author | Venkatarama Avadhani <venkatarama.avadhani@ittiam.com> | 2017-05-12 08:40:23 +0530 |
---|---|---|
committer | Ivan Kutepov <its.kutepov@gmail.com> | 2017-08-13 19:02:20 +0300 |
commit | 4f5d50b9cc0cbf5a67e386c163e48775279d3eae (patch) | |
tree | 754094f1b9a2eed27bf49e9c48cad4d2aded6d4f | |
parent | 36c843db482a03167f83c02559a4e043fad9fc72 (diff) | |
Correcting NumCoeff Check in VLD
The coefficient index should be less than the number of coefficients
allowed (max = 64). The check has been moved, so we check only before
reading a new coefficient.
Bug: 37237390
Bug: 37203196
Test: ran POC on patched n-mr2 system
Change-Id: I61060c524a5c3c26c7d1fe901393df083b2372ea
(cherry picked from commit edfd6f6089d54c9bdf937b614724cb02179ed178)
-rw-r--r-- | decoder/impeg2d_vld.c | 57 |
1 files changed, 40 insertions, 17 deletions
diff --git a/decoder/impeg2d_vld.c b/decoder/impeg2d_vld.c
index 12bb617..80ee403 100644
--- a/decoder/impeg2d_vld.c
+++ b/decoder/impeg2d_vld.c
@@ -655,7 +655,11 @@ IMPEG2D_ERROR_CODES_T impeg2d_vld_decode(
 {
 u4_run = ((DecodedValue >> 4) & 0x1f);
 u4_numCoeffs += u4_run;
- u4_pos = pu1_scan[u4_numCoeffs++ & 63];
+ if (u4_numCoeffs >= NUM_COEFFS)
+ {
+ return IMPEG2D_MB_TEX_DECODE_ERR;
+ }
+ u4_pos = pu1_scan[u4_numCoeffs++];
 pu1_pos[*pi4_num_coeffs] = u4_pos;
 FLUSH_BITS(u4_offset,u4_buf,u4_buf_nxt,u4_sym_len,pu4_buf_aligned)
@@ -701,7 +705,11 @@ IMPEG2D_ERROR_CODES_T impeg2d_vld_decode(
 u4_level = ((WORD16) DecodedValue) >> 9;
 u4_numCoeffs += u4_run;
- u4_pos = pu1_scan[u4_numCoeffs++ & 63];
+ if (u4_numCoeffs >= NUM_COEFFS)
+ {
+ return IMPEG2D_MB_TEX_DECODE_ERR;
+ }
+ u4_pos = pu1_scan[u4_numCoeffs++];
 pu1_pos[*pi4_num_coeffs] = u4_pos;
 pi2_outAddr[*pi4_num_coeffs] = u4_level;
 (*pi4_num_coeffs)++;
@@ -722,7 +730,11 @@ IMPEG2D_ERROR_CODES_T impeg2d_vld_decode(
 u4_level = (u4_level - ((u4_level & 0x0800) << 1));
 u4_numCoeffs += u4_run;
- u4_pos = pu1_scan[u4_numCoeffs++ & 63];
+ if (u4_numCoeffs >= NUM_COEFFS)
+ {
+ return IMPEG2D_MB_TEX_DECODE_ERR;
+ }
+ u4_pos = pu1_scan[u4_numCoeffs++];
 pu1_pos[*pi4_num_coeffs] = u4_pos;
 pi2_outAddr[*pi4_num_coeffs] = u4_level;
 (*pi4_num_coeffs)++;
@@ -785,8 +797,12 @@ IMPEG2D_ERROR_CODES_T impeg2d_vld_decode(
 u4_level = (u4_level - (u4_level_first_byte << 1));
 }
 u4_numCoeffs += u4_run;
+ if (u4_numCoeffs >= NUM_COEFFS)
+ {
+ return IMPEG2D_MB_TEX_DECODE_ERR;
+ }
- u4_pos = pu1_scan[u4_numCoeffs++ & 63];
+ u4_pos = pu1_scan[u4_numCoeffs++];
 pu1_pos[*pi4_num_coeffs] = u4_pos;
 pi2_outAddr[*pi4_num_coeffs] = u4_level;
@@ -798,11 +814,6 @@ IMPEG2D_ERROR_CODES_T impeg2d_vld_decode(
 u4_nz_cols |= 1 << (u4_pos & 0x7);
 u4_nz_rows |= 1 << (u4_pos >> 0x3);
- if (u4_numCoeffs > 64)
- {
- return IMPEG2D_MB_TEX_DECODE_ERR;
- }
-
 }
 IBITS_GET(u4_buf,u4_buf_nxt,u4_offset,u4_bits,pu4_buf_aligned,u4_sym_len)
 }
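Review bot: The guard added ahead of `u4_pos = pu1_scan[u4_numCoeffs++];` in the first hunk (@@ -655) bounds the scan-table read, but the stores that follow it, `pu1_pos[*pi4_num_coeffs]` here and `pi2_outAddr[*pi4_num_coeffs]` in the later hunks, are indexed by a different counter that is not compared against any limit in the visible lines. Those stores stay in range only while `*pi4_num_coeffs` never runs ahead of `u4_numCoeffs`; the increments shown keep the two in step, but both counters are initialised outside these hunks, so the invariant cannot be confirmed from here. I would record the assumption at the guard, e.g. `/* Assumes *pi4_num_coeffs <= u4_numCoeffs on entry, so this check also bounds the pu1_pos/pi2_outAddr stores. */`, or enforce it directly with `if (u4_numCoeffs >= NUM_COEFFS || *pi4_num_coeffs >= NUM_COEFFS)`. The same applies to the guards in the @@ -701, -722, -785, -836, -872, -897 and -962 hunks.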
@@ -836,8 +847,12 @@ IMPEG2D_ERROR_CODES_T impeg2d_vld_decode(
 u4_run = BITS(DecodedValue, 8,4);
 u4_numCoeffs += u4_run;
+ if (u4_numCoeffs >= NUM_COEFFS)
+ {
+ return IMPEG2D_MB_TEX_DECODE_ERR;
+ }
- u4_pos = pu1_scan[u4_numCoeffs++ & 63];
+ u4_pos = pu1_scan[u4_numCoeffs++];
 pu1_pos[*pi4_num_coeffs] = u4_pos;
 FLUSH_BITS(u4_offset,u4_buf,u4_buf_nxt,u4_sym_len,pu4_buf_aligned)
@@ -872,8 +887,12 @@ IMPEG2D_ERROR_CODES_T impeg2d_vld_decode(
 u4_level = ((WORD16) DecodedValue) >> 9;
 u4_numCoeffs += u4_run;
+ if (u4_numCoeffs >= NUM_COEFFS)
+ {
+ return IMPEG2D_MB_TEX_DECODE_ERR;
+ }
- u4_pos = pu1_scan[u4_numCoeffs++ & 63];
+ u4_pos = pu1_scan[u4_numCoeffs++];
 pu1_pos[*pi4_num_coeffs] = u4_pos;
 if (1 == lead_zeros) u4_sym_len--;
@@ -897,8 +916,12 @@ IMPEG2D_ERROR_CODES_T impeg2d_vld_decode(
 u4_level = (u4_level - ((u4_level & 0x0800) << 1));
 u4_numCoeffs += u4_run;
+ if (u4_numCoeffs >= NUM_COEFFS)
+ {
+ return IMPEG2D_MB_TEX_DECODE_ERR;
+ }
- u4_pos = pu1_scan[u4_numCoeffs++ & 63];
+ u4_pos = pu1_scan[u4_numCoeffs++];
 pu1_pos[*pi4_num_coeffs] = u4_pos;
 pi2_outAddr[*pi4_num_coeffs] = u4_level;
@@ -962,8 +985,12 @@ IMPEG2D_ERROR_CODES_T impeg2d_vld_decode(
 u4_level = (u4_level - (u4_level_first_byte << 1));
 }
 u4_numCoeffs += u4_run;
+ if (u4_numCoeffs >= NUM_COEFFS)
+ {
+ return IMPEG2D_MB_TEX_DECODE_ERR;
+ }
- u4_pos = pu1_scan[u4_numCoeffs++ & 63];
+ u4_pos = pu1_scan[u4_numCoeffs++];
 pu1_pos[*pi4_num_coeffs] = u4_pos;
 pi2_outAddr[*pi4_num_coeffs] = u4_level;
@@ -974,10 +1001,6 @@ IMPEG2D_ERROR_CODES_T impeg2d_vld_decode(
 u4_nz_cols |= 1 << (u4_pos & 0x7);
 u4_nz_rows |= 1 << (u4_pos >> 0x3);
- if (u4_numCoeffs > 64)
- {
- return IMPEG2D_MB_TEX_DECODE_ERR;
- }
 } |
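Review bot: The same four-line guard is now pasted at eight read sites, the one after `u4_numCoeffs += u4_run;` in the @@ -836 hunk and its seven siblings across both loops, which is a maintenance hazard for a bounds check. The checks this commit deletes (@@ -798 and @@ -974) appear to have sat at the end of only one branch of each loop, so a future VLD branch added without its own copy would reopen the same kind of gap. Folding the guard into a single helper used at every `pu1_scan` read keeps the check and the read together, for example `#define CHECK_NUM_COEFFS(n) do { if ((n) >= NUM_COEFFS) return IMPEG2D_MB_TEX_DECODE_ERR; } while (0)` (the macro name is only a suggestion). impeg2d_vld_decode starts and ends outside these hunks, so it is worth confirming that no other `pu1_scan[...]` read in the function was left with the old `& 63` mask or without a guard.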