diff options
author | Ritu Baldwa <ritu.baldwa@ittiam.com> | 2017-11-28 18:38:18 +0530 |
---|---|---|
committer | Ivan Kutepov <its.kutepov@gmail.com> | 2018-02-08 02:23:11 +0300 |
commit | 17d9bcba70cf74d98728f3d5741f3453aaf8996f (patch) | |
tree | d48a2339e3bfaaa8e67c4e4a482cfa259462575d | |
parent | 7201f5cd3aaf484891e6fb66c7dadfd5e2ce08d2 (diff) | |
download | android_external_libavc-17d9bcba70cf74d98728f3d5741f3453aaf8996f.tar.gz android_external_libavc-17d9bcba70cf74d98728f3d5741f3453aaf8996f.tar.bz2 android_external_libavc-17d9bcba70cf74d98728f3d5741f3453aaf8996f.zip |
Decoder: Modified loop condition while parsing ref_list_reordering.
When ref_pic_list_reordering_flag_l1 is equal to 1, the number of times
that reordering_of_pic_nums_idc is not equal to 3 following
ref_pic_list_reordering_flag_l1 should not exceed
num_ref_idx_l1_active_minus1 + 1.
Bug: 69478425
Change-Id: I031bb744869ac8a57f85bb97574832efd0eefc25
(cherry picked from commit 7ea47d575d26d4d5356670092af26fb6915e75bf)
CVE-2017-13228
-rw-r--r-- | decoder/ih264d_dpb_mgr.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/decoder/ih264d_dpb_mgr.c b/decoder/ih264d_dpb_mgr.c index 998e97a..8c6bb19 100644 --- a/decoder/ih264d_dpb_mgr.c +++ b/decoder/ih264d_dpb_mgr.c @@ -721,7 +721,7 @@ WORD32 ih264d_ref_idx_reordering(dec_struct_t *ps_dec, UWORD8 uc_lx) UWORD16 ui_max_frame_num = ps_dec->ps_cur_sps->u2_u4_max_pic_num_minus1 + 1; - WORD32 i; + WORD32 i, count = 0; UWORD32 ui_remapIdc, ui_nextUev; WORD16 u2_pred_frame_num = u4_cur_pic_num; WORD32 i_temp; @@ -742,7 +742,8 @@ WORD32 ih264d_ref_idx_reordering(dec_struct_t *ps_dec, UWORD8 uc_lx) ui_remapIdc = ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf); - while(ui_remapIdc != 3) + while((ui_remapIdc != 3) + && (count < ps_cur_slice->u1_num_ref_idx_lx_active[uc_lx])) { ui_nextUev = ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf); if(ui_remapIdc != 2) @@ -811,6 +812,7 @@ WORD32 ih264d_ref_idx_reordering(dec_struct_t *ps_dec, UWORD8 uc_lx) ui_remapIdc = ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf); /* Get the remapping_idc - 0/1/2/3 */ + count++; } //Handle the ref indices that were not remapped |