From 89af851902cc10de30cc0b522934597ab8ea95df Mon Sep 17 00:00:00 2001
From: Harish Mahendrakar <harish.mahendrakar@ittiam.com>
Date: Tue, 22 Oct 2019 16:01:37 -0700
Subject: decoder: Move initialization of dbp_mgr entries to init_decoder()

Earlier these were only initialized during static buffer allocations.
Initializing them in init_decoder() will ensure that these get
initialized to default values during reset() as well. Without this,
in some error cases, there is a possibility of heap-use-after free,
when resolution changes and these pointers point to memory that is freed

Bug: 142602711
Test: poc in bug
Change-Id: Ie39fee0eca56bf32cdc558099bf167d05eb89620
(cherry picked from commit 01da7b5a52a76aee615b4e32eeceb4887d3662f0)
---
 decoder/ih264d_api.c | 47 ++++++++++++++++++++++++-----------------------
 1 file changed, 24 insertions(+), 23 deletions(-)

diff --git a/decoder/ih264d_api.c b/decoder/ih264d_api.c
index c6999a6..2ebf386 100644
--- a/decoder/ih264d_api.c
+++ b/decoder/ih264d_api.c
@@ -963,6 +963,30 @@ void ih264d_init_decoder(void * ps_dec_params)
     /* Free any dynamic buffers that are allocated */
     ih264d_free_dynamic_bufs(ps_dec);
 
+    {
+        UWORD8 i;
+        struct pic_buffer_t *ps_init_dpb;
+        ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[0][0];
+        for(i = 0; i < 2 * MAX_REF_BUFS; i++)
+        {
+            ps_init_dpb->pu1_buf1 = NULL;
+            ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
+            ps_dec->ps_dpb_mgr->ps_init_dpb[0][i] = ps_init_dpb;
+            ps_dec->ps_dpb_mgr->ps_mod_dpb[0][i] = ps_init_dpb;
+            ps_init_dpb++;
+        }
+
+        ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[1][0];
+        for(i = 0; i < 2 * MAX_REF_BUFS; i++)
+        {
+            ps_init_dpb->pu1_buf1 = NULL;
+            ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
+            ps_dec->ps_dpb_mgr->ps_init_dpb[1][i] = ps_init_dpb;
+            ps_dec->ps_dpb_mgr->ps_mod_dpb[1][i] = ps_init_dpb;
+            ps_init_dpb++;
+        }
+    }
+
     ps_cur_slice = ps_dec->ps_cur_slice;
     ps_dec->init_done = 0;
 
@@ -1439,29 +1463,6 @@ WORD32 ih264d_allocate_static_bufs(iv_obj_t **dec_hdl, void *pv_api_ip, void *pv
     ps_dec->ps_col_mv_base = pv_buf;
     memset(ps_dec->ps_col_mv_base, 0, size);
 
-    {
-        UWORD8 i;
-        struct pic_buffer_t *ps_init_dpb;
-        ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[0][0];
-        for(i = 0; i < 2 * MAX_REF_BUFS; i++)
-        {
-            ps_init_dpb->pu1_buf1 = NULL;
-            ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
-            ps_dec->ps_dpb_mgr->ps_init_dpb[0][i] = ps_init_dpb;
-            ps_dec->ps_dpb_mgr->ps_mod_dpb[0][i] = ps_init_dpb;
-            ps_init_dpb++;
-        }
-
-        ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[1][0];
-        for(i = 0; i < 2 * MAX_REF_BUFS; i++)
-        {
-            ps_init_dpb->pu1_buf1 = NULL;
-            ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
-            ps_dec->ps_dpb_mgr->ps_init_dpb[1][i] = ps_init_dpb;
-            ps_dec->ps_dpb_mgr->ps_mod_dpb[1][i] = ps_init_dpb;
-            ps_init_dpb++;
-        }
-    }
     ih264d_init_decoder(ps_dec);
 
     return IV_SUCCESS;
-- 
cgit v1.2.3