Check for Valid Frame Rate in Header

Bug: 34093952
AOSP-Change-Id: I9f009edda84555e8d14b138684a38114fb888bf8
(cherry picked from commit 3f068a4e66cc972cf798c79a196099bd7d3bfceb)

CVE-2017-0556

Change-Id: I86f9600e387f2ca94cc901e76a0f89fc7ed86459
(cherry picked from commit f301cff2c1ddd880d9a2c77b22602a137519867b)

1 files changed, 8 insertions, 0 deletions

diff --git a/decoder/impeg2d_dec_hdr.c b/decoder/impeg2d_dec_hdr.c
index 9e4a9a0..747d4b5 100644
--- a/decoder/impeg2d_dec_hdr.c
+++ b/decoder/impeg2d_dec_hdr.c
@@ -44,6 +44,10 @@
 #include "impeg2d_deinterlace.h"
 
 
+/*****************************************************************************
+* MPEG2 Constants for Parse Check
+******************************************************************************/
+#define MPEG2_MAX_FRAME_RATE_CODE   8
 
 /******************************************************************************
 *  Function Name   : impeg2d_next_start_code
@@ -199,6 +203,10 @@ IMPEG2D_ERROR_CODES_T impeg2d_dec_seq_hdr(dec_state_t *ps_dec)
     /* Frame rate code(4 bits)                                                */
     /*------------------------------------------------------------------------*/
     ps_dec->u2_frame_rate_code = impeg2d_bit_stream_get(ps_stream,4);
+    if (ps_dec->u2_frame_rate_code > MPEG2_MAX_FRAME_RATE_CODE)
+    {
+        return IMPEG2D_FRM_HDR_DECODE_ERR;
+    }
     /*------------------------------------------------------------------------*/
     /* Flush the following as they are not being used                         */
     /* bit_rate_value (18 bits)                                               */