Merge cherrypicks of [2315914, 2315916, 2315837, 2315963, 2315918, 2315814, 2315983, 2315964, 2316107, 2316086, 2316109, 2315977, 2316145, 2316016, 2316110, 2316221, 2316088, 2316210, 2316242, 2316222, 2316075, 2316076, 2316077, 2316089, 2316243, 2316183, 2316078, 2316112, 2316211, 2316149, 2316113, 2316212, 2316151, 2316215, 2316131, 2316115, 2316245, 2316216, 2316116, 2316217, 2316279, 2316186, 2316187, 2316246, 2316247, 2316249, 2316218, 2316092, 2316094, 2316323, 2316360, 2316379] into nyc-mr1-security-a-release
Change-Id: I4284c2d4967ab8a0980ae3d50e1a7af60216c789
diff --git a/decoder/ihevcd_parse_headers.c b/decoder/ihevcd_parse_headers.c
index b560a39..c0f1564 100644
--- a/decoder/ihevcd_parse_headers.c
+++ b/decoder/ihevcd_parse_headers.c
@@ -644,6 +644,9 @@
if(!ps_hrd->au1_low_delay_hrd_flag[i])
UEV_PARSE("cpb_cnt_minus1[ i ]", ps_hrd->au1_cpb_cnt_minus1[i], ps_bitstrm);
+ if(ps_hrd->au1_cpb_cnt_minus1[i] >= (MAX_CPB_CNT - 1))
+ return IHEVCD_INVALID_PARAMETER;
+
if(ps_hrd->u1_nal_hrd_parameters_present_flag)
ihevcd_parse_sub_layer_hrd_parameters(ps_bitstrm,
&ps_hrd->as_sub_layer_hrd_params[i],
@@ -744,7 +747,10 @@
BITS_PARSE("vui_hrd_parameters_present_flag", ps_vui->u1_vui_hrd_parameters_present_flag, ps_bitstrm, 1);
if(ps_vui->u1_vui_hrd_parameters_present_flag)
- ihevcd_parse_hrd_parameters(ps_bitstrm, &ps_vui->s_vui_hrd_parameters, 1, sps_max_sub_layers_minus1);
+ {
+ ret = ihevcd_parse_hrd_parameters(ps_bitstrm, &ps_vui->s_vui_hrd_parameters, 1, sps_max_sub_layers_minus1);
+ RETURN_IF((ret != (IHEVCD_ERROR_T)IHEVCD_SUCCESS), ret);
+ }
}
BITS_PARSE("bitstream_restriction_flag", ps_vui->u1_bitstream_restriction_flag, ps_bitstrm, 1);
@@ -1224,6 +1230,12 @@
ps_sps = (ps_codec->s_parse.ps_sps_base + MAX_SPS_CNT - 1);
+ /* Reset SPS to zero */
+ {
+ WORD16 *pi2_scaling_mat = ps_sps->pi2_scaling_mat;
+ memset(ps_sps, 0, sizeof(sps_t));
+ ps_sps->pi2_scaling_mat = pi2_scaling_mat;
+ }
ps_sps->i1_sps_id = sps_id;
ps_sps->i1_vps_id = vps_id;
ps_sps->i1_sps_max_sub_layers = sps_max_sub_layers;
@@ -1330,6 +1342,35 @@
UEV_PARSE("max_latency_increase", value, ps_bitstrm);
ps_sps->ai1_sps_max_latency_increase[i] = value;
}
+
+ /* Check if sps_max_dec_pic_buffering or sps_max_num_reorder_pics
+ has changed */
+ if(0 != ps_codec->u4_allocate_dynamic_done)
+ {
+ sps_t *ps_sps_old = ps_codec->s_parse.ps_sps;
+ if(ps_sps_old->ai1_sps_max_dec_pic_buffering[ps_sps_old->i1_sps_max_sub_layers - 1] !=
+ ps_sps->ai1_sps_max_dec_pic_buffering[ps_sps->i1_sps_max_sub_layers - 1])
+ {
+ if(0 == ps_codec->i4_first_pic_done)
+ {
+ return IHEVCD_INVALID_PARAMETER;
+ }
+ ps_codec->i4_reset_flag = 1;
+ return (IHEVCD_ERROR_T)IVD_RES_CHANGED;
+ }
+
+ if(ps_sps_old->ai1_sps_max_num_reorder_pics[ps_sps_old->i1_sps_max_sub_layers - 1] !=
+ ps_sps->ai1_sps_max_num_reorder_pics[ps_sps->i1_sps_max_sub_layers - 1])
+ {
+ if(0 == ps_codec->i4_first_pic_done)
+ {
+ return IHEVCD_INVALID_PARAMETER;
+ }
+ ps_codec->i4_reset_flag = 1;
+ return (IHEVCD_ERROR_T)IVD_RES_CHANGED;
+ }
+ }
+
UEV_PARSE("log2_min_coding_block_size_minus3", value, ps_bitstrm);
ps_sps->i1_log2_min_coding_block_size = value + 3;
@@ -1456,9 +1497,12 @@
ps_sps->i1_vui_parameters_present_flag = value;
if(ps_sps->i1_vui_parameters_present_flag)
- ihevcd_parse_vui_parameters(ps_bitstrm,
- &ps_sps->s_vui_parameters,
- ps_sps->i1_sps_max_sub_layers - 1);
+ {
+ ret = ihevcd_parse_vui_parameters(ps_bitstrm,
+ &ps_sps->s_vui_parameters,
+ ps_sps->i1_sps_max_sub_layers - 1);
+ RETURN_IF((ret != (IHEVCD_ERROR_T)IHEVCD_SUCCESS), ret);
+ }
BITS_PARSE("sps_extension_flag", value, ps_bitstrm, 1);
@@ -1495,10 +1539,14 @@
ps_sps->i2_pic_ht_in_min_cb = numerator /
(1 << ps_sps->i1_log2_min_coding_block_size);
}
- if((0 != ps_codec->i4_first_pic_done) &&
+ if((0 != ps_codec->u4_allocate_dynamic_done) &&
((ps_codec->i4_wd != ps_sps->i2_pic_width_in_luma_samples) ||
(ps_codec->i4_ht != ps_sps->i2_pic_height_in_luma_samples)))
{
+ if(0 == ps_codec->i4_first_pic_done)
+ {
+ return IHEVCD_INVALID_PARAMETER;
+ }
ps_codec->i4_reset_flag = 1;
return (IHEVCD_ERROR_T)IVD_RES_CHANGED;
}
@@ -1926,6 +1974,9 @@
/* Not present in HM */
BITS_PARSE("pps_extension_flag", value, ps_bitstrm, 1);
+ if((UWORD8 *)ps_bitstrm->pu4_buf > ps_bitstrm->pu1_buf_max)
+ return IHEVCD_INVALID_PARAMETER;
+
ps_codec->i4_pps_done = 1;
return ret;
}
diff --git a/decoder/ihevcd_parse_slice_header.c b/decoder/ihevcd_parse_slice_header.c
index 62ad6c8..e1b50b7 100644
--- a/decoder/ihevcd_parse_slice_header.c
+++ b/decoder/ihevcd_parse_slice_header.c
@@ -257,10 +257,11 @@
{
pps_t *ps_pps_ref = ps_codec->ps_pps_base;
while(0 == ps_pps_ref->i1_pps_valid)
+ {
ps_pps_ref++;
-
- if((ps_pps_ref - ps_codec->ps_pps_base >= MAX_PPS_CNT - 1))
- return IHEVCD_INVALID_HEADER;
+ if((ps_pps_ref - ps_codec->ps_pps_base >= MAX_PPS_CNT - 1))
+ return IHEVCD_INVALID_HEADER;
+ }
ihevcd_copy_pps(ps_codec, pps_id, ps_pps_ref->i1_pps_id);
}
@@ -862,6 +863,9 @@
ihevcd_bits_flush_to_byte_boundary(ps_bitstrm);
+ if((UWORD8 *)ps_bitstrm->pu4_buf > ps_bitstrm->pu1_buf_max)
+ return IHEVCD_INVALID_PARAMETER;
+
{
dpb_mgr_t *ps_dpb_mgr = (dpb_mgr_t *)ps_codec->pv_dpb_mgr;
WORD32 r_idx;
