authorHarish Mahendrakar <harish.mahendrakar@ittiam.com>2016-04-18 16:38:54 +0530
committerMSe <mse1969@posteo.de>2017-07-07 21:31:04 +0200
commit7aa88ce8babc307faba9c6454b4cb57d8e68a0ac (patch)
treeddd79c4521cd8e6aea48e37afde8f9b8da76fb64
parent38d8b385b67fa57b359b7427173c3c22c79c9103 (diff)
Fix stack buffer overflow in ih264d_process_intra_mb
Aligned the sizes of au1_ngbr_pels to ensure SSE42 functions do not result in stack buffer overflow Bug: 36490809 AOSP-Change-Id: I0bfe493f94647046013759b3ec9db3c627ac471e (cherry picked from commit f69e34419b267be7285a7e0e85a019294118ae03) CVE-2017-0699 Change-Id: I4523d94411a752abb2461c4857e66beee67c3364
-rw-r--r--decoder/ih264d_process_intra_mb.c12
1 files changed, 9 insertions, 3 deletions
diff --git a/decoder/ih264d_process_intra_mb.c b/decoder/ih264d_process_intra_mb.c
index 279ff87..211d796 100644
--- a/decoder/ih264d_process_intra_mb.c
+++ b/decoder/ih264d_process_intra_mb.c
@@ -930,7 +930,9 @@ WORD32 ih264d_process_intra_mb(dec_struct_t * ps_dec,
}
}
{
- UWORD8 au1_ngbr_pels[33];
+ /* Align the size to multiple of 8, so that SIMD functions
+ can read 64 bits at a time. Only 33 bytes are actaully used */
+ UWORD8 au1_ngbr_pels[40];
/* Get neighbour pixels */
/* left pels */
if(u2_use_left_mb)
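Review bot: The padded sizes 40, 16 and 32 are bare literals tied to the real requirement only by the comment, so nothing prevents a later SIMD routine with a wider load from reintroducing the over-read; this applies to the declaration here and to the matching ones in the hunks at -1175 and -1664. Consider deriving the size from the used count, for example `UWORD8 au1_ngbr_pels[(33 + 7) & ~7];`, and naming in the comment which prediction functions rely on the padding. The comment also misspells "actually" in all three hunks. The padding bytes are not written in the visible lines, so any lane loaded from them is indeterminate and should be confirmed unused by the callees, which lie outside this hunk.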
@@ -1175,7 +1177,9 @@ WORD32 ih264d_process_intra_mb(dec_struct_t * ps_dec,
/* Scan the sub-blocks in Raster Scan Order */
for(u1_sub_mb_num = 0; u1_sub_mb_num < 16; u1_sub_mb_num++)
{
- UWORD8 au1_ngbr_pels[13];
+ /* Align the size to multiple of 8, so that SIMD functions
+ can read 64 bits at a time. Only 13 bytes are actaully used */
+ UWORD8 au1_ngbr_pels[16];
u1_sub_blk_x = u1_sub_mb_num & 0x3;
u1_sub_blk_y = u1_sub_mb_num >> 2;
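Review bot: Rounding 13 up to 16 leaves only 3 bytes of slack, whereas the other two buffers (33 to 40, 25 to 32) gain 7, so this is the one case where an 8-byte load starting at an offset that is not a multiple of 8 could still run past the array. An unaligned 64-bit read beginning anywhere after offset 8 would end beyond byte 15; whether any 4x4 predictor does that cannot be seen from this hunk, so it is worth checking against the SIMD implementations. If one does, `UWORD8 au1_ngbr_pels[24];` would cover the worst case (13 + 7 bytes, rounded up to a multiple of 8).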
@@ -1664,7 +1668,9 @@ WORD32 ih264d_process_intra_mb(dec_struct_t * ps_dec,
}
{
- UWORD8 au1_ngbr_pels[25];
+ /* Align the size to multiple of 8, so that SIMD functions
+ can read 64 bits at a time. Only 25 bytes are actaully used */
+ UWORD8 au1_ngbr_pels[32];
WORD32 ngbr_avail;
ngbr_avail = u1_is_left_sub_block << 0;
ngbr_avail |= u1_is_top_sub_block << 2;