author | Venkatarama Avadhani <venkatarama.avadhani@ittiam.com> | 2017-06-09 12:03:34 +0530 |
---|---|---|
committer | Ivan Kutepov <its.kutepov@gmail.com> | 2017-10-03 22:44:10 +0300 |
commit | 876062d8ec10f198609180fdfde171134eddf4d7 (patch) | |
tree | 292ae28998171f6d1a859c9688281257010ffa48 | |
parent | 8854ed8f6923b489f21c553bb937e02462a00dca (diff) | |
Fixed Memory Overflow Errors
In function impeg2d_dec_p_b_slice, there was no check for num_mbs_left ==
0 after skip_mbs function call. Hence, even though it should have returned
as an error, it goes ahead to decode the frame and writes beyond the
buffer allocated for output. Put a check for the same.
Bug: 38207066
Test: before/after execution of PoC on angler/nyc-mr2-dev
Change-Id: If4b7bea51032bf2fe2edd03f64a68847aa4f6a00
(cherry picked from commit 2df080153464bf57084d68ba3594e199bc140eb4)
CVE-2017-0810
-rw-r--r-- | decoder/impeg2d_pnb_pic.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/decoder/impeg2d_pnb_pic.c b/decoder/impeg2d_pnb_pic.c index 5540044..69277e5 100644 --- a/decoder/impeg2d_pnb_pic.c +++ b/decoder/impeg2d_pnb_pic.c @@ -510,6 +510,12 @@ IMPEG2D_ERROR_CODES_T impeg2d_dec_p_b_slice(dec_state_t *ps_dec) if(ret) return IMPEG2D_MB_TEX_DECODE_ERR; + + if(0 >= ps_dec->u2_num_mbs_left) + { + break; + } + IMPEG2D_TRACE_MB_START(ps_dec->u2_mb_x, ps_dec->u2_mb_y); u4_x_dst_offset = u4_frm_offset + (ps_dec->u2_mb_x << 4); |
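Review bot: The new check in impeg2d_dec_p_b_slice leaves the loop with `break` when `0 >= ps_dec->u2_num_mbs_left`, while the commit message says this case "should have returned as an error". The `if(ret)` check directly above it returns IMPEG2D_MB_TEX_DECODE_ERR. Whether the caller sees a failure here depends on what follows the loop, which is not visible in this hunk. If running out of macroblocks at this point means the stream is malformed, consider returning an explicit error code so the truncated slice is not reported as a successful decode. Otherwise add a short comment saying that the skipped-macroblock handling above can bring the count to zero and that stopping here is what keeps the writes at u4_x_dst_offset inside the output buffer. The `u2_` prefix also suggests an unsigned field, in which case `0 >=` can only ever mean `== 0`. Writing it as `ps_dec->u2_num_mbs_left == 0` would match the commit message and avoid implying a negative value is possible.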