author | Hamsalekha S <hamsalekha.s@ittiam.com> | 2017-09-08 14:22:22 +0530 |
---|---|---|
committer | Ivan Kutepov <its.kutepov@gmail.com> | 2017-11-11 18:00:19 +0300 |
commit | 5a9f4056f6e444f42a4f59df175e8a06fea5df73 (patch) | |
tree | b952f57a7e6dbe6a66e730689120436119080a94 | |
parent | dfa50c608aaffa28f5095f06988e938147dee441 (diff) | |
Decoder: Updated error check while parsing num_ref_idx_lx_active.replicant-6.0-0003
Added an error check on the lower limit of u1_num_ref_idx_lx_active,
while parsing slice header. The minimum possible value is 1.
Bug: 64836894
Change-Id: I57056851fc135ed00f7a10af5c81eb560e9e12de
CVE-2017-0858
-rw-r--r-- | decoder/ih264d_parse_bslice.c | 3 | ||||
-rw-r--r-- | decoder/ih264d_parse_pslice.c | 2 |
2 files changed, 3 insertions, 2 deletions
diff --git a/decoder/ih264d_parse_bslice.c b/decoder/ih264d_parse_bslice.c
index d341287..120c594 100644
--- a/decoder/ih264d_parse_bslice.c
+++ b/decoder/ih264d_parse_bslice.c
@@ -1399,7 +1399,8 @@ WORD32 ih264d_parse_bslice(dec_struct_t * ps_dec, UWORD16 u2_first_mb_in_slice)
 {
 u1_max_ref_idx = MAX_FRAMES << 1;
 }
- if((u4_temp > u1_max_ref_idx) || (ui_temp1 > u1_max_ref_idx))
+ if((u4_temp > u1_max_ref_idx) || (ui_temp1 > u1_max_ref_idx)
+ || (u4_temp < 1) || (ui_temp1 < 1))
 {
 return ERROR_NUM_REF;
 }
diff --git a/decoder/ih264d_parse_pslice.c b/decoder/ih264d_parse_pslice.c
index bcfbe05..40291cc 100644
--- a/decoder/ih264d_parse_pslice.c
+++ b/decoder/ih264d_parse_pslice.c
@@ -1963,7 +1963,7 @@ WORD32 ih264d_parse_pslice(dec_struct_t *ps_dec, UWORD16 u2_first_mb_in_slice)
 UWORD8 u1_max_ref_idx = MAX_FRAMES << u1_field_pic_flag;
- if(u4_temp > u1_max_ref_idx)
+ if(u4_temp > u1_max_ref_idx || u4_temp < 1)
 {
 return ERROR_NUM_REF;
 }
 |
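Review bot: The new `(u4_temp < 1) || (ui_temp1 < 1)` clauses in ih264d_parse_bslice have no comment saying why a count of zero can reach this point, and the same holds for the `u4_temp < 1` clause in ih264d_parse_pslice. The commit message states that the minimum valid value is 1; a line such as `/* num_ref_idx_lx_active must lie in [1, u1_max_ref_idx]; reject 0 from a malformed slice header */` above each `if` would keep that rationale next to the check. Where these counts are assigned is outside the hunk; if they can also come from stored parameter-set defaults rather than the slice header, the same lower bound probably belongs where those defaults are parsed. The function body starts and ends outside the hunk.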
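Review bot: The pslice condition `if(u4_temp > u1_max_ref_idx || u4_temp < 1)` drops the per-comparison parentheses that the bslice check in this same commit uses, so the two copies of one range rule now read differently. Writing it as `if((u4_temp < 1) || (u4_temp > u1_max_ref_idx))` matches the bslice form and puts the bounds in low-to-high order. Since both parsers now carry the same [1, max] test, a small shared helper or macro would keep them from drifting apart on a later change. ih264d_parse_pslice continues outside the hunk.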