Fixed out of bound read in flush_bits

Bug: 28168413
Change-Id: I3db5432a08daf665e160c0dab2d1928a576418b4

1 files changed, 12 insertions, 3 deletions

diff --git a/decoder/impeg2d_bitstream.c b/decoder/impeg2d_bitstream.c
index b67161d..36092e5 100644
--- a/decoder/impeg2d_bitstream.c
+++ b/decoder/impeg2d_bitstream.c
@@ -191,12 +191,21 @@ INLINE UWORD8 impeg2d_bit_stream_get_bit(stream_t *ps_stream)
 INLINE void impeg2d_bit_stream_flush(void* pv_ctxt, UWORD32 u4_no_of_bits)
 {
     stream_t *ps_stream = (stream_t *)pv_ctxt;
-
-
-    if (ps_stream->u4_offset < ps_stream->u4_max_offset)
+    if ((ps_stream->u4_offset + 64) < ps_stream->u4_max_offset)
     {
         FLUSH_BITS(ps_stream->u4_offset,ps_stream->u4_buf,ps_stream->u4_buf_nxt,u4_no_of_bits,ps_stream->pu4_buf_aligned)
     }
+    else
+    {
+        UWORD32     u4_temp;
+
+        if (((ps_stream->u4_offset & 0x1f) + u4_no_of_bits) >= 32)
+        {
+            ps_stream->u4_buf              = ps_stream->u4_buf_nxt;
+            ps_stream->u4_buf_nxt          = 0;
+        }
+        ps_stream->u4_offset += u4_no_of_bits;
+    }
     return;
 }
 /******************************************************************************