Return error when there are more mmco params than allocated size
Bug: 25818142
Change-Id: I5c1b23985eeca5192b42703c627ca3d060e4e13d
diff --git a/decoder/ih264d_dpb_mgr.c b/decoder/ih264d_dpb_mgr.c
index 205bc9b..7c4305b 100644
--- a/decoder/ih264d_dpb_mgr.c
+++ b/decoder/ih264d_dpb_mgr.c
@@ -17,6 +17,9 @@
*****************************************************************************
* Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore
*/
+#include "log/log.h"
+#include <cutils/log.h>
+
#include "ih264_typedefs.h"
#include "ih264_macros.h"
#include "ih264_platform_macros.h"
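Review bot: The two added includes use different quoting for what are both platform headers (`"log/log.h"` in quotes, `<cutils/log.h>` in angle brackets), and they make this decoder source depend on Android's logging library unconditionally. If the codec is ever built outside the Android tree, these lines and the `ALOGE`/`android_errorWriteLog` calls in the next hunk would presumably fail to compile. Wrapping both in a guard such as `#ifdef __ANDROID__` would keep the bounds check itself portable. It is also worth confirming whether `cutils/log.h` already pulls in `log/log.h` in this tree, in which case one include is enough.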
@@ -872,6 +875,13 @@
pu4_bitstrm_buf);
while(u4_mmco != END_OF_MMCO)
{
+ if (j >= MAX_REF_BUFS)
+ {
+ ALOGE("b/25818142");
+ android_errorWriteLog(0x534e4554, "25818142");
+ ps_dpb_cmds->u1_num_of_commands = 0;
+ return -1;
+ }
ps_mmc_params = &ps_dpb_cmds->as_mmc_params[j];
ps_mmc_params->u4_mmco = u4_mmco;
switch(u4_mmco)
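Review bot: The new guard compares `j` with `MAX_REF_BUFS`, but the declaration of `as_mmc_params` is not in this hunk, so the check is only correct while that array is declared with exactly that constant. Deriving the bound from the array keeps the two in step: `if (j >= sizeof(ps_dpb_cmds->as_mmc_params) / sizeof(ps_dpb_cmds->as_mmc_params[0]))`. The literal `0x534e4554` would read better with a comment such as `/* "SNET" in ASCII: security event log tag */`, and the function header should state that a negative return means a malformed command list rather than a bit offset. The function body starts and ends outside the hunk, so how `j` is advanced inside the loop cannot be confirmed from here.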
diff --git a/decoder/ih264d_parse_bslice.c b/decoder/ih264d_parse_bslice.c
index 6707039..eb157e6 100644
--- a/decoder/ih264d_parse_bslice.c
+++ b/decoder/ih264d_parse_bslice.c
@@ -1581,7 +1581,14 @@
if(ps_slice->u1_nal_ref_idc != 0)
{
if(!ps_dec->ps_dpb_cmds->u1_dpb_commands_read)
- ps_dec->u4_bitoffset = ih264d_read_mmco_commands(ps_dec);
+ {
+ i_temp = ih264d_read_mmco_commands(ps_dec);
+ if (i_temp < 0)
+ {
+ return ERROR_DBP_MANAGER_T;
+ }
+ ps_dec->u4_bitoffset = i_temp;
+ }
else
ps_bitstrm->u4_ofst += ps_dec->u4_bitoffset;
}
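Review bot: The `i_temp < 0` test only fires if both `i_temp` and the return type of `ih264d_read_mmco_commands` are signed; neither declaration is visible in this hunk, and the value was previously stored straight into `u4_bitoffset`, whose name suggests an unsigned field. If either is unsigned, the error path is dead code and `-1` is stored as a very large bit offset, so the declarations should be checked; alternatively the helper could return a status and pass the offset back through an out-parameter. The same pattern is repeated in the `ih264d_parse_islice.c` and `ih264d_parse_pslice.c` hunks, and any caller of `ih264d_read_mmco_commands` not touched by this commit would still assign the negative value directly. The enclosing function starts and ends outside the hunk.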
diff --git a/decoder/ih264d_parse_islice.c b/decoder/ih264d_parse_islice.c
index 001f8fc..bbb6110 100644
--- a/decoder/ih264d_parse_islice.c
+++ b/decoder/ih264d_parse_islice.c
@@ -1374,8 +1374,14 @@
if(ps_slice->u1_nal_ref_idc != 0)
{
if(!ps_dec->ps_dpb_cmds->u1_dpb_commands_read)
- ps_dec->u4_bitoffset = ih264d_read_mmco_commands(
- ps_dec);
+ {
+ i_temp = ih264d_read_mmco_commands(ps_dec);
+ if (i_temp < 0)
+ {
+ return ERROR_DBP_MANAGER_T;
+ }
+ ps_dec->u4_bitoffset = i_temp;
+ }
else
ps_dec->ps_bitstrm->u4_ofst += ps_dec->u4_bitoffset;
}
diff --git a/decoder/ih264d_parse_pslice.c b/decoder/ih264d_parse_pslice.c
index a82b0f8..3cac387 100644
--- a/decoder/ih264d_parse_pslice.c
+++ b/decoder/ih264d_parse_pslice.c
@@ -2057,7 +2057,14 @@
if(ps_cur_slice->u1_nal_ref_idc != 0)
{
if(!ps_dec->ps_dpb_cmds->u1_dpb_commands_read)
- ps_dec->u4_bitoffset = ih264d_read_mmco_commands(ps_dec);
+ {
+ i_temp = ih264d_read_mmco_commands(ps_dec);
+ if (i_temp < 0)
+ {
+ return ERROR_DBP_MANAGER_T;
+ }
+ ps_dec->u4_bitoffset = i_temp;
+ }
else
ps_bitstrm->u4_ofst += ps_dec->u4_bitoffset;