from commit f2b70d353768af8d4ead7f32497be05f197925ef)
| -rw-r--r-- | decoder/ih264d_api.c | 3 | ||||
| -rw-r--r-- | decoder/ih264d_defs.h | 3 | ||||
| -rw-r--r-- | decoder/ih264d_sei.c | 7 |
3 files changed, 9 insertions, 4 deletions
diff --git a/decoder/ih264d_api.c b/decoder/ih264d_api.c index 5ef49b1..5f306c2 100644 --- a/decoder/ih264d_api.c +++ b/decoder/ih264d_api.c @@ -2044,7 +2044,8 @@ WORD32 ih264d_video_decode(iv_obj_t *dec_hdl, void *pv_api_ip, void *pv_api_op) void *pv_buf; void *pv_mem_ctxt = ps_dec->pv_mem_ctxt; size = MAX(256000, ps_dec->u2_pic_wd * ps_dec->u2_pic_ht * 3 / 2); - pv_buf = ps_dec->pf_aligned_alloc(pv_mem_ctxt, 128, size); + pv_buf = ps_dec->pf_aligned_alloc(pv_mem_ctxt, 128, + size + EXTRA_BS_OFFSET); RETURN_IF((NULL == pv_buf), IV_FAIL); ps_dec->pu1_bits_buf_dynamic = pv_buf; ps_dec->u4_dynamic_bits_buf_size = size; diff --git a/decoder/ih264d_defs.h b/decoder/ih264d_defs.h index 0682339..d6e3029 100644 --- a/decoder/ih264d_defs.h +++ b/decoder/ih264d_defs.h @@ -107,6 +107,9 @@ /* For 420SP */ #define YUV420SP_FACTOR 2 +/*To prevent buffer overflow access; in case the size of nal unit is + * greater than the allocated buffer size*/ +#define EXTRA_BS_OFFSET 16*16*2 /** *************************************************************************** diff --git a/decoder/ih264d_sei.c b/decoder/ih264d_sei.c index 800f2c9..098a1f3 100644 --- a/decoder/ih264d_sei.c +++ b/decoder/ih264d_sei.c @@ -336,7 +336,7 @@ WORD32 ih264d_parse_sei_message(dec_struct_t *ps_dec, ui4_payload_type = 0; u4_bits = ih264d_get_bits_h264(ps_bitstrm, 8); - while(0xff == u4_bits) + while(0xff == u4_bits && !EXCEED_OFFSET(ps_bitstrm)) { u4_bits = ih264d_get_bits_h264(ps_bitstrm, 8); ui4_payload_type += 255; @@ -345,7 +345,7 @@ WORD32 ih264d_parse_sei_message(dec_struct_t *ps_dec, ui4_payload_size = 0; u4_bits = ih264d_get_bits_h264(ps_bitstrm, 8); - while(0xff == u4_bits) + while(0xff == u4_bits && !EXCEED_OFFSET(ps_bitstrm)) { u4_bits = ih264d_get_bits_h264(ps_bitstrm, 8); ui4_payload_size += 255; @@ -370,7 +370,8 @@ WORD32 ih264d_parse_sei_message(dec_struct_t *ps_dec, { H264_DEC_DEBUG_PRINT("\nError in parsing SEI message"); } - while(0 == ih264d_check_byte_aligned(ps_bitstrm)) + while(0 == ih264d_check_byte_aligned(ps_bitstrm) + && !EXCEED_OFFSET(ps_bitstrm)) { u4_bits = ih264d_get_bit_h264(ps_bitstrm); if(u4_bits) |