diff options
| author | Hamsalekha S <hamsalekha.s@ittiam.com> | 2017-09-08 13:52:05 +0530 |
|---|---|---|
| committer | Ivan Kutepov <its.kutepov@gmail.com> | 2017-11-11 17:59:33 +0300 |
| commit | dfa50c608aaffa28f5095f06988e938147dee441 (patch) | |
| tree | f876aec30d376b242a57339c22ac5bbdc11fd934 | |
| parent | ca208d1da7b63b6b922580031b7cb959df910d0c (diff) | |
| download | android_external_libavc-dfa50c608aaffa28f5095f06988e938147dee441.tar.gz android_external_libavc-dfa50c608aaffa28f5095f06988e938147dee441.tar.bz2 android_external_libavc-dfa50c608aaffa28f5095f06988e938147dee441.zip | |
Decoder: Corrected variable datatypes in ih264d_get_implicit_weights.
The difference between two 32 signed numbers was getting assigned
to 16 bits, leading to a divide by zero arithmetic execption.
Modified variable names to match their datatypes.
Bug: 65122447
Change-Id: I45ade1945f10b4d7660bd09fb564e60fd29d40dc
CVE-2017-0857
| -rw-r--r-- | decoder/ih264d_parse_bslice.c | 31 |
1 files changed, 16 insertions, 15 deletions
diff --git a/decoder/ih264d_parse_bslice.c b/decoder/ih264d_parse_bslice.c index 772964a..d341287 100644 --- a/decoder/ih264d_parse_bslice.c +++ b/decoder/ih264d_parse_bslice.c @@ -1197,7 +1197,8 @@ void ih264d_get_implicit_weights(dec_struct_t *ps_dec) struct pic_buffer_t *ps_pic_buff0, *ps_pic_buff1; WORD16 i2_dist_scale_factor; WORD16 i16_tb, i16_td, i16_tx; - UWORD32 u4_poc0, u4_poc1; + WORD32 i4_tb, i4_td; + WORD32 i4_poc0, i4_poc1; UWORD32 ui_temp0, ui_temp1; UWORD8 uc_num_ref_idx_l0_active, uc_num_ref_idx_l1_active; @@ -1210,18 +1211,18 @@ void ih264d_get_implicit_weights(dec_struct_t *ps_dec) for(i = 0; i < uc_num_ref_idx_l0_active; i++) { ps_pic_buff0 = ps_dec->ps_ref_pic_buf_lx[0][i]; - u4_poc0 = ps_pic_buff0->i4_avg_poc; + i4_poc0 = ps_pic_buff0->i4_avg_poc; for(j = 0; j < uc_num_ref_idx_l1_active; j++) { ps_pic_buff1 = ps_dec->ps_ref_pic_buf_lx[1][j]; - u4_poc1 = ps_pic_buff1->i4_avg_poc; + i4_poc1 = ps_pic_buff1->i4_avg_poc; - if(u4_poc1 != u4_poc0) + if(i4_poc1 != i4_poc0) { - i16_tb = ps_dec->ps_cur_pic->i4_poc - u4_poc0; - i16_tb = CLIP3(-128, 127, i16_tb); - i16_td = u4_poc1 - u4_poc0; - i16_td = CLIP3(-128, 127, i16_td); + i4_tb = ps_dec->ps_cur_pic->i4_poc - i4_poc0; + i16_tb = CLIP3(-128, 127, i4_tb); + i4_td = i4_poc1 - i4_poc0; + i16_td = CLIP3(-128, 127, i4_td); i16_tx = (16384 + ABS(SIGN_POW2_DIV(i16_td, 1))) / i16_td; i2_dist_scale_factor = CLIP3(-1024, 1023, (((i16_tb * i16_tx) + 32) >> 6)); @@ -1272,7 +1273,7 @@ void ih264d_get_implicit_weights(dec_struct_t *ps_dec) u2_l0_idx += MAX_REF_BUFS; } ps_pic_buff0 = ps_dec->ps_ref_pic_buf_lx[0][u2_l0_idx]; - u4_poc0 = ps_pic_buff0->i4_poc; + i4_poc0 = ps_pic_buff0->i4_poc; for(j = 0; j < (uc_num_ref_idx_l1_active << 1); j++) { UWORD16 u2_l1_idx; @@ -1285,13 +1286,13 @@ void ih264d_get_implicit_weights(dec_struct_t *ps_dec) u2_l1_idx += MAX_REF_BUFS; } ps_pic_buff1 = ps_dec->ps_ref_pic_buf_lx[1][u2_l1_idx]; - u4_poc1 = ps_pic_buff1->i4_poc; - if(u4_poc1 != u4_poc0) + i4_poc1 = ps_pic_buff1->i4_poc; + if(i4_poc1 != i4_poc0) { - i16_tb = i4_cur_poc - u4_poc0; - i16_tb = CLIP3(-128, 127, i16_tb); - i16_td = u4_poc1 - u4_poc0; - i16_td = CLIP3(-128, 127, i16_td); + i4_tb = i4_cur_poc - i4_poc0; + i16_tb = CLIP3(-128, 127, i4_tb); + i4_td = i4_poc1 - i4_poc0; + i16_td = CLIP3(-128, 127, i4_td); i16_tx = (16384 + ABS(SIGN_POW2_DIV(i16_td, 1))) / i16_td; i2_dist_scale_factor = CLIP3( |