release-request-224b654d-e3ad-4f05-a95d-d10d1516b3f6-for-git_oc-release-4075622 snap-temp-L17600000071371496

Change-Id: I0f57b414d69bb794fc12d61521dda02a12fb6b50
diff --git a/decoder/impeg2d_dec_hdr.c b/decoder/impeg2d_dec_hdr.c
index c8fa447..19de4c8 100644
--- a/decoder/impeg2d_dec_hdr.c
+++ b/decoder/impeg2d_dec_hdr.c
@@ -717,11 +717,12 @@
 *  Arguments       :
 *  dec             : Decoder context
 *
-*  Values Returned : None
+*  Values Returned : Error
 *******************************************************************************/
-void impeg2d_dec_pic_coding_ext(dec_state_t *ps_dec)
+IMPEG2D_ERROR_CODES_T impeg2d_dec_pic_coding_ext(dec_state_t *ps_dec)
 {
     stream_t *ps_stream;
+    IMPEG2D_ERROR_CODES_T e_error = (IMPEG2D_ERROR_CODES_T) IV_SUCCESS;
 
     ps_stream = &ps_dec->s_bit_stream;
     impeg2d_bit_stream_flush(ps_stream,START_CODE_LEN);
@@ -734,6 +735,11 @@
     ps_dec->au2_f_code[1][1]             = impeg2d_bit_stream_get(ps_stream,4);
     ps_dec->u2_intra_dc_precision        = impeg2d_bit_stream_get(ps_stream,2);
     ps_dec->u2_picture_structure            = impeg2d_bit_stream_get(ps_stream,2);
+    if (ps_dec->u2_picture_structure < TOP_FIELD ||
+                    ps_dec->u2_picture_structure > FRAME_PICTURE)
+    {
+        return IMPEG2D_FRM_HDR_DECODE_ERR;
+    }
     ps_dec->u2_top_field_first              = impeg2d_bit_stream_get_bit(ps_stream);
     ps_dec->u2_frame_pred_frame_dct         = impeg2d_bit_stream_get_bit(ps_stream);
     ps_dec->u2_concealment_motion_vectors   = impeg2d_bit_stream_get_bit(ps_stream);
@@ -761,6 +767,7 @@
     {
         ps_dec->pu1_inv_scan_matrix = (UWORD8 *)gau1_impeg2_inv_scan_zig_zag;
     }
+    return e_error;
 }
 
 /*******************************************************************************
@@ -811,6 +818,12 @@
     {
         ps_dec->u2_mb_y    = u4_slice_vertical_position;
         ps_dec->u2_mb_x    = 0;
+
+        /* Update the number of MBs left, since we have probably missed a slice
+         * (that's why we see a mismatch between u2_mb_y and current position).
+         */
+        ps_dec->u2_num_mbs_left = (ps_dec->u2_num_vert_mb - ps_dec->u2_mb_y)
+                        * ps_dec->u2_num_horiz_mb;
     }
     ps_dec->u2_first_mb = 1;
 
@@ -1724,7 +1737,11 @@
                 {
                     return e_error;
                 }
-                impeg2d_dec_pic_coding_ext(ps_dec);
+                e_error = impeg2d_dec_pic_coding_ext(ps_dec);
+                if ((IMPEG2D_ERROR_CODES_T)IVD_ERROR_NONE != e_error)
+                {
+                    return e_error;
+                }
                 e_error = impeg2d_dec_pic_ext_data(ps_dec);
                 if ((IMPEG2D_ERROR_CODES_T)IVD_ERROR_NONE != e_error)
                 {
diff --git a/decoder/impeg2d_vld.c b/decoder/impeg2d_vld.c
index 12bb617..80ee403 100644
--- a/decoder/impeg2d_vld.c
+++ b/decoder/impeg2d_vld.c
@@ -655,7 +655,11 @@
                 {
                     u4_run = ((DecodedValue >> 4) & 0x1f);
                     u4_numCoeffs       += u4_run;
-                    u4_pos             = pu1_scan[u4_numCoeffs++ & 63];
+                    if (u4_numCoeffs >= NUM_COEFFS)
+                    {
+                        return IMPEG2D_MB_TEX_DECODE_ERR;
+                    }
+                    u4_pos             = pu1_scan[u4_numCoeffs++];
                     pu1_pos[*pi4_num_coeffs]    = u4_pos;
 
                     FLUSH_BITS(u4_offset,u4_buf,u4_buf_nxt,u4_sym_len,pu4_buf_aligned)
@@ -701,7 +705,11 @@
                             u4_level = ((WORD16) DecodedValue) >> 9;
 
                             u4_numCoeffs       += u4_run;
-                            u4_pos             = pu1_scan[u4_numCoeffs++ & 63];
+                            if (u4_numCoeffs >= NUM_COEFFS)
+                            {
+                                return IMPEG2D_MB_TEX_DECODE_ERR;
+                            }
+                            u4_pos             = pu1_scan[u4_numCoeffs++];
                             pu1_pos[*pi4_num_coeffs]    = u4_pos;
                             pi2_outAddr[*pi4_num_coeffs]    = u4_level;
                             (*pi4_num_coeffs)++;
@@ -722,7 +730,11 @@
                                 u4_level = (u4_level - ((u4_level & 0x0800) << 1));
 
                             u4_numCoeffs       += u4_run;
-                            u4_pos             = pu1_scan[u4_numCoeffs++ & 63];
+                            if (u4_numCoeffs >= NUM_COEFFS)
+                            {
+                                return IMPEG2D_MB_TEX_DECODE_ERR;
+                            }
+                            u4_pos             = pu1_scan[u4_numCoeffs++];
                             pu1_pos[*pi4_num_coeffs]    = u4_pos;
                             pi2_outAddr[*pi4_num_coeffs]    = u4_level;
                             (*pi4_num_coeffs)++;
@@ -785,8 +797,12 @@
                                 u4_level = (u4_level - (u4_level_first_byte << 1));
                             }
                             u4_numCoeffs += u4_run;
+                            if (u4_numCoeffs >= NUM_COEFFS)
+                            {
+                                return IMPEG2D_MB_TEX_DECODE_ERR;
+                            }
 
-                            u4_pos = pu1_scan[u4_numCoeffs++ & 63];
+                            u4_pos = pu1_scan[u4_numCoeffs++];
 
                             pu1_pos[*pi4_num_coeffs]    = u4_pos;
                             pi2_outAddr[*pi4_num_coeffs]    = u4_level;
@@ -798,11 +814,6 @@
                 u4_nz_cols |= 1 << (u4_pos & 0x7);
                 u4_nz_rows |= 1 << (u4_pos >> 0x3);
 
-                if (u4_numCoeffs > 64)
-                {
-                    return IMPEG2D_MB_TEX_DECODE_ERR;
-                }
-
             }
             IBITS_GET(u4_buf,u4_buf_nxt,u4_offset,u4_bits,pu4_buf_aligned,u4_sym_len)
         }
@@ -836,8 +847,12 @@
                     u4_run = BITS(DecodedValue, 8,4);
 
                     u4_numCoeffs       += u4_run;
+                    if (u4_numCoeffs >= NUM_COEFFS)
+                    {
+                        return IMPEG2D_MB_TEX_DECODE_ERR;
+                    }
 
-                    u4_pos                 = pu1_scan[u4_numCoeffs++ & 63];
+                    u4_pos                 = pu1_scan[u4_numCoeffs++];
                     pu1_pos[*pi4_num_coeffs]    = u4_pos;
 
                     FLUSH_BITS(u4_offset,u4_buf,u4_buf_nxt,u4_sym_len,pu4_buf_aligned)
@@ -872,8 +887,12 @@
                             u4_level = ((WORD16) DecodedValue) >> 9;
 
                             u4_numCoeffs       += u4_run;
+                            if (u4_numCoeffs >= NUM_COEFFS)
+                            {
+                                return IMPEG2D_MB_TEX_DECODE_ERR;
+                            }
 
-                            u4_pos                 = pu1_scan[u4_numCoeffs++ & 63];
+                            u4_pos                 = pu1_scan[u4_numCoeffs++];
                             pu1_pos[*pi4_num_coeffs]    = u4_pos;
                             if (1 == lead_zeros)
                                 u4_sym_len--;
@@ -897,8 +916,12 @@
                                 u4_level = (u4_level - ((u4_level & 0x0800) << 1));
 
                             u4_numCoeffs           += u4_run;
+                            if (u4_numCoeffs >= NUM_COEFFS)
+                            {
+                                return IMPEG2D_MB_TEX_DECODE_ERR;
+                            }
 
-                            u4_pos                 = pu1_scan[u4_numCoeffs++ & 63];
+                            u4_pos                 = pu1_scan[u4_numCoeffs++];
                             pu1_pos[*pi4_num_coeffs]    = u4_pos;
                             pi2_outAddr[*pi4_num_coeffs]    = u4_level;
 
@@ -962,8 +985,12 @@
                                 u4_level = (u4_level - (u4_level_first_byte << 1));
                             }
                             u4_numCoeffs           += u4_run;
+                            if (u4_numCoeffs >= NUM_COEFFS)
+                            {
+                                return IMPEG2D_MB_TEX_DECODE_ERR;
+                            }
 
-                            u4_pos                 = pu1_scan[u4_numCoeffs++ & 63];
+                            u4_pos                 = pu1_scan[u4_numCoeffs++];
                             pu1_pos[*pi4_num_coeffs]    = u4_pos;
                             pi2_outAddr[*pi4_num_coeffs]    = u4_level;
 
@@ -974,10 +1001,6 @@
 
                 u4_nz_cols |= 1 << (u4_pos & 0x7);
                 u4_nz_rows |= 1 << (u4_pos >> 0x3);
-                if (u4_numCoeffs > 64)
-                {
-                    return IMPEG2D_MB_TEX_DECODE_ERR;
-                }
 
             }