authorHamsalekha S <hamsalekha.s@ittiam.com>2017-05-10 14:23:48 +0530
committerMSe <mse1969@posteo.de>2017-07-07 21:15:49 +0200
commit38d8b385b67fa57b359b7427173c3c22c79c9103 (patch)
tree8c27334d42ae771392144d1424aa60e9c729abc8
parenta4e451b46a6077b842e05aec8d2d83cbb7f50e04 (diff)
Decoder: Added an error check while parsing PPS.
Added an error check while parsing PPS syntax element second_chroma_qp_index_offset. Bug: 37207120 AOSP-Change-Id: Icba6b7bcf5940505717ee61134ed801c221b6e26 (cherry picked from commit 62f98981ffc29082dd4bbf173a043a5bcbb86652) CVE-2017-0696 Change-Id: I702fb66977fe51f4489c7f7f928cd3eb27e4756e
-rw-r--r--decoder/ih264d_parse_headers.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/decoder/ih264d_parse_headers.c b/decoder/ih264d_parse_headers.c
index bc4ace4..ba32225 100644
--- a/decoder/ih264d_parse_headers.c
+++ b/decoder/ih264d_parse_headers.c
@@ -361,11 +361,13 @@ WORD32 ih264d_parse_pps(dec_struct_t * ps_dec, dec_bit_stream_t * ps_bitstrm)
}
/* read second_chroma_qp_index_offset syntax element */
- ps_pps->i1_second_chroma_qp_index_offset = ih264d_sev(
+ i_temp = ih264d_sev(
pu4_bitstrm_ofst, pu4_bitstrm_buf);
- if((ps_pps->i1_second_chroma_qp_index_offset + 12) > 24)
+ if((i_temp < -12) || (i_temp > 12))
return ERROR_INV_RANGE_QP_T;
+
+ ps_pps->i1_second_chroma_qp_index_offset = i_temp;
}
/* In case bitstream read has exceeded the filled size, then