diff options
author | Naveen Kumar P <naveenkumar.p@ittiam.com> | 2017-03-31 16:58:15 +0530 |
---|---|---|
committer | MSe <mse1969@posteo.de> | 2017-06-09 16:08:28 +0200 |
commit | 5366e29d62182bac4f5df7a7c57a7f69db818a83 (patch) | |
tree | 1fd0a533ae89f66f1fa46f805b3330552cbc1c94 /decoder | |
parent | e6e37db96ac9344a8c36763ab0445efb433b745b (diff) | |
download | android_external_libhevc-5366e29d62182bac4f5df7a7c57a7f69db818a83.tar.gz android_external_libhevc-5366e29d62182bac4f5df7a7c57a7f69db818a83.tar.bz2 android_external_libhevc-5366e29d62182bac4f5df7a7c57a7f69db818a83.zip |
Set current slice ctb x and y to fill prev incomplete slice
If previous slice is not completed, update the current slice
ctb_x and ctb_y so that while filling the previous slice,
the parse slice code can break properly.
Bug: 32322258
Test: boot, ran POC supplied with bug
AOSP-Change-Id: Ie9090694514a018268851560a3f056194ff6fc91
(cherry picked from commit 830858436bb31036d4260f30c25fa83fd351ed40)
CVE-2017-0391
Change-Id: I5fada9d8f5e2afb7cfd7aa5e82ed1a6d5c2b6808
Diffstat (limited to 'decoder')
-rw-r--r-- | decoder/ihevcd_parse_slice_header.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/decoder/ihevcd_parse_slice_header.c b/decoder/ihevcd_parse_slice_header.c index 744484e..c1cf808 100644 --- a/decoder/ihevcd_parse_slice_header.c +++ b/decoder/ihevcd_parse_slice_header.c @@ -729,11 +729,15 @@ IHEVCD_ERROR_T ihevcd_parse_slice_header(codec_t *ps_codec, { if(ps_codec->i4_pic_present) { + slice_header_t *ps_slice_hdr_next; ps_codec->i4_slice_error = 1; ps_codec->s_parse.i4_cur_slice_idx--; if(ps_codec->s_parse.i4_cur_slice_idx < 0) ps_codec->s_parse.i4_cur_slice_idx = 0; + ps_slice_hdr_next = ps_codec->s_parse.ps_slice_hdr_base + ((ps_codec->s_parse.i4_cur_slice_idx + 1) & (MAX_SLICE_HDR_CNT - 1)); + ps_slice_hdr_next->i2_ctb_x = slice_address % ps_sps->i2_pic_wd_in_ctb; + ps_slice_hdr_next->i2_ctb_y = slice_address / ps_sps->i2_pic_wd_in_ctb; return ret; } else |