Error Check for VLD Symbols Read
The maximum number of lead zeros in a VLD symbol (17 bits long) is 11.
Bug: 34093073
Change-Id: Ifd3f64a3a5199d6e4c33ca65449fc396cfb2f3fc
(cherry picked from commit 75e0ad5127752ce37e3fc78a156652e5da435f14)
(cherry picked from commit 227c1f829127405e21dab1664393050c652ef71e)
diff --git a/decoder/impeg2d_vld.c b/decoder/impeg2d_vld.c
index 459548b..12bb617 100644
--- a/decoder/impeg2d_vld.c
+++ b/decoder/impeg2d_vld.c
@@ -638,6 +638,15 @@
u4_sym_len = 17;
IBITS_NXT(u4_buf,u4_buf_nxt,u4_offset,u4_bits,u4_sym_len)
+ /* There cannot be more than 11 leading zeros in the decoded
+ * symbol. The symbol is only 17 bits long, so we subtract 15.
+ */
+ lead_zeros = CLZ(u4_bits) - 15;
+ if (lead_zeros > 11)
+ {
+ return IMPEG2D_MB_DATA_DECODE_ERR;
+ }
+
DecodedValue = gau2_impeg2d_tab_one_1_9[u4_bits >> 8];
u4_sym_len = (DecodedValue & 0xf);
u4_level = DecodedValue >> 9;
@@ -809,6 +818,14 @@
u4_sym_len = 17;
IBITS_NXT(u4_buf, u4_buf_nxt, u4_offset, u4_bits, u4_sym_len)
+ /* There cannot be more than 11 leading zeros in the decoded
+ * symbol. The symbol is only 17 bits long, so we subtract 15.
+ */
+ lead_zeros = CLZ(u4_bits) - 15;
+ if (lead_zeros > 11)
+ {
+ return IMPEG2D_MB_DATA_DECODE_ERR;
+ }
DecodedValue = gau2_impeg2d_tab_zero_1_9[u4_bits >> 8];
u4_sym_len = BITS(DecodedValue, 3, 0);