Fixed bit stream access to make sure that it is not read beyond the allocated size.
Bug: 25765591
Change-Id: I98c23a3c3f84f6710f29bffe5ed73adcf51d47f6
diff --git a/decoder/impeg2d_bitstream.c b/decoder/impeg2d_bitstream.c
index 92d3785..b67161d 100644
--- a/decoder/impeg2d_bitstream.c
+++ b/decoder/impeg2d_bitstream.c
@@ -164,9 +164,12 @@
if (u4_curr_bit == 31)
{
ps_stream->u4_buf = ps_stream->u4_buf_nxt;
- u4_temp = *(ps_stream->pu4_buf_aligned)++;
- CONV_LE_TO_BE(ps_stream->u4_buf_nxt,u4_temp)
+ if (ps_stream->u4_offset < ps_stream->u4_max_offset)
+ {
+ u4_temp = *(ps_stream->pu4_buf_aligned)++;
+ CONV_LE_TO_BE(ps_stream->u4_buf_nxt,u4_temp)
+ }
}
ps_stream->u4_offset = u4_offset;
@@ -189,7 +192,11 @@
{
stream_t *ps_stream = (stream_t *)pv_ctxt;
- FLUSH_BITS(ps_stream->u4_offset,ps_stream->u4_buf,ps_stream->u4_buf_nxt,u4_no_of_bits,ps_stream->pu4_buf_aligned)
+
+ if (ps_stream->u4_offset < ps_stream->u4_max_offset)
+ {
+ FLUSH_BITS(ps_stream->u4_offset,ps_stream->u4_buf,ps_stream->u4_buf_nxt,u4_no_of_bits,ps_stream->pu4_buf_aligned)
+ }
return;
}
/******************************************************************************
diff --git a/decoder/impeg2d_d_pic.c b/decoder/impeg2d_d_pic.c
index 6fcf1f4..23c393f 100644
--- a/decoder/impeg2d_d_pic.c
+++ b/decoder/impeg2d_d_pic.c
@@ -172,7 +172,8 @@
/*------------------------------------------------------------------*/
/* Discard the Macroblock stuffing in case of MPEG-1 stream */
/*------------------------------------------------------------------*/
- while(impeg2d_bit_stream_nxt(ps_stream,MB_STUFFING_CODE_LEN) == MB_STUFFING_CODE)
+ while(impeg2d_bit_stream_nxt(ps_stream,MB_STUFFING_CODE_LEN) == MB_STUFFING_CODE &&
+ ps_stream->u4_offset < ps_stream->u4_max_offset)
impeg2d_bit_stream_flush(ps_stream,MB_STUFFING_CODE_LEN);
/*------------------------------------------------------------------*/
diff --git a/decoder/impeg2d_dec_hdr.c b/decoder/impeg2d_dec_hdr.c
index 061bf04..83c1545 100644
--- a/decoder/impeg2d_dec_hdr.c
+++ b/decoder/impeg2d_dec_hdr.c
@@ -82,8 +82,8 @@
ps_stream = &ps_dec->s_bit_stream;
impeg2d_bit_stream_flush_to_byte_boundary(ps_stream);
- while ((impeg2d_bit_stream_nxt(ps_stream,START_CODE_LEN) != u4_start_code_val)
- && (ps_dec->s_bit_stream.u4_offset <= ps_dec->s_bit_stream.u4_max_offset))
+ while ((impeg2d_bit_stream_nxt(ps_stream,START_CODE_LEN) != u4_start_code_val) &&
+ (ps_dec->s_bit_stream.u4_offset < ps_dec->s_bit_stream.u4_max_offset))
{
if (impeg2d_bit_stream_get(ps_stream,8) != 0)
@@ -111,7 +111,7 @@
impeg2d_bit_stream_flush_to_byte_boundary(ps_stream);
while ((impeg2d_bit_stream_nxt(ps_stream,START_CODE_PREFIX_LEN) != START_CODE_PREFIX)
- && (ps_dec->s_bit_stream.u4_offset <= ps_dec->s_bit_stream.u4_max_offset))
+ && (ps_dec->s_bit_stream.u4_offset < ps_dec->s_bit_stream.u4_max_offset))
{
impeg2d_bit_stream_get(ps_stream,8);
}
@@ -669,7 +669,8 @@
/* } */
/* extra_bit_picture 1 */
/*-----------------------------------------------------------------------*/
- while (impeg2d_bit_stream_nxt(ps_stream,1) == 1)
+ while (impeg2d_bit_stream_nxt(ps_stream,1) == 1 &&
+ ps_stream->u4_offset < ps_stream->u4_max_offset)
{
impeg2d_bit_stream_get(ps_stream,9);
}
@@ -800,7 +801,8 @@
{
impeg2d_bit_stream_flush(ps_stream,9);
/* Flush extra bit information */
- while (impeg2d_bit_stream_nxt(ps_stream,1) == 1)
+ while (impeg2d_bit_stream_nxt(ps_stream,1) == 1 &&
+ ps_stream->u4_offset < ps_stream->u4_max_offset)
{
impeg2d_bit_stream_flush(ps_stream,9);
}
@@ -1322,10 +1324,12 @@
ps_stream = &ps_dec->s_bit_stream;
u4_start_code = impeg2d_bit_stream_nxt(ps_stream,START_CODE_LEN);
- while(u4_start_code == EXTENSION_START_CODE || u4_start_code == USER_DATA_START_CODE)
+ while((u4_start_code == EXTENSION_START_CODE || u4_start_code == USER_DATA_START_CODE) &&
+ (ps_stream->u4_offset < ps_stream->u4_max_offset))
{
impeg2d_bit_stream_flush(ps_stream,START_CODE_LEN);
- while(impeg2d_bit_stream_nxt(ps_stream,START_CODE_PREFIX_LEN) != START_CODE_PREFIX)
+ while(impeg2d_bit_stream_nxt(ps_stream,START_CODE_PREFIX_LEN) != START_CODE_PREFIX &&
+ (ps_stream->u4_offset < ps_stream->u4_max_offset))
{
impeg2d_bit_stream_flush(ps_stream,8);
}
@@ -1354,7 +1358,8 @@
while(u4_start_code == USER_DATA_START_CODE)
{
impeg2d_bit_stream_flush(ps_stream,START_CODE_LEN);
- while(impeg2d_bit_stream_nxt(ps_stream,START_CODE_PREFIX_LEN) != START_CODE_PREFIX)
+ while((impeg2d_bit_stream_nxt(ps_stream,START_CODE_PREFIX_LEN) != START_CODE_PREFIX) &&
+ (ps_stream->u4_offset < ps_stream->u4_max_offset))
{
impeg2d_bit_stream_flush(ps_stream,8);
}
@@ -1384,7 +1389,8 @@
u4_start_code = impeg2d_bit_stream_nxt(ps_stream,START_CODE_LEN);
while( (u4_start_code == EXTENSION_START_CODE ||
u4_start_code == USER_DATA_START_CODE) &&
- (IMPEG2D_ERROR_CODES_T)IVD_ERROR_NONE == e_error)
+ (IMPEG2D_ERROR_CODES_T)IVD_ERROR_NONE == e_error &&
+ (ps_stream->u4_offset < ps_stream->u4_max_offset))
{
if(u4_start_code == USER_DATA_START_CODE)
{
@@ -1436,7 +1442,8 @@
u4_start_code = impeg2d_bit_stream_nxt(ps_stream,START_CODE_LEN);
while ( (u4_start_code == EXTENSION_START_CODE ||
u4_start_code == USER_DATA_START_CODE) &&
- (IMPEG2D_ERROR_CODES_T)IVD_ERROR_NONE == e_error)
+ (IMPEG2D_ERROR_CODES_T)IVD_ERROR_NONE == e_error &&
+ (ps_stream->u4_offset < ps_stream->u4_max_offset))
{
if(u4_start_code == USER_DATA_START_CODE)
{
diff --git a/decoder/impeg2d_pic_proc.c b/decoder/impeg2d_pic_proc.c
index e79e87a..b4f88be 100644
--- a/decoder/impeg2d_pic_proc.c
+++ b/decoder/impeg2d_pic_proc.c
@@ -219,7 +219,8 @@
UWORD16 impeg2d_get_mb_addr_incr(stream_t *ps_stream)
{
UWORD16 u2_mb_addr_incr = 0;
- while (impeg2d_bit_stream_nxt(ps_stream,MB_ESCAPE_CODE_LEN) == MB_ESCAPE_CODE)
+ while (impeg2d_bit_stream_nxt(ps_stream,MB_ESCAPE_CODE_LEN) == MB_ESCAPE_CODE &&
+ ps_stream->u4_offset < ps_stream->u4_max_offset)
{
impeg2d_bit_stream_flush(ps_stream,MB_ESCAPE_CODE_LEN);
u2_mb_addr_incr += 33;
