diff options
author | Hamsalekha S <hamsalekha.s@ittiam.com> | 2017-04-21 11:01:52 +0530 |
---|---|---|
committer | Ivan Kutepov <its.kutepov@gmail.com> | 2017-09-14 23:58:03 +0300 |
commit | 839c6327f8467e2e238238623ab3831fc4b3f280 (patch) | |
tree | c2fb26bd274d323e55c02608dac3c815ece3a05e | |
parent | 1dacb85853e0881871ba05984373bb18d7f2c149 (diff) | |
download | android_external_libavc-839c6327f8467e2e238238623ab3831fc4b3f280.tar.gz android_external_libavc-839c6327f8467e2e238238623ab3831fc4b3f280.tar.bz2 android_external_libavc-839c6327f8467e2e238238623ab3831fc4b3f280.zip |
Decoder: Fixed allocation of pv_map_ref_idx_to_poc_buf.
Increased allocation to include reference list1 also by
default. In the case of error, we could get B_SLICES
even in BASE_PROFILE. The initialization in the
dec_slice_struct_t slice structure has also been
modified accordingly.
Test: run poc with and without this patch
Bug: 38496660
Change-Id: I3451d79bbcd9f0d7a80981a9897f877b7f0812bd
(cherry picked from commit a925a6b539642c8749c91a6f33e362eda8c4a5b6)
CVE-2017-0776
-rw-r--r-- | decoder/ih264d_parse_bslice.c | 5 | ||||
-rw-r--r-- | decoder/ih264d_parse_pslice.c | 11 | ||||
-rw-r--r-- | decoder/ih264d_parse_slice.c | 6 | ||||
-rw-r--r-- | decoder/ih264d_utils.c | 5 |
4 files changed, 7 insertions, 20 deletions
diff --git a/decoder/ih264d_parse_bslice.c b/decoder/ih264d_parse_bslice.c index 772964a..db64ce9 100644 --- a/decoder/ih264d_parse_bslice.c +++ b/decoder/ih264d_parse_bslice.c @@ -1531,10 +1531,7 @@ WORD32 ih264d_parse_bslice(dec_struct_t * ps_dec, UWORD16 u2_first_mb_in_slice) } num_entries = ((2 * num_entries) + 1); - if(BASE_PROFILE_IDC != ps_dec->ps_cur_sps->u1_profile_idc) - { - num_entries *= 2; - } + num_entries *= 2; size = num_entries * sizeof(void *); size += PAD_MAP_IDX_POC * sizeof(void *); diff --git a/decoder/ih264d_parse_pslice.c b/decoder/ih264d_parse_pslice.c index bcfbe05..d6b0f23 100644 --- a/decoder/ih264d_parse_pslice.c +++ b/decoder/ih264d_parse_pslice.c @@ -1696,10 +1696,8 @@ WORD32 ih264d_mark_err_slice_skip(dec_struct_t * ps_dec, num_entries = 1; } num_entries = ((2 * num_entries) + 1); - if(BASE_PROFILE_IDC != ps_dec->ps_cur_sps->u1_profile_idc) - { - num_entries *= 2; - } + num_entries *= 2; + size = num_entries * sizeof(void *); size += PAD_MAP_IDX_POC * sizeof(void *); @@ -2063,10 +2061,7 @@ WORD32 ih264d_parse_pslice(dec_struct_t *ps_dec, UWORD16 u2_first_mb_in_slice) num_entries = 1; } num_entries = ((2 * num_entries) + 1); - if(BASE_PROFILE_IDC != ps_dec->ps_cur_sps->u1_profile_idc) - { - num_entries *= 2; - } + num_entries *= 2; size = num_entries * sizeof(void *); size += PAD_MAP_IDX_POC * sizeof(void *); diff --git a/decoder/ih264d_parse_slice.c b/decoder/ih264d_parse_slice.c index 849b9c5..bdfccb6 100644 --- a/decoder/ih264d_parse_slice.c +++ b/decoder/ih264d_parse_slice.c @@ -1802,10 +1802,8 @@ WORD32 ih264d_parse_decode_slice(UWORD8 u1_is_idr_slice, num_entries = 1; } num_entries = ((2 * num_entries) + 1); - if(BASE_PROFILE_IDC != ps_dec->ps_cur_sps->u1_profile_idc) - { - num_entries *= 2; - } + num_entries *= 2; + size = num_entries * sizeof(void *); size += PAD_MAP_IDX_POC * sizeof(void *); diff --git a/decoder/ih264d_utils.c b/decoder/ih264d_utils.c index 96bf1a3..7ddef7a 100644 --- a/decoder/ih264d_utils.c +++ b/decoder/ih264d_utils.c @@ -1978,10 +1978,7 @@ WORD16 ih264d_allocate_dynamic_bufs(dec_struct_t * ps_dec) num_entries = 1; } num_entries = ((2 * num_entries) + 1); - if(BASE_PROFILE_IDC != ps_dec->ps_cur_sps->u1_profile_idc) - { - num_entries *= 2; - } + num_entries *= 2; size = num_entries * sizeof(void *); size += PAD_MAP_IDX_POC * sizeof(void *); |