From 9dd9ccf7d0c90640080fe35595517ef07a132123 Mon Sep 17 00:00:00 2001
From: Harish Mahendrakar <harish.mahendrakar@ittiam.com>
Date: Fri, 13 Jan 2017 11:23:29 +0530
Subject: Decoder: Fixed an out of bound access while parsing SEI

Invalid SPS Id read was resulting in an out of bound read
Bug: 33552073

CVE-2017-0495

Change-Id: Ie5b80222fc7ac3a64475340371be0facdf999d7b
(cherry picked from commit d3d60c6a5d7ab605d19b9ac4b95bc227b7b870dc)
(cherry picked from commit 99a85bb4690dd30871d9457c30ca3b44a0928cc1)
(cherry picked from commit 85c0ec4106659a11c220cd1210f8d76c33d9e2ae)
---
 decoder/ih264d_sei.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/decoder/ih264d_sei.c b/decoder/ih264d_sei.c
index 14ffcd6..800f2c9 100644
--- a/decoder/ih264d_sei.c
+++ b/decoder/ih264d_sei.c
@@ -80,7 +80,7 @@ WORD32 ih264d_parse_buffering_period(buf_period_t *ps_buf_prd,
     UNUSED(ps_buf_prd);
     u1_seq_parameter_set_id = ih264d_uev(pu4_bitstrm_ofst,
                                          pu4_bitstrm_buf);
-    if(u1_seq_parameter_set_id > MAX_NUM_SEQ_PARAMS)
+    if(u1_seq_parameter_set_id >= MAX_NUM_SEQ_PARAMS)
         return ERROR_INVALID_SEQ_PARAM;
     ps_seq = &ps_dec->ps_sps[u1_seq_parameter_set_id];
     if(TRUE != ps_seq->u1_is_valid)
-- 
cgit v1.2.3