Added check for invalid log2_max_transform_block_size in SPS

Bug: 33918236
Bug: 33964497
Bug: 33965905
Bug: 33862021

CVE-2017-0472

AOSP Change-Id: If121221d0f6e983c05d95d123af9bed378d1961f
Change-Id: Ib3ef6e3abc584ed1d797f18fc47b22d13129beda
(cherry picked from commit b5cae8181efbb9649ffddb659305a0da59ed445a)
(cherry picked from commit dfa7251ff270ae7e12a019e6735542e36b2a47e0)

1 files changed, 9 insertions, 0 deletions

diff --git a/decoder/ihevcd_parse_headers.c b/decoder/ihevcd_parse_headers.c
index ecc271a..17de2a2 100644
--- a/decoder/ihevcd_parse_headers.c
+++ b/decoder/ihevcd_parse_headers.c
@@ -1191,6 +1191,7 @@ IHEVCD_ERROR_T ihevcd_parse_sps(codec_t *ps_codec)
     sps_t *ps_sps;
     profile_tier_lvl_info_t s_ptl;
     bitstrm_t *ps_bitstrm = &ps_codec->s_parse.s_bitstrm;
+    WORD32 ctb_log2_size_y = 0;
 
 
     BITS_PARSE("video_parameter_set_id", value, ps_bitstrm, 4);
@@ -1323,6 +1324,8 @@ IHEVCD_ERROR_T ihevcd_parse_sps(codec_t *ps_codec)
     UEV_PARSE("log2_diff_max_min_coding_block_size", value, ps_bitstrm);
     ps_sps->i1_log2_diff_max_min_coding_block_size = value;
 
+    ctb_log2_size_y = ps_sps->i1_log2_min_coding_block_size + ps_sps->i1_log2_diff_max_min_coding_block_size;
+
     UEV_PARSE("log2_min_transform_block_size_minus2", value, ps_bitstrm);
     ps_sps->i1_log2_min_transform_block_size = value + 2;
 
@@ -1332,6 +1335,12 @@ IHEVCD_ERROR_T ihevcd_parse_sps(codec_t *ps_codec)
     ps_sps->i1_log2_max_transform_block_size = ps_sps->i1_log2_min_transform_block_size +
                     ps_sps->i1_log2_diff_max_min_transform_block_size;
 
+    if ((ps_sps->i1_log2_max_transform_block_size < 0) ||
+                    (ps_sps->i1_log2_max_transform_block_size > MIN(ctb_log2_size_y, 5)))
+    {
+        return IHEVCD_INVALID_PARAMETER;
+    }
+
     ps_sps->i1_log2_ctb_size = ps_sps->i1_log2_min_coding_block_size +
                     ps_sps->i1_log2_diff_max_min_coding_block_size;