diff options
author | Venkatarama Avadhani <venkatarama.avadhani@ittiam.com> | 2017-02-13 14:35:10 +0530 |
---|---|---|
committer | Sean McCreary <mccreary@mcwest.org> | 2017-04-06 18:05:22 -0600 |
commit | 198f047f02ab36740764ca85faedc40edb94f260 (patch) | |
tree | 1648534779d24991354bd04a873e78475bd6e840 | |
parent | 6ccad27283d5223a94292e1baabd176347f5fbf2 (diff) | |
download | android_external_libmpeg2-198f047f02ab36740764ca85faedc40edb94f260.tar.gz android_external_libmpeg2-198f047f02ab36740764ca85faedc40edb94f260.tar.bz2 android_external_libmpeg2-198f047f02ab36740764ca85faedc40edb94f260.zip |
Error Check for VLD Symbols Readreplicant-6.0-0001
The maximum number of lead zeros in a VLD symbol (17 bits long) is 11.
Bug: 34093073
AOSP-Change-Id: Ifd3f64a3a5199d6e4c33ca65449fc396cfb2f3fc
(cherry picked from commit 75e0ad5127752ce37e3fc78a156652e5da435f14)
CVE-2017-0557
Change-Id: I77829335659afc8bab2f5878785d1be0ee15750a
(cherry picked from commit 227c1f829127405e21dab1664393050c652ef71e)
-rw-r--r-- | decoder/impeg2d_vld.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/decoder/impeg2d_vld.c b/decoder/impeg2d_vld.c index 459548b..12bb617 100644 --- a/decoder/impeg2d_vld.c +++ b/decoder/impeg2d_vld.c @@ -638,6 +638,15 @@ IMPEG2D_ERROR_CODES_T impeg2d_vld_decode( u4_sym_len = 17; IBITS_NXT(u4_buf,u4_buf_nxt,u4_offset,u4_bits,u4_sym_len) + /* There cannot be more than 11 leading zeros in the decoded + * symbol. The symbol is only 17 bits long, so we subtract 15. + */ + lead_zeros = CLZ(u4_bits) - 15; + if (lead_zeros > 11) + { + return IMPEG2D_MB_DATA_DECODE_ERR; + } + DecodedValue = gau2_impeg2d_tab_one_1_9[u4_bits >> 8]; u4_sym_len = (DecodedValue & 0xf); u4_level = DecodedValue >> 9; @@ -809,6 +818,14 @@ IMPEG2D_ERROR_CODES_T impeg2d_vld_decode( u4_sym_len = 17; IBITS_NXT(u4_buf, u4_buf_nxt, u4_offset, u4_bits, u4_sym_len) + /* There cannot be more than 11 leading zeros in the decoded + * symbol. The symbol is only 17 bits long, so we subtract 15. + */ + lead_zeros = CLZ(u4_bits) - 15; + if (lead_zeros > 11) + { + return IMPEG2D_MB_DATA_DECODE_ERR; + } DecodedValue = gau2_impeg2d_tab_zero_1_9[u4_bits >> 8]; u4_sym_len = BITS(DecodedValue, 3, 0); |