Check for buffer overflow in pps/slice header parsing Bug: 36215950 Bug: 36215953 Bug: 36216719 Change-Id: Ibdc05e1d5aa21d060d7c683fd9af4bed8537053f (cherry picked from commit d61d5e5f6aa0e5f80b8ae793aca4a4085d015c06)

commit: 55ffcfb67ff66fa66d2406ecff5102ae73cfbaea [log] [tgz]
author: Naveen Kumar P <naveenkumar.p@ittiam.com> Fri Mar 31 16:45:38 2017 +0530
committer: android-build-team Robot <android-build-team-robot@google.com> Wed Sep 13 20:21:36 2017 +0000
tree: 3da3614ffad3fbf13b082ecd9c87f083ebc3a25f
parent: 6076ba9a8b68bef2842b37552ceb8fbbd86db78a [diff]
diff --git a/decoder/ihevcd_parse_headers.c b/decoder/ihevcd_parse_headers.c
index a504778..d78b950 100644
--- a/decoder/ihevcd_parse_headers.c
+++ b/decoder/ihevcd_parse_headers.c

@@ -1972,6 +1972,9 @@
     /* Not present in HM */
     BITS_PARSE("pps_extension_flag", value, ps_bitstrm, 1);
 
+    if((UWORD8 *)ps_bitstrm->pu4_buf > ps_bitstrm->pu1_buf_max)
+        return IHEVCD_INVALID_PARAMETER;
+
     ps_codec->i4_pps_done = 1;
     return ret;
 }

diff --git a/decoder/ihevcd_parse_slice_header.c b/decoder/ihevcd_parse_slice_header.c
index 62ad6c8..a68db25 100644
--- a/decoder/ihevcd_parse_slice_header.c
+++ b/decoder/ihevcd_parse_slice_header.c

@@ -862,6 +862,9 @@
 
     ihevcd_bits_flush_to_byte_boundary(ps_bitstrm);
 
+    if((UWORD8 *)ps_bitstrm->pu4_buf > ps_bitstrm->pu1_buf_max)
+        return IHEVCD_INVALID_PARAMETER;
+
     {
         dpb_mgr_t *ps_dpb_mgr = (dpb_mgr_t *)ps_codec->pv_dpb_mgr;
         WORD32 r_idx;
commit	55ffcfb67ff66fa66d2406ecff5102ae73cfbaea	[log] [tgz]
author	Naveen Kumar P <naveenkumar.p@ittiam.com>	Fri Mar 31 16:45:38 2017 +0530
committer	android-build-team Robot <android-build-team-robot@google.com>	Wed Sep 13 20:21:36 2017 +0000
tree	3da3614ffad3fbf13b082ecd9c87f083ebc3a25f
parent	6076ba9a8b68bef2842b37552ceb8fbbd86db78a [diff]