summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHarish Mahendrakar <harish.mahendrakar@ittiam.com>2015-09-18 15:15:50 +0530
committerWei Jia <wjia@google.com>2015-09-18 14:12:13 -0700
commit2ee0c1bced131ffb06d1b430b08a202cd3a52005 (patch)
tree57f87becbda361e56898a18e0941b2e0be21aa58
parent374e7a8984f0674662016c27fe9f4b1eba15810c (diff)
downloadandroid_external_libavc-2ee0c1bced131ffb06d1b430b08a202cd3a52005.tar.gz
android_external_libavc-2ee0c1bced131ffb06d1b430b08a202cd3a52005.tar.bz2
android_external_libavc-2ee0c1bced131ffb06d1b430b08a202cd3a52005.zip
Return error in SPS/PPS parsing when extra bytes are read from input
Bug: 24157524 Change-Id: I4b319ef8e23e1ba5f84f52b92f40ba7fb1429101
-rw-r--r--decoder/ih264d_parse_headers.c15
1 files changed, 13 insertions, 2 deletions
diff --git a/decoder/ih264d_parse_headers.c b/decoder/ih264d_parse_headers.c
index 35c3a16..21ebfa8 100644
--- a/decoder/ih264d_parse_headers.c
+++ b/decoder/ih264d_parse_headers.c
@@ -368,6 +368,12 @@ WORD32 ih264d_parse_pps(dec_struct_t * ps_dec, dec_bit_stream_t * ps_bitstrm)
return ERROR_INV_RANGE_QP_T;
}
+ /* In case bitstream read has exceeded the filled size, then
+ return an error */
+ if(ps_bitstrm->u4_ofst > ps_bitstrm->u4_max_ofst + 8)
+ {
+ return ERROR_INV_SPS_PPS_T;
+ }
ps_pps->u1_is_valid = TRUE;
ps_dec->ps_pps[ps_pps->u1_pic_parameter_set_id] = *ps_pps;
return OK;
@@ -937,8 +943,6 @@ WORD32 ih264d_parse_sps(dec_struct_t *ps_dec, dec_bit_stream_t *ps_bitstrm)
}
- ps_seq->u1_is_valid = TRUE;
-
if(1 == ps_seq->u1_vui_parameters_present_flag)
{
ret = ih264d_parse_vui_parametres(&ps_seq->s_vui, ps_bitstrm);
@@ -1002,6 +1006,13 @@ WORD32 ih264d_parse_sps(dec_struct_t *ps_dec, dec_bit_stream_t *ps_bitstrm)
ps_dec->u2_crop_offset_y = u2_crop_offset_y;
ps_dec->u2_crop_offset_uv = u2_crop_offset_uv;
+ /* In case bitstream read has exceeded the filled size, then
+ return an error */
+ if(ps_bitstrm->u4_ofst > ps_bitstrm->u4_max_ofst)
+ {
+ return ERROR_INV_SPS_PPS_T;
+ }
+ ps_seq->u1_is_valid = TRUE;
ps_dec->ps_sps[u1_seq_parameter_set_id] = *ps_seq;
return OK;