diff options
author | Venkatarama Avadhani <venkatarama.avadhani@ittiam.com> | 2017-06-27 11:55:32 +0530 |
---|---|---|
committer | Ivan Kutepov <its.kutepov@gmail.com> | 2017-11-10 17:41:06 +0300 |
commit | 11387d5a07c69fdd98d3376dc438c7744ed7ae2a (patch) | |
tree | cfb5bdeacffbe7f61fe1ce01582a7ddfbea784e4 | |
parent | 3dc685ef7312dcb2aa6e8b7f995e262c5716551e (diff) | |
download | android_external_libmpeg2-11387d5a07c69fdd98d3376dc438c7744ed7ae2a.tar.gz android_external_libmpeg2-11387d5a07c69fdd98d3376dc438c7744ed7ae2a.tar.bz2 android_external_libmpeg2-11387d5a07c69fdd98d3376dc438c7744ed7ae2a.zip |
Check Number of MBs to Skip.
The number of skip mbs was parsed as 0 and impeg2d_dec_skip_mbs was getting
called with a large number because of underflow.
Added a check for the same
Bug: 63125953
Test: run PoC on ASAN-enabled mpeg2dec before/after
Change-Id: I07f43c1745e38e800751997e97d44d2bab0615a8
CVE-2017-0834
-rw-r--r-- | decoder/impeg2d_pnb_pic.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/decoder/impeg2d_pnb_pic.c b/decoder/impeg2d_pnb_pic.c index 69277e5..570f0d2 100644 --- a/decoder/impeg2d_pnb_pic.c +++ b/decoder/impeg2d_pnb_pic.c @@ -77,6 +77,12 @@ WORD32 impeg2d_dec_p_mb_params(dec_state_t *ps_dec) else { u2_mb_addr_incr = impeg2d_get_mb_addr_incr(ps_stream); + + if(!u2_mb_addr_incr) + { + return IV_FAIL; + } + if(0 == ps_dec->u2_first_mb) { /****************************************************************/ |