From 6b0ac936a7170fb501ba82ebc37c523c427cd69d Mon Sep 17 00:00:00 2001
From: Naveen Kumar P <naveenkumar.p@ittiam.com>
Date: Wed, 17 May 2017 14:07:54 +0530
Subject: Return error for invalid crop parameters

Test: run poc with and without the patch
Bug: 62214264
Change-Id: If627ee9a8f0dbd65963897966e1c2d39f5fbd428
(cherry picked from commit e8c26c16d78c5accec081c8f4516918eee679c4c)
CVE-2017-0762
---
 decoder/ihevcd_parse_headers.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

(limited to 'decoder')

diff --git a/decoder/ihevcd_parse_headers.c b/decoder/ihevcd_parse_headers.c
index d78b950..a33a382 100644
--- a/decoder/ihevcd_parse_headers.c
+++ b/decoder/ihevcd_parse_headers.c
@@ -1283,15 +1283,31 @@ IHEVCD_ERROR_T ihevcd_parse_sps(codec_t *ps_codec)
     {
 
         UEV_PARSE("pic_crop_left_offset", value, ps_bitstrm);
+        if (value >= ps_sps->i2_pic_width_in_luma_samples)
+        {
+            return IHEVCD_INVALID_PARAMETER;
+        }
         ps_sps->i2_pic_crop_left_offset = value;
 
         UEV_PARSE("pic_crop_right_offset", value, ps_bitstrm);
+        if (value >= ps_sps->i2_pic_width_in_luma_samples)
+        {
+            return IHEVCD_INVALID_PARAMETER;
+        }
         ps_sps->i2_pic_crop_right_offset = value;
 
         UEV_PARSE("pic_crop_top_offset", value, ps_bitstrm);
+        if (value >= ps_sps->i2_pic_height_in_luma_samples)
+        {
+            return IHEVCD_INVALID_PARAMETER;
+        }
         ps_sps->i2_pic_crop_top_offset = value;
 
         UEV_PARSE("pic_crop_bottom_offset", value, ps_bitstrm);
+        if (value >= ps_sps->i2_pic_height_in_luma_samples)
+        {
+            return IHEVCD_INVALID_PARAMETER;
+        }
         ps_sps->i2_pic_crop_bottom_offset = value;
     }
     else
-- 
cgit v1.2.3