Merge cherrypicks of [3276508, 3277765, 3277766, 3277904, 3276473, 3278009, 3278010, 3277767, 3277768, 3277769, 3277770, 3276509, 3276510, 3278011, 3278012, 3278013, 3278014, 3278099, 3278100, 3278101, 3278102, 3278103, 3278104, 3278105, 3278106, 3277800, 3276474, 3278015, 3278016, 3278017, 3278118, 3278119, 3278120, 3278121, 3278122, 3277946, 3277905, 3277947, 3277906, 3277751, 3278123, 3277752, 3278110, 3277771, 3277907, 3278095, 3277908, 3278111, 3277772, 3276475, 3276476] into oc-mr1-release
Change-Id: I26938a88f84d29ba2623432f2b7207a86b2ee93c
diff --git a/decoder/ih264d_api.c b/decoder/ih264d_api.c
index 0341389..804fdb7 100644
--- a/decoder/ih264d_api.c
+++ b/decoder/ih264d_api.c
@@ -1490,20 +1490,37 @@
/*****************************************************************************/
WORD32 ih264d_create(iv_obj_t *dec_hdl, void *pv_api_ip, void *pv_api_op)
{
+ ih264d_create_ip_t *ps_create_ip;
ih264d_create_op_t *ps_create_op;
WORD32 ret;
+ ps_create_ip = (ih264d_create_ip_t *)pv_api_ip;
ps_create_op = (ih264d_create_op_t *)pv_api_op;
ps_create_op->s_ivd_create_op_t.u4_error_code = 0;
-
+ dec_hdl = NULL;
ret = ih264d_allocate_static_bufs(&dec_hdl, pv_api_ip, pv_api_op);
/* If allocation of some buffer fails, then free buffers allocated till then */
- if((IV_FAIL == ret) && (NULL != dec_hdl))
+ if(IV_FAIL == ret)
{
- ih264d_free_static_bufs(dec_hdl);
+ if(dec_hdl)
+ {
+ if(dec_hdl->pv_codec_handle)
+ {
+ ih264d_free_static_bufs(dec_hdl);
+ }
+ else
+ {
+ void (*pf_aligned_free)(void *pv_mem_ctxt, void *pv_buf);
+ void *pv_mem_ctxt;
+
+ pf_aligned_free = ps_create_ip->s_ivd_create_ip_t.pf_aligned_free;
+ pv_mem_ctxt = ps_create_ip->s_ivd_create_ip_t.pv_mem_ctxt;
+ pf_aligned_free(pv_mem_ctxt, dec_hdl);
+ }
+ }
ps_create_op->s_ivd_create_op_t.u4_error_code = IVD_MEM_ALLOC_FAILED;
ps_create_op->s_ivd_create_op_t.u4_error_code = 1 << IVD_FATALERROR;
@@ -2052,7 +2069,8 @@
void *pv_buf;
void *pv_mem_ctxt = ps_dec->pv_mem_ctxt;
size = MAX(256000, ps_dec->u2_pic_wd * ps_dec->u2_pic_ht * 3 / 2);
- pv_buf = ps_dec->pf_aligned_alloc(pv_mem_ctxt, 128, size);
+ pv_buf = ps_dec->pf_aligned_alloc(pv_mem_ctxt, 128,
+ size + EXTRA_BS_OFFSET);
RETURN_IF((NULL == pv_buf), IV_FAIL);
ps_dec->pu1_bits_buf_dynamic = pv_buf;
ps_dec->u4_dynamic_bits_buf_size = size;
diff --git a/decoder/ih264d_defs.h b/decoder/ih264d_defs.h
index 4622775..260e358 100644
--- a/decoder/ih264d_defs.h
+++ b/decoder/ih264d_defs.h
@@ -108,6 +108,9 @@
/* For 420SP */
#define YUV420SP_FACTOR 2
+/*To prevent buffer overflow access; in case the size of nal unit is
+ * greater than the allocated buffer size*/
+#define EXTRA_BS_OFFSET 16*16*2
/**
***************************************************************************
diff --git a/decoder/ih264d_dpb_mgr.c b/decoder/ih264d_dpb_mgr.c
index 303d4e8..f6417c7 100644
--- a/decoder/ih264d_dpb_mgr.c
+++ b/decoder/ih264d_dpb_mgr.c
@@ -843,7 +843,7 @@
WORD32 ih264d_read_mmco_commands(struct _DecStruct * ps_dec)
{
dec_bit_stream_t *ps_bitstrm = ps_dec->ps_bitstrm;
- dpb_commands_t *ps_dpb_cmds = ps_dec->ps_dpb_cmds;
+ dpb_commands_t *ps_dpb_cmds = &(ps_dec->s_dpb_cmds_scratch);
dec_slice_params_t * ps_slice = ps_dec->ps_cur_slice;
WORD32 j;
UWORD8 u1_buf_mode;
diff --git a/decoder/ih264d_parse_headers.c b/decoder/ih264d_parse_headers.c
index 4f3136f..f0d0d88 100644
--- a/decoder/ih264d_parse_headers.c
+++ b/decoder/ih264d_parse_headers.c
@@ -479,7 +479,7 @@
{
UWORD8 i;
dec_seq_params_t *ps_seq = NULL;
- UWORD8 u1_profile_idc, u1_level_idc, u1_seq_parameter_set_id;
+ UWORD8 u1_profile_idc, u1_level_idc, u1_seq_parameter_set_id, u1_mb_aff_flag = 0;
UWORD16 i2_max_frm_num;
UWORD32 *pu4_bitstrm_buf = ps_bitstrm->pu4_buffer;
UWORD32 *pu4_bitstrm_ofst = &ps_bitstrm->u4_ofst;
@@ -802,9 +802,19 @@
COPYTHECONTEXT("SPS: frame_mbs_only_flag", u1_frm);
if(!u1_frm)
+ u1_mb_aff_flag = ih264d_get_bit_h264(ps_bitstrm);
+
+ if((ps_dec->i4_header_decoded & 1)
+ && (ps_seq->u1_mb_aff_flag != u1_mb_aff_flag))
+ {
+ ps_dec->u1_res_changed = 1;
+ return IVD_RES_CHANGED;
+ }
+
+ if(!u1_frm)
{
u2_pic_ht <<= 1;
- ps_seq->u1_mb_aff_flag = ih264d_get_bit_h264(ps_bitstrm);
+ ps_seq->u1_mb_aff_flag = u1_mb_aff_flag;
COPYTHECONTEXT("SPS: mb_adaptive_frame_field_flag",
ps_seq->u1_mb_aff_flag);
diff --git a/decoder/ih264d_parse_slice.c b/decoder/ih264d_parse_slice.c
index 2d8a9af..609c2fe 100644
--- a/decoder/ih264d_parse_slice.c
+++ b/decoder/ih264d_parse_slice.c
@@ -1858,6 +1858,15 @@
if(ret != OK)
return ret;
+ if(u1_nal_ref_idc != 0)
+ {
+ if(!ps_dec->ps_dpb_cmds->u1_dpb_commands_read)
+ {
+ memcpy((void *)ps_dec->ps_dpb_cmds, (void *)(&(ps_dec->s_dpb_cmds_scratch)),
+ sizeof(dpb_commands_t));
+ }
+ }
+
/* storing last Mb X and MbY of the slice */
ps_dec->i2_prev_slice_mbx = ps_dec->u2_mbx;
ps_dec->i2_prev_slice_mby = ps_dec->u2_mby;
diff --git a/decoder/ih264d_sei.c b/decoder/ih264d_sei.c
index 800f2c9..098a1f3 100644
--- a/decoder/ih264d_sei.c
+++ b/decoder/ih264d_sei.c
@@ -336,7 +336,7 @@
ui4_payload_type = 0;
u4_bits = ih264d_get_bits_h264(ps_bitstrm, 8);
- while(0xff == u4_bits)
+ while(0xff == u4_bits && !EXCEED_OFFSET(ps_bitstrm))
{
u4_bits = ih264d_get_bits_h264(ps_bitstrm, 8);
ui4_payload_type += 255;
@@ -345,7 +345,7 @@
ui4_payload_size = 0;
u4_bits = ih264d_get_bits_h264(ps_bitstrm, 8);
- while(0xff == u4_bits)
+ while(0xff == u4_bits && !EXCEED_OFFSET(ps_bitstrm))
{
u4_bits = ih264d_get_bits_h264(ps_bitstrm, 8);
ui4_payload_size += 255;
@@ -370,7 +370,8 @@
{
H264_DEC_DEBUG_PRINT("\nError in parsing SEI message");
}
- while(0 == ih264d_check_byte_aligned(ps_bitstrm))
+ while(0 == ih264d_check_byte_aligned(ps_bitstrm)
+ && !EXCEED_OFFSET(ps_bitstrm))
{
u4_bits = ih264d_get_bit_h264(ps_bitstrm);
if(u4_bits)
diff --git a/decoder/ih264d_structs.h b/decoder/ih264d_structs.h
index 6958a0c..706fe9d 100644
--- a/decoder/ih264d_structs.h
+++ b/decoder/ih264d_structs.h
@@ -968,6 +968,7 @@
/* Variables for Decode Buffer Management */
dpb_manager_t *ps_dpb_mgr;
dpb_commands_t *ps_dpb_cmds;
+ dpb_commands_t s_dpb_cmds_scratch;
/* Variables Required for N MB design */
dec_mb_info_t *ps_nmb_info;
