authorRitu Baldwa <ritu.baldwa@ittiam.com>2017-11-28 18:38:18 +0530
committerIvan Kutepov <its.kutepov@gmail.com>2018-02-08 02:23:11 +0300
commit17d9bcba70cf74d98728f3d5741f3453aaf8996f (patch)
treed48a2339e3bfaaa8e67c4e4a482cfa259462575d
parent7201f5cd3aaf484891e6fb66c7dadfd5e2ce08d2 (diff)
Decoder: Modified loop condition while parsing ref_list_reordering.
When ref_pic_list_reordering_flag_l1 is equal to 1, the number of times that reordering_of_pic_nums_idc is not equal to 3 following ref_pic_list_reordering_flag_l1 should not exceed num_ref_idx_l1_active_minus1 + 1. Bug: 69478425 Change-Id: I031bb744869ac8a57f85bb97574832efd0eefc25 (cherry picked from commit 7ea47d575d26d4d5356670092af26fb6915e75bf) CVE-2017-13228
-rw-r--r--decoder/ih264d_dpb_mgr.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/decoder/ih264d_dpb_mgr.c b/decoder/ih264d_dpb_mgr.c
index 998e97a..8c6bb19 100644
--- a/decoder/ih264d_dpb_mgr.c
+++ b/decoder/ih264d_dpb_mgr.c
@@ -721,7 +721,7 @@ WORD32 ih264d_ref_idx_reordering(dec_struct_t *ps_dec, UWORD8 uc_lx)
UWORD16 ui_max_frame_num =
ps_dec->ps_cur_sps->u2_u4_max_pic_num_minus1 + 1;
- WORD32 i;
+ WORD32 i, count = 0;
UWORD32 ui_remapIdc, ui_nextUev;
WORD16 u2_pred_frame_num = u4_cur_pic_num;
WORD32 i_temp;
@@ -742,7 +742,8 @@ WORD32 ih264d_ref_idx_reordering(dec_struct_t *ps_dec, UWORD8 uc_lx)
ui_remapIdc = ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
- while(ui_remapIdc != 3)
+ while((ui_remapIdc != 3)
+ && (count < ps_cur_slice->u1_num_ref_idx_lx_active[uc_lx]))
{
ui_nextUev = ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
if(ui_remapIdc != 2)
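Review bot: When the new `while` condition ends the loop because `count` reached `ps_cur_slice->u1_num_ref_idx_lx_active[uc_lx]` while `ui_remapIdc` is still not 3, the slice header is non-conforming, yet nothing visible in this hunk reports that to the caller. Parsing would then continue from a bitstream position that no longer matches the syntax, so consider a check right after the loop such as `if(ui_remapIdc != 3) return ERROR_CODE;`, where `ERROR_CODE` is a placeholder for the decoder's existing header-error value. The loop body and the code after it lie outside this hunk, so confirm that no later check already covers this case. A short comment on the condition, `/* at most num_ref_idx_active reordering commands are allowed per list */`, would also record why the bound exists.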
@@ -811,6 +812,7 @@ WORD32 ih264d_ref_idx_reordering(dec_struct_t *ps_dec, UWORD8 uc_lx)
ui_remapIdc = ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
/* Get the remapping_idc - 0/1/2/3 */
+ count++;
}
//Handle the ref indices that were not remapped