diff options
author | Harish Mahendrakar <harish.mahendrakar@ittiam.com> | 2015-11-24 12:15:13 +0530 |
---|---|---|
committer | The Android Automerger <android-build@google.com> | 2016-02-26 16:55:54 -0800 |
commit | b658a2160bb985095bfef65c44aa0d457b27135b (patch) | |
tree | 89a8548660115b7faa0d57774609aa00b2b98118 | |
parent | 5422a297cff37ff3426abde4b58e51d85d129304 (diff) | |
download | android_external_libmpeg2-b658a2160bb985095bfef65c44aa0d457b27135b.tar.gz android_external_libmpeg2-b658a2160bb985095bfef65c44aa0d457b27135b.tar.bz2 android_external_libmpeg2-b658a2160bb985095bfef65c44aa0d457b27135b.zip |
Fixed stack buffer overflow
Bugfix: 25812590
Moved check for numCoeffs > 64 inside the coeff decode loop
Change-Id: I444b77ef2a3da9233ec14bb72ac70b7e2fa56bd1
(cherry picked from commit ff3496c45c571da7eb93d6f9f05758813468fc72)
-rw-r--r-- | decoder/impeg2d_vld.c | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/decoder/impeg2d_vld.c b/decoder/impeg2d_vld.c index 972f42a..459548b 100644 --- a/decoder/impeg2d_vld.c +++ b/decoder/impeg2d_vld.c @@ -789,13 +789,13 @@ IMPEG2D_ERROR_CODES_T impeg2d_vld_decode( u4_nz_cols |= 1 << (u4_pos & 0x7); u4_nz_rows |= 1 << (u4_pos >> 0x3); + if (u4_numCoeffs > 64) + { + return IMPEG2D_MB_TEX_DECODE_ERR; + } } IBITS_GET(u4_buf,u4_buf_nxt,u4_offset,u4_bits,pu4_buf_aligned,u4_sym_len) - if (u4_numCoeffs > 64) - { - return IMPEG2D_MB_TEX_DECODE_ERR; - } } else { @@ -957,10 +957,11 @@ IMPEG2D_ERROR_CODES_T impeg2d_vld_decode( u4_nz_cols |= 1 << (u4_pos & 0x7); u4_nz_rows |= 1 << (u4_pos >> 0x3); - } - if (u4_numCoeffs > 64) - { - return IMPEG2D_MB_TEX_DECODE_ERR; + if (u4_numCoeffs > 64) + { + return IMPEG2D_MB_TEX_DECODE_ERR; + } + } IBITS_GET(u4_buf,u4_buf_nxt,u4_offset,u4_bits,pu4_buf_aligned,u4_sym_len) |