Correct Tiles rows and cols check

Bug: 36231493
Bug: 34064500
AOSP-Change-Id: Ib17b2c68360685c5a2c019e1497612a130f9f76a
(cherry picked from commit 07ef4e7138e0e13d61039530358343a19308b188)
CVE-2017-0637

Change-Id: Iba716c70f07fb070fa221eb1f5a3779df6e1d7cc

1 files changed, 8 insertions, 2 deletions

diff --git a/decoder/ihevcd_parse_headers.c b/decoder/ihevcd_parse_headers.c
index 16b60cf..4c38b0a 100644
--- a/decoder/ihevcd_parse_headers.c
+++ b/decoder/ihevcd_parse_headers.c
@@ -1753,6 +1753,12 @@ IHEVCD_ERROR_T ihevcd_parse_pps(codec_t *ps_codec)
     ps_pps->i1_loop_filter_across_tiles_enabled_flag = 0;
     if(ps_pps->i1_tiles_enabled_flag)
     {
+        WORD32 wd = ALIGN64(ps_codec->i4_wd);
+        WORD32 ht = ALIGN64(ps_codec->i4_ht);
+
+        WORD32 max_tile_cols = (wd + MIN_TILE_WD - 1) / MIN_TILE_WD;
+        WORD32 max_tile_rows = (ht + MIN_TILE_HT - 1) / MIN_TILE_HT;
+
         UEV_PARSE("num_tile_columns_minus1", value, ps_bitstrm);
         ps_pps->i1_num_tile_columns = value + 1;
 
@@ -1760,9 +1766,9 @@ IHEVCD_ERROR_T ihevcd_parse_pps(codec_t *ps_codec)
         ps_pps->i1_num_tile_rows = value + 1;
 
         if((ps_pps->i1_num_tile_columns < 1) ||
-                        (ps_pps->i1_num_tile_columns > ps_sps->i2_pic_wd_in_ctb) ||
+                        (ps_pps->i1_num_tile_columns > max_tile_cols) ||
                         (ps_pps->i1_num_tile_rows < 1) ||
-                        (ps_pps->i1_num_tile_rows > ps_sps->i2_pic_ht_in_ctb))
+                        (ps_pps->i1_num_tile_rows > max_tile_rows))
             return IHEVCD_INVALID_HEADER;
 
         BITS_PARSE("uniform_spacing_flag", value, ps_bitstrm, 1);