decoder: Fix integer overflow while parsing num_long_term_pics
Bug: 143826590
Test: poc in bug
Change-Id: I190a8e27a400f686cba88edd5c8721404e53b9cb
diff --git a/decoder/ihevcd_parse_slice_header.c b/decoder/ihevcd_parse_slice_header.c
index c161fc4..46f2f5f 100644
--- a/decoder/ihevcd_parse_slice_header.c
+++ b/decoder/ihevcd_parse_slice_header.c
@@ -471,7 +471,8 @@
ps_slice_hdr->i1_num_long_term_sps = value;
}
UEV_PARSE("num_long_term_pics", value, ps_bitstrm);
- if((value + ps_slice_hdr->i1_num_long_term_sps + num_neg_pics + num_pos_pics) > (MAX_DPB_SIZE - 1))
+ if(((ULWORD64)value + ps_slice_hdr->i1_num_long_term_sps + num_neg_pics +
+ num_pos_pics) > (MAX_DPB_SIZE - 1))
{
return IHEVCD_INVALID_PARAMETER;
}
@@ -487,6 +488,10 @@
{
WORD32 num_bits = 32 - CLZ(ps_sps->i1_num_long_term_ref_pics_sps - 1);
BITS_PARSE("lt_idx_sps[ i ]", value, ps_bitstrm, num_bits);
+ if(value >= ps_sps->i1_num_long_term_ref_pics_sps)
+ {
+ return IHEVCD_INVALID_PARAMETER;
+ }
}
else
{