summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHarish Mahendrakar <harish.mahendrakar@ittiam.com>2019-10-22 16:01:37 -0700
committerKyriakos Ispoglou <ispo@google.com>2019-11-07 16:19:45 -0800
commit89af851902cc10de30cc0b522934597ab8ea95df (patch)
treed7c5e4367e5f9edd6887155c6e54414da44562e6
parenta1f15719f1b153f49cffcab67f5d85f05c01e347 (diff)
downloadandroid_external_libavc-89af851902cc10de30cc0b522934597ab8ea95df.tar.gz
android_external_libavc-89af851902cc10de30cc0b522934597ab8ea95df.tar.bz2
android_external_libavc-89af851902cc10de30cc0b522934597ab8ea95df.zip
decoder: Move initialization of dbp_mgr entries to init_decoder()
Earlier these were only initialized during static buffer allocations. Initializing them in init_decoder() will ensure that these get initialized to default values during reset() as well. Without this, in some error cases, there is a possibility of heap-use-after free, when resolution changes and these pointers point to memory that is freed Bug: 142602711 Test: poc in bug Change-Id: Ie39fee0eca56bf32cdc558099bf167d05eb89620 (cherry picked from commit 01da7b5a52a76aee615b4e32eeceb4887d3662f0)
-rw-r--r--decoder/ih264d_api.c47
1 files changed, 24 insertions, 23 deletions
diff --git a/decoder/ih264d_api.c b/decoder/ih264d_api.c
index c6999a6..2ebf386 100644
--- a/decoder/ih264d_api.c
+++ b/decoder/ih264d_api.c
@@ -963,6 +963,30 @@ void ih264d_init_decoder(void * ps_dec_params)
/* Free any dynamic buffers that are allocated */
ih264d_free_dynamic_bufs(ps_dec);
+ {
+ UWORD8 i;
+ struct pic_buffer_t *ps_init_dpb;
+ ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[0][0];
+ for(i = 0; i < 2 * MAX_REF_BUFS; i++)
+ {
+ ps_init_dpb->pu1_buf1 = NULL;
+ ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
+ ps_dec->ps_dpb_mgr->ps_init_dpb[0][i] = ps_init_dpb;
+ ps_dec->ps_dpb_mgr->ps_mod_dpb[0][i] = ps_init_dpb;
+ ps_init_dpb++;
+ }
+
+ ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[1][0];
+ for(i = 0; i < 2 * MAX_REF_BUFS; i++)
+ {
+ ps_init_dpb->pu1_buf1 = NULL;
+ ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
+ ps_dec->ps_dpb_mgr->ps_init_dpb[1][i] = ps_init_dpb;
+ ps_dec->ps_dpb_mgr->ps_mod_dpb[1][i] = ps_init_dpb;
+ ps_init_dpb++;
+ }
+ }
+
ps_cur_slice = ps_dec->ps_cur_slice;
ps_dec->init_done = 0;
@@ -1439,29 +1463,6 @@ WORD32 ih264d_allocate_static_bufs(iv_obj_t **dec_hdl, void *pv_api_ip, void *pv
ps_dec->ps_col_mv_base = pv_buf;
memset(ps_dec->ps_col_mv_base, 0, size);
- {
- UWORD8 i;
- struct pic_buffer_t *ps_init_dpb;
- ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[0][0];
- for(i = 0; i < 2 * MAX_REF_BUFS; i++)
- {
- ps_init_dpb->pu1_buf1 = NULL;
- ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
- ps_dec->ps_dpb_mgr->ps_init_dpb[0][i] = ps_init_dpb;
- ps_dec->ps_dpb_mgr->ps_mod_dpb[0][i] = ps_init_dpb;
- ps_init_dpb++;
- }
-
- ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[1][0];
- for(i = 0; i < 2 * MAX_REF_BUFS; i++)
- {
- ps_init_dpb->pu1_buf1 = NULL;
- ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
- ps_dec->ps_dpb_mgr->ps_init_dpb[1][i] = ps_init_dpb;
- ps_dec->ps_dpb_mgr->ps_mod_dpb[1][i] = ps_init_dpb;
- ps_init_dpb++;
- }
- }
ih264d_init_decoder(ps_dec);
return IV_SUCCESS;