DoS error - Bitstream Overflow
The decoder could go into an infinite loop if there was an error
encountered after the bitstream buffer had been exhausted. Adding a check
for the same.
Bug: 63316255
Test: re-ran POC after patching
Change-Id: Iebef469ef663781b741889a055a70f261915b23a
(cherry picked from commit d1a1d7b88203a240488633e3a9b4cde231c3c4e3)
diff --git a/decoder/impeg2d_dec_hdr.c b/decoder/impeg2d_dec_hdr.c
index 5fe795e..84a58bf 100644
--- a/decoder/impeg2d_dec_hdr.c
+++ b/decoder/impeg2d_dec_hdr.c
@@ -978,6 +978,11 @@
if ((IMPEG2D_ERROR_CODES_T)IVD_ERROR_NONE != e_error)
{
impeg2d_next_start_code(ps_dec);
+ if(ps_dec->s_bit_stream.u4_offset >= ps_dec->s_bit_stream.u4_max_offset)
+ {
+ ps_dec->u4_error_code = IMPEG2D_BITSTREAM_BUFF_EXCEEDED_ERR;
+ return;
+ }
}
}
@@ -1364,8 +1369,6 @@
WORD32 i;
dec_state_multi_core_t *ps_dec_state_multi_core;
- UWORD32 u4_error_code;
-
dec_state_t *ps_dec_thd;
WORD32 i4_status;
WORD32 i4_min_mb_y;
@@ -1373,7 +1376,6 @@
/* Resetting the MB address and MB coordinates at the start of the Frame */
ps_dec->u2_mb_x = ps_dec->u2_mb_y = 0;
- u4_error_code = 0;
ps_dec_state_multi_core = ps_dec->ps_dec_state_multi_core;
impeg2d_get_slice_pos(ps_dec_state_multi_core);
@@ -1417,8 +1419,6 @@
}
}
- ps_dec->u4_error_code = u4_error_code;
-
}
/*******************************************************************************
*