Check Number of MBs to Skip.

The number of skip mbs was parsed as 0 and impeg2d_dec_skip_mbs was getting called with a large number because of underflow. Added a check for the same Bug: 63125953 Test: run PoC on ASAN-enabled mpeg2dec before/after Change-Id: I07f43c1745e38e800751997e97d44d2bab0615a8 CVE-2017-0834
author: Venkatarama Avadhani <venkatarama.avadhani@ittiam.com> 2017-06-27 11:55:32 +0530
committer: Ivan Kutepov <its.kutepov@gmail.com> 2017-11-10 17:41:06 +0300
commit: 11387d5a07c69fdd98d3376dc438c7744ed7ae2a (patch)
tree: cfb5bdeacffbe7f61fe1ce01582a7ddfbea784e4
parent: 3dc685ef7312dcb2aa6e8b7f995e262c5716551e (diff)
download: android_external_libmpeg2-11387d5a07c69fdd98d3376dc438c7744ed7ae2a.tar.gz
android_external_libmpeg2-11387d5a07c69fdd98d3376dc438c7744ed7ae2a.tar.bz2
android_external_libmpeg2-11387d5a07c69fdd98d3376dc438c7744ed7ae2a.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/decoder/impeg2d_pnb_pic.c b/decoder/impeg2d_pnb_pic.c
index 69277e5..570f0d2 100644
--- a/decoder/impeg2d_pnb_pic.c
+++ b/decoder/impeg2d_pnb_pic.c
@@ -77,6 +77,12 @@ WORD32  impeg2d_dec_p_mb_params(dec_state_t *ps_dec)
     else
     {
         u2_mb_addr_incr = impeg2d_get_mb_addr_incr(ps_stream);
+
+        if(!u2_mb_addr_incr)
+        {
+            return IV_FAIL;
+        }
+
         if(0 == ps_dec->u2_first_mb)
         {
             /****************************************************************/
author	Venkatarama Avadhani <venkatarama.avadhani@ittiam.com>	2017-06-27 11:55:32 +0530
committer	Ivan Kutepov <its.kutepov@gmail.com>	2017-11-10 17:41:06 +0300
commit	11387d5a07c69fdd98d3376dc438c7744ed7ae2a (patch)
tree	cfb5bdeacffbe7f61fe1ce01582a7ddfbea784e4
parent	3dc685ef7312dcb2aa6e8b7f995e262c5716551e (diff)
download	android_external_libmpeg2-11387d5a07c69fdd98d3376dc438c7744ed7ae2a.tar.gz android_external_libmpeg2-11387d5a07c69fdd98d3376dc438c7744ed7ae2a.tar.bz2 android_external_libmpeg2-11387d5a07c69fdd98d3376dc438c7744ed7ae2a.zip