commit 7dcf82ada45d3dfb6e0d77a066c619bb3a411238
author Harish Mahendrakar <harish.mahendrakar@ittiam.com> Thu Dec 19 14:37:45 2019 -0800
committer Ray Essick <essick@google.com> Tue Feb 11 16:23:38 2020 -0800
tree 633f17b121edc68a6e8ba1455e35ecc31f2fb20d
parent 75d1ac1026539f82a299ef6cea2b59150098ddbb

decoder: Fix integer overflow while parsing num_long_term_pics

Bug: 143826590
Test: poc in bug
Change-Id: I190a8e27a400f686cba88edd5c8721404e53b9cb

decoder/ihevcd_parse_slice_header.c

diff --git a/decoder/ihevcd_parse_slice_header.c b/decoder/ihevcd_parse_slice_header.c
index c161fc4..46f2f5f 100644
--- a/decoder/ihevcd_parse_slice_header.c
+++ b/decoder/ihevcd_parse_slice_header.c
@@ -471,7 +471,8 @@
                     ps_slice_hdr->i1_num_long_term_sps = value;
                 }
                 UEV_PARSE("num_long_term_pics", value, ps_bitstrm);
-                if((value + ps_slice_hdr->i1_num_long_term_sps + num_neg_pics + num_pos_pics) > (MAX_DPB_SIZE - 1))
+                if(((ULWORD64)value + ps_slice_hdr->i1_num_long_term_sps + num_neg_pics +
+                    num_pos_pics) > (MAX_DPB_SIZE - 1))
                 {
                     return IHEVCD_INVALID_PARAMETER;
                 }
@@ -487,6 +488,10 @@
                         {
                             WORD32 num_bits = 32 - CLZ(ps_sps->i1_num_long_term_ref_pics_sps - 1);
                             BITS_PARSE("lt_idx_sps[ i ]", value, ps_bitstrm, num_bits);
+                            if(value >= ps_sps->i1_num_long_term_ref_pics_sps)
+                            {
+                                return IHEVCD_INVALID_PARAMETER;
+                            }
                         }
                         else
                         {