diff options
author | Harish Mahendrakar <harish.mahendrakar@ittiam.com> | 2015-08-26 08:58:53 +0530 |
---|---|---|
committer | Wei Jia <wjia@google.com> | 2015-09-25 16:47:27 +0000 |
commit | 07ae78bd274d4e042be340239de71ed046b16023 (patch) | |
tree | 5266649eef187e7edfb2c040735a929a209c67a7 | |
parent | 251b007eccf5a0ddac897ce27de88d3901bc5d00 (diff) | |
download | android_external_libavc-07ae78bd274d4e042be340239de71ed046b16023.tar.gz android_external_libavc-07ae78bd274d4e042be340239de71ed046b16023.tar.bz2 android_external_libavc-07ae78bd274d4e042be340239de71ed046b16023.zip |
Decoder: Fixed an out of bound read in intra pred buffers
Bug: 23453762
Change-Id: I129e5a2ac8b9a28f3c894ebca0aef7063ca5934e
(cherry picked from commit 040ec939c61f7dffb76c977b775b1bc1e82f2bde)
-rw-r--r-- | decoder/ih264d_utils.c | 23 |
1 files changed, 20 insertions, 3 deletions
diff --git a/decoder/ih264d_utils.c b/decoder/ih264d_utils.c index d388421..acca990 100644 --- a/decoder/ih264d_utils.c +++ b/decoder/ih264d_utils.c @@ -1930,23 +1930,26 @@ WORD16 ih264d_allocate_dynamic_bufs(dec_struct_t * ps_dec) } } - size = sizeof(UWORD8) * ((u4_wd_mbs + 1) * MB_SIZE) * 2; + size = sizeof(UWORD8) * ((u4_wd_mbs + 2) * MB_SIZE) * 2; pv_buf = ps_dec->pf_aligned_alloc(pv_mem_ctxt, 128, size); RETURN_IF((NULL == pv_buf), IV_FAIL); ps_dec->pu1_y_intra_pred_line = pv_buf; memset(ps_dec->pu1_y_intra_pred_line, 0, size); + ps_dec->pu1_y_intra_pred_line += MB_SIZE; - size = sizeof(UWORD8) * ((u4_wd_mbs + 1) * MB_SIZE) * 2; + size = sizeof(UWORD8) * ((u4_wd_mbs + 2) * MB_SIZE) * 2; pv_buf = ps_dec->pf_aligned_alloc(pv_mem_ctxt, 128, size); RETURN_IF((NULL == pv_buf), IV_FAIL); ps_dec->pu1_u_intra_pred_line = pv_buf; memset(ps_dec->pu1_u_intra_pred_line, 0, size); + ps_dec->pu1_u_intra_pred_line += MB_SIZE; - size = sizeof(UWORD8) * ((u4_wd_mbs + 1) * MB_SIZE) * 2; + size = sizeof(UWORD8) * ((u4_wd_mbs + 2) * MB_SIZE) * 2; pv_buf = ps_dec->pf_aligned_alloc(pv_mem_ctxt, 128, size); RETURN_IF((NULL == pv_buf), IV_FAIL); ps_dec->pu1_v_intra_pred_line = pv_buf; memset(ps_dec->pu1_v_intra_pred_line, 0, size); + ps_dec->pu1_v_intra_pred_line += MB_SIZE; if(ps_dec->u1_separate_parse) { @@ -2215,8 +2218,22 @@ WORD16 ih264d_free_dynamic_bufs(dec_struct_t * ps_dec) } } + if(ps_dec->pu1_y_intra_pred_line) + { + ps_dec->pu1_y_intra_pred_line -= MB_SIZE; + } PS_DEC_ALIGNED_FREE(ps_dec, ps_dec->pu1_y_intra_pred_line); + + if(ps_dec->pu1_u_intra_pred_line) + { + ps_dec->pu1_u_intra_pred_line -= MB_SIZE; + } PS_DEC_ALIGNED_FREE(ps_dec, ps_dec->pu1_u_intra_pred_line); + + if(ps_dec->pu1_v_intra_pred_line) + { + ps_dec->pu1_v_intra_pred_line -= MB_SIZE; + } PS_DEC_ALIGNED_FREE(ps_dec, ps_dec->pu1_v_intra_pred_line); PS_DEC_ALIGNED_FREE(ps_dec, ps_dec->ps_nbr_mb_row); PS_DEC_ALIGNED_FREE(ps_dec, ps_dec->pu1_mv_bank_buf_base); |