diff options
| author | Harish Mahendrakar <harish.mahendrakar@ittiam.com> | 2015-12-18 10:09:18 +0530 |
|---|---|---|
| committer | Sean McCreary <mccreary@mcwest.org> | 2017-03-22 20:06:57 -0600 |
| commit | 3b152ae7f484853e392b905113d301dc9691c289 (patch) | |
| tree | 5ef03e0811cab163d1f66bfc2f3ade34569e5530 | |
| parent | b133b420f540eb0bad149236df206f75677e8b58 (diff) | |
| download | android_external_libhevc-3b152ae7f484853e392b905113d301dc9691c289.tar.gz android_external_libhevc-3b152ae7f484853e392b905113d301dc9691c289.tar.bz2 android_external_libhevc-3b152ae7f484853e392b905113d301dc9691c289.zip | |
Fixed out of bound reads in stack variables
Out of bound reads in the following variables are fixed
scaling_mat_offset in ihevcd_iquant_itrans_recon_ctb()
ai1_offset_y, ai1_offset_cb and ai1_offset_cr in ihevcd_sao_shift_ctb()
These values were read but not used
b/32915871
CVE-2017-0406
AOSP Change-Id: Ib07e2ed1bdcc600700d4e9e5d970f6cc2164ab1b
Change-Id: Id3e335941d6f015a55085d2592f92974b3225976
(cherry picked from commit 4def2dfabf8afcb185942131c1e67bb3ff211f05)
(cherry picked from commit 5e7a6141e9e7a165b1234a3fd24ea4b176c3d016)
| -rw-r--r-- | decoder/ihevcd_iquant_itrans_recon_ctb.c | 6 | ||||
| -rw-r--r-- | decoder/ihevcd_sao.c | 9 |
2 files changed, 9 insertions, 6 deletions
diff --git a/decoder/ihevcd_iquant_itrans_recon_ctb.c b/decoder/ihevcd_iquant_itrans_recon_ctb.c index a558644..88ace44 100644 --- a/decoder/ihevcd_iquant_itrans_recon_ctb.c +++ b/decoder/ihevcd_iquant_itrans_recon_ctb.c @@ -567,9 +567,11 @@ WORD32 ihevcd_iquant_itrans_recon_ctb(process_ctxt_t *ps_proc) /* Intra 32x32 Y */ /* Inter 32x32 Y */ /*************************************************************************/ - WORD32 scaling_mat_offset[] = + /* Only first 20 entries are used. Array is extended to avoid out of bound + reads. Skip CUs (64x64) read this table, but don't really use the value */ + static const WORD32 scaling_mat_offset[] = { 0, 16, 32, 48, 64, 80, 96, 160, 224, 288, 352, 416, 480, 736, 992, - 1248, 1504, 1760, 2016, 3040 }; + 1248, 1504, 1760, 2016, 3040, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; PROFILE_DISABLE_IQ_IT_RECON_INTRA_PRED(); diff --git a/decoder/ihevcd_sao.c b/decoder/ihevcd_sao.c index 2702317..dc852c6 100644 --- a/decoder/ihevcd_sao.c +++ b/decoder/ihevcd_sao.c @@ -568,10 +568,11 @@ void ihevcd_sao_shift_ctb(sao_ctxt_t *ps_sao_ctxt) UWORD8 *pu1_sao_src_top_left_luma_bot_left; UWORD8 *au1_sao_src_top_left_chroma_bot_left; UWORD8 *pu1_sao_src_top_left_chroma_bot_left; - - WORD8 ai1_offset_y[5]; - WORD8 ai1_offset_cb[5]; - WORD8 ai1_offset_cr[5]; + /* Only 5 values are used, but arrays are large + enough so that SIMD functions can read 64 bits at a time */ + WORD8 ai1_offset_y[8]; + WORD8 ai1_offset_cb[8]; + WORD8 ai1_offset_cr[8]; WORD32 chroma_yuv420sp_vu = ps_sao_ctxt->is_chroma_yuv420sp_vu; PROFILE_DISABLE_SAO(); |