summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHamsalekha S <hamsalekha.s@ittiam.com>2017-06-16 16:33:48 +0530
committerIvan Kutepov <its.kutepov@gmail.com>2017-09-14 23:57:21 +0300
commit96936fc01454748878df2d4ac3cea506272c4adc (patch)
treec4630376e6180cc6310d3773ba8fb84d6adc5f1c
parent8f9a5fb90224a91e88418586d4792dab7b6abc66 (diff)
downloadandroid_external_libavc-96936fc01454748878df2d4ac3cea506272c4adc.tar.gz
android_external_libavc-96936fc01454748878df2d4ac3cea506272c4adc.tar.bz2
android_external_libavc-96936fc01454748878df2d4ac3cea506272c4adc.zip
Decoder: Fixed overflow in refernce list creation.
Since the maximum value of long term index is 255, the loop control variable needs to be 32 bit. Bug: 38448381 Test: ran POC before/after applying fix Change-Id: Iae3ecff38d4a922bde10fde33f1cfcafd2ea2680 (cherry picked from commit cbcd2846fa837e4be6d35f5c1211b070bc8d26da) CVE-2017-0761
-rw-r--r--decoder/ih264d_process_bslice.c19
-rw-r--r--decoder/ih264d_process_pslice.c15
2 files changed, 18 insertions, 16 deletions
diff --git a/decoder/ih264d_process_bslice.c b/decoder/ih264d_process_bslice.c
index 7784110..42fad03 100644
--- a/decoder/ih264d_process_bslice.c
+++ b/decoder/ih264d_process_bslice.c
@@ -1212,7 +1212,8 @@ void ih264d_init_ref_idx_lx_b(dec_struct_t *ps_dec)
struct dpb_info_t *ps_next_dpb;
WORD32 i_cur_poc, i_max_st_poc, i_min_st_poc, i_ref_poc, i_temp_poc;
WORD8 i;
- UWORD8 u1_max_lt_index, u1_min_lt_index, u1_lt_index;
+ UWORD8 u1_max_lt_index, u1_min_lt_index;
+ UWORD32 u4_lt_index;
UWORD8 u1_field_pic_flag;
dec_slice_params_t *ps_cur_slice;
UWORD8 u1_L0, u1_L1;
@@ -1264,9 +1265,9 @@ void ih264d_init_ref_idx_lx_b(dec_struct_t *ps_dec)
}
for(i = 0; i < ps_dpb_mgr->u1_num_lt_ref_bufs; i++)
{
- u1_lt_index = ps_next_dpb->u1_lt_idx;
- u1_max_lt_index = (UWORD8)(MAX(u1_max_lt_index, u1_lt_index));
- u1_min_lt_index = (UWORD8)(MIN(u1_min_lt_index, u1_lt_index));
+ u4_lt_index = ps_next_dpb->u1_lt_idx;
+ u1_max_lt_index = (UWORD8)(MAX(u1_max_lt_index, u4_lt_index));
+ u1_min_lt_index = (UWORD8)(MIN(u1_min_lt_index, u4_lt_index));
/* Chase the next link */
ps_next_dpb = ps_next_dpb->ps_prev_long;
@@ -1333,12 +1334,12 @@ void ih264d_init_ref_idx_lx_b(dec_struct_t *ps_dec)
/* Start from ST head */
u1_num_short_term_bufs = u1_L0;
- for(u1_lt_index = u1_min_lt_index; u1_lt_index <= u1_max_lt_index; u1_lt_index++)
+ for(u4_lt_index = u1_min_lt_index; u4_lt_index <= u1_max_lt_index; u4_lt_index++)
{
ps_next_dpb = ps_dpb_mgr->ps_dpb_ht_head;
for(i = 0; i < ps_dpb_mgr->u1_num_lt_ref_bufs; i++)
{
- if(ps_next_dpb->u1_lt_idx == u1_lt_index)
+ if(ps_next_dpb->u1_lt_idx == u4_lt_index)
{
ih264d_insert_pic_in_ref_pic_listx(ps_ref_pic_buf_lx,
ps_next_dpb->ps_pic_buf);
@@ -1466,13 +1467,13 @@ void ih264d_init_ref_idx_lx_b(dec_struct_t *ps_dec)
/* Start from ST head */
u1_num_short_term_bufs = u1_L1;
- for(u1_lt_index = u1_min_lt_index; u1_lt_index <= u1_max_lt_index;
- u1_lt_index++)
+ for(u4_lt_index = u1_min_lt_index; u4_lt_index <= u1_max_lt_index;
+ u4_lt_index++)
{
ps_next_dpb = ps_dpb_mgr->ps_dpb_ht_head;
for(i = 0; i < ps_dpb_mgr->u1_num_lt_ref_bufs; i++)
{
- if(ps_next_dpb->u1_lt_idx == u1_lt_index)
+ if(ps_next_dpb->u1_lt_idx == u4_lt_index)
{
ih264d_insert_pic_in_ref_pic_listx(ps_ref_pic_buf_lx,
ps_next_dpb->ps_pic_buf);
diff --git a/decoder/ih264d_process_pslice.c b/decoder/ih264d_process_pslice.c
index 95ac557..efda5cf 100644
--- a/decoder/ih264d_process_pslice.c
+++ b/decoder/ih264d_process_pslice.c
@@ -971,7 +971,8 @@ void ih264d_init_ref_idx_lx_p(dec_struct_t *ps_dec)
dpb_manager_t *ps_dpb_mgr;
struct dpb_info_t *ps_next_dpb;
WORD8 i;
- UWORD8 u1_max_lt_index, u1_min_lt_index, u1_lt_index;
+ UWORD8 u1_max_lt_index, u1_min_lt_index;
+ UWORD32 u4_lt_index;
UWORD8 u1_field_pic_flag;
dec_slice_params_t *ps_cur_slice;
UWORD8 u1_L0;
@@ -1018,9 +1019,9 @@ void ih264d_init_ref_idx_lx_p(dec_struct_t *ps_dec)
for(i = 0; i < ps_dpb_mgr->u1_num_lt_ref_bufs; i++)
{
- u1_lt_index = ps_next_dpb->u1_lt_idx;
- u1_max_lt_index = (UWORD8)(MAX(u1_max_lt_index, u1_lt_index));
- u1_min_lt_index = (UWORD8)(MIN(u1_min_lt_index, u1_lt_index));
+ u4_lt_index = ps_next_dpb->u1_lt_idx;
+ u1_max_lt_index = (UWORD8)(MAX(u1_max_lt_index, u4_lt_index));
+ u1_min_lt_index = (UWORD8)(MIN(u1_min_lt_index, u4_lt_index));
/* Chase the next link */
ps_next_dpb = ps_next_dpb->ps_prev_long;
@@ -1065,13 +1066,13 @@ void ih264d_init_ref_idx_lx_p(dec_struct_t *ps_dec)
/* Arrange all Long term buffers in ascending order, in LongtermIndex */
/* Start from LT head */
u1_num_short_term_bufs = u1_L0;
- for(u1_lt_index = u1_min_lt_index; u1_lt_index <= u1_max_lt_index;
- u1_lt_index++)
+ for(u4_lt_index = u1_min_lt_index; u4_lt_index <= u1_max_lt_index;
+ u4_lt_index++)
{
ps_next_dpb = ps_dpb_mgr->ps_dpb_ht_head;
for(i = 0; i < ps_dpb_mgr->u1_num_lt_ref_bufs; i++)
{
- if(ps_next_dpb->u1_lt_idx == u1_lt_index)
+ if(ps_next_dpb->u1_lt_idx == u4_lt_index)
{
ih264d_insert_pic_in_ref_pic_listx(ps_ref_pic_buf_lx,
ps_next_dpb->ps_pic_buf);