Fix integer overflow error in deinterlacer

In deinterlacer, in few cases previous fields pointer was derived
using some uninitialized strides. This value was never used later.

Avoiding the unnecessary pointer increment fixes the integer overflow.

Bug: 136697219
Test: poc in bug

Change-Id: I79805694aef5c4923cd4459bebbd13462be039ce

1 files changed, 10 insertions, 5 deletions

diff --git a/common/ideint.c b/common/ideint.c
index 24e4e72..af6d15e 100644
--- a/common/ideint.c
+++ b/common/ideint.c
@@ -206,7 +206,7 @@ IDEINT_ERROR_T ideint_process(void *pv_ctxt,
 
     for(i = 0; i < num_comp; i++)
     {
-        UWORD8 *pu1_prv, *pu1_out;
+        UWORD8 *pu1_prv = NULL, *pu1_out;
         UWORD8 *pu1_top, *pu1_bot, *pu1_dst;
         WORD32 cur_strd, out_strd, dst_strd;
 
@@ -255,14 +255,16 @@ IDEINT_ERROR_T ideint_process(void *pv_ctxt,
         {
             disable_cac_sad = 1;
         }
-
         for(row = comp_row_start; row < comp_row_end; row++)
         {
             pu1_out = ps_out_frm->apu1_buf[i];
             pu1_out += (ps_out_frm->ai4_strd[i] * row << 3);
 
-            pu1_prv = ps_prv_fld->apu1_buf[i];
-            pu1_prv += (ps_prv_fld->ai4_strd[i] * row << 2);
+            if(0 == disable_cac_sad)
+            {
+                pu1_prv = ps_prv_fld->apu1_buf[i];
+                pu1_prv += (ps_prv_fld->ai4_strd[i] * row << 2);
+            }
 
             if(ps_ctxt->s_params.i4_cur_fld_top)
             {
@@ -408,7 +410,10 @@ IDEINT_ERROR_T ideint_process(void *pv_ctxt,
                         memcpy(pu1_out + j * out_strd, au1_dst + j * BLK_WD, blk_wd);
                     }
                 }
-                pu1_prv += 8;
+                if(NULL != pu1_prv)
+                {
+                    pu1_prv += 8;
+                }
                 pu1_top += 8;
                 pu1_bot += 8;
                 pu1_out += 8;