authorHarish Mahendrakar <harish.mahendrakar@ittiam.com>2016-12-20 11:08:57 +0530
committerSean McCreary <mccreary@mcwest.org>2017-03-22 12:25:50 -0600
commit15692d55ebdaf22fdd049a6851a38186fb546e3d (patch)
treef9598548eb16e2336a189a41e3b75d2fe4dcd25a /decoder
parent9c6a714d380f7e957055c72b2de68a8157077efb (diff)
Decoder: Fix in the case of error in the first MB in frame.
In case of an error in the first MB of a frame, ps_dec->i4_submb_ofst was decremented, resulting in negative offsets. Bug: 33351708 CVE-2017-0468 CVE-2017-0482 Change-Id: I7376f781782576616351ffa0e1d43b835f7bbbbe (cherry picked from commit 56b5563f3eecb845148a2948beb3f07343784f3f) (cherry picked from commit 0e8b1dff88e08b9d738d2360f05b96108e190995)
Diffstat (limited to 'decoder')
-rw-r--r--decoder/ih264d_parse_pslice.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/decoder/ih264d_parse_pslice.c b/decoder/ih264d_parse_pslice.c
index 78c36c1..478620a 100644
--- a/decoder/ih264d_parse_pslice.c
+++ b/decoder/ih264d_parse_pslice.c
@@ -1606,13 +1606,13 @@ WORD32 ih264d_mark_err_slice_skip(dec_struct_t * ps_dec,
ps_dec->u1_mb_ngbr_availablity =
ps_cur_mb_info->u1_mb_ngbr_availablity;
- // Going back 1 mb
- ps_dec->pv_parse_tu_coeff_data = ps_dec->pv_prev_mb_parse_tu_coeff_data;
- ps_dec->u2_cur_mb_addr--;
- ps_dec->i4_submb_ofst -= SUB_BLK_SIZE;
-
if(u1_num_mbs)
{
+ // Going back 1 mb
+ ps_dec->pv_parse_tu_coeff_data = ps_dec->pv_prev_mb_parse_tu_coeff_data;
+ ps_dec->u2_cur_mb_addr--;
+ ps_dec->i4_submb_ofst -= SUB_BLK_SIZE;
+
// Parse/decode N-MB left unparsed
if (ps_dec->u1_pr_sl_type == P_SLICE
|| ps_dec->u1_pr_sl_type == B_SLICE)
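Review bot: The rewind now inside `if(u1_num_mbs)` still decrements `ps_dec->u2_cur_mb_addr` and `ps_dec->i4_submb_ofst` with no lower-bound check of its own, so it is only safe if a non-zero `u1_num_mbs` guarantees that at least one MB's worth of offset was added earlier. That invariant is established outside this hunk (ih264d_mark_err_slice_skip starts and ends beyond it), so it cannot be confirmed from the lines shown. Because a negative offset is the memory-safety defect this commit addresses, I would state the invariant at the rewind, e.g. `// Rewind only when an MB was parsed in this group; otherwise i4_submb_ofst would go negative`, and consider an explicit guard such as `if(ps_dec->i4_submb_ofst >= SUB_BLK_SIZE)` around the subtraction. The read of `ps_cur_mb_info->u1_mb_ngbr_availablity` just above the guard remains unconditional and is worth checking for the `u1_num_mbs == 0` case, since how `ps_cur_mb_info` is derived is not visible here.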