diff options
| author | Harish Mahendrakar <harish.mahendrakar@ittiam.com> | 2015-08-26 08:58:53 +0530 |
|---|---|---|
| committer | The Android Automerger <android-build@google.com> | 2015-09-25 14:40:39 -0700 |
| commit | aa6ebc2c26de659203e0c77cfce83510c2f41e11 (patch) | |
| tree | 5266649eef187e7edfb2c040735a929a209c67a7 | |
| parent | 06d69b7bd8268268813bba521857ac96635bf200 (diff) | |
| download | android_external_libavc-aa6ebc2c26de659203e0c77cfce83510c2f41e11.tar.gz android_external_libavc-aa6ebc2c26de659203e0c77cfce83510c2f41e11.tar.bz2 android_external_libavc-aa6ebc2c26de659203e0c77cfce83510c2f41e11.zip | |
Decoder: Fixed an out of bound read in intra pred buffers
Bug: 23453762
Change-Id: I129e5a2ac8b9a28f3c894ebca0aef7063ca5934e
(cherry picked from commit 040ec939c61f7dffb76c977b775b1bc1e82f2bde)
| -rw-r--r-- | decoder/ih264d_utils.c | 23 |
1 files changed, 20 insertions, 3 deletions
diff --git a/decoder/ih264d_utils.c b/decoder/ih264d_utils.c index d388421..acca990 100644 --- a/decoder/ih264d_utils.c +++ b/decoder/ih264d_utils.c @@ -1930,23 +1930,26 @@ WORD16 ih264d_allocate_dynamic_bufs(dec_struct_t * ps_dec) } } - size = sizeof(UWORD8) * ((u4_wd_mbs + 1) * MB_SIZE) * 2; + size = sizeof(UWORD8) * ((u4_wd_mbs + 2) * MB_SIZE) * 2; pv_buf = ps_dec->pf_aligned_alloc(pv_mem_ctxt, 128, size); RETURN_IF((NULL == pv_buf), IV_FAIL); ps_dec->pu1_y_intra_pred_line = pv_buf; memset(ps_dec->pu1_y_intra_pred_line, 0, size); + ps_dec->pu1_y_intra_pred_line += MB_SIZE; - size = sizeof(UWORD8) * ((u4_wd_mbs + 1) * MB_SIZE) * 2; + size = sizeof(UWORD8) * ((u4_wd_mbs + 2) * MB_SIZE) * 2; pv_buf = ps_dec->pf_aligned_alloc(pv_mem_ctxt, 128, size); RETURN_IF((NULL == pv_buf), IV_FAIL); ps_dec->pu1_u_intra_pred_line = pv_buf; memset(ps_dec->pu1_u_intra_pred_line, 0, size); + ps_dec->pu1_u_intra_pred_line += MB_SIZE; - size = sizeof(UWORD8) * ((u4_wd_mbs + 1) * MB_SIZE) * 2; + size = sizeof(UWORD8) * ((u4_wd_mbs + 2) * MB_SIZE) * 2; pv_buf = ps_dec->pf_aligned_alloc(pv_mem_ctxt, 128, size); RETURN_IF((NULL == pv_buf), IV_FAIL); ps_dec->pu1_v_intra_pred_line = pv_buf; memset(ps_dec->pu1_v_intra_pred_line, 0, size); + ps_dec->pu1_v_intra_pred_line += MB_SIZE; if(ps_dec->u1_separate_parse) { @@ -2215,8 +2218,22 @@ WORD16 ih264d_free_dynamic_bufs(dec_struct_t * ps_dec) } } + if(ps_dec->pu1_y_intra_pred_line) + { + ps_dec->pu1_y_intra_pred_line -= MB_SIZE; + } PS_DEC_ALIGNED_FREE(ps_dec, ps_dec->pu1_y_intra_pred_line); + + if(ps_dec->pu1_u_intra_pred_line) + { + ps_dec->pu1_u_intra_pred_line -= MB_SIZE; + } PS_DEC_ALIGNED_FREE(ps_dec, ps_dec->pu1_u_intra_pred_line); + + if(ps_dec->pu1_v_intra_pred_line) + { + ps_dec->pu1_v_intra_pred_line -= MB_SIZE; + } PS_DEC_ALIGNED_FREE(ps_dec, ps_dec->pu1_v_intra_pred_line); PS_DEC_ALIGNED_FREE(ps_dec, ps_dec->ps_nbr_mb_row); PS_DEC_ALIGNED_FREE(ps_dec, ps_dec->pu1_mv_bank_buf_base); |