decoder: Move initialization of dpb_mgr entries to init_decoder()
Earlier these were only initialized during static buffer allocations.
Initializing them in init_decoder() will ensure that these get
initialized to default values during reset() as well. Without this,
in some error cases, there is a possibility of a heap use-after-free
when the resolution changes and these pointers point to memory that has been freed.
Bug: 142602711
Test: poc in bug
Change-Id: Ie39fee0eca56bf32cdc558099bf167d05eb89620
(cherry picked from commit 01da7b5a52a76aee615b4e32eeceb4887d3662f0)
diff --git a/decoder/ih264d_api.c b/decoder/ih264d_api.c
index c9426a6..fa5bb26 100644
--- a/decoder/ih264d_api.c
+++ b/decoder/ih264d_api.c
@@ -963,6 +963,30 @@
/* Free any dynamic buffers that are allocated */
ih264d_free_dynamic_bufs(ps_dec);
+ {
+ UWORD8 i;
+ struct pic_buffer_t *ps_init_dpb;
+ ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[0][0];
+ for(i = 0; i < 2 * MAX_REF_BUFS; i++)
+ {
+ ps_init_dpb->pu1_buf1 = NULL;
+ ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
+ ps_dec->ps_dpb_mgr->ps_init_dpb[0][i] = ps_init_dpb;
+ ps_dec->ps_dpb_mgr->ps_mod_dpb[0][i] = ps_init_dpb;
+ ps_init_dpb++;
+ }
+
+ ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[1][0];
+ for(i = 0; i < 2 * MAX_REF_BUFS; i++)
+ {
+ ps_init_dpb->pu1_buf1 = NULL;
+ ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
+ ps_dec->ps_dpb_mgr->ps_init_dpb[1][i] = ps_init_dpb;
+ ps_dec->ps_dpb_mgr->ps_mod_dpb[1][i] = ps_init_dpb;
+ ps_init_dpb++;
+ }
+ }
+
ps_cur_slice = ps_dec->ps_cur_slice;
ps_dec->init_done = 0;
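Review bot: The new block dereferences `ps_dec->ps_dpb_mgr->ps_init_dpb[0][0]` and `[1][0]` as the base of the entry arrays with no check, so it now depends on the DPB manager and its backing arrays having been allocated before this point in init_decoder; at the old site (second hunk, immediately after the static-buffer allocation) that ordering was guaranteed, so if init_decoder is reachable on any path before that allocation a guard on `ps_dec->ps_dpb_mgr` or a stated precondition is needed — worth confirming against the callers, which are outside the hunk. The two loops are identical apart from the list index; folding them into one outer loop over the two lists keeps the NULL reset and the `MAX_REF_BUFS + 1` sentinel in a single place, as in the fence below. Since the reset is the actual fix, a why-comment is warranted: `/* Reset both DPB lists on every init/reset so pu1_buf1 cannot keep pointing at picture memory freed by a resolution change. */`. The enclosing function starts before the hunk.
```c
ih264d_free_dynamic_bufs(ps_dec);

{
    UWORD8 i, j;
    /* Reset both DPB lists on every init/reset so pu1_buf1 cannot keep
     * pointing at picture memory freed by a resolution change. */
    for(j = 0; j < 2; j++)
    {
        struct pic_buffer_t *ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[j][0];
        for(i = 0; i < 2 * MAX_REF_BUFS; i++)
        {
            ps_init_dpb->pu1_buf1 = NULL;
            ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
            ps_dec->ps_dpb_mgr->ps_init_dpb[j][i] = ps_init_dpb;
            ps_dec->ps_dpb_mgr->ps_mod_dpb[j][i] = ps_init_dpb;
            ps_init_dpb++;
        }
    }
}
/* … unchanged: ps_cur_slice / init_done assignments … */
```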
@@ -1463,29 +1487,6 @@
ps_dec->ps_col_mv_base = pv_buf;
memset(ps_dec->ps_col_mv_base, 0, size);
- {
- UWORD8 i;
- struct pic_buffer_t *ps_init_dpb;
- ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[0][0];
- for(i = 0; i < 2 * MAX_REF_BUFS; i++)
- {
- ps_init_dpb->pu1_buf1 = NULL;
- ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
- ps_dec->ps_dpb_mgr->ps_init_dpb[0][i] = ps_init_dpb;
- ps_dec->ps_dpb_mgr->ps_mod_dpb[0][i] = ps_init_dpb;
- ps_init_dpb++;
- }
-
- ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[1][0];
- for(i = 0; i < 2 * MAX_REF_BUFS; i++)
- {
- ps_init_dpb->pu1_buf1 = NULL;
- ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
- ps_dec->ps_dpb_mgr->ps_init_dpb[1][i] = ps_init_dpb;
- ps_dec->ps_dpb_mgr->ps_mod_dpb[1][i] = ps_init_dpb;
- ps_init_dpb++;
- }
- }
ih264d_init_decoder(ps_dec);
return IV_SUCCESS;