summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorVenkatarama Avadhani <venkatarama.avadhani@ittiam.com>2017-04-05 10:56:11 +0530
committerMSe <mse1969@posteo.de>2017-07-06 23:46:40 +0200
commitbf8f174e15344d89664426a4dc75187b891c0f7c (patch)
treedf25d015a8fe99fff26fa1f5094c39da58596b66
parentbc7c42b6c6bca3cd4a1b6e1ee7b9cf4a5fcff91c (diff)
downloadandroid_external_libmpeg2-bf8f174e15344d89664426a4dc75187b891c0f7c.tar.gz
android_external_libmpeg2-bf8f174e15344d89664426a4dc75187b891c0f7c.tar.bz2
android_external_libmpeg2-bf8f174e15344d89664426a4dc75187b891c0f7c.zip
Check Number of Skip MBs
Adding check to make sure the number of skip MBs do not exceed the total number of MBs left to decode. Bug: 34231163 AOSP-Change-Id: I62ceffdafcbc0c6d580f6ae1b5b9ab0708a7134f (cherry picked from commit f217b853e7527552290bd047381338f934bccdd6) CVE-2017-0674 Change-Id: I7b81dc4ea88ab31da8e1467560e4f16987360399
Diffstat
-rw-r--r--decoder/impeg2d_pnb_pic.c17
1 files changed, 15 insertions, 2 deletions
diff --git a/decoder/impeg2d_pnb_pic.c b/decoder/impeg2d_pnb_pic.c
index a6c2351..5540044 100644
--- a/decoder/impeg2d_pnb_pic.c
+++ b/decoder/impeg2d_pnb_pic.c
@@ -106,6 +106,14 @@ WORD32 impeg2d_dec_p_mb_params(dec_state_t *ps_dec)
u2_mb_addr_incr = ps_dec->u2_num_horiz_mb - ps_dec->u2_mb_x;
}
+ if ((u2_mb_addr_incr - 1) > ps_dec->u2_num_mbs_left)
+ {
+ /* If the number of skip MBs are more than the number of MBs
+ * left, indicate error.
+ */
+ return IV_FAIL;
+ }
+
impeg2d_dec_skip_mbs(ps_dec, (UWORD16)(u2_mb_addr_incr - 1));
}
@@ -297,6 +305,13 @@ WORD32 impeg2d_dec_pnb_mb_params(dec_state_t *ps_dec)
u2_mb_addr_incr = ps_dec->u2_num_horiz_mb - ps_dec->u2_mb_x;
}
+ if ((u2_mb_addr_incr - 1) > ps_dec->u2_num_mbs_left)
+ {
+ /* If the number of skip MBs are more than the number of MBs
+ * left, indicate error.
+ */
+ return IV_FAIL;
+ }
impeg2d_dec_skip_mbs(ps_dec, (UWORD16)(u2_mb_addr_incr - 1));
}
@@ -488,7 +503,6 @@ IMPEG2D_ERROR_CODES_T impeg2d_dec_p_b_slice(dec_state_t *ps_dec)
IMPEG2D_TRACE_MB_START(ps_dec->u2_mb_x, ps_dec->u2_mb_y);
-
if(ps_dec->e_pic_type == B_PIC)
ret = impeg2d_dec_pnb_mb_params(ps_dec);
else
@@ -687,7 +701,6 @@ IMPEG2D_ERROR_CODES_T impeg2d_dec_p_b_slice(dec_state_t *ps_dec)
}
}
-
ps_dec->u2_num_mbs_left--;
ps_dec->u2_first_mb = 0;
ps_dec->u2_mb_x++;
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-31 01:42:48 +0000