diff options
| author | Naveen Kumar Ponnusamy <naveenkumar.p@ittiam.com> | 2015-12-04 16:51:43 +0530 |
|---|---|---|
| committer | Wei Jia <wjia@google.com> | 2016-01-13 21:18:46 +0000 |
| commit | 943323f1d9d3dd5c2634deb26cbe72343ca6b3db (patch) | |
| tree | 3fe813a14c70af76003b49e6764d481cd36c400c | |
| parent | 4a524d3a8ae9aa20c36430008e6bd429443f8f1d (diff) | |
| download | android_external_libavc-943323f1d9d3dd5c2634deb26cbe72343ca6b3db.tar.gz android_external_libavc-943323f1d9d3dd5c2634deb26cbe72343ca6b3db.tar.bz2 android_external_libavc-943323f1d9d3dd5c2634deb26cbe72343ca6b3db.zip | |
Return error when there are more mmco params than allocated size
Bug: 25818142
Change-Id: I5c1b23985eeca5192b42703c627ca3d060e4e13d
| -rw-r--r-- | decoder/ih264d_dpb_mgr.c | 10 | ||||
| -rw-r--r-- | decoder/ih264d_parse_bslice.c | 9 | ||||
| -rw-r--r-- | decoder/ih264d_parse_islice.c | 10 | ||||
| -rw-r--r-- | decoder/ih264d_parse_pslice.c | 9 |
4 files changed, 34 insertions, 4 deletions
diff --git a/decoder/ih264d_dpb_mgr.c b/decoder/ih264d_dpb_mgr.c index 205bc9b..7c4305b 100644 --- a/decoder/ih264d_dpb_mgr.c +++ b/decoder/ih264d_dpb_mgr.c @@ -17,6 +17,9 @@ ***************************************************************************** * Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore */ +#include "log/log.h" +#include <cutils/log.h> + #include "ih264_typedefs.h" #include "ih264_macros.h" #include "ih264_platform_macros.h" @@ -872,6 +875,13 @@ WORD32 ih264d_read_mmco_commands(struct _DecStruct * ps_dec) pu4_bitstrm_buf); while(u4_mmco != END_OF_MMCO) { + if (j >= MAX_REF_BUFS) + { + ALOGE("b/25818142"); + android_errorWriteLog(0x534e4554, "25818142"); + ps_dpb_cmds->u1_num_of_commands = 0; + return -1; + } ps_mmc_params = &ps_dpb_cmds->as_mmc_params[j]; ps_mmc_params->u4_mmco = u4_mmco; switch(u4_mmco) diff --git a/decoder/ih264d_parse_bslice.c b/decoder/ih264d_parse_bslice.c index 6707039..eb157e6 100644 --- a/decoder/ih264d_parse_bslice.c +++ b/decoder/ih264d_parse_bslice.c @@ -1581,7 +1581,14 @@ WORD32 ih264d_parse_bslice(dec_struct_t * ps_dec, UWORD16 u2_first_mb_in_slice) if(ps_slice->u1_nal_ref_idc != 0) { if(!ps_dec->ps_dpb_cmds->u1_dpb_commands_read) - ps_dec->u4_bitoffset = ih264d_read_mmco_commands(ps_dec); + { + i_temp = ih264d_read_mmco_commands(ps_dec); + if (i_temp < 0) + { + return ERROR_DBP_MANAGER_T; + } + ps_dec->u4_bitoffset = i_temp; + } else ps_bitstrm->u4_ofst += ps_dec->u4_bitoffset; } diff --git a/decoder/ih264d_parse_islice.c b/decoder/ih264d_parse_islice.c index 001f8fc..bbb6110 100644 --- a/decoder/ih264d_parse_islice.c +++ b/decoder/ih264d_parse_islice.c @@ -1374,8 +1374,14 @@ WORD32 ih264d_parse_islice(dec_struct_t *ps_dec, if(ps_slice->u1_nal_ref_idc != 0) { if(!ps_dec->ps_dpb_cmds->u1_dpb_commands_read) - ps_dec->u4_bitoffset = ih264d_read_mmco_commands( - ps_dec); + { + i_temp = ih264d_read_mmco_commands(ps_dec); + if (i_temp < 0) + { + return ERROR_DBP_MANAGER_T; + } + ps_dec->u4_bitoffset = i_temp; + } else ps_dec->ps_bitstrm->u4_ofst += ps_dec->u4_bitoffset; } diff --git a/decoder/ih264d_parse_pslice.c b/decoder/ih264d_parse_pslice.c index a82b0f8..3cac387 100644 --- a/decoder/ih264d_parse_pslice.c +++ b/decoder/ih264d_parse_pslice.c @@ -2057,7 +2057,14 @@ WORD32 ih264d_parse_pslice(dec_struct_t *ps_dec, UWORD16 u2_first_mb_in_slice) if(ps_cur_slice->u1_nal_ref_idc != 0) { if(!ps_dec->ps_dpb_cmds->u1_dpb_commands_read) - ps_dec->u4_bitoffset = ih264d_read_mmco_commands(ps_dec); + { + i_temp = ih264d_read_mmco_commands(ps_dec); + if (i_temp < 0) + { + return ERROR_DBP_MANAGER_T; + } + ps_dec->u4_bitoffset = i_temp; + } else ps_bitstrm->u4_ofst += ps_dec->u4_bitoffset; |