authorNaveen Kumar P <naveenkumar.p@ittiam.com>2017-03-31 16:45:38 +0530
committerMSe <mse1969@posteo.de>2017-07-07 17:59:17 +0200
commite2c7d29262ffdbaab0ed12c6bb6f4c364533c052 (patch)
tree15cb306c3f8a835ee2a58b2c0083aadc80a81b4a
parent3d95ec77a93a4439566189075054b9969946113b (diff)
Check for buffer overflow in pps/slice header parsing
Bug: 36215950 Bug: 36215953 Bug: 36216719 AOSP-Change-Id: Ibdc05e1d5aa21d060d7c683fd9af4bed8537053f (cherry picked from commit d61d5e5f6aa0e5f80b8ae793aca4a4085d015c06) CVE-2017-0689 Change-Id: Ie8fb16141103647514880a8274100141ba0391fc
-rw-r--r--decoder/ihevcd_parse_headers.c3
-rw-r--r--decoder/ihevcd_parse_slice_header.c3
2 files changed, 6 insertions, 0 deletions
diff --git a/decoder/ihevcd_parse_headers.c b/decoder/ihevcd_parse_headers.c
index a504778..d78b950 100644
--- a/decoder/ihevcd_parse_headers.c
+++ b/decoder/ihevcd_parse_headers.c
@@ -1972,6 +1972,9 @@ IHEVCD_ERROR_T ihevcd_parse_pps(codec_t *ps_codec)
/* Not present in HM */
BITS_PARSE("pps_extension_flag", value, ps_bitstrm, 1);
+ if((UWORD8 *)ps_bitstrm->pu4_buf > ps_bitstrm->pu1_buf_max)
+ return IHEVCD_INVALID_PARAMETER;
+
ps_codec->i4_pps_done = 1;
return ret;
}
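Review bot: The added check in ihevcd_parse_pps runs only after the last BITS_PARSE, so it detects that the reader has already moved past `pu1_buf_max` rather than stopping it from doing so; the earlier parsing is outside the hunk, but any field taken from beyond the buffer would presumably already be stored in the PPS by the time `IHEVCD_INVALID_PARAMETER` is returned. It is worth confirming that callers discard that PPS on this error, and that `>` rather than `>=` matches what `pu1_buf_max` denotes (last valid byte or one past it), which is not visible here. The same check is added after `ihevcd_bits_flush_to_byte_boundary` in ihevcd_parse_slice_header, and the same questions apply there. A brief comment such as `/* Bitstream pointer ran past the end of the input buffer: reject the header */` and braces around the single-statement `if` would make the intent clearer in both places.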
diff --git a/decoder/ihevcd_parse_slice_header.c b/decoder/ihevcd_parse_slice_header.c
index 62ad6c8..a68db25 100644
--- a/decoder/ihevcd_parse_slice_header.c
+++ b/decoder/ihevcd_parse_slice_header.c
@@ -862,6 +862,9 @@ IHEVCD_ERROR_T ihevcd_parse_slice_header(codec_t *ps_codec,
ihevcd_bits_flush_to_byte_boundary(ps_bitstrm);
+ if((UWORD8 *)ps_bitstrm->pu4_buf > ps_bitstrm->pu1_buf_max)
+ return IHEVCD_INVALID_PARAMETER;
+
{
dpb_mgr_t *ps_dpb_mgr = (dpb_mgr_t *)ps_codec->pv_dpb_mgr;
WORD32 r_idx;