From e6e37db96ac9344a8c36763ab0445efb433b745b Mon Sep 17 00:00:00 2001 From: Naveen Kumar P Date: Fri, 31 Mar 2017 17:44:24 +0530 Subject: Correct Tiles rows and cols check Bug: 36231493 Bug: 34064500 AOSP-Change-Id: Ib17b2c68360685c5a2c019e1497612a130f9f76a (cherry picked from commit 07ef4e7138e0e13d61039530358343a19308b188) CVE-2017-0637 Change-Id: Iba716c70f07fb070fa221eb1f5a3779df6e1d7cc --- decoder/ihevcd_parse_headers.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/decoder/ihevcd_parse_headers.c b/decoder/ihevcd_parse_headers.c index 16b60cf..4c38b0a 100644 --- a/decoder/ihevcd_parse_headers.c +++ b/decoder/ihevcd_parse_headers.c @@ -1753,6 +1753,12 @@ IHEVCD_ERROR_T ihevcd_parse_pps(codec_t *ps_codec) ps_pps->i1_loop_filter_across_tiles_enabled_flag = 0; if(ps_pps->i1_tiles_enabled_flag) { + WORD32 wd = ALIGN64(ps_codec->i4_wd); + WORD32 ht = ALIGN64(ps_codec->i4_ht); + + WORD32 max_tile_cols = (wd + MIN_TILE_WD - 1) / MIN_TILE_WD; + WORD32 max_tile_rows = (ht + MIN_TILE_HT - 1) / MIN_TILE_HT; + UEV_PARSE("num_tile_columns_minus1", value, ps_bitstrm); ps_pps->i1_num_tile_columns = value + 1; @@ -1760,9 +1766,9 @@ IHEVCD_ERROR_T ihevcd_parse_pps(codec_t *ps_codec) ps_pps->i1_num_tile_rows = value + 1; if((ps_pps->i1_num_tile_columns < 1) || - (ps_pps->i1_num_tile_columns > ps_sps->i2_pic_wd_in_ctb) || + (ps_pps->i1_num_tile_columns > max_tile_cols) || (ps_pps->i1_num_tile_rows < 1) || - (ps_pps->i1_num_tile_rows > ps_sps->i2_pic_ht_in_ctb)) + (ps_pps->i1_num_tile_rows > max_tile_rows)) return IHEVCD_INVALID_HEADER; BITS_PARSE("uniform_spacing_flag", value, ps_bitstrm, 1); -- cgit v1.2.3