Decoder: Fixed an out of bound read in intra pred buffers
Bug: 23453762
Change-Id: I129e5a2ac8b9a28f3c894ebca0aef7063ca5934e
(cherry picked from commit 040ec939c61f7dffb76c977b775b1bc1e82f2bde)
diff --git a/decoder/ih264d_utils.c b/decoder/ih264d_utils.c
index d388421..acca990 100644
--- a/decoder/ih264d_utils.c
+++ b/decoder/ih264d_utils.c
@@ -1930,23 +1930,26 @@
}
}
- size = sizeof(UWORD8) * ((u4_wd_mbs + 1) * MB_SIZE) * 2;
+ size = sizeof(UWORD8) * ((u4_wd_mbs + 2) * MB_SIZE) * 2;
pv_buf = ps_dec->pf_aligned_alloc(pv_mem_ctxt, 128, size);
RETURN_IF((NULL == pv_buf), IV_FAIL);
ps_dec->pu1_y_intra_pred_line = pv_buf;
memset(ps_dec->pu1_y_intra_pred_line, 0, size);
+ ps_dec->pu1_y_intra_pred_line += MB_SIZE;
- size = sizeof(UWORD8) * ((u4_wd_mbs + 1) * MB_SIZE) * 2;
+ size = sizeof(UWORD8) * ((u4_wd_mbs + 2) * MB_SIZE) * 2;
pv_buf = ps_dec->pf_aligned_alloc(pv_mem_ctxt, 128, size);
RETURN_IF((NULL == pv_buf), IV_FAIL);
ps_dec->pu1_u_intra_pred_line = pv_buf;
memset(ps_dec->pu1_u_intra_pred_line, 0, size);
+ ps_dec->pu1_u_intra_pred_line += MB_SIZE;
- size = sizeof(UWORD8) * ((u4_wd_mbs + 1) * MB_SIZE) * 2;
+ size = sizeof(UWORD8) * ((u4_wd_mbs + 2) * MB_SIZE) * 2;
pv_buf = ps_dec->pf_aligned_alloc(pv_mem_ctxt, 128, size);
RETURN_IF((NULL == pv_buf), IV_FAIL);
ps_dec->pu1_v_intra_pred_line = pv_buf;
memset(ps_dec->pu1_v_intra_pred_line, 0, size);
+ ps_dec->pu1_v_intra_pred_line += MB_SIZE;
if(ps_dec->u1_separate_parse)
{
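Review bot: After `ps_dec->pu1_y_intra_pred_line += MB_SIZE;` (and the matching lines for the u and v buffers) the field no longer holds the address returned by `pf_aligned_alloc`, and nothing at the allocation site records that. I would add a comment at each bias, for example `/* keep one zeroed MB in front of the line so reads just before it stay inside the allocation; the free path must subtract MB_SIZE */`. The stored pointer also loses the 128-byte alignment requested from the allocator unless MB_SIZE is a multiple of 128, so it is worth confirming that no intra-prediction routine assumes that alignment; this cannot be checked from the hunk. The enclosing function starts and ends outside the hunk.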
@@ -2215,8 +2218,22 @@
}
}
+ if(ps_dec->pu1_y_intra_pred_line)
+ {
+ ps_dec->pu1_y_intra_pred_line -= MB_SIZE;
+ }
PS_DEC_ALIGNED_FREE(ps_dec, ps_dec->pu1_y_intra_pred_line);
+
+ if(ps_dec->pu1_u_intra_pred_line)
+ {
+ ps_dec->pu1_u_intra_pred_line -= MB_SIZE;
+ }
PS_DEC_ALIGNED_FREE(ps_dec, ps_dec->pu1_u_intra_pred_line);
+
+ if(ps_dec->pu1_v_intra_pred_line)
+ {
+ ps_dec->pu1_v_intra_pred_line -= MB_SIZE;
+ }
PS_DEC_ALIGNED_FREE(ps_dec, ps_dec->pu1_v_intra_pred_line);
PS_DEC_ALIGNED_FREE(ps_dec, ps_dec->ps_nbr_mb_row);
PS_DEC_ALIGNED_FREE(ps_dec, ps_dec->pu1_mv_bank_buf_base);
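Review bot: The un-bias `ps_dec->pu1_y_intra_pred_line -= MB_SIZE;` (and the u and v equivalents) is only correct if the field is either NULL or the biased pointer, and that depends on `PS_DEC_ALIGNED_FREE` resetting the field, which is not visible here. If the macro leaves the field non-NULL, a second pass through this free path would subtract MB_SIZE again and hand the allocator an address it never returned. Unless the macro already clears the field, add `ps_dec->pu1_y_intra_pred_line = NULL;` after each of the three frees. Keeping the allocation base in a separate field would remove the pointer arithmetic from the free path altogether. The enclosing function starts and ends outside the hunk.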