Check Number of Skip MBs
Adding check to make sure the number of skip MBs do not exceed the total
number of MBs left to decode.
Bug: 34231163
Change-Id: I62ceffdafcbc0c6d580f6ae1b5b9ab0708a7134f
(cherry picked from commit f217b853e7527552290bd047381338f934bccdd6)
diff --git a/decoder/impeg2d_pnb_pic.c b/decoder/impeg2d_pnb_pic.c
index a6c2351..5540044 100644
--- a/decoder/impeg2d_pnb_pic.c
+++ b/decoder/impeg2d_pnb_pic.c
@@ -106,6 +106,14 @@
u2_mb_addr_incr = ps_dec->u2_num_horiz_mb - ps_dec->u2_mb_x;
}
+ if ((u2_mb_addr_incr - 1) > ps_dec->u2_num_mbs_left)
+ {
+ /* If the number of skip MBs are more than the number of MBs
+ * left, indicate error.
+ */
+ return IV_FAIL;
+ }
+
impeg2d_dec_skip_mbs(ps_dec, (UWORD16)(u2_mb_addr_incr - 1));
}
@@ -297,6 +305,13 @@
u2_mb_addr_incr = ps_dec->u2_num_horiz_mb - ps_dec->u2_mb_x;
}
+ if ((u2_mb_addr_incr - 1) > ps_dec->u2_num_mbs_left)
+ {
+ /* If the number of skip MBs are more than the number of MBs
+ * left, indicate error.
+ */
+ return IV_FAIL;
+ }
impeg2d_dec_skip_mbs(ps_dec, (UWORD16)(u2_mb_addr_incr - 1));
}
@@ -488,7 +503,6 @@
IMPEG2D_TRACE_MB_START(ps_dec->u2_mb_x, ps_dec->u2_mb_y);
-
if(ps_dec->e_pic_type == B_PIC)
ret = impeg2d_dec_pnb_mb_params(ps_dec);
else
@@ -687,7 +701,6 @@
}
}
-
ps_dec->u2_num_mbs_left--;
ps_dec->u2_first_mb = 0;
ps_dec->u2_mb_x++;