summaryrefslogtreecommitdiffstats
path: root/decoder
Commit message (Collapse)AuthorAgeFilesLines
* decoder: Signal IVD_RES_CHANGED error for change in crop paramsHEADreplicant-6.0-0004-transitionreplicant-6.0-0004-rc6replicant-6.0-0004-rc5-transitionreplicant-6.0-0004-rc5replicant-6.0-0004-rc4replicant-6.0-0004-rc3replicant-6.0-0004-rc2replicant-6.0-0004cm-13.0Harish Mahendrakar2019-04-131-0/+13
| | | | | | | | | | | | | | | IVD_RES_CHANGED was not signaled when crop parameters changed, i.e. display dimensions changed without change in decode dimensions. In such cases, if output buffer was allocated as per the current dimension being decoded, without IVD_RES_CHANGED signalled, there can be an OOB write if the new buffer is smaller than the frame being returned as output Bug: 118399205 Test: vendor Change-Id: Ia750a99cda08a3254a6f8ea8b55d07e655b34d05 (cherry picked from commit 442a01bf37d5bd97bb6d13b382f00265051abbe8)
* Decoder: Modify setting short term reference field flagRitu Baldwa2018-06-081-3/+2
| | | | | | | | | | | | Do not mark bottom field as short term in case of error. Bug: 73553038 Bug: 73552574 Bug: 73552999 Test: poc before/after Change-Id: I8576861af36996a361a81f48ba9b251f0ae4e660 (cherry picked from commit 47cc04b40c94b14841d27eb3ac0b01c3f1739180) CVE-2018-9350
* Decoder: Fixed reset values in parse sps.Ritu Baldwa2018-04-061-0/+4
| | | | | | | | | Memset to zero whenever new sps occurs. Bug: 70897394 Test: manual Change-Id: I5936fd55265ff8ad2b275a72b175cdb540bb7933 (cherry picked from commit 9c32ad7126890dfaa79fd29affaaf07de335fa3a)
* Decoder: Set prev slice type for I slice.Ritu Baldwa2018-04-061-1/+1
| | | | | | | | | Fixed initialization of u1_pr_sl_type for I slice. Bug: 70897454 Test: ran PoC before/after patch Change-Id: I0c37317513b72236be98c2b25482a67bf2b56052 (cherry picked from commit aecdfd1aff2505da11ad48ad4f9f918054ce0c97)
* Decoder: Adding Error Check for Output Buffer Size in Shared Display Mode.Ritu Baldwa2018-03-081-8/+57
| | | | | | | | | | | | | | The output buffer size given by the application, needs to be checked in every process call. This is required in the case of resolution change in shared display mode. Bug: 70294343 Bug: 70350193 Bug: 70526411 Bug: 70526485 Test: manual Change-Id: I2c1e59425e84ac62a874e5ee180e1b98f0a4058f (cherry picked from commit 3692aceb1b244be3e1b36d8e7b804986f593bb69)
* Decoder: Fixed memory overflow in shared display mode.Ritu Baldwa2018-03-081-2/+5
| | | | | | | | | | The factor multiplication should happen only at the source, not at the destination. Bug: 71375536 Test: manual Change-Id: Ib5f00b87150a0533880346fac5464b0b1a802c36 (cherry picked from commit c3b026a87d7da17ca5196e1973137b8691e60bde)
* Decoder: Modified loop condition while parsing ref_list_reordering.Ritu Baldwa2018-02-081-2/+4
| | | | | | | | | | | | When ref_pic_list_reordering_flag_l1 is equal to 1, the number of times that reordering_of_pic_nums_idc is not equal to 3 following ref_pic_list_reordering_flag_l1 should not exceed num_ref_idx_l1_active_minus1 + 1. Bug: 69478425 Change-Id: I031bb744869ac8a57f85bb97574832efd0eefc25 (cherry picked from commit 7ea47d575d26d4d5356670092af26fb6915e75bf) CVE-2017-13228
* Decoder: Handle dec_hdl memory allocation failure gracefullyHarish Mahendrakar2018-01-101-3/+20
| | | | | | | | | | | | If memory allocation for dec_hdl fails, return gracefully with an error code. All other allocation failures are handled correctly. Bug: 68300072 Test: ran poc before/after Change-Id: I118ae71f4aded658441f1932bd4ede3536f5028b (cherry picked from commit 7720b3fe3de04523da3a9ecec2b42a3748529bbd) CVE-2017-13189
* Decoder: Fixed incorrect use of mmco parameters.Ritu Baldwa2018-01-103-1/+11
| | | | | | | | | | | Added extra structure to read mmco values and copied only once per picture. Bug: 65735716 Change-Id: I25b08a37bc78342042c52957774b089abce1a54b (cherry picked from commit 3c70b9a190875938fc57164d9295a3ec791554df) CVE-2017-13186
* Decoder: Detect change of mbaff flag in SPSHamsalekha S2018-01-101-2/+12
| | | | | | | | | | | Change in Mbaff flag needs re-initialization of NMB group and other variables in decoder context. Bug: 64380237 Test: ran poc on ASAN before/after Change-Id: I0fc65e4dfc3cc2c15528ec52da1782ecec61feab (cherry picked from commit d524ba03101c0c662c9d365d7357536b42a0265e) CVE-2017-13204
* Decoder: Increased allocation and added checks in sei parsing.Hamsalekha S2018-01-103-4/+9
| | | | | | | | | | This prevents heap overflow while parsing sei_message. Bug: 63122634 Test: ran PoC on unpatched/patched Change-Id: I61c1ff4ac053a060be8c24da4671db985cac628c (cherry picked from commit f2b70d353768af8d4ead7f32497be05f197925ef) CVE-2017-13203
* Decoder: Fixed hang in the case of dangling fieldHamsalekha S2017-12-091-2/+1
| | | | | | | | | | The u1_top_bottom_decoded flag in the decoder context has been fixed to be updated correctly in the case of dangling field Bug: 63315932 Test: ran POC after patching Change-Id: I8db4ebeb94fba735ba45f365c37e52a202ea84cd CVE-2017-0874
* Decoder: Updated error check while parsing num_ref_idx_lx_active.replicant-6.0-0003Hamsalekha S2017-11-112-2/+3
| | | | | | | | | | Added an error check on the lower limit of u1_num_ref_idx_lx_active, while parsing slice header. The minimum possible value is 1. Bug: 64836894 Change-Id: I57056851fc135ed00f7a10af5c81eb560e9e12de CVE-2017-0858
* Decoder: Corrected variable datatypes in ih264d_get_implicit_weights.Hamsalekha S2017-11-111-15/+16
| | | | | | | | | | | The difference between two 32 signed numbers was getting assigned to 16 bits, leading to a divide by zero arithmetic execption. Modified variable names to match their datatypes. Bug: 65122447 Change-Id: I45ade1945f10b4d7660bd09fb564e60fd29d40dc CVE-2017-0857
* Added an out of bound check on u4_num_bufs in input argumentHarish Mahendrakar2017-11-111-1/+2
| | | | | | | | ps_dec_ip->s_out_buffer.u4_num_bufs was missing out of bound checks Bug: 62688399 Change-Id: Ic5e5c002d29fcb18064550d5a5f9289bb68b448e CVE-2017-0849
* Decoder: Conceal picture only if valid picture buffer is obtained.Hamsalekha S2017-11-111-4/+3
| | | | | | | | | | | | If all the slices in the current pic were invalid, then the decoder would not have received a valid picture buffer in the current call. In such cases there is no need to conceal or deblock the picture. Bug: 62896384 Test: run ASAN-enabled PoC before/after the patch Change-Id: I3cf6e871592826f93b0dcd2b06fff80677bc8338 CVE-2017-0833
* DO NOT MERGE Handle level/profile/num_ref_frames/num_reorder change at the ↵Wonsik Kim2017-11-111-1/+43
| | | | | | | | | | | | | same resolution Cherry pick of Change-Id: Ifa78c3125ab207ce5e39166f4891cba0d3a4e39c which went into master (post-n). This needed backporting to M so that the final fix for 35583675 could be integrated. Bug: 35583675 Test: ran POC without failure Change-Id: I0d248212aaf6635f34a70ad36657416a0c623d32 (cherry picked from commit 142221a3f993adca0c7db7f4b65d76cd9fd72a38)
* Decoder: Fixed number of MB calculation for interlaced error streamsHarish Mahendrakar2017-11-111-2/+3
| | | | | | | | | | At the end of picture processing, if the current pic is partially decoded, number of MBs to be processed was wrongly calculated for interlaced cases. Bug: 33129467 Change-Id: Ia81186c60d346f02663607f2dc14166781db6a69 (cherry picked from commit e1cf7ea8ae9af4d8b5aca7efba61025dae10a345)
* Revert "Decoder: Fixed allocation of pv_map_ref_idx_to_poc_buf."Ivan Kutepov2017-11-114-7/+20
| | | | | | This reverts commit 839c6327f8467e2e238238623ab3831fc4b3f280. Change-Id: Ia07e3a08843c3f52cb40efcd91fa4d1bba3b7b90
* Decoder: Initialize MB info buffer to zero.cm-13.0_20171109Hamsalekha S2017-09-171-0/+1
| | | | | | | | | | | Initialize the buffer used to store inter mb info (reference index, weights etc) to zero. Bug: 36035683 Change-Id: I23561a6a7fe852c0563a631d7ec6ab022cd78ccc (cherry picked from commit 2575ae6c989b133554f9b1267cf5dd694cf2aae6) (cherry picked from commit 9041bb17f70a94019e05459164b4756bde01edee)
* Decoder: Fixed allocation of pv_map_ref_idx_to_poc_buf.Hamsalekha S2017-09-144-20/+7
| | | | | | | | | | | | | | Increased allocation to include reference list1 also by default. In the case of error, we could get B_SLICES even in BASE_PROFILE. The initialization in the dec_slice_struct_t slice structure has also been modified accordingly. Test: run poc with and without this patch Bug: 38496660 Change-Id: I3451d79bbcd9f0d7a80981a9897f877b7f0812bd (cherry picked from commit a925a6b539642c8749c91a6f33e362eda8c4a5b6) CVE-2017-0776
* Initialize DPB structures to valid values.Hamsalekha S2017-09-141-1/+13
| | | | | | | | | | | When the first frame is a B frame, the colocated picture will now point to the current frame. Test: run poc with and without this patch Bug: 38115076 Change-Id: I48a8f128740551d6a9252931dafcf8c629ecad0d (cherry picked from commit b8d362561e48dde8898eb0415f298d64e76f2b7c) CVE-2017-0772
* Decoder: Fixed overflow in refernce list creation.Hamsalekha S2017-09-142-16/+18
| | | | | | | | | | | Since the maximum value of long term index is 255, the loop control variable needs to be 32 bit. Bug: 38448381 Test: ran POC before/after applying fix Change-Id: Iae3ecff38d4a922bde10fde33f1cfcafd2ea2680 (cherry picked from commit cbcd2846fa837e4be6d35f5c1211b070bc8d26da) CVE-2017-0761
* Added error check for output buffer size.Hamsalekha S2017-09-142-44/+106
| | | | | | | | | | | | The output buffer size given by the application, needs to be checked in every process call. This is required in the case of resolution change. Bug: 36006815 Test: avcdec -i poc.bin Change-Id: I16a92cdad23eb7b1e12c1a67c1b2599204f29249 (cherry picked from commit 3f6c941de5cd959072fa046c9d6cb26fa0f01dc6) CVE-2017-0757
* [BACKPORT] Fixed bug in the case of resolution change.replicant-6.0-0002Hamsalekha S2017-09-011-2/+2
| | | | | | | | | | | | Modified the way i4_header_decoded in decoder context is used, to ensure that resolution change is detected even if PPS has not been decoded. Bug: 35583675 Test: ran POC, no longer hangs Change-Id: Ibb3f8dfbeb66a999fd81720a7d2a02dd951a55c4 (cherry picked from commit 1d06027c69e31d450b1e837c81073362d41084d3)
* Fix resolution change within a decode call.Hamsalekha S2017-08-313-0/+12
| | | | | | | | | | | | | If resolution changes within a decode call,due to multiple sps, the decoder hangs as the the application will give the same data again in the next decode call. This results in a hang. Fixed this by flaging an error, when sps/resoultion changes within a process call. Bug: 38487564 Test: ran POC on patched O-based system w/o hanging Change-Id: I30095b2e8bf573c1a58a316a23b1a5e6a4af589b (cherry picked from commit fe18375850fe04b8c4ff2f1b20069e161f718e53)
* Fixed hang in the case of multiple sps id.Hamsalekha S2017-08-311-1/+4
| | | | | | | | | | | | The sps parameters used to detect change in resolution/sps were incorrect. Made a fix to use current sps from decoder context. Bug: 38239864 Change-Id: I2d110e635ced32b3dc7f364e08a97d672fcbae37 (cherry picked from commit 8c6fe35f6d28f3e8c3a9f9458eea89eba858bded) (cherry picked from commit ec3f58500066edee259942057e21489621fca9dd)
* Decoder: Fix in the case of MMCO 6Hamsalekha S2017-08-311-5/+16
| | | | | | | | | | | Added an error check in the case of MMCO 6 (SET_LT_INDEX) Bug: 38014992 Test: POC fails before / works after patch Change-Id: I76e38a8e2ff0bab043b47f44f1f7b1d4fe60d416 (cherry picked from commit 9e4f0ce7042078aeffaa16f2773cc2d1b82cdb12) (cherry picked from commit 41489f9ece970df8530e28d7a24710b1beb755e2)
* Initializing reference list for every P/B slice.Hamsalekha S2017-08-315-42/+5
| | | | | | | | | | | Reference list needs to be initialized for every P/B slice, to ensure colocated picture always points to a valid picture buffer, even in the case of error. Bug: 36279112 Change-Id: I051d7e725b0af209cc7bb333db8da3518adf78a0 (cherry picked from commit f9d3f9af8fc113acda28e1a4e48d85736ee29c75)
* Decoder: Cleaned up parse sps function.Hamsalekha S2017-08-311-14/+15
| | | | | | | | | | | Postponed the initializations to decoder context till the end of the parse sps function, after all the error checks are done. Bug: 37968755 Test: ran poc on ASAN-enabled build before/after Change-Id: Ibee3383c28cede3edb68d2459565d6ce10683bbd (cherry picked from commit 4eb72f7c935595817026b4cf4aed5ef2ff579ab5)
* Decoder: Fixed allocation size of pred info bufferHamsalekha S2017-08-311-4/+1
| | | | | | | | | Buffer allocation size for pred info was increased in the case number reference frames equal to 1. Bug: 36998372 Change-Id: I1f84a16703422109d40bed8436f35d0c2069c088 (cherry picked from commit 9008aed514f7211f6fcad328277ce464b042f622)
* Fix stack buffer overflow in ih264d_process_intra_mbHarish Mahendrakar2017-07-071-3/+9
| | | | | | | | | | | | | | Aligned the sizes of au1_ngbr_pels to ensure SSE42 functions do not result in stack buffer overflow Bug: 36490809 AOSP-Change-Id: I0bfe493f94647046013759b3ec9db3c627ac471e (cherry picked from commit f69e34419b267be7285a7e0e85a019294118ae03) CVE-2017-0699 Change-Id: I4523d94411a752abb2461c4857e66beee67c3364
* Decoder: Added an error check while parsing PPS.Hamsalekha S2017-07-071-2/+4
| | | | | | | | | | | | | Added an error check while parsing PPS syntax element second_chroma_qp_index_offset. Bug: 37207120 AOSP-Change-Id: Icba6b7bcf5940505717ee61134ed801c221b6e26 (cherry picked from commit 62f98981ffc29082dd4bbf173a043a5bcbb86652) CVE-2017-0696 Change-Id: I702fb66977fe51f4489c7f7f928cd3eb27e4756e
* Decoder: Fixed flag u1_top_bottom_decoded.Hamsalekha S2017-07-072-4/+4
| | | | | | | | | | | | | | | Fixed initialization of flag u1_top_bottom_decoded in decoder context. This flag indicates if top field and botton field is decoded. Bug: 36993291 Test: avcdec --input poc.h264 --output /dev/null AOSP-Change-Id: I9f8a2620683abd8b15e4780d76d4849394710716 (cherry picked from commit 7703822731a3e5425390ba1d177d061a699c367d) CVE-2017-0693 Change-Id: Ibd2f703e0aef8faa4cb32e036db1a74815ea7b7c
* Fix in the case of MMCO 3 (long term reference idx).Hamsalekha S2017-07-071-1/+3
| | | | | | | | | | | | | | | | | | Increment number of long term reference buffers only when both top field and bottom field have been set as long term. [backport for M/N from master] Bug: 35584425 Test: ran POC - no hang, no segfault. AOSP-Change-Id: I94e3857944da675eda38f8e1a9bd887f48bff524 (cherry picked from commit 6fa5df8811ea0b8e8459f86dd3c30bf7a9b39482) (cherry picked from commit 46e96d40dbca2896b5e20cf48d14798231c97663) CVE-2017-0688 Change-Id: I3f4077df0fc0764b70c93cb226a5c7503799ba26
* Decoder: Fix end of bitstream error.Hamsalekha S2017-07-072-5/+24
| | | | | | | | | | | | | | The end of bistream error check was fixed for odd number of macroblocks in Mbaff frames. Bug: 37008096 Test: Ittiam-verified AOSP-Change-Id: I058d74a3c1d1511968c2b36802dfc5c102947919 (cherry picked from commit 2e01924cd692191c970c64ec3f358e53dccb9e54) CVE-2017-0680 Change-Id: I4472f827796093e932d9853d45f21a4a16d92928
* Decoder: Fix allocation for Mbaff weight matrixHamsalekha S2017-07-071-3/+2
| | | | | | | | | | | | | | Increased the allocation size for Mbaff weight matrix buffer Bug: 36996978 AOSP-Change-Id: I21cf2cb1010abdc6346f743f5237ae1730c4bf41 (cherry picked from commit 07db35ad5af8c4ee2308f983650d9a1b811841ea) CVE-2017-0679 Change-Id: I1a8e38c839eee9887abf2fd99954237db31b2234
* Decoder: Fix in reference list initialization.Hamsalekha S2017-07-071-2/+2
| | | | | | | | | | | | | | | In the case of error, initialize the new reference list1 with the first picture in default list0 instead of default list1, as first picture in list1 could still be invalid. Bug: 36035074 AOSP-Change-Id: I7ab493ee7a157cbefcd4da8389ff1ff899c16b7f (cherry picked from commit 93954f5e9a5d727e402921ac6fa100e6dcc1d4e8) CVE-2017-0677 Change-Id: I6e3d02457961d222fa721e2d8d283a989302805d
* Decoder: Fixes in accessing mbaff flag in error casesHarish Mahendrakar2017-07-061-4/+4
| | | | | | | | | | | | | | | ps_dec->ps_cur_slice->u1_mbaff_frame_flag is updated in ih264d_start_of_pic(). So updated value should be used after calling ih264d_start_of_pic() Bug: 33974623 Test: ran POC from bug AOSP-Change-Id: I0f1ff5e01ed39767f493f197791e51b0da74952f (cherry picked from commit 3f6937a0031e4acadc9228559ae2ae47b992b16a) (cherry picked from commit 0f2f2b5fde873b8badee949561c17692588647e8) CVE-2017-0673 Change-Id: I4e9f951fa836ea597dfa6a593de8da0c476627f1
* Decoder: Fixed error handling for dangling fieldsHarish Mahendrakar2017-05-191-1/+0
| | | | | | | | | | | | | | | | In case of dangling fields with gaps in frames enabled, field pic in cur_slice was wrongly set to 0. This would cause dangling field to be concealed as a frame, which would result in a number of MB mismatch and hence a hang. Bug: 34097672 AOSP-Change-Id: Ia9b7f72c4676188c45790b2dfbb4fe2c2d2c01f8 (cherry picked from commit 1a13168ca3510ba91274d10fdee46b3642cc9554) CVE-2017-0591 Change-Id: I4087c11d52a5c72c75cb4b992f67ccff63b5d509
* Decoder: Fixed initialization of first_slice_in_picreplicant-6.0-0001Harish Mahendrakar2017-04-054-35/+13
| | | | | | | | | | | | | | | | | | | To handle some errors, first_slice_in_pic was being set to 2. This is now cleaned up and first_slice_in_pic is set to 1 only once per pic. This will ensure picture level initializations are done only once even in case of error clips Bug: 33717589 Bug: 33551775 Bug: 33716442 Bug: 33677995 AOSP-Change-Id: If341436b3cbaa724017eedddd88c2e6fac36d8ba CVE-2017-0555 Change-Id: Ifecf8e8cf6a257eaffdc8411e6af44962b554d72 (cherry picked from commit 0b23c81c3dd9ec38f7e6806a3955fed1925541a0)
* Decoder: Return correct error code for slice header errorsHarish Mahendrakar2017-04-052-8/+8
| | | | | | | | | | | | | Return ERROR_INV_SLICE_HDR_T instead of ERROR_INV_SPS_PPS_T for slice header errors. Bug: 34097915 AOSP-Change-Id: I45d14a71f2322ff349058baaf65fb0f3c1140fba CVE-2017-0552 Change-Id: I4c87503f9014f67721fb3a06a7542215d4f10cd6 (cherry picked from commit 9a00f562a612d56e7b2b989d168647db900ba6cf)
* Fix in returning end of bitstream error for MBAFFHarish Mahendrakar2017-04-052-0/+8
| | | | | | | | | | | | | | | In case of MBAFF streams, slices should terminate on even MB boundary. If bytes are exhausted with odd number of MBs decoded for MBAff, then treat that as error. Bug: 33933140 AOSP-Change-Id: Ifc26b66ff8ebdb3aec5c0d6c512e4cac3f54c5b7 CVE-2017-0550 Change-Id: I239352c34311d40096ebd7eed66acfb11a628475 (cherry picked from commit 7950bf47b6944546a0aff11a7184947de9591b51)
* resolve merge conflicts of 3654ad0 to mnc-dr-devMarco Nelissen2017-04-051-0/+9
| | | | | | | | | | | Bug: 33818508 Bug: 34013472 AOSP-Change-Id: I2e99cbceba1c00555d624e8975522725e362362b CVE-2017-0549 Change-Id: I737d00a2c8d0729d6ef47af2049401f10ff139e4 (cherry picked from commit 37345554fea84afd446d6d8fbb87feea5a0dde3f)
* Decoder: Initialize default reference buffers for all picturesHarish Mahendrakar2017-04-051-1/+1
| | | | | | | | | | | | | Reference buffer is now initialized to default value for each pic before decoding the first slice in the pic Bug: 34097866 AOSP-Change-Id: Id64b123af2188217ce833f11db0e6c0681d41dfd CVE-2017-0543 Change-Id: I49a76e0af23001842630218f79f47a98bc287d6a (cherry picked from commit f634481e940421020e52f511c1fb34aac1db4b2f)
* Decoder: Fixes an out of bound write in bitstream bufferHarish Mahendrakar2017-04-051-1/+3
| | | | | | | | | | | | | | | | | | [for mnc-dr-dev and later; mnc-dev gets a different patch] After emulation prevention, data is written as an int, so at least 3 additional bytes should be available. And since bitstream functions read 8 bytes ahead, 8 extra bytes should be available in the bitstream buffer. Bug: 33934721 AOSP-Change-Id: I444ec6f85d01b0bade9f827e15c4b476779d6c69 CVE-2017-0542 Change-Id: I3c77857dc558b2ab0bacbfae0c56e794154bd50c (cherry picked from commit 33ef7de9ddc8ea7eb9cbc440d1cf89957a0c267b)
* Decoder: Moved end of pic processing to end of decode callHarish Mahendrakar2017-04-054-108/+78
| | | | | | | | | | | | | | | | | | | | ih264d_end_of_pic() was called after parsing slice of a new picture. This is now being done at the end of decode of the current picture. decode_gaps_in_frame_num which needs frame_num of new slice is now done after decoding frame_num in new slice. This helps in handling errors in picaff streams with gaps in frames Bug: 33588051 Bug: 33641588 Bug: 34097231 AOSP-Change-Id: I1a26e611aaa2c19e2043e05a210849bd21b22220 CVE-2017-0538 CVE-2017-0551 Change-Id: I62cd9bff7c8d4b20c930e6ddc4164aaa3368407f (cherry picked from commit 494561291a503840f385fbcd11d9bc5f4dc502b8)
* Decoder: Treat first slice in a picture as part of new picture alwaysHarish Mahendrakar2017-04-051-19/+5
| | | | | | | | | | | | | This is needed to decode streams with consecutive IDRs. Bug: 34097231 Test: successful run of POC in security bug AOSP-Change-Id: Ib737a4ef4b8c5bb7a57c90292102dd28af0615fe CVE-2017-0551 Change-Id: I5d2569034b03ba44830d96319a354e0cb0e665d3 (cherry picked from commit 8b5fd8f24eba5dd19ab2f80ea11a9125aa882ae2)
* Decoder: Fixed an out of bound access while parsing SEIHarish Mahendrakar2017-03-221-1/+1
| | | | | | | | | | | | Invalid SPS Id read was resulting in an out of bound read Bug: 33552073 CVE-2017-0495 Change-Id: Ie5b80222fc7ac3a64475340371be0facdf999d7b (cherry picked from commit d3d60c6a5d7ab605d19b9ac4b95bc227b7b870dc) (cherry picked from commit 99a85bb4690dd30871d9457c30ca3b44a0928cc1) (cherry picked from commit 85c0ec4106659a11c220cd1210f8d76c33d9e2ae)
* Decoder: Initialize ps_cur_slice->u1_mbaff_frame_flag correctly for error casesHarish Mahendrakar2017-03-221-0/+2
| | | | | | | | | | | Bug: 34097213 Bug: 33641588 CVE-2017-0488 Change-Id: I40a6c5af7f1e46e1623ae1b399db3073123390fe (cherry picked from commit 1d5640f2f9013e8de68cedc3e57a6b02b495b3c2) (cherry picked from commit 0340381cd8c220311fd4fe2e8b23e1534657e399)
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-24 17:14:22 +0000