diff options
author | Harish Mahendrakar <harish.mahendrakar@ittiam.com> | 2017-05-15 18:51:18 +0530 |
---|---|---|
committer | MSe <mse1969@posteo.de> | 2017-07-07 21:12:46 +0200 |
commit | c1f356100f1b0e2c8dff3840874d2ce8d9554686 (patch) | |
tree | c27be12904c148029c71777857288383fe783a22 /decoder | |
parent | e2c7d29262ffdbaab0ed12c6bb6f4c364533c052 (diff) | |
download | android_external_libhevc-c1f356100f1b0e2c8dff3840874d2ce8d9554686.tar.gz android_external_libhevc-c1f356100f1b0e2c8dff3840874d2ce8d9554686.tar.bz2 android_external_libhevc-c1f356100f1b0e2c8dff3840874d2ce8d9554686.zip |
Fix heap buffer overflow while searching for valid PPS
Bug: 37094889
Test: Tested POC on ASAN build
AOSP-Change-Id: Id4e52cd10a4d5eac015efe4b752162dc39cc30b8
(cherry picked from commit 520465122804c4022edd0c8c3c54a93fb4cba613)
CVE-2017-0695
Change-Id: Ia50299381e19b6f6f4b278de3028f98b7aa296be
Diffstat (limited to 'decoder')
-rw-r--r-- | decoder/ihevcd_parse_slice_header.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/decoder/ihevcd_parse_slice_header.c b/decoder/ihevcd_parse_slice_header.c index a68db25..e1b50b7 100644 --- a/decoder/ihevcd_parse_slice_header.c +++ b/decoder/ihevcd_parse_slice_header.c @@ -257,10 +257,11 @@ IHEVCD_ERROR_T ihevcd_parse_slice_header(codec_t *ps_codec, { pps_t *ps_pps_ref = ps_codec->ps_pps_base; while(0 == ps_pps_ref->i1_pps_valid) + { ps_pps_ref++; - - if((ps_pps_ref - ps_codec->ps_pps_base >= MAX_PPS_CNT - 1)) - return IHEVCD_INVALID_HEADER; + if((ps_pps_ref - ps_codec->ps_pps_base >= MAX_PPS_CNT - 1)) + return IHEVCD_INVALID_HEADER; + } ihevcd_copy_pps(ps_codec, pps_id, ps_pps_ref->i1_pps_id); } |