author | Naveen Kumar P <naveenkumar.p@ittiam.com> | 2017-03-31 16:45:38 +0530 |
---|---|---|
committer | MSe <mse1969@posteo.de> | 2017-07-07 17:59:17 +0200 |
commit | e2c7d29262ffdbaab0ed12c6bb6f4c364533c052 (patch) | |
tree | 15cb306c3f8a835ee2a58b2c0083aadc80a81b4a | |
parent | 3d95ec77a93a4439566189075054b9969946113b (diff) | |
Check for buffer overflow in pps/slice header parsing
Bug: 36215950
Bug: 36215953
Bug: 36216719
AOSP-Change-Id: Ibdc05e1d5aa21d060d7c683fd9af4bed8537053f
(cherry picked from commit d61d5e5f6aa0e5f80b8ae793aca4a4085d015c06)
CVE-2017-0689
Change-Id: Ie8fb16141103647514880a8274100141ba0391fc
-rw-r--r-- | decoder/ihevcd_parse_headers.c | 3 | ||||
-rw-r--r-- | decoder/ihevcd_parse_slice_header.c | 3 |
2 files changed, 6 insertions, 0 deletions
diff --git a/decoder/ihevcd_parse_headers.c b/decoder/ihevcd_parse_headers.c
index a504778..d78b950 100644
--- a/decoder/ihevcd_parse_headers.c
+++ b/decoder/ihevcd_parse_headers.c
@@ -1972,6 +1972,9 @@ IHEVCD_ERROR_T ihevcd_parse_pps(codec_t *ps_codec)
 /* Not present in HM */
 BITS_PARSE("pps_extension_flag", value, ps_bitstrm, 1);
+ if((UWORD8 *)ps_bitstrm->pu4_buf > ps_bitstrm->pu1_buf_max)
+ return IHEVCD_INVALID_PARAMETER;
+
 ps_codec->i4_pps_done = 1;
 return ret;
 }
diff --git a/decoder/ihevcd_parse_slice_header.c b/decoder/ihevcd_parse_slice_header.c
index 62ad6c8..a68db25 100644
--- a/decoder/ihevcd_parse_slice_header.c
+++ b/decoder/ihevcd_parse_slice_header.c
@@ -862,6 +862,9 @@ IHEVCD_ERROR_T ihevcd_parse_slice_header(codec_t *ps_codec,
 ihevcd_bits_flush_to_byte_boundary(ps_bitstrm);
+ if((UWORD8 *)ps_bitstrm->pu4_buf > ps_bitstrm->pu1_buf_max)
+ return IHEVCD_INVALID_PARAMETER;
+
 {
 dpb_mgr_t *ps_dpb_mgr = (dpb_mgr_t *)ps_codec->pv_dpb_mgr;
 WORD32 r_idx; |
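Review bot: The bounds check added in ihevcd_parse_pps runs only after every PPS field up to `pps_extension_flag` has been parsed, so it reports an over-read after the fact rather than preventing one; the same applies to the identical check added in ihevcd_parse_slice_header after `ihevcd_bits_flush_to_byte_boundary(ps_bitstrm)`. Whether the earlier reads are themselves safe depends on the bitstream reader and on any padding of the input buffer, neither of which is visible in these hunks, and header fields written before the early return may hold values taken from beyond `pu1_buf_max`. I would document the intent above each check, e.g. `/* Read position is past the end of the input buffer: header was truncated, reject it */`, and confirm that callers discard the partially parsed PPS or slice header when `IHEVCD_INVALID_PARAMETER` is returned. Both function bodies begin and continue outside the hunks.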