author | Harish Mahendrakar <harish.mahendrakar@ittiam.com> | 2017-01-13 17:22:34 +0530 |
---|---|---|
committer | Sean McCreary <mccreary@mcwest.org> | 2017-05-21 14:46:26 -0600 |
commit | 0f2c17885d77692f5017e372793a407057afc45c (patch) | |
tree | ba766cfe086f8fc37265334f42b532fc4ffa4fcc /decoder | |
parent | 629f0b17212b2f3954bbada48392e89d1201847c (diff) | |
Return error if SPS parsing reads more bytes than the nal length
Bug: 35039946
AOSP-Change-Id: Ia97fa8711f313d0029d2b13e6d150d5e46b2bb99
(cherry picked from commit a6c58e18a49a1ea4929f8345b3c59f900d5813f5)
(cherry picked from commit 232bbe1908d1dd9f10513d7b8065ecaf5c9a11a6)
CVE-2017-0590
Change-Id: I95f922a2c6fc96253b1b3cecb2f6a9b4acb06077
Diffstat (limited to 'decoder')
-rw-r--r-- | decoder/ihevcd_parse_headers.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/decoder/ihevcd_parse_headers.c b/decoder/ihevcd_parse_headers.c
index 3cae4e5..16b60cf 100644
--- a/decoder/ihevcd_parse_headers.c
+++ b/decoder/ihevcd_parse_headers.c
@@ -1460,6 +1460,10 @@ IHEVCD_ERROR_T ihevcd_parse_sps(codec_t *ps_codec)
 BITS_PARSE("sps_extension_flag", value, ps_bitstrm, 1);
+ if((UWORD8 *)ps_bitstrm->pu4_buf > ps_bitstrm->pu1_buf_max)
+ {
+ return IHEVCD_INVALID_PARAMETER;
+ }
 {
 WORD32 numerator; |
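Review bot: The added `if` after the `sps_extension_flag` parse detects an over-read only after every earlier SPS field has already been pulled from the bitstream, so it cannot prevent reads past the NAL. Whether those earlier reads stay inside the allocation depends on how the input buffer is padded and how `pu1_buf_max` is set, neither of which is visible in this hunk. The comparison also uses the word-granular `pu4_buf`, which presumably runs ahead of the bit position actually consumed, so the slack this allows should be confirmed and documented. I would add a comment above the check such as `/* Reject the SPS if parsing ran past the end of the NAL; fields read beyond pu1_buf_max are untrusted */`, and confirm that no SPS state written before this return is used by later NALs. The body of `ihevcd_parse_sps` starts and continues outside the hunk.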