From 60615b72a0c5ec729aeb99f637d90e119a9dc7b0 Mon Sep 17 00:00:00 2001
From: Harish Mahendrakar
Date: Thu, 14 Apr 2016 14:25:51 +0530
Subject: DO NOT MERGE Handle streams with change in max_dec_buffering/num_reorder_frames without resolution change backported from master as part of fixing a security issue on nyc-*.
Bug: 34779227
Test: successful re-run of POC after patch
AOSP-Change-Id: I404099ac24439b5f6eddc9265dc571929433b3ee
(cherry picked from commit 27ad0d7bffb18dc47ab420789ca45f5481906903)
CVE-2017-0675
Change-Id: I32be2ce0ec44acf60224f67d7d5b51c64ec87d90
---
decoder/ihevcd_parse_headers.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
(limited to 'decoder')
diff --git a/decoder/ihevcd_parse_headers.c b/decoder/ihevcd_parse_headers.c
index 0f98094..6d85601 100644
--- a/decoder/ihevcd_parse_headers.c
+++ b/decoder/ihevcd_parse_headers.c
@@ -1334,6 +1334,27 @@ IHEVCD_ERROR_T ihevcd_parse_sps(codec_t *ps_codec)
 UEV_PARSE("max_latency_increase", value, ps_bitstrm);
 ps_sps->ai1_sps_max_latency_increase[i] = value;
 }
+
+ /* Check if sps_max_dec_pic_buffering or sps_max_num_reorder_pics
+ has changed */
+ if(0 != ps_codec->i4_first_pic_done)
+ {
+ sps_t *ps_sps_old = ps_codec->s_parse.ps_sps;
+ if(ps_sps_old->ai1_sps_max_dec_pic_buffering[ps_sps_old->i1_sps_max_sub_layers - 1] !=
+ ps_sps->ai1_sps_max_dec_pic_buffering[ps_sps->i1_sps_max_sub_layers - 1])
+ {
+ ps_codec->i4_reset_flag = 1;
+ return (IHEVCD_ERROR_T)IVD_RES_CHANGED;
+ }
+
+ if(ps_sps_old->ai1_sps_max_num_reorder_pics[ps_sps_old->i1_sps_max_sub_layers - 1] !=
+ ps_sps->ai1_sps_max_num_reorder_pics[ps_sps->i1_sps_max_sub_layers - 1])
+ {
+ ps_codec->i4_reset_flag = 1;
+ return (IHEVCD_ERROR_T)IVD_RES_CHANGED;
+ }
+ }
+
 UEV_PARSE("log2_min_coding_block_size_minus3", value, ps_bitstrm);
 ps_sps->i1_log2_min_coding_block_size = value + 3;
--
cgit v1.2.3
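Review bot: The added comparison indexes `ai1_sps_max_dec_pic_buffering[]` and `ai1_sps_max_num_reorder_pics[]` with `i1_sps_max_sub_layers - 1` on both the old and the new SPS, and dereferences `ps_codec->s_parse.ps_sps`, with no range or NULL check visible in the hunk. `ihevcd_parse_sps` starts and ends outside the hunk, so it cannot be confirmed here that `i1_sps_max_sub_layers` (presumably taken from the bitstream) is already limited to the array size and is never 0; if it is not, these reads fall outside the arrays. I would either guard the block with `if((0 != ps_codec->i4_first_pic_done) && (NULL != ps_codec->s_parse.ps_sps))` or state the invariant beside it, e.g. `/* i1_sps_max_sub_layers is range-checked above; s_parse.ps_sps is valid once i4_first_pic_done is set */`. The two branches have identical bodies and could be a single condition joined with `||`. Since `IVD_RES_CHANGED` is returned for a change that is not a resolution change, a short comment that the code is reused to force a decoder reset, and that the SPS being parsed is abandoned half-filled on this path, would help whoever maintains the callers.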