commit 8446343c58609392722bc1dfb698f390d23886a2
author Harish Mahendrakar <harish.mahendrakar@ittiam.com> Fri Sep 18 15:15:50 2015 +0530
committer The Android Automerger <android-build@google.com> Tue Oct 27 15:22:04 2015 -0700
tree 57f87becbda361e56898a18e0941b2e0be21aa58
parent f2be91980e5c9eca7563266ba0b0411134d03d87

Return error in SPS/PPS parsing when extra bytes are read from input

Bug: 24157524

Change-Id: I4b319ef8e23e1ba5f84f52b92f40ba7fb1429101

decoder/ih264d_parse_headers.c

diff --git a/decoder/ih264d_parse_headers.c b/decoder/ih264d_parse_headers.c
index 35c3a16..21ebfa8 100644
--- a/decoder/ih264d_parse_headers.c
+++ b/decoder/ih264d_parse_headers.c
@@ -368,6 +368,12 @@
             return ERROR_INV_RANGE_QP_T;
     }
 
+    /* In case bitstream read has exceeded the filled size, then
+       return an error */
+    if(ps_bitstrm->u4_ofst > ps_bitstrm->u4_max_ofst + 8)
+    {
+        return ERROR_INV_SPS_PPS_T;
+    }
     ps_pps->u1_is_valid = TRUE;
     ps_dec->ps_pps[ps_pps->u1_pic_parameter_set_id] = *ps_pps;
     return OK;
@@ -937,8 +943,6 @@
 
     }
 
-    ps_seq->u1_is_valid = TRUE;
-
     if(1 == ps_seq->u1_vui_parameters_present_flag)
     {
         ret = ih264d_parse_vui_parametres(&ps_seq->s_vui, ps_bitstrm);
@@ -1002,6 +1006,13 @@
     ps_dec->u2_crop_offset_y = u2_crop_offset_y;
     ps_dec->u2_crop_offset_uv = u2_crop_offset_uv;
 
+    /* In case bitstream read has exceeded the filled size, then
+       return an error */
+    if(ps_bitstrm->u4_ofst > ps_bitstrm->u4_max_ofst)
+    {
+        return ERROR_INV_SPS_PPS_T;
+    }
+    ps_seq->u1_is_valid = TRUE;
     ps_dec->ps_sps[u1_seq_parameter_set_id] = *ps_seq;
 
     return OK;