Merge cherrypicks of [2310999, 2310925, 2310891, 2311000, 2310892, 2310858, 2310986, 2310963, 2311043, 2310928, 2311044, 2310990, 2311022, 2311023, 2310917, 2310994, 2311024, 2311045, 2310967, 2310995, 2311003, 2311059, 2311025, 2311060, 2310953, 2311061, 2311004, 2311046, 2311005, 2311047, 2311006, 2311079, 2310954, 2311026, 2310896, 2310898, 2310997, 2311062, 2310955, 2311029, 2310998, 2311080, 2311119, 2311030, 2310933, 2311140, 2311063, 2310934, 2311049, 2311050, 2311084, 2311031, 2311145, 2311164] into nyc-mr2-security-c-release
Change-Id: I9b83449ad14a5f2e347c40eafcb75a06fff4768a
diff --git a/decoder/ihevcd_parse_headers.c b/decoder/ihevcd_parse_headers.c
index b560a39..c0f1564 100644
--- a/decoder/ihevcd_parse_headers.c
+++ b/decoder/ihevcd_parse_headers.c
@@ -644,6 +644,9 @@
if(!ps_hrd->au1_low_delay_hrd_flag[i])
UEV_PARSE("cpb_cnt_minus1[ i ]", ps_hrd->au1_cpb_cnt_minus1[i], ps_bitstrm);
+ if(ps_hrd->au1_cpb_cnt_minus1[i] >= (MAX_CPB_CNT - 1))
+ return IHEVCD_INVALID_PARAMETER;
+
if(ps_hrd->u1_nal_hrd_parameters_present_flag)
ihevcd_parse_sub_layer_hrd_parameters(ps_bitstrm,
&ps_hrd->as_sub_layer_hrd_params[i],
@@ -744,7 +747,10 @@
BITS_PARSE("vui_hrd_parameters_present_flag", ps_vui->u1_vui_hrd_parameters_present_flag, ps_bitstrm, 1);
if(ps_vui->u1_vui_hrd_parameters_present_flag)
- ihevcd_parse_hrd_parameters(ps_bitstrm, &ps_vui->s_vui_hrd_parameters, 1, sps_max_sub_layers_minus1);
+ {
+ ret = ihevcd_parse_hrd_parameters(ps_bitstrm, &ps_vui->s_vui_hrd_parameters, 1, sps_max_sub_layers_minus1);
+ RETURN_IF((ret != (IHEVCD_ERROR_T)IHEVCD_SUCCESS), ret);
+ }
}
BITS_PARSE("bitstream_restriction_flag", ps_vui->u1_bitstream_restriction_flag, ps_bitstrm, 1);
@@ -1224,6 +1230,12 @@
ps_sps = (ps_codec->s_parse.ps_sps_base + MAX_SPS_CNT - 1);
+ /* Reset SPS to zero */
+ {
+ WORD16 *pi2_scaling_mat = ps_sps->pi2_scaling_mat;
+ memset(ps_sps, 0, sizeof(sps_t));
+ ps_sps->pi2_scaling_mat = pi2_scaling_mat;
+ }
ps_sps->i1_sps_id = sps_id;
ps_sps->i1_vps_id = vps_id;
ps_sps->i1_sps_max_sub_layers = sps_max_sub_layers;
@@ -1330,6 +1342,35 @@
UEV_PARSE("max_latency_increase", value, ps_bitstrm);
ps_sps->ai1_sps_max_latency_increase[i] = value;
}
+
+ /* Check if sps_max_dec_pic_buffering or sps_max_num_reorder_pics
+ has changed */
+ if(0 != ps_codec->u4_allocate_dynamic_done)
+ {
+ sps_t *ps_sps_old = ps_codec->s_parse.ps_sps;
+ if(ps_sps_old->ai1_sps_max_dec_pic_buffering[ps_sps_old->i1_sps_max_sub_layers - 1] !=
+ ps_sps->ai1_sps_max_dec_pic_buffering[ps_sps->i1_sps_max_sub_layers - 1])
+ {
+ if(0 == ps_codec->i4_first_pic_done)
+ {
+ return IHEVCD_INVALID_PARAMETER;
+ }
+ ps_codec->i4_reset_flag = 1;
+ return (IHEVCD_ERROR_T)IVD_RES_CHANGED;
+ }
+
+ if(ps_sps_old->ai1_sps_max_num_reorder_pics[ps_sps_old->i1_sps_max_sub_layers - 1] !=
+ ps_sps->ai1_sps_max_num_reorder_pics[ps_sps->i1_sps_max_sub_layers - 1])
+ {
+ if(0 == ps_codec->i4_first_pic_done)
+ {
+ return IHEVCD_INVALID_PARAMETER;
+ }
+ ps_codec->i4_reset_flag = 1;
+ return (IHEVCD_ERROR_T)IVD_RES_CHANGED;
+ }
+ }
+
UEV_PARSE("log2_min_coding_block_size_minus3", value, ps_bitstrm);
ps_sps->i1_log2_min_coding_block_size = value + 3;
@@ -1456,9 +1497,12 @@
ps_sps->i1_vui_parameters_present_flag = value;
if(ps_sps->i1_vui_parameters_present_flag)
- ihevcd_parse_vui_parameters(ps_bitstrm,
- &ps_sps->s_vui_parameters,
- ps_sps->i1_sps_max_sub_layers - 1);
+ {
+ ret = ihevcd_parse_vui_parameters(ps_bitstrm,
+ &ps_sps->s_vui_parameters,
+ ps_sps->i1_sps_max_sub_layers - 1);
+ RETURN_IF((ret != (IHEVCD_ERROR_T)IHEVCD_SUCCESS), ret);
+ }
BITS_PARSE("sps_extension_flag", value, ps_bitstrm, 1);
@@ -1495,10 +1539,14 @@
ps_sps->i2_pic_ht_in_min_cb = numerator /
(1 << ps_sps->i1_log2_min_coding_block_size);
}
- if((0 != ps_codec->i4_first_pic_done) &&
+ if((0 != ps_codec->u4_allocate_dynamic_done) &&
((ps_codec->i4_wd != ps_sps->i2_pic_width_in_luma_samples) ||
(ps_codec->i4_ht != ps_sps->i2_pic_height_in_luma_samples)))
{
+ if(0 == ps_codec->i4_first_pic_done)
+ {
+ return IHEVCD_INVALID_PARAMETER;
+ }
ps_codec->i4_reset_flag = 1;
return (IHEVCD_ERROR_T)IVD_RES_CHANGED;
}
@@ -1926,6 +1974,9 @@
/* Not present in HM */
BITS_PARSE("pps_extension_flag", value, ps_bitstrm, 1);
+ if((UWORD8 *)ps_bitstrm->pu4_buf > ps_bitstrm->pu1_buf_max)
+ return IHEVCD_INVALID_PARAMETER;
+
ps_codec->i4_pps_done = 1;
return ret;
}
diff --git a/decoder/ihevcd_parse_slice_header.c b/decoder/ihevcd_parse_slice_header.c
index 62ad6c8..e1b50b7 100644
--- a/decoder/ihevcd_parse_slice_header.c
+++ b/decoder/ihevcd_parse_slice_header.c
@@ -257,10 +257,11 @@
{
pps_t *ps_pps_ref = ps_codec->ps_pps_base;
while(0 == ps_pps_ref->i1_pps_valid)
+ {
ps_pps_ref++;
-
- if((ps_pps_ref - ps_codec->ps_pps_base >= MAX_PPS_CNT - 1))
- return IHEVCD_INVALID_HEADER;
+ if((ps_pps_ref - ps_codec->ps_pps_base >= MAX_PPS_CNT - 1))
+ return IHEVCD_INVALID_HEADER;
+ }
ihevcd_copy_pps(ps_codec, pps_id, ps_pps_ref->i1_pps_id);
}
@@ -862,6 +863,9 @@
ihevcd_bits_flush_to_byte_boundary(ps_bitstrm);
+ if((UWORD8 *)ps_bitstrm->pu4_buf > ps_bitstrm->pu1_buf_max)
+ return IHEVCD_INVALID_PARAMETER;
+
{
dpb_mgr_t *ps_dpb_mgr = (dpb_mgr_t *)ps_codec->pv_dpb_mgr;
WORD32 r_idx;
