authorNaveen Kumar P <naveenkumar.p@ittiam.com>2017-04-05 10:31:08 +0530
committerMSe <mse1969@posteo.de>2017-07-06 23:59:09 +0200
commit3d95ec77a93a4439566189075054b9969946113b (patch)
tree701c98b0d42739f6c0da1efd16d1c53eda3288a1
parentda51727b114b0fec6fb5fe0a0d3dde06420878d1 (diff)
Check for cpb cnt in hrd parsing
Bug: 34896431 The arrays in hrd are of size MAX_CPB_CNT. If cpb cnt is more than MAX_CPB_CNT, more data is parsed and the subsequent buffer is corrupted. AOSP-Change-Id: I74c01b8c7142b67a358eb5e36b160a7fbf2b69e4 (cherry picked from commit 3e194e0edde1d9ceb71d18f6f0e0bf156a76a650) CVE-2017-0676 Change-Id: Ied5f6ecf2ad2c2ab6f2f9d054ef64db5e80b4892
-rw-r--r--decoder/ihevcd_parse_headers.c17
1 files changed, 13 insertions, 4 deletions
diff --git a/decoder/ihevcd_parse_headers.c b/decoder/ihevcd_parse_headers.c
index 2f03959..a504778 100644
--- a/decoder/ihevcd_parse_headers.c
+++ b/decoder/ihevcd_parse_headers.c
@@ -644,6 +644,9 @@ static WORD32 ihevcd_parse_hrd_parameters(bitstrm_t *ps_bitstrm,
if(!ps_hrd->au1_low_delay_hrd_flag[i])
UEV_PARSE("cpb_cnt_minus1[ i ]", ps_hrd->au1_cpb_cnt_minus1[i], ps_bitstrm);
+ if(ps_hrd->au1_cpb_cnt_minus1[i] >= (MAX_CPB_CNT - 1))
+ return IHEVCD_INVALID_PARAMETER;
+
if(ps_hrd->u1_nal_hrd_parameters_present_flag)
ihevcd_parse_sub_layer_hrd_parameters(ps_bitstrm,
&ps_hrd->as_sub_layer_hrd_params[i],
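Review bot: The bound `>= (MAX_CPB_CNT - 1)` in the added check rejects a `cpb_cnt_minus1` equal to `MAX_CPB_CNT - 1`, which is a count of exactly `MAX_CPB_CNT` and, going by the commit message's statement that the arrays are of size `MAX_CPB_CNT`, would still fit. If the sub-layer parser (outside this hunk) iterates up to and including `cpb_cnt_minus1`, then `if(ps_hrd->au1_cpb_cnt_minus1[i] > (MAX_CPB_CNT - 1))` is sufficient and does not reject streams at the limit. If the stricter bound is deliberate, a comment such as `/* sub-layer HRD arrays hold MAX_CPB_CNT entries; reject before they are indexed */` should record why. The out-of-range value has also already been written into `ps_hrd` by the time the error is returned, so the check is only safe if every caller abandons the structure on failure. The function body continues outside the hunk.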
@@ -742,7 +745,10 @@ static WORD32 ihevcd_parse_vui_parameters(bitstrm_t *ps_bitstrm,
BITS_PARSE("vui_hrd_parameters_present_flag", ps_vui->u1_vui_hrd_parameters_present_flag, ps_bitstrm, 1);
if(ps_vui->u1_vui_hrd_parameters_present_flag)
- ihevcd_parse_hrd_parameters(ps_bitstrm, &ps_vui->s_vui_hrd_parameters, 1, sps_max_sub_layers_minus1);
+ {
+ ret = ihevcd_parse_hrd_parameters(ps_bitstrm, &ps_vui->s_vui_hrd_parameters, 1, sps_max_sub_layers_minus1);
+ RETURN_IF((ret != (IHEVCD_ERROR_T)IHEVCD_SUCCESS), ret);
+ }
}
BITS_PARSE("bitstream_restriction_flag", ps_vui->u1_bitstream_restriction_flag, ps_bitstrm, 1);
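Review bot: The new propagation compares `ret` against `(IHEVCD_ERROR_T)IHEVCD_SUCCESS`, while both `ihevcd_parse_hrd_parameters` and the enclosing `ihevcd_parse_vui_parameters` are declared as returning `WORD32` in the hunk headers. The declaration of `ret` is outside the hunk, so please confirm that its type matches what the function returns and that the cast does not hide a mismatch. The result of `ihevcd_parse_hrd_parameters` was silently dropped before this change, so any other call site of it outside this diff should be checked for the same omission. The header comment of `ihevcd_parse_vui_parameters` should also gain a line such as `Returns an error code if the HRD parameters are out of range`, since it can now fail part-way through the VUI.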
@@ -1489,9 +1495,12 @@ IHEVCD_ERROR_T ihevcd_parse_sps(codec_t *ps_codec)
ps_sps->i1_vui_parameters_present_flag = value;
if(ps_sps->i1_vui_parameters_present_flag)
- ihevcd_parse_vui_parameters(ps_bitstrm,
- &ps_sps->s_vui_parameters,
- ps_sps->i1_sps_max_sub_layers - 1);
+ {
+ ret = ihevcd_parse_vui_parameters(ps_bitstrm,
+ &ps_sps->s_vui_parameters,
+ ps_sps->i1_sps_max_sub_layers - 1);
+ RETURN_IF((ret != (IHEVCD_ERROR_T)IHEVCD_SUCCESS), ret);
+ }
BITS_PARSE("sps_extension_flag", value, ps_bitstrm, 1);
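Review bot: When the new `RETURN_IF` fires, `ihevcd_parse_sps` returns with `ps_sps` partly filled in: `i1_vui_parameters_present_flag` is already set and `s_vui_parameters` holds whatever was parsed up to the rejected HRD field. Whether `ps_sps` is a scratch entry that is only committed on success cannot be seen from this hunk. If it is not, the early return should also leave the SPS marked unusable so that later slices cannot reference a half-parsed entry. A short comment above the new block, for example `/* VUI/HRD failure aborts the SPS; the entry must not be activated */`, would make that contract explicit.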