From 2be3683d5caab9638ff33d9fee0a48dc7204ddc6 Mon Sep 17 00:00:00 2001
From: Harish Mahendrakar
Date: Fri, 13 Jan 2017 16:41:33 +0530
Subject: Fix in handling wrong cu_qp_delta

cu_qp_delta is now checked for the range as specified in the spec

Bug: 33966031
AOSP-Change-Id: I00420bf68081af92e9f2be9af7ce58d0683094ca
CVE-2017-0540
Change-Id: I3f50e370e43489d9f6c003ad03cddac47796f7af
(cherry picked from commit 01ca88bb6c5bdd44e071f8effebe12f1d7da9853)
---
 decoder/ihevcd_cabac.c | 3 +--
 decoder/ihevcd_parse_slice.c | 11 ++++++++++-
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/decoder/ihevcd_cabac.c b/decoder/ihevcd_cabac.c
index fa249c4..3a03aa8 100644
--- a/decoder/ihevcd_cabac.c
+++ b/decoder/ihevcd_cabac.c
@@ -669,14 +669,13 @@ UWORD32 ihevcd_cabac_decode_bypass_bins_egk(cab_ctxt_t *ps_cabac,
     numones = k;
     bin = 1;
     u4_sym = 0;
-    while(bin)
+    while(bin && (numones <= 16))
     {
         IHEVCD_CABAC_DECODE_BYPASS_BIN(bin, ps_cabac, ps_bitstrm);
         u4_sym += bin << numones++;
     }
     numones -= 1;
-    numones = CLIP3(numones, 0, 16);
 
     if(numones)
     {
diff --git a/decoder/ihevcd_parse_slice.c b/decoder/ihevcd_parse_slice.c
index 3bb658e..f56ba8e 100644
--- a/decoder/ihevcd_parse_slice.c
+++ b/decoder/ihevcd_parse_slice.c
@@ -82,6 +82,9 @@
 /* Bit stream offset threshold */
 #define BITSTRM_OFF_THRS 8
 
+#define MIN_CU_QP_DELTA_ABS(x) (-26 + ((x) * 6) / 2)
+#define MAX_CU_QP_DELTA_ABS(x) (25 + ((x) * 6) / 2)
+
 /**
  * Table used to decode part_mode if AMP is enabled and current CU is not min CU
  */
@@ -302,7 +305,6 @@ WORD32 ihevcd_parse_transform_tree(codec_t *ps_codec,
             }
             AEV_TRACE("cu_qp_delta_abs", cu_qp_delta_abs, ps_cabac->u4_range);
-            ps_codec->s_parse.i4_is_cu_qp_delta_coded = 1;
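Review bot: The new loop condition only bounds `numones` while the loop actually runs: if `k` is already above 16 on entry, `while(bin && (numones <= 16))` is skipped, `bin` stays 1, `u4_sym` stays 0 and `numones -= 1` leaves k-1, which the removed `CLIP3(numones, 0, 16)` used to clamp before the suffix read that follows. Whether any caller can pass such a k is not visible in this hunk; if callers guarantee k <= 16, state it at the loop so the invariant that keeps the shift in `bin << numones++` below 32 stays explicit: `/* Precondition: k <= 16. The prefix scan stops after 17 ones, so the shift never exceeds 16; a longer prefix is malformed and is truncated, not rejected. */`. Note also that the cap turns a malformed prefix into a silently truncated symbol rather than a decode error, which is acceptable for a bypass-bin reader but deserves that comment. The body of ihevcd_cabac_decode_bypass_bins_egk begins before and continues after the hunk.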
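Review bot: `MIN_CU_QP_DELTA_ABS` / `MAX_CU_QP_DELTA_ABS` are misnamed and undocumented: the later hunk compares the signed value after the sign has been applied, so these bound CuQpDeltaVal, not an absolute value, and nothing says where -26, 25 and the `(x * 6) / 2` term come from. The expressions match the H.265 constraint that CuQpDeltaVal lies in [-(26 + QpBdOffsetY / 2), 25 + QpBdOffsetY / 2] with QpBdOffsetY = 6 * bit_depth_luma_minus8, so a comment above the pair should say so: `/* Legal range of CuQpDeltaVal per the H.265 transform-unit semantics: -(26 + QpBdOffsetY/2) .. 25 + QpBdOffsetY/2, QpBdOffsetY = 6 * bit_depth_luma_minus8 */`. Naming them `CU_QP_DELTA_MIN(bd_minus8)` / `CU_QP_DELTA_MAX(bd_minus8)` would make both the signedness and the expected argument obvious to the next reader.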
@@ -315,6 +317,13 @@ WORD32 ihevcd_parse_transform_tree(codec_t *ps_codec,
                     cu_qp_delta_abs = -cu_qp_delta_abs;
                 }
+
+                if (cu_qp_delta_abs < MIN_CU_QP_DELTA_ABS(ps_sps->i1_bit_depth_luma_minus8)
+                    || cu_qp_delta_abs > MAX_CU_QP_DELTA_ABS(ps_sps->i1_bit_depth_luma_minus8))
+                {
+                    return IHEVCD_INVALID_PARAMETER;
+                }
+
                 ps_codec->s_parse.s_cu.i4_cu_qp_delta = cu_qp_delta_abs;
             }
-- 
cgit v1.2.3
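Review bot: The range check sits correctly after the sign is applied, but the early `return IHEVCD_INVALID_PARAMETER` leaves `s_parse.s_cu.i4_cu_qp_delta` holding whatever the previous CU stored, and nothing in this hunk shows the caller treating that return as fatal; confirm the error propagates out of ihevcd_parse_transform_tree and aborts the slice instead of letting decoding continue with the stale value. A one-line comment would tell a reader why the check is here rather than at the EGk decode: `/* Reject a CuQpDeltaVal outside the spec range before it is stored for QP derivation */`. Separately, the diffstat (11 insertions, 3 deletions) shows that the `i4_is_cu_qp_delta_coded = 1;` line deleted in the preceding hunk is not restored anywhere in this patch, and the commit message does not mention that change, so its intent should be confirmed. ihevcd_parse_transform_tree begins before and continues after this hunk.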