commit 943323f1d9d3dd5c2634deb26cbe72343ca6b3db
author Naveen Kumar Ponnusamy <naveenkumar.p@ittiam.com> Fri Dec 04 16:51:43 2015 +0530
committer Wei Jia <wjia@google.com> Wed Jan 13 21:18:46 2016 +0000
tree 3fe813a14c70af76003b49e6764d481cd36c400c
parent 4a524d3a8ae9aa20c36430008e6bd429443f8f1d

Return error when there are more mmco params than allocated size

Bug: 25818142

Change-Id: I5c1b23985eeca5192b42703c627ca3d060e4e13d

decoder/ih264d_dpb_mgr.c

diff --git a/decoder/ih264d_dpb_mgr.c b/decoder/ih264d_dpb_mgr.c
index 205bc9b..7c4305b 100644
--- a/decoder/ih264d_dpb_mgr.c
+++ b/decoder/ih264d_dpb_mgr.c
@@ -17,6 +17,9 @@
  *****************************************************************************
  * Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore
 */
+#include "log/log.h"
+#include <cutils/log.h>
+
 #include "ih264_typedefs.h"
 #include "ih264_macros.h"
 #include "ih264_platform_macros.h"
@@ -872,6 +875,13 @@
                                      pu4_bitstrm_buf);
                 while(u4_mmco != END_OF_MMCO)
                 {
+                    if (j >= MAX_REF_BUFS)
+                    {
+                        ALOGE("b/25818142");
+                        android_errorWriteLog(0x534e4554, "25818142");
+                        ps_dpb_cmds->u1_num_of_commands = 0;
+                        return -1;
+                    }
                     ps_mmc_params = &ps_dpb_cmds->as_mmc_params[j];
                     ps_mmc_params->u4_mmco = u4_mmco;
                     switch(u4_mmco)

decoder/ih264d_parse_bslice.c

diff --git a/decoder/ih264d_parse_bslice.c b/decoder/ih264d_parse_bslice.c
index 6707039..eb157e6 100644
--- a/decoder/ih264d_parse_bslice.c
+++ b/decoder/ih264d_parse_bslice.c
@@ -1581,7 +1581,14 @@
     if(ps_slice->u1_nal_ref_idc != 0)
     {
         if(!ps_dec->ps_dpb_cmds->u1_dpb_commands_read)
-            ps_dec->u4_bitoffset = ih264d_read_mmco_commands(ps_dec);
+        {
+            i_temp = ih264d_read_mmco_commands(ps_dec);
+            if (i_temp < 0)
+            {
+                return ERROR_DBP_MANAGER_T;
+            }
+            ps_dec->u4_bitoffset = i_temp;
+        }
         else
             ps_bitstrm->u4_ofst += ps_dec->u4_bitoffset;
     }

decoder/ih264d_parse_islice.c

diff --git a/decoder/ih264d_parse_islice.c b/decoder/ih264d_parse_islice.c
index 001f8fc..bbb6110 100644
--- a/decoder/ih264d_parse_islice.c
+++ b/decoder/ih264d_parse_islice.c
@@ -1374,8 +1374,14 @@
     if(ps_slice->u1_nal_ref_idc != 0)
     {
         if(!ps_dec->ps_dpb_cmds->u1_dpb_commands_read)
-            ps_dec->u4_bitoffset = ih264d_read_mmco_commands(
-                            ps_dec);
+        {
+            i_temp = ih264d_read_mmco_commands(ps_dec);
+            if (i_temp < 0)
+            {
+                return ERROR_DBP_MANAGER_T;
+            }
+            ps_dec->u4_bitoffset = i_temp;
+        }
         else
             ps_dec->ps_bitstrm->u4_ofst += ps_dec->u4_bitoffset;
     }

decoder/ih264d_parse_pslice.c

diff --git a/decoder/ih264d_parse_pslice.c b/decoder/ih264d_parse_pslice.c
index a82b0f8..3cac387 100644
--- a/decoder/ih264d_parse_pslice.c
+++ b/decoder/ih264d_parse_pslice.c
@@ -2057,7 +2057,14 @@
     if(ps_cur_slice->u1_nal_ref_idc != 0)
     {
         if(!ps_dec->ps_dpb_cmds->u1_dpb_commands_read)
-            ps_dec->u4_bitoffset = ih264d_read_mmco_commands(ps_dec);
+        {
+            i_temp = ih264d_read_mmco_commands(ps_dec);
+            if (i_temp < 0)
+            {
+                return ERROR_DBP_MANAGER_T;
+            }
+            ps_dec->u4_bitoffset = i_temp;
+        }
         else
             ps_bitstrm->u4_ofst += ps_dec->u4_bitoffset;