author | Naveen Kumar P <naveenkumar.p@ittiam.com> | 2017-04-05 10:31:08 +0530 |
---|---|---|
committer | MSe <mse1969@posteo.de> | 2017-07-06 23:59:09 +0200 |
commit | 3d95ec77a93a4439566189075054b9969946113b (patch) | |
tree | 701c98b0d42739f6c0da1efd16d1c53eda3288a1 | |
parent | da51727b114b0fec6fb5fe0a0d3dde06420878d1 (diff) | |
Check for cpb cnt in hrd parsing
Bug: 34896431
The arrays in hrd are of size MAX_CPB_CNT. If cpb cnt is more
than MAX_CPB_CNT, more data is parsed and the subsequent buffer
is corrupted.
AOSP-Change-Id: I74c01b8c7142b67a358eb5e36b160a7fbf2b69e4
(cherry picked from commit 3e194e0edde1d9ceb71d18f6f0e0bf156a76a650)
CVE-2017-0676
Change-Id: Ied5f6ecf2ad2c2ab6f2f9d054ef64db5e80b4892
-rw-r--r-- | decoder/ihevcd_parse_headers.c | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/decoder/ihevcd_parse_headers.c b/decoder/ihevcd_parse_headers.c
index 2f03959..a504778 100644
--- a/decoder/ihevcd_parse_headers.c
+++ b/decoder/ihevcd_parse_headers.c
@@ -644,6 +644,9 @@ static WORD32 ihevcd_parse_hrd_parameters(bitstrm_t *ps_bitstrm,
 if(!ps_hrd->au1_low_delay_hrd_flag[i]) UEV_PARSE("cpb_cnt_minus1[ i ]", ps_hrd->au1_cpb_cnt_minus1[i], ps_bitstrm);
+ if(ps_hrd->au1_cpb_cnt_minus1[i] >= (MAX_CPB_CNT - 1))
+ return IHEVCD_INVALID_PARAMETER;
+
 if(ps_hrd->u1_nal_hrd_parameters_present_flag) ihevcd_parse_sub_layer_hrd_parameters(ps_bitstrm, &ps_hrd->as_sub_layer_hrd_params[i],
@@ -742,7 +745,10 @@ static WORD32 ihevcd_parse_vui_parameters(bitstrm_t *ps_bitstrm,
 BITS_PARSE("vui_hrd_parameters_present_flag", ps_vui->u1_vui_hrd_parameters_present_flag, ps_bitstrm, 1);
 if(ps_vui->u1_vui_hrd_parameters_present_flag)
- ihevcd_parse_hrd_parameters(ps_bitstrm, &ps_vui->s_vui_hrd_parameters, 1, sps_max_sub_layers_minus1);
+ {
+ ret = ihevcd_parse_hrd_parameters(ps_bitstrm, &ps_vui->s_vui_hrd_parameters, 1, sps_max_sub_layers_minus1);
+ RETURN_IF((ret != (IHEVCD_ERROR_T)IHEVCD_SUCCESS), ret);
+ }
 }
 BITS_PARSE("bitstream_restriction_flag", ps_vui->u1_bitstream_restriction_flag, ps_bitstrm, 1);
@@ -1489,9 +1495,12 @@ IHEVCD_ERROR_T ihevcd_parse_sps(codec_t *ps_codec)
 ps_sps->i1_vui_parameters_present_flag = value;
 if(ps_sps->i1_vui_parameters_present_flag)
- ihevcd_parse_vui_parameters(ps_bitstrm,
- &ps_sps->s_vui_parameters,
- ps_sps->i1_sps_max_sub_layers - 1);
+ {
+ ret = ihevcd_parse_vui_parameters(ps_bitstrm,
+ &ps_sps->s_vui_parameters,
+ ps_sps->i1_sps_max_sub_layers - 1);
+ RETURN_IF((ret != (IHEVCD_ERROR_T)IHEVCD_SUCCESS), ret);
+ }
 BITS_PARSE("sps_extension_flag", value, ps_bitstrm, 1); |
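Review bot: In the ihevcd_parse_hrd_parameters hunk (@@ -644), the new bound `>= (MAX_CPB_CNT - 1)` also rejects `cpb_cnt_minus1 == MAX_CPB_CNT - 1`, a count of exactly MAX_CPB_CNT, which by the commit message still fits the arrays. The sub-layer parser's loop bounds are not visible here, so this needs confirming against them: if it fills entries 0..cpb_cnt_minus1 the tight check would be `if(ps_hrd->au1_cpb_cnt_minus1[i] > (MAX_CPB_CNT - 1))`, and if the stricter limit is deliberate a one-line comment above the check should state the reason. The comparison is also made on the stored field, which its `au1_` prefix suggests is 8 bits wide, so a larger ue(v) value would be truncated before it is tested; parsing into a wider temporary and range-checking that before the store would reject such streams outright. The enclosing loop and the rest of the function lie outside the hunk.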
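Review bot: On the new early-return paths in ihevcd_parse_vui_parameters (@@ -742) and ihevcd_parse_sps (@@ -1489), the VUI/HRD structure is left partly written: the present flags are already set and, when the failure comes from the cpb count check, the rejected value is still stored in `au1_cpb_cnt_minus1[i]`. Nothing in these hunks shows whether callers discard the SPS on error; if it can stay reachable, clearing the flag before returning, e.g. `ps_vui->u1_vui_hrd_parameters_present_flag = 0;`, or a comment such as `/* a failed SPS is never activated; partial VUI/HRD state is not read */` would make the invariant explicit. `ret` is assigned without a declaration visible in either hunk, and ihevcd_parse_vui_parameters returns WORD32 while the test casts to IHEVCD_ERROR_T, so the declaration and types are worth checking. Both functions start and end outside their hunks.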