diff options
author | Harish Mahendrakar <harish.mahendrakar@ittiam.com> | 2017-05-25 16:38:51 +0530 |
---|---|---|
committer | Ivan Kutepov <its.kutepov@gmail.com> | 2017-11-10 17:57:20 +0300 |
commit | 8d6e2a807fb9a5c940c457006f0c1e6a455419a4 (patch) | |
tree | f0837280cf34f2a41333cbc88b67c7145e300186 | |
parent | e137cae7b673a19a364a0ac20800dd2d938ab37a (diff) | |
download | android_external_libhevc-8d6e2a807fb9a5c940c457006f0c1e6a455419a4.tar.gz android_external_libhevc-8d6e2a807fb9a5c940c457006f0c1e6a455419a4.tar.bz2 android_external_libhevc-8d6e2a807fb9a5c940c457006f0c1e6a455419a4.zip |
Added an out of bound check on u4_num_bufs in input argumentreplicant-6.0-0003
ps_dec_ip->s_out_buffer.u4_num_bufs was missing out of bound checks
Bug: 35430570
Change-Id: Ibbf9891a885f69e208107725e34e7217147b891e
(cherry picked from commit 8221313d58ad4ebe9875760f065d999928172d6e)
CVE-2017-0851
-rw-r--r-- | decoder/ihevcd_decode.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/decoder/ihevcd_decode.c b/decoder/ihevcd_decode.c index 7b82e84..04ad8f5 100644 --- a/decoder/ihevcd_decode.c +++ b/decoder/ihevcd_decode.c @@ -421,7 +421,8 @@ WORD32 ihevcd_decode(iv_obj_t *ps_codec_obj, void *pv_api_ip, void *pv_api_op) if(0 == ps_codec->i4_share_disp_buf && ps_codec->i4_header_mode == 0) { UWORD32 i; - if(ps_dec_ip->s_out_buffer.u4_num_bufs == 0) + if((ps_dec_ip->s_out_buffer.u4_num_bufs <= 0) || + (ps_dec_ip->s_out_buffer.u4_num_bufs > IVD_VIDDEC_MAX_IO_BUFFERS)) { ps_dec_op->u4_error_code |= 1 << IVD_UNSUPPORTEDPARAM; ps_dec_op->u4_error_code |= IVD_DISP_FRM_ZERO_OP_BUFS; |