diff options
author | Harish Mahendrakar <harish.mahendrakar@ittiam.com> | 2016-12-23 15:29:14 +0530 |
---|---|---|
committer | Ray Essick <essick@google.com> | 2017-02-13 14:44:11 -0800 |
commit | 1f0ab0b089e357da4ecfec4f105726bfc23af5a0 (patch) | |
tree | 4d0d721211c826ea8669933c6f98941e459d5b3f /decoder/ih264d_api.c | |
parent | 51ecbcabfbe2027669881f1cc9b021c1a9dce6f2 (diff) | |
download | android_external_libavc-1f0ab0b089e357da4ecfec4f105726bfc23af5a0.tar.gz android_external_libavc-1f0ab0b089e357da4ecfec4f105726bfc23af5a0.tar.bz2 android_external_libavc-1f0ab0b089e357da4ecfec4f105726bfc23af5a0.zip |
DO NOT MERGE: Decoder: Fixes an out of bound write in bitstream buffer
[this is for mnc-dev only, not any other mnc-*-dev flavors;
there is a different patch for mnc-dr-dev, nyc-* and going forward]
After emulation prevention, data is written as an int,
so at least 3 additional bytes should be available.
And since bitstream functions read 8 bytes ahead, 8 extra bytes
should be available in the bitstream buffer.
Bug: 33934721
Test: Ittiam testing, POC in the bug no longer fails
Change-Id: I444ec6f85d01b0bade9f827e15c4b476779d6c69
Diffstat (limited to 'decoder/ih264d_api.c')
-rw-r--r-- | decoder/ih264d_api.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/decoder/ih264d_api.c b/decoder/ih264d_api.c index 8d73fbe..aa1312b 100644 --- a/decoder/ih264d_api.c +++ b/decoder/ih264d_api.c @@ -2911,7 +2911,9 @@ WORD32 ih264d_video_decode(iv_obj_t *dec_hdl, void *pv_api_ip, void *pv_api_op) if(buflen == -1) buflen = 0; /* Ignore bytes beyond the allocated size of intermediate buffer */ - buflen = MIN(buflen, (WORD32)ps_dec->ps_mem_tab[MEM_REC_BITSBUF].u4_mem_size); + /* Since 8 bytes are read ahead, ensure 8 bytes are free at the + end of the buffer, which will be memset to 0 after emulation prevention */ + buflen = MIN(buflen, (WORD32)(ps_dec->ps_mem_tab[MEM_REC_BITSBUF].u4_mem_size - 8)); bytes_consumed = buflen + u4_length_of_start_code; ps_dec_op->u4_num_bytes_consumed += bytes_consumed; |