diff options
author | Harish Mahendrakar <harish.mahendrakar@ittiam.com> | 2019-10-22 16:01:37 -0700 |
---|---|---|
committer | Kyriakos Ispoglou <ispo@google.com> | 2019-11-07 16:20:23 -0800 |
commit | c4b0440fb7a36cd8692126404f86f1bd7a19701e (patch) | |
tree | b8dd30bff40791796214f635b4d5d34277362a70 | |
parent | 18673f7a8ce921a0c0e8b25f628540b7d33899bd (diff) | |
download | android_external_libavc-c4b0440fb7a36cd8692126404f86f1bd7a19701e.tar.gz android_external_libavc-c4b0440fb7a36cd8692126404f86f1bd7a19701e.tar.bz2 android_external_libavc-c4b0440fb7a36cd8692126404f86f1bd7a19701e.zip |
decoder: Move initialization of dbp_mgr entries to init_decoder()
Earlier these were only initialized during static buffer allocations.
Initializing them in init_decoder() will ensure that these get
initialized to default values during reset() as well. Without this,
in some error cases, there is a possibility of heap-use-after free,
when resolution changes and these pointers point to memory that is freed
Bug: 142602711
Test: poc in bug
Change-Id: Ie39fee0eca56bf32cdc558099bf167d05eb89620
(cherry picked from commit 01da7b5a52a76aee615b4e32eeceb4887d3662f0)
-rw-r--r-- | decoder/ih264d_api.c | 47 |
1 files changed, 24 insertions, 23 deletions
diff --git a/decoder/ih264d_api.c b/decoder/ih264d_api.c index c6999a6..2ebf386 100644 --- a/decoder/ih264d_api.c +++ b/decoder/ih264d_api.c @@ -963,6 +963,30 @@ void ih264d_init_decoder(void * ps_dec_params) /* Free any dynamic buffers that are allocated */ ih264d_free_dynamic_bufs(ps_dec); + { + UWORD8 i; + struct pic_buffer_t *ps_init_dpb; + ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[0][0]; + for(i = 0; i < 2 * MAX_REF_BUFS; i++) + { + ps_init_dpb->pu1_buf1 = NULL; + ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1; + ps_dec->ps_dpb_mgr->ps_init_dpb[0][i] = ps_init_dpb; + ps_dec->ps_dpb_mgr->ps_mod_dpb[0][i] = ps_init_dpb; + ps_init_dpb++; + } + + ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[1][0]; + for(i = 0; i < 2 * MAX_REF_BUFS; i++) + { + ps_init_dpb->pu1_buf1 = NULL; + ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1; + ps_dec->ps_dpb_mgr->ps_init_dpb[1][i] = ps_init_dpb; + ps_dec->ps_dpb_mgr->ps_mod_dpb[1][i] = ps_init_dpb; + ps_init_dpb++; + } + } + ps_cur_slice = ps_dec->ps_cur_slice; ps_dec->init_done = 0; @@ -1439,29 +1463,6 @@ WORD32 ih264d_allocate_static_bufs(iv_obj_t **dec_hdl, void *pv_api_ip, void *pv ps_dec->ps_col_mv_base = pv_buf; memset(ps_dec->ps_col_mv_base, 0, size); - { - UWORD8 i; - struct pic_buffer_t *ps_init_dpb; - ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[0][0]; - for(i = 0; i < 2 * MAX_REF_BUFS; i++) - { - ps_init_dpb->pu1_buf1 = NULL; - ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1; - ps_dec->ps_dpb_mgr->ps_init_dpb[0][i] = ps_init_dpb; - ps_dec->ps_dpb_mgr->ps_mod_dpb[0][i] = ps_init_dpb; - ps_init_dpb++; - } - - ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[1][0]; - for(i = 0; i < 2 * MAX_REF_BUFS; i++) - { - ps_init_dpb->pu1_buf1 = NULL; - ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1; - ps_dec->ps_dpb_mgr->ps_init_dpb[1][i] = ps_init_dpb; - ps_dec->ps_dpb_mgr->ps_mod_dpb[1][i] = ps_init_dpb; - ps_init_dpb++; - } - } ih264d_init_decoder(ps_dec); return IV_SUCCESS; |