diff options
author | Naveen Kumar P <naveenkumar.p@ittiam.com> | 2017-03-31 17:44:24 +0530 |
---|---|---|
committer | MSe <mse1969@posteo.de> | 2017-06-09 16:05:13 +0200 |
commit | e6e37db96ac9344a8c36763ab0445efb433b745b (patch) | |
tree | 686017cb1775e71b757ed95acea8c84673ac9991 | |
parent | e3f83a5ce98c6a006a45cb065849d029f734af48 (diff) | |
download | android_external_libhevc-e6e37db96ac9344a8c36763ab0445efb433b745b.tar.gz android_external_libhevc-e6e37db96ac9344a8c36763ab0445efb433b745b.tar.bz2 android_external_libhevc-e6e37db96ac9344a8c36763ab0445efb433b745b.zip |
Correct Tiles rows and cols check
Bug: 36231493
Bug: 34064500
AOSP-Change-Id: Ib17b2c68360685c5a2c019e1497612a130f9f76a
(cherry picked from commit 07ef4e7138e0e13d61039530358343a19308b188)
CVE-2017-0637
Change-Id: Iba716c70f07fb070fa221eb1f5a3779df6e1d7cc
-rw-r--r-- | decoder/ihevcd_parse_headers.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/decoder/ihevcd_parse_headers.c b/decoder/ihevcd_parse_headers.c index 16b60cf..4c38b0a 100644 --- a/decoder/ihevcd_parse_headers.c +++ b/decoder/ihevcd_parse_headers.c @@ -1753,6 +1753,12 @@ IHEVCD_ERROR_T ihevcd_parse_pps(codec_t *ps_codec) ps_pps->i1_loop_filter_across_tiles_enabled_flag = 0; if(ps_pps->i1_tiles_enabled_flag) { + WORD32 wd = ALIGN64(ps_codec->i4_wd); + WORD32 ht = ALIGN64(ps_codec->i4_ht); + + WORD32 max_tile_cols = (wd + MIN_TILE_WD - 1) / MIN_TILE_WD; + WORD32 max_tile_rows = (ht + MIN_TILE_HT - 1) / MIN_TILE_HT; + UEV_PARSE("num_tile_columns_minus1", value, ps_bitstrm); ps_pps->i1_num_tile_columns = value + 1; @@ -1760,9 +1766,9 @@ IHEVCD_ERROR_T ihevcd_parse_pps(codec_t *ps_codec) ps_pps->i1_num_tile_rows = value + 1; if((ps_pps->i1_num_tile_columns < 1) || - (ps_pps->i1_num_tile_columns > ps_sps->i2_pic_wd_in_ctb) || + (ps_pps->i1_num_tile_columns > max_tile_cols) || (ps_pps->i1_num_tile_rows < 1) || - (ps_pps->i1_num_tile_rows > ps_sps->i2_pic_ht_in_ctb)) + (ps_pps->i1_num_tile_rows > max_tile_rows)) return IHEVCD_INVALID_HEADER; BITS_PARSE("uniform_spacing_flag", value, ps_bitstrm, 1); |