commit 64112d21e356f999c7c8e4d11fbdaee29898f931
author Naveen Kumar Ponnusamy <naveenkumar.p@ittiam.com> Fri Jan 15 02:10:55 2016 +0000
committer android-build-merger <android-build-merger@google.com> Fri Jan 15 02:10:55 2016 +0000
tree 37df200592dde3692ce4b46f327ea23def5bbe43
parent 608fc7f4ae44cbbbef7f1b553e83751d536f6af6
parent 943323f1d9d3dd5c2634deb26cbe72343ca6b3db

Return error when there are more mmco params than allocated size
am: 943323f1d9

* commit '943323f1d9d3dd5c2634deb26cbe72343ca6b3db':
  Return error when there are more mmco params than allocated size

decoder/ih264d_dpb_mgr.c

diff --git a/decoder/ih264d_dpb_mgr.c b/decoder/ih264d_dpb_mgr.c
index 205bc9b..7c4305b 100644
--- a/decoder/ih264d_dpb_mgr.c
+++ b/decoder/ih264d_dpb_mgr.c
@@ -17,6 +17,9 @@
  *****************************************************************************
  * Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore
 */
+#include "log/log.h"
+#include <cutils/log.h>
+
 #include "ih264_typedefs.h"
 #include "ih264_macros.h"
 #include "ih264_platform_macros.h"
@@ -872,6 +875,13 @@
                                      pu4_bitstrm_buf);
                 while(u4_mmco != END_OF_MMCO)
                 {
+                    if (j >= MAX_REF_BUFS)
+                    {
+                        ALOGE("b/25818142");
+                        android_errorWriteLog(0x534e4554, "25818142");
+                        ps_dpb_cmds->u1_num_of_commands = 0;
+                        return -1;
+                    }
                     ps_mmc_params = &ps_dpb_cmds->as_mmc_params[j];
                     ps_mmc_params->u4_mmco = u4_mmco;
                     switch(u4_mmco)

decoder/ih264d_parse_bslice.c

diff --git a/decoder/ih264d_parse_bslice.c b/decoder/ih264d_parse_bslice.c
index 0758b77..85b0d0f 100644
--- a/decoder/ih264d_parse_bslice.c
+++ b/decoder/ih264d_parse_bslice.c
@@ -1590,7 +1590,14 @@
     if(ps_slice->u1_nal_ref_idc != 0)
     {
         if(!ps_dec->ps_dpb_cmds->u1_dpb_commands_read)
-            ps_dec->u4_bitoffset = ih264d_read_mmco_commands(ps_dec);
+        {
+            i_temp = ih264d_read_mmco_commands(ps_dec);
+            if (i_temp < 0)
+            {
+                return ERROR_DBP_MANAGER_T;
+            }
+            ps_dec->u4_bitoffset = i_temp;
+        }
         else
             ps_bitstrm->u4_ofst += ps_dec->u4_bitoffset;
     }

decoder/ih264d_parse_islice.c

diff --git a/decoder/ih264d_parse_islice.c b/decoder/ih264d_parse_islice.c
index f712c64..a5072e9 100644
--- a/decoder/ih264d_parse_islice.c
+++ b/decoder/ih264d_parse_islice.c
@@ -1372,8 +1372,14 @@
     if(ps_slice->u1_nal_ref_idc != 0)
     {
         if(!ps_dec->ps_dpb_cmds->u1_dpb_commands_read)
-            ps_dec->u4_bitoffset = ih264d_read_mmco_commands(
-                            ps_dec);
+        {
+            i_temp = ih264d_read_mmco_commands(ps_dec);
+            if (i_temp < 0)
+            {
+                return ERROR_DBP_MANAGER_T;
+            }
+            ps_dec->u4_bitoffset = i_temp;
+        }
         else
             ps_dec->ps_bitstrm->u4_ofst += ps_dec->u4_bitoffset;
     }

decoder/ih264d_parse_pslice.c

diff --git a/decoder/ih264d_parse_pslice.c b/decoder/ih264d_parse_pslice.c
index 4084fca..8694a36 100644
--- a/decoder/ih264d_parse_pslice.c
+++ b/decoder/ih264d_parse_pslice.c
@@ -2072,7 +2072,14 @@
     if(ps_cur_slice->u1_nal_ref_idc != 0)
     {
         if(!ps_dec->ps_dpb_cmds->u1_dpb_commands_read)
-            ps_dec->u4_bitoffset = ih264d_read_mmco_commands(ps_dec);
+        {
+            i_temp = ih264d_read_mmco_commands(ps_dec);
+            if (i_temp < 0)
+            {
+                return ERROR_DBP_MANAGER_T;
+            }
+            ps_dec->u4_bitoffset = i_temp;
+        }
         else
             ps_bitstrm->u4_ofst += ps_dec->u4_bitoffset;