Fixed out of bound reads in stack variables

Out of bound reads in the following variables are fixed

scaling_mat_offset in ihevcd_iquant_itrans_recon_ctb()
ai1_offset_y, ai1_offset_cb and ai1_offset_cr in ihevcd_sao_shift_ctb()

These values were read but not used

b/32915871

CVE-2017-0406

AOSP Change-Id: Ib07e2ed1bdcc600700d4e9e5d970f6cc2164ab1b
Change-Id: Id3e335941d6f015a55085d2592f92974b3225976
(cherry picked from commit 4def2dfabf8afcb185942131c1e67bb3ff211f05)
(cherry picked from commit 5e7a6141e9e7a165b1234a3fd24ea4b176c3d016)

1 files changed, 4 insertions, 2 deletions

diff --git a/decoder/ihevcd_iquant_itrans_recon_ctb.c b/decoder/ihevcd_iquant_itrans_recon_ctb.c
index a558644..88ace44 100644
--- a/decoder/ihevcd_iquant_itrans_recon_ctb.c
+++ b/decoder/ihevcd_iquant_itrans_recon_ctb.c
@@ -567,9 +567,11 @@ WORD32 ihevcd_iquant_itrans_recon_ctb(process_ctxt_t *ps_proc)
     /* Intra 32x32 Y                                                         */
     /* Inter 32x32 Y                                                         */
     /*************************************************************************/
-    WORD32 scaling_mat_offset[] =
+    /* Only first 20 entries are used. Array is extended to avoid out of bound
+       reads. Skip CUs (64x64) read this table, but don't really use the value */
+    static const WORD32 scaling_mat_offset[] =
       { 0, 16, 32, 48, 64, 80, 96, 160, 224, 288, 352, 416, 480, 736, 992,
-        1248, 1504, 1760, 2016, 3040 };
+        1248, 1504, 1760, 2016, 3040, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
 
     PROFILE_DISABLE_IQ_IT_RECON_INTRA_PRED();