authorNaveen Kumar Ponnusamy <naveenkumar.p@ittiam.com>2017-03-14 10:06:04 +0530
committerMSe <mse1969@posteo.de>2017-06-09 17:52:43 +0200
commit3dae167cf737f414975c78de50c5667a2bbf8f4d (patch)
tree25768864f2581e4ad3987e411a40a18c1251ed7e /decoder
parent5366e29d62182bac4f5df7a7c57a7f69db818a83 (diff)
Check only allocated mv bufs for releasing from reference
When checking mv bufs for release from reference, unallocated mv bufs were also checked. This was fixed by restricting the loop count to the number of allocated mv bufs. Bug: 34896906 Bug: 34819017 AOSP-Change-Id: If832f590b301f414d4cd5206414efc61a70c17cb (cherry picked from commit 23bfe3e06d53ea749073a5d7ceda84239742b2c2) CVE-2017-0642 Change-Id: I6bc4ce3298df94d288211bd642db49e67ece42ee
Diffstat (limited to 'decoder')
-rw-r--r--decoder/ihevcd_parse_slice_header.c6
-rw-r--r--decoder/ihevcd_ref_list.c6
-rw-r--r--decoder/ihevcd_structs.h3
-rwxr-xr-x[-rw-r--r--]decoder/ihevcd_utils.c2
4 files changed, 11 insertions, 6 deletions
diff --git a/decoder/ihevcd_parse_slice_header.c b/decoder/ihevcd_parse_slice_header.c
index c1cf808..62ad6c8 100644
--- a/decoder/ihevcd_parse_slice_header.c
+++ b/decoder/ihevcd_parse_slice_header.c
@@ -219,7 +219,7 @@ IHEVCD_ERROR_T ihevcd_parse_slice_header(codec_t *ps_codec,
{
IHEVCD_ERROR_T ret = (IHEVCD_ERROR_T)IHEVCD_SUCCESS;
WORD32 value;
- WORD32 i;
+ WORD32 i, j;
WORD32 sps_id;
pps_t *ps_pps;
@@ -884,11 +884,11 @@ IHEVCD_ERROR_T ihevcd_parse_slice_header(codec_t *ps_codec,
ihevc_dpb_mgr_del_ref((dpb_mgr_t *)ps_codec->pv_dpb_mgr, (buf_mgr_t *)ps_codec->pv_pic_buf_mgr, ps_pic_buf->i4_abs_poc);
/* Find buffer id of the MV bank corresponding to the buffer being freed (Buffer with POC of u4_abs_poc) */
ps_mv_buf = (mv_buf_t *)ps_codec->ps_mv_buf;
- for(i = 0; i < BUF_MGR_MAX_CNT; i++)
+ for(j = 0; j < ps_codec->i4_max_dpb_size; j++)
{
if(ps_mv_buf && ps_mv_buf->i4_abs_poc == ps_pic_buf->i4_abs_poc)
{
- ihevc_buf_mgr_release((buf_mgr_t *)ps_codec->pv_mv_buf_mgr, i, BUF_MGR_REF);
+ ihevc_buf_mgr_release((buf_mgr_t *)ps_codec->pv_mv_buf_mgr, j, BUF_MGR_REF);
break;
}
ps_mv_buf++;
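Review bot: The new bound in `for(j = 0; j < ps_codec->i4_max_dpb_size; j++)` drops the fixed ceiling the old loop had, and nothing in this hunk keeps `j` inside whatever id range `ihevc_buf_mgr_release()` accepts. In the visible part of this commit the field is written only in ihevcd_mv_buf_mgr_add_bufs(), so the loop trusts that function to have run for the current stream; keeping both limits is cheap: `for(j = 0; j < ps_codec->i4_max_dpb_size && j < BUF_MGR_MAX_CNT; j++)`. The `ps_mv_buf &&` test inside the loop checks a pointer that is incremented on every pass, so it only guards the first iteration; one NULL check before the loop would express the intent. The same loop appears in the second hunk of decoder/ihevcd_ref_list.c and needs the same change. The enclosing function starts and ends outside this hunk.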
diff --git a/decoder/ihevcd_ref_list.c b/decoder/ihevcd_ref_list.c
index 76bb476..0fe6aa4 100644
--- a/decoder/ihevcd_ref_list.c
+++ b/decoder/ihevcd_ref_list.c
@@ -92,7 +92,7 @@ mv_buf_t* ihevcd_mv_mgr_get_poc(buf_mgr_t *ps_mv_buf_mgr, UWORD32 abs_poc)
WORD32 ihevcd_ref_list(codec_t *ps_codec, pps_t *ps_pps, sps_t *ps_sps, slice_header_t *ps_slice_hdr)
{
- WORD32 i;
+ WORD32 i, j;
WORD32 st_rps_idx;
WORD32 num_neg_pics, num_pos_pics;
WORD8 *pi1_used;
@@ -503,11 +503,11 @@ WORD32 ihevcd_ref_list(codec_t *ps_codec, pps_t *ps_pps, sps_t *ps_sps, slice_he
/* Find buffer id of the MV bank corresponding to the buffer being freed (Buffer with POC of u4_abs_poc) */
ps_mv_buf = (mv_buf_t *)ps_codec->ps_mv_buf;
- for(i = 0; i < BUF_MGR_MAX_CNT; i++)
+ for(j = 0; j < ps_codec->i4_max_dpb_size; j++)
{
if(ps_mv_buf && ps_mv_buf->i4_abs_poc == ps_pic_buf->i4_abs_poc)
{
- ihevc_buf_mgr_release((buf_mgr_t *)ps_codec->pv_mv_buf_mgr, i, BUF_MGR_REF);
+ ihevc_buf_mgr_release((buf_mgr_t *)ps_codec->pv_mv_buf_mgr, j, BUF_MGR_REF);
break;
}
ps_mv_buf++;
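Review bot: This release-by-POC loop is a line-for-line copy of the one in decoder/ihevcd_parse_slice_header.c, which is why the bound had to be corrected in two files. Moving it into one shared helper declared next to `ihevcd_mv_mgr_get_poc()` (suggested name `ihevcd_mv_buf_release_poc(codec_t *ps_codec, WORD32 abs_poc)`) would leave a single place where the bound on ps_mv_buf is enforced. If the duplication stays, a comment on each copy should name the other, for example `/* Keep in sync with the identical loop in ihevcd_parse_slice_header.c */`. The body of ihevcd_ref_list() continues outside this hunk.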
diff --git a/decoder/ihevcd_structs.h b/decoder/ihevcd_structs.h
index ce0653e..1a46984 100644
--- a/decoder/ihevcd_structs.h
+++ b/decoder/ihevcd_structs.h
@@ -1929,6 +1929,9 @@ struct _codec_t
*/
void *ps_mv_buf;
+ /** Holds the number of mv_buf_t structures allocated */
+ WORD32 i4_max_dpb_size;
+
/**
* Base address for Motion Vector bank buffer
*/
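Review bot: The name `i4_max_dpb_size` and its comment disagree about what the field counts. The comment says allocated mv_buf_t structures, while the assignment in decoder/ihevcd_utils.c stores `max_dpb_size` after it has been incremented. Because the field is now the loop bound over ps_mv_buf, the comment should state that contract, e.g. `/** Number of mv_buf_t entries valid at ps_mv_buf; set by ihevcd_mv_buf_mgr_add_bufs(), loops over ps_mv_buf must not go past it */`. A name such as `i4_num_mv_bufs` would remove the ambiguity if a rename is acceptable.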
diff --git a/decoder/ihevcd_utils.c b/decoder/ihevcd_utils.c
index c6c21f5..797b079 100644..100755
--- a/decoder/ihevcd_utils.c
+++ b/decoder/ihevcd_utils.c
@@ -598,6 +598,8 @@ IHEVCD_ERROR_T ihevcd_mv_buf_mgr_add_bufs(codec_t *ps_codec)
*/
max_dpb_size++;
+ ps_codec->i4_max_dpb_size = max_dpb_size;
+
pu1_buf = (UWORD8 *)ps_codec->pv_mv_bank_buf_base;
ps_mv_buf = (mv_buf_t *)pu1_buf;
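Review bot: `ps_codec->i4_max_dpb_size = max_dpb_size;` publishes the count before the entries at ps_mv_buf have been set up. The rest of ihevcd_mv_buf_mgr_add_bufs() is outside this hunk, but if it can return an error partway through, the field would advertise more entries than were initialised. Assigning it only after the buffers have been added, or zeroing it on the error path, keeps the bound used by the release loops accurate. Separately, this section changes the file mode from 100644 to 100755, which looks unintended for a C source file and is unrelated to the fix.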