commit 8f14f2c246f1a7afe0d64e72498b556701568d2e
author Naveen Kumar Ponnusamy <naveenkumar.p@ittiam.com> Fri Dec 04 16:51:43 2015 +0530
committer android-build-team Robot <android-build-team-robot@google.com> Wed Sep 13 22:00:22 2017 +0000
tree 9f10d446d90eeba0e57955ef9305f4afa86e6041
parent 5c5adffe1f88a456fcef24c920cc0b352087307b

Return error when there are more mmco params than allocated size

Bug: 25818142

Change-Id: I5c1b23985eeca5192b42703c627ca3d060e4e13d
(cherry picked from commit 943323f1d9d3dd5c2634deb26cbe72343ca6b3db)

decoder/ih264d_dpb_mgr.c

diff --git a/decoder/ih264d_dpb_mgr.c b/decoder/ih264d_dpb_mgr.c
index 88ff0ca..0a61ffd 100644
--- a/decoder/ih264d_dpb_mgr.c
+++ b/decoder/ih264d_dpb_mgr.c
@@ -17,6 +17,9 @@
  *****************************************************************************
  * Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore
 */
+#include "log/log.h"
+#include <cutils/log.h>
+
 #include "ih264_typedefs.h"
 #include "ih264_macros.h"
 #include "ih264_platform_macros.h"
@@ -883,6 +886,13 @@
                                      pu4_bitstrm_buf);
                 while(u4_mmco != END_OF_MMCO)
                 {
+                    if (j >= MAX_REF_BUFS)
+                    {
+                        ALOGE("b/25818142");
+                        android_errorWriteLog(0x534e4554, "25818142");
+                        ps_dpb_cmds->u1_num_of_commands = 0;
+                        return -1;
+                    }
                     ps_mmc_params = &ps_dpb_cmds->as_mmc_params[j];
                     ps_mmc_params->u4_mmco = u4_mmco;
                     switch(u4_mmco)

decoder/ih264d_parse_bslice.c

diff --git a/decoder/ih264d_parse_bslice.c b/decoder/ih264d_parse_bslice.c
index e34a29d..772964a 100644
--- a/decoder/ih264d_parse_bslice.c
+++ b/decoder/ih264d_parse_bslice.c
@@ -1577,7 +1577,14 @@
     if(ps_slice->u1_nal_ref_idc != 0)
     {
         if(!ps_dec->ps_dpb_cmds->u1_dpb_commands_read)
-            ps_dec->u4_bitoffset = ih264d_read_mmco_commands(ps_dec);
+        {
+            i_temp = ih264d_read_mmco_commands(ps_dec);
+            if (i_temp < 0)
+            {
+                return ERROR_DBP_MANAGER_T;
+            }
+            ps_dec->u4_bitoffset = i_temp;
+        }
         else
             ps_bitstrm->u4_ofst += ps_dec->u4_bitoffset;
     }

decoder/ih264d_parse_islice.c

diff --git a/decoder/ih264d_parse_islice.c b/decoder/ih264d_parse_islice.c
index 1a4c6d0..504b775 100644
--- a/decoder/ih264d_parse_islice.c
+++ b/decoder/ih264d_parse_islice.c
@@ -1387,8 +1387,14 @@
     if(ps_slice->u1_nal_ref_idc != 0)
     {
         if(!ps_dec->ps_dpb_cmds->u1_dpb_commands_read)
-            ps_dec->u4_bitoffset = ih264d_read_mmco_commands(
-                            ps_dec);
+        {
+            i_temp = ih264d_read_mmco_commands(ps_dec);
+            if (i_temp < 0)
+            {
+                return ERROR_DBP_MANAGER_T;
+            }
+            ps_dec->u4_bitoffset = i_temp;
+        }
         else
             ps_dec->ps_bitstrm->u4_ofst += ps_dec->u4_bitoffset;
     }

decoder/ih264d_parse_pslice.c

diff --git a/decoder/ih264d_parse_pslice.c b/decoder/ih264d_parse_pslice.c
index c89b6cd..bcfbe05 100644
--- a/decoder/ih264d_parse_pslice.c
+++ b/decoder/ih264d_parse_pslice.c
@@ -2104,7 +2104,14 @@
     if(ps_cur_slice->u1_nal_ref_idc != 0)
     {
         if(!ps_dec->ps_dpb_cmds->u1_dpb_commands_read)
-            ps_dec->u4_bitoffset = ih264d_read_mmco_commands(ps_dec);
+        {
+            i_temp = ih264d_read_mmco_commands(ps_dec);
+            if (i_temp < 0)
+            {
+                return ERROR_DBP_MANAGER_T;
+            }
+            ps_dec->u4_bitoffset = i_temp;
+        }
         else
             ps_bitstrm->u4_ofst += ps_dec->u4_bitoffset;