From 2907089d17d4098aba2b0bbedf982541f51ba1d3 Mon Sep 17 00:00:00 2001
From: Naveen Kumar P <naveenkumar.p@ittiam.com>
Date: Thu, 25 May 2017 15:30:59 +0530
Subject: Fix OOB issue in nal unit parsing

Bug: 37712181
Test: ran patched against POC on nyc-mr2
Change-Id: I5408b3afd898db99265f94573d1163ef83c9b99c
(cherry picked from commit 62ebc3276199bef53c4b87cfcd8c8586af255fee)
---
 decoder/ihevcd_nal.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'decoder')

diff --git a/decoder/ihevcd_nal.c b/decoder/ihevcd_nal.c
index bee399f..cc4a27f 100644
--- a/decoder/ihevcd_nal.c
+++ b/decoder/ihevcd_nal.c
@@ -114,7 +114,8 @@ WORD32 ihevcd_nal_search_start_code(UWORD8 *pu1_buf, WORD32 bytes_remaining)
         }
 
         zero_byte_cnt++;
-        if((pu1_buf[ofst + 1] == START_CODE_PREFIX_BYTE) &&
+        if((ofst < (bytes_remaining - 1)) &&
+           (pu1_buf[ofst + 1] == START_CODE_PREFIX_BYTE) &&
            (zero_byte_cnt >= NUM_ZEROS_BEFORE_START_CODE))
         {
             /* Found the start code */
@@ -123,7 +124,7 @@ WORD32 ihevcd_nal_search_start_code(UWORD8 *pu1_buf, WORD32 bytes_remaining)
             break;
         }
     }
-    if(0 == start_code_found)
+    if((0 == start_code_found) && (ofst < bytes_remaining))
     {
         if((START_CODE_PREFIX_BYTE == pu1_buf[ofst]) &&
            (zero_byte_cnt >= NUM_ZEROS_BEFORE_START_CODE))
@@ -231,7 +232,7 @@ IHEVCD_ERROR_T ihevcd_nal_remv_emuln_bytes(UWORD8 *pu1_src,
 
     }
 
-    if(0 == start_code_found)
+    if((0 == start_code_found) && (src_cnt < bytes_remaining))
     {
         u1_src = pu1_src[src_cnt++];
         if(zero_byte_cnt >= NUM_ZEROS_BEFORE_START_CODE)
-- 
cgit v1.2.3