authorNaveen Kumar P <naveenkumar.p@ittiam.com>2017-09-19 16:07:41 +0530
committerIvan Kutepov <its.kutepov@gmail.com>2017-12-09 19:11:08 +0300
commitb890609a4bd439b31fe71a2c480d0e15e0590075 (patch)
tree3bd6828886e8c5551a0c6ec1f33ad010d0654e2f
parent8d6e2a807fb9a5c940c457006f0c1e6a455419a4 (diff)
Alloc extra bytes for bits buf for parse optimzation
Without this extra allocation, if a NAL fills the entire bits buffer, there will be an out-of-bounds memory read.
Bug: 65719872
Test: ran poc before/after on ASAN of master
Change-Id: I1c36821505bdc4fe6c23f30a02ab2fb0fb657946
CVE-2017-13149
-rw-r--r--decoder/ihevcd_api.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/decoder/ihevcd_api.c b/decoder/ihevcd_api.c
index 1cd968e..3dac4f7 100644
--- a/decoder/ihevcd_api.c
+++ b/decoder/ihevcd_api.c
@@ -1187,7 +1187,7 @@ WORD32 ihevcd_allocate_static_bufs(iv_obj_t **pps_codec_obj,
/* Request memory for static bitstream buffer which holds bitstream after emulation prevention */
size = MIN_BITSBUF_SIZE;
- pv_buf = pf_aligned_alloc(pv_mem_ctxt, 128, size);
+ pv_buf = pf_aligned_alloc(pv_mem_ctxt, 128, size + 16); //Alloc extra for parse optimization
RETURN_IF((NULL == pv_buf), IV_FAIL);
ps_codec->pu1_bitsbuf_static = pv_buf;
ps_codec->u4_bitsbuf_size_static = size;
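Review bot: The literal `16` added to the `pf_aligned_alloc` call here, and again in the ihevcd_allocate_dynamic_bufs hunk, is an unnamed constant explained only as "parse optimization", so nothing ties it to how far the bitstream reader can actually read past the end of the buffer. I would define it once, e.g. `#define BITSBUF_PAD_BYTES 16 /* slack for parser read-ahead past u4_bitsbuf_size_* */` (the name is only a suggestion), and use `size + BITSBUF_PAD_BYTES` at both sites, with the comment stating the maximum over-read the padding must cover. Recording `u4_bitsbuf_size_static = size` without the padding looks intentional; saying so in the comment would stop a later change from folding the slack into the usable size. The body of ihevcd_allocate_static_bufs starts and ends outside this hunk.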
@@ -1880,7 +1880,7 @@ WORD32 ihevcd_allocate_dynamic_bufs(codec_t *ps_codec)
size = wd * ht;
if(size > MIN_BITSBUF_SIZE)
{
- pv_buf = ps_codec->pf_aligned_alloc(pv_mem_ctxt, 128, size);
+ pv_buf = ps_codec->pf_aligned_alloc(pv_mem_ctxt, 128, size + 16); //Alloc extra for parse optimization
RETURN_IF((NULL == pv_buf), IV_FAIL);
ps_codec->pu1_bitsbuf_dynamic = pv_buf;
ps_codec->u4_bitsbuf_size_dynamic = size;
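Review bot: The 16 padding bytes appended to this allocation are never initialised in the visible lines, so a NAL that fills the buffer now makes the parser read uninitialised heap contents rather than reading out of bounds; the same holds for the static buffer in the first hunk. Unless the allocator behind `pf_aligned_alloc` is known to return zeroed memory, consider clearing the tail after the NULL check, e.g. `memset((UWORD8 *)pv_buf + size, 0, 16);`, so the read-ahead is deterministic and cannot carry stale heap data into decoding. Separately, `size` comes from `wd * ht` just above; if those are 32-bit values derived from the stream, it is worth confirming that the product and `size + 16` cannot wrap. ihevcd_allocate_dynamic_bufs continues outside the hunk.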