From ec95770c24088ba5fc5c21aa9c28a588970aad46 Mon Sep 17 00:00:00 2001 From: Harish Mahendrakar Date: Fri, 23 Dec 2016 15:29:14 +0530 Subject: Decoder: Fixes an out of bound write in bitstream buffer [for mnc-dr-dev and later; mnc-dev gets a different patch] After emulation prevention, data is written as an int, so at least 3 additional bytes should be available. And since bitstream functions read 8 bytes ahead, 8 extra bytes should be available in the bitstream buffer. Bug: 33934721 AOSP-Change-Id: I444ec6f85d01b0bade9f827e15c4b476779d6c69 CVE-2017-0542 Change-Id: I3c77857dc558b2ab0bacbfae0c56e794154bd50c (cherry picked from commit 33ef7de9ddc8ea7eb9cbc440d1cf89957a0c267b) --- decoder/ih264d_api.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'decoder') diff --git a/decoder/ih264d_api.c b/decoder/ih264d_api.c index 62ab5af..9815eff 100644 --- a/decoder/ih264d_api.c +++ b/decoder/ih264d_api.c @@ -1948,7 +1948,9 @@ WORD32 ih264d_video_decode(iv_obj_t *dec_hdl, void *pv_api_ip, void *pv_api_op) if(buflen == -1) buflen = 0; /* Ignore bytes beyond the allocated size of intermediate buffer */ - buflen = MIN(buflen, buf_size); + /* Since 8 bytes are read ahead, ensure 8 bytes are free at the + end of the buffer, which will be memset to 0 after emulation prevention */ + buflen = MIN(buflen, buf_size - 8); bytes_consumed = buflen + u4_length_of_start_code; ps_dec_op->u4_num_bytes_consumed += bytes_consumed; -- cgit v1.2.3