diff options
| author | Harish Mahendrakar <harish.mahendrakar@ittiam.com> | 2017-01-13 16:41:33 +0530 |
|---|---|---|
| committer | Sean McCreary <mccreary@mcwest.org> | 2017-04-05 18:21:35 -0600 |
| commit | 2be3683d5caab9638ff33d9fee0a48dc7204ddc6 (patch) | |
| tree | d05737ad7fd3dd847a69a446208f3ae58e6877e3 | |
| parent | c14bbd45ac66a54a5acf995783b43a3b122cb16f (diff) | |
| download | android_external_libhevc-2be3683d5caab9638ff33d9fee0a48dc7204ddc6.tar.gz android_external_libhevc-2be3683d5caab9638ff33d9fee0a48dc7204ddc6.tar.bz2 android_external_libhevc-2be3683d5caab9638ff33d9fee0a48dc7204ddc6.zip | |
Fix in handling wrong cu_qp_deltareplicant-6.0-0001
cu_qp_delta is now checked for the range as specified in the spec
Bug: 33966031
AOSP-Change-Id: I00420bf68081af92e9f2be9af7ce58d0683094ca
CVE-2017-0540
Change-Id: I3f50e370e43489d9f6c003ad03cddac47796f7af
(cherry picked from commit 01ca88bb6c5bdd44e071f8effebe12f1d7da9853)
| -rw-r--r-- | decoder/ihevcd_cabac.c | 3 | ||||
| -rw-r--r-- | decoder/ihevcd_parse_slice.c | 11 |
2 files changed, 11 insertions, 3 deletions
diff --git a/decoder/ihevcd_cabac.c b/decoder/ihevcd_cabac.c index fa249c4..3a03aa8 100644 --- a/decoder/ihevcd_cabac.c +++ b/decoder/ihevcd_cabac.c @@ -669,14 +669,13 @@ UWORD32 ihevcd_cabac_decode_bypass_bins_egk(cab_ctxt_t *ps_cabac, numones = k; bin = 1; u4_sym = 0; - while(bin) + while(bin && (numones <= 16)) { IHEVCD_CABAC_DECODE_BYPASS_BIN(bin, ps_cabac, ps_bitstrm); u4_sym += bin << numones++; } numones -= 1; - numones = CLIP3(numones, 0, 16); if(numones) { diff --git a/decoder/ihevcd_parse_slice.c b/decoder/ihevcd_parse_slice.c index 3bb658e..f56ba8e 100644 --- a/decoder/ihevcd_parse_slice.c +++ b/decoder/ihevcd_parse_slice.c @@ -82,6 +82,9 @@ /* Bit stream offset threshold */ #define BITSTRM_OFF_THRS 8 +#define MIN_CU_QP_DELTA_ABS(x) (-26 + ((x) * 6) / 2) +#define MAX_CU_QP_DELTA_ABS(x) (25 + ((x) * 6) / 2) + /** * Table used to decode part_mode if AMP is enabled and current CU is not min CU */ @@ -302,7 +305,6 @@ WORD32 ihevcd_parse_transform_tree(codec_t *ps_codec, } AEV_TRACE("cu_qp_delta_abs", cu_qp_delta_abs, ps_cabac->u4_range); - ps_codec->s_parse.i4_is_cu_qp_delta_coded = 1; @@ -315,6 +317,13 @@ WORD32 ihevcd_parse_transform_tree(codec_t *ps_codec, cu_qp_delta_abs = -cu_qp_delta_abs; } + + if (cu_qp_delta_abs < MIN_CU_QP_DELTA_ABS(ps_sps->i1_bit_depth_luma_minus8) + || cu_qp_delta_abs > MAX_CU_QP_DELTA_ABS(ps_sps->i1_bit_depth_luma_minus8)) + { + return IHEVCD_INVALID_PARAMETER; + } + ps_codec->s_parse.s_cu.i4_cu_qp_delta = cu_qp_delta_abs; } |