diff options
author | Harish Mahendrakar <harish.mahendrakar@ittiam.com> | 2016-02-17 18:06:36 +0530 |
---|---|---|
committer | The Android Automerger <android-build@google.com> | 2016-03-01 15:25:08 -0800 |
commit | c57fc3703ae2e0d41b1f6580c50015937f2d23c1 (patch) | |
tree | c310d4182df9e0debb7b6f2e4dc754818cb9e5e0 | |
parent | 50a580a2f581cac3de9603fc204ccdd985414179 (diff) | |
download | android_external_libavc-c57fc3703ae2e0d41b1f6580c50015937f2d23c1.tar.gz android_external_libavc-c57fc3703ae2e0d41b1f6580c50015937f2d23c1.tar.bz2 android_external_libavc-c57fc3703ae2e0d41b1f6580c50015937f2d23c1.zip |
Decoder: Fix stack underflow in CAVLC 4x4 parse functions
Bug: 26399350
Change-Id: Id768751672a7b093ab6e53d4fc0b3188d470920e
-rw-r--r-- | decoder/ih264d_parse_cavlc.c | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/decoder/ih264d_parse_cavlc.c b/decoder/ih264d_parse_cavlc.c index a3f345c..b6a0125 100644 --- a/decoder/ih264d_parse_cavlc.c +++ b/decoder/ih264d_parse_cavlc.c @@ -443,7 +443,11 @@ WORD32 ih264d_cavlc_4x4res_block_totalcoeff_2to10(UWORD32 u4_isdc, UWORD32 u4_bitstream_offset = ps_bitstrm->u4_ofst; UWORD32 u4_trailing_ones = u4_total_coeff_trail_one & 0xFFFF; UWORD32 u4_total_coeff = u4_total_coeff_trail_one >> 16; - WORD16 i2_level_arr[16]; + // To avoid error check at 4x4 level, allocating for 3 extra levels(16+3) + // since u4_trailing_ones can at the max be 3. This will be required when + // u4_total_coeff is less than u4_trailing_ones + WORD16 ai2_level_arr[19]; + WORD16 *i2_level_arr = &ai2_level_arr[3]; tu_sblk4x4_coeff_data_t *ps_tu_4x4; WORD16 *pi2_coeff_data; @@ -721,7 +725,11 @@ WORD32 ih264d_cavlc_4x4res_block_totalcoeff_11to16(UWORD32 u4_isdc, UWORD32 u4_bitstream_offset = ps_bitstrm->u4_ofst; UWORD32 u4_trailing_ones = u4_total_coeff_trail_one & 0xFFFF; UWORD32 u4_total_coeff = u4_total_coeff_trail_one >> 16; - WORD16 i2_level_arr[16]; + // To avoid error check at 4x4 level, allocating for 3 extra levels(16+3) + // since u4_trailing_ones can at the max be 3. This will be required when + // u4_total_coeff is less than u4_trailing_ones + WORD16 ai2_level_arr[19];// + WORD16 *i2_level_arr = &ai2_level_arr[3]; tu_sblk4x4_coeff_data_t *ps_tu_4x4; WORD16 *pi2_coeff_data; @@ -993,7 +1001,11 @@ void ih264d_rest_of_residual_cav_chroma_dc_block(UWORD32 u4_total_coeff_trail_on UWORD32 u4_bitstream_offset = ps_bitstrm->u4_ofst; UWORD32 u4_trailing_ones = u4_total_coeff_trail_one & 0xFFFF; UWORD32 u4_total_coeff = u4_total_coeff_trail_one >> 16; - WORD16 i2_level_arr[4]; + // To avoid error check at 4x4 level, allocating for 3 extra levels(4+3) + // since u4_trailing_ones can at the max be 3. This will be required when + // u4_total_coeff is less than u4_trailing_ones + WORD16 ai2_level_arr[7];// + WORD16 *i2_level_arr = &ai2_level_arr[3]; tu_sblk4x4_coeff_data_t *ps_tu_4x4; WORD16 *pi2_coeff_data; |