m4v_h263: Fix heap buffer overflow issue in BitstreamFillCache

Check for bitstream buffer overflow in PVLocateM4VFrameBoundary
and PVSearchH263FrameBoundary

Bug: 154058264
Bug: 136173360
Test: POC in bug description

Change-Id: Ied65243a13dc9923e6b9433b5b625db6f8b28556
diff --git a/media/libstagefright/codecs/m4v_h263/dec/src/bitstream.cpp b/media/libstagefright/codecs/m4v_h263/dec/src/bitstream.cpp
index 37250f3..5b19db4 100644
--- a/media/libstagefright/codecs/m4v_h263/dec/src/bitstream.cpp
+++ b/media/libstagefright/codecs/m4v_h263/dec/src/bitstream.cpp
@@ -649,8 +649,11 @@
 
 
 
-void PVLocateM4VFrameBoundary(BitstreamDecVideo *stream)
+PV_STATUS PVLocateM4VFrameBoundary(BitstreamDecVideo *stream)
 {
+    PV_STATUS status = BitstreamCheckEndBuffer(stream);
+    if (status == PV_END_OF_VOP) return status;
+
     uint8 *ptr;
     int32 byte_pos = (stream->bitcnt >> 3);
 
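Review bot: The new guard in PVLocateM4VFrameBoundary returns only when `status == PV_END_OF_VOP`, while every caller updated in this commit tests `status != PV_SUCCESS`. Any other failure value from BitstreamCheckEndBuffer (its definition is not shown here) would fall through and end up reported as PV_SUCCESS by the new `return PV_SUCCESS;`. Writing the guard as `if (status != PV_SUCCESS) return status;` keeps both sides consistent. The same applies to the identical guard in PVLocateH263FrameBoundary in the next hunk. The function body continues past this hunk.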
@@ -658,10 +661,14 @@
     ptr = stream->bitstreamBuffer + byte_pos;
 
     stream->data_end_pos = PVLocateFrameHeader(ptr, (int32)stream->data_end_pos - byte_pos) + byte_pos;
+    return PV_SUCCESS;
 }
 
-void PVLocateH263FrameBoundary(BitstreamDecVideo *stream)
+PV_STATUS PVLocateH263FrameBoundary(BitstreamDecVideo *stream)
 {
+    PV_STATUS status = BitstreamCheckEndBuffer(stream);
+    if (status == PV_END_OF_VOP) return status;
+
     uint8 *ptr;
     int32 byte_pos = (stream->bitcnt >> 3);
 
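Review bot: The length passed to PVLocateFrameHeader, `(int32)stream->data_end_pos - byte_pos`, is not bounded in the visible lines. byte_pos comes from `stream->bitcnt >> 3` and nothing shown ties it to data_end_pos, so a byte_pos past the end would give a negative length and a `ptr` beyond the buffer. Whether BitstreamCheckEndBuffer already guarantees this cannot be told from the diff. If it does not, an explicit `if (byte_pos >= (int32)stream->data_end_pos) return PV_END_OF_VOP;` before `ptr` is computed would make the bound local to the function. The same expression is used with PVLocateH263FrameHeader in the next hunk, and the start of this function lies in the previous hunk.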
@@ -669,6 +676,7 @@
     ptr = stream->bitstreamBuffer + byte_pos;
 
     stream->data_end_pos = PVLocateH263FrameHeader(ptr, (int32)stream->data_end_pos - byte_pos) + byte_pos;
+    return PV_SUCCESS;
 }
 
 /* ======================================================================== */
@@ -687,7 +695,8 @@
 
     if (stream->searched_frame_boundary == 0)
     {
-        PVLocateM4VFrameBoundary(stream);
+        status = PVLocateM4VFrameBoundary(stream);
+        if (status != PV_SUCCESS) return status;
     }
 
     do
@@ -711,7 +720,8 @@
 
     if (stream->searched_frame_boundary == 0)
     {
-        PVLocateH263FrameBoundary(stream);
+        status = PVLocateH263FrameBoundary(stream);
+        if (status != PV_SUCCESS) return status;
     }
 
     do
@@ -789,7 +799,8 @@
 
     if (stream->searched_frame_boundary == 0)
     {
-        PVLocateM4VFrameBoundary(stream);
+        status = PVLocateM4VFrameBoundary(stream);
+        if (status != PV_SUCCESS) return status;
     }
 
     while (TRUE)
@@ -880,7 +891,8 @@
 
     if (stream->searched_frame_boundary == 0)
     {
-        PVLocateM4VFrameBoundary(stream);
+        status = PVLocateM4VFrameBoundary(stream);
+        if (status != PV_SUCCESS) return status;
     }
 
     while (TRUE)
@@ -956,7 +968,8 @@
 
     if (stream->searched_frame_boundary == 0)
     {
-        PVLocateH263FrameBoundary(stream);
+        status = PVLocateH263FrameBoundary(stream);
+        if (status != PV_SUCCESS) return status;
     }
 
     while (TRUE)
diff --git a/media/libstagefright/codecs/m4v_h263/dec/src/bitstream.h b/media/libstagefright/codecs/m4v_h263/dec/src/bitstream.h
index d52fa87..0cf903d 100644
--- a/media/libstagefright/codecs/m4v_h263/dec/src/bitstream.h
+++ b/media/libstagefright/codecs/m4v_h263/dec/src/bitstream.h
@@ -156,8 +156,8 @@
 
 
     /* for error concealment & soft-decoding */
-    void PVLocateM4VFrameBoundary(BitstreamDecVideo *stream);
-    void PVSearchH263FrameBoundary(BitstreamDecVideo *stream);
+    PV_STATUS PVLocateM4VFrameBoundary(BitstreamDecVideo *stream);
+    PV_STATUS PVSearchH263FrameBoundary(BitstreamDecVideo *stream);
 
     PV_STATUS quickSearchMotionMarker(BitstreamDecVideo *stream);
     PV_STATUS quickSearchDCM(BitstreamDecVideo *stream);
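Review bot: The prototype updated here is `PVSearchH263FrameBoundary`, but the function whose return type changes in bitstream.cpp is `PVLocateH263FrameBoundary`, so the header still has no matching declaration for it (the mismatch predates this commit). Unless a function with the Search name is defined elsewhere, the declaration should read `PV_STATUS PVLocateH263FrameBoundary(BitstreamDecVideo *stream);`. A short comment on both prototypes, for example `/* returns PV_END_OF_VOP when no data is left in the bitstream buffer, PV_SUCCESS otherwise */`, would also tell callers that the result must now be checked.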