Error Check for VLD Symbols Readreplicant-6.0-0001

The maximum number of lead zeros in a VLD symbol (17 bits long) is 11. Bug: 34093073 AOSP-Change-Id: Ifd3f64a3a5199d6e4c33ca65449fc396cfb2f3fc (cherry picked from commit 75e0ad5127752ce37e3fc78a156652e5da435f14) CVE-2017-0557 Change-Id: I77829335659afc8bab2f5878785d1be0ee15750a (cherry picked from commit 227c1f829127405e21dab1664393050c652ef71e)
author: Venkatarama Avadhani <venkatarama.avadhani@ittiam.com> 2017-02-13 14:35:10 +0530
committer: Sean McCreary <mccreary@mcwest.org> 2017-04-06 18:05:22 -0600
commit: 198f047f02ab36740764ca85faedc40edb94f260 (patch)
tree: 1648534779d24991354bd04a873e78475bd6e840
parent: 6ccad27283d5223a94292e1baabd176347f5fbf2 (diff)
download: android_external_libmpeg2-198f047f02ab36740764ca85faedc40edb94f260.tar.gz
android_external_libmpeg2-198f047f02ab36740764ca85faedc40edb94f260.tar.bz2
android_external_libmpeg2-198f047f02ab36740764ca85faedc40edb94f260.zip
1 files changed, 17 insertions, 0 deletions
diff --git a/decoder/impeg2d_vld.c b/decoder/impeg2d_vld.c
index 459548b..12bb617 100644
--- a/decoder/impeg2d_vld.c
+++ b/decoder/impeg2d_vld.c
@@ -638,6 +638,15 @@ IMPEG2D_ERROR_CODES_T impeg2d_vld_decode(
                 u4_sym_len = 17;
                 IBITS_NXT(u4_buf,u4_buf_nxt,u4_offset,u4_bits,u4_sym_len)
 
+                /* There cannot be more than 11 leading zeros in the decoded
+                 * symbol. The symbol is only 17 bits long, so we subtract 15.
+                 */
+                lead_zeros = CLZ(u4_bits) - 15;
+                if (lead_zeros > 11)
+                {
+                    return IMPEG2D_MB_DATA_DECODE_ERR;
+                }
+
                 DecodedValue = gau2_impeg2d_tab_one_1_9[u4_bits >> 8];
                 u4_sym_len = (DecodedValue & 0xf);
                 u4_level = DecodedValue >> 9;
@@ -809,6 +818,14 @@ IMPEG2D_ERROR_CODES_T impeg2d_vld_decode(
                 u4_sym_len = 17;
                 IBITS_NXT(u4_buf, u4_buf_nxt, u4_offset, u4_bits, u4_sym_len)
 
+                /* There cannot be more than 11 leading zeros in the decoded
+                 * symbol. The symbol is only 17 bits long, so we subtract 15.
+                 */
+                lead_zeros = CLZ(u4_bits) - 15;
+                if (lead_zeros > 11)
+                {
+                    return IMPEG2D_MB_DATA_DECODE_ERR;
+                }
 
                 DecodedValue = gau2_impeg2d_tab_zero_1_9[u4_bits >> 8];
                 u4_sym_len = BITS(DecodedValue, 3, 0);
author	Venkatarama Avadhani <venkatarama.avadhani@ittiam.com>	2017-02-13 14:35:10 +0530
committer	Sean McCreary <mccreary@mcwest.org>	2017-04-06 18:05:22 -0600
commit	198f047f02ab36740764ca85faedc40edb94f260 (patch)
tree	1648534779d24991354bd04a873e78475bd6e840
parent	6ccad27283d5223a94292e1baabd176347f5fbf2 (diff)
download	android_external_libmpeg2-198f047f02ab36740764ca85faedc40edb94f260.tar.gz android_external_libmpeg2-198f047f02ab36740764ca85faedc40edb94f260.tar.bz2 android_external_libmpeg2-198f047f02ab36740764ca85faedc40edb94f260.zip