author | Venkatarama Avadhani <venkatarama.avadhani@ittiam.com> | 2017-07-12 17:35:09 +0530 |
---|---|---|
committer | Ivan Kutepov <its.kutepov@gmail.com> | 2017-12-09 19:07:47 +0300 |
commit | a82c5a11f8345f3e0fb53fa3f7a127d9b7ab9913 (patch) | |
tree | d88b4ab0ad5a5bcf5f4d1e3a6a968ae4d858e4e9 | |
parent | d10829242f6be4e4e582883bddd16b7a77a59170 (diff) | |
Update num_mbs_left When mb_x is Reset.
When we reset the mb_x values, the num_mbs_left should also be
reset accordingly. Added the code for the same in
impeg2d_dec_pnb_mb_params. Also, there was nothing to do in p
frames when the first_mb was set to 1. Added code for setting
mb_x value and updating the num_mbs_left similar to
"impeg2d_dec_pnb_mb_params" function.
Bug: 63874456
Test: run PoC through before/after ASAN build
Change-Id: I7a0bfc33e22c0e8cb93ff29198f30052f7f96546
CVE-2017-13151
-rw-r--r-- | decoder/impeg2d_pnb_pic.c | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/decoder/impeg2d_pnb_pic.c b/decoder/impeg2d_pnb_pic.c
index 570f0d2..a3ae436 100644
--- a/decoder/impeg2d_pnb_pic.c
+++ b/decoder/impeg2d_pnb_pic.c
@@ -122,6 +122,33 @@ WORD32 impeg2d_dec_p_mb_params(dec_state_t *ps_dec)
 impeg2d_dec_skip_mbs(ps_dec, (UWORD16)(u2_mb_addr_incr - 1));
 }
+ else
+ {
+
+ /****************************************************************/
+ /* Section 6.3.17 */
+ /* The first MB of a slice cannot be skipped */
+ /* But the mb_addr_incr can be > 1, because at the beginning of */
+ /* a slice, it indicates the offset from the last MB in the */
+ /* previous row. Hence for the first slice in a row, the */
+ /* mb_addr_incr needs to be 1. */
+ /****************************************************************/
+ /* MB_x is set to zero whenever MB_y changes. */
+ ps_dec->u2_mb_x = u2_mb_addr_incr - 1;
+ /* For error resilience */
+ ps_dec->u2_mb_x = MIN(ps_dec->u2_mb_x, (ps_dec->u2_num_horiz_mb - 1));
+ ps_dec->u2_num_mbs_left = ((ps_dec->u2_num_vert_mb - ps_dec->u2_mb_y)
+ * ps_dec->u2_num_horiz_mb) - ps_dec->u2_mb_x;
+
+ /****************************************************************/
+ /* mb_addr_incr is forced to 1 because in this decoder it is used */
+ /* more as an indicator of the number of MBs skipped than the */
+ /* as defined by the standard (Section 6.3.17) */
+ /****************************************************************/
+ u2_mb_addr_incr = 1;
+ ps_dec->u2_first_mb = 0;
+
+ }
 }
 u4_next_word = (UWORD16)impeg2d_bit_stream_nxt(ps_stream,16);
@@ -286,6 +313,8 @@ WORD32 impeg2d_dec_pnb_mb_params(dec_state_t *ps_dec)
 ps_dec->u2_mb_x = u2_mb_addr_incr - 1;
 /* For error resilience */
 ps_dec->u2_mb_x = MIN(ps_dec->u2_mb_x, (ps_dec->u2_num_horiz_mb - 1));
+ ps_dec->u2_num_mbs_left = ((ps_dec->u2_num_vert_mb - ps_dec->u2_mb_y)
+ * ps_dec->u2_num_horiz_mb) - ps_dec->u2_mb_x;
 /****************************************************************/
 /* mb_addr_incr is forced to 1 because in this decoder it is used */ |
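Review bot: The new `u2_num_mbs_left` computation in the `else` branch subtracts `ps_dec->u2_mb_y` from `ps_dec->u2_num_vert_mb` with no visible check that the row index is in range; the hunk clamps `u2_mb_x` "for error resilience" but not `u2_mb_y`. If a malformed stream can reach this point with `u2_mb_y >= u2_num_vert_mb` (not decidable from the hunk), the promoted int result goes negative and, assuming the `u2_` field is a 16-bit unsigned, wraps to a large count, so the remaining-MB bound this commit restores would no longer limit anything. A guard ahead of the assignment, `if (ps_dec->u2_mb_y >= ps_dec->u2_num_vert_mb)` followed by the decoder's usual error return, would close that, and the same applies to the identical two lines added to `impeg2d_dec_pnb_mb_params` in the second hunk. The enclosing function starts and ends outside the hunk, so an earlier range check on `u2_mb_y` may already exist and should be confirmed.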
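Review bot: These two lines are now the second copy of the `u2_num_mbs_left` formula, and the first hunk duplicates the whole reset sequence (set `u2_mb_x`, clamp it, recompute the count, force `u2_mb_addr_incr = 1`) in `impeg2d_dec_p_mb_params`. The commit message describes the P-frame path as having lacked this handling, so keeping the sequence in one `static` helper called from both functions would stop the two paths drifting apart again. If that is out of scope for a security fix, the new assignment should at least carry a comment such as `/* keep num_mbs_left in step with the clamped mb_x */`. The block comment that follows, also copied into the first hunk, reads "than the as defined by the standard" and seems to be missing a word. Only part of `impeg2d_dec_pnb_mb_params` is visible here.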