m4v_h263: Fix heap buffer overflow issue in BitstreamFillCache
Check for bitstream buffer overflow in PVLocateM4VFrameBoundary
and PVSearchH263FrameBoundary
Bug: 154058264
Bug: 136173360
Test: POC in bug description
Change-Id: Ied65243a13dc9923e6b9433b5b625db6f8b28556
(cherry picked from commit 502b917de8d94a652c75adb0ca7d6644698f46d6)
diff --git a/media/libstagefright/codecs/m4v_h263/dec/src/bitstream.cpp b/media/libstagefright/codecs/m4v_h263/dec/src/bitstream.cpp
index 37250f3..5b19db4 100644
--- a/media/libstagefright/codecs/m4v_h263/dec/src/bitstream.cpp
+++ b/media/libstagefright/codecs/m4v_h263/dec/src/bitstream.cpp
@@ -649,8 +649,11 @@
-void PVLocateM4VFrameBoundary(BitstreamDecVideo *stream)
+PV_STATUS PVLocateM4VFrameBoundary(BitstreamDecVideo *stream)
{
+ PV_STATUS status = BitstreamCheckEndBuffer(stream);
+ if (status == PV_END_OF_VOP) return status;
+
uint8 *ptr;
int32 byte_pos = (stream->bitcnt >> 3);
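Review bot: The new guard at the top of PVLocateM4VFrameBoundary returns only when BitstreamCheckEndBuffer yields PV_END_OF_VOP, so any other non-success status would fall through to the pointer arithmetic below. The callers in the later hunks already test `status != PV_SUCCESS`; using the same form here, `if (status != PV_SUCCESS) return status;`, keeps both sides consistent and fails closed if the helper ever returns another error code. The same applies to the identical guard added to PVLocateH263FrameBoundary in the next hunk. BitstreamCheckEndBuffer is defined outside this diff, so the set of values it can return is not visible here.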
@@ -658,10 +661,14 @@
ptr = stream->bitstreamBuffer + byte_pos;
stream->data_end_pos = PVLocateFrameHeader(ptr, (int32)stream->data_end_pos - byte_pos) + byte_pos;
+ return PV_SUCCESS;
}
-void PVLocateH263FrameBoundary(BitstreamDecVideo *stream)
+PV_STATUS PVLocateH263FrameBoundary(BitstreamDecVideo *stream)
{
+ PV_STATUS status = BitstreamCheckEndBuffer(stream);
+ if (status == PV_END_OF_VOP) return status;
+
uint8 *ptr;
int32 byte_pos = (stream->bitcnt >> 3);
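Review bot: The length passed to PVLocateFrameHeader, `(int32)stream->data_end_pos - byte_pos`, is non-negative only if `byte_pos` (derived from `stream->bitcnt`) does not exceed `data_end_pos`. That bound now rests entirely on what BitstreamCheckEndBuffer tests, which this diff does not show. An explicit local check, for example `if (byte_pos >= (int32)stream->data_end_pos) return PV_END_OF_VOP;` (to be confirmed against the helper's semantics), or at least a comment stating the invariant above the guard, would make the bound verifiable at the point of use. The same computation appears with PVLocateH263FrameHeader in the following hunk. Neither function body is fully visible in these hunks.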
@@ -669,6 +676,7 @@
ptr = stream->bitstreamBuffer + byte_pos;
stream->data_end_pos = PVLocateH263FrameHeader(ptr, (int32)stream->data_end_pos - byte_pos) + byte_pos;
+ return PV_SUCCESS;
}
/* ======================================================================== */
@@ -687,7 +695,8 @@
if (stream->searched_frame_boundary == 0)
{
- PVLocateM4VFrameBoundary(stream);
+ status = PVLocateM4VFrameBoundary(stream);
+ if (status != PV_SUCCESS) return status;
}
do
@@ -711,7 +720,8 @@
if (stream->searched_frame_boundary == 0)
{
- PVLocateH263FrameBoundary(stream);
+ status = PVLocateH263FrameBoundary(stream);
+ if (status != PV_SUCCESS) return status;
}
do
@@ -789,7 +799,8 @@
if (stream->searched_frame_boundary == 0)
{
- PVLocateM4VFrameBoundary(stream);
+ status = PVLocateM4VFrameBoundary(stream);
+ if (status != PV_SUCCESS) return status;
}
while (TRUE)
@@ -880,7 +891,8 @@
if (stream->searched_frame_boundary == 0)
{
- PVLocateM4VFrameBoundary(stream);
+ status = PVLocateM4VFrameBoundary(stream);
+ if (status != PV_SUCCESS) return status;
}
while (TRUE)
@@ -956,7 +968,8 @@
if (stream->searched_frame_boundary == 0)
{
- PVLocateH263FrameBoundary(stream);
+ status = PVLocateH263FrameBoundary(stream);
+ if (status != PV_SUCCESS) return status;
}
while (TRUE)
diff --git a/media/libstagefright/codecs/m4v_h263/dec/src/bitstream.h b/media/libstagefright/codecs/m4v_h263/dec/src/bitstream.h
index d52fa87..0cf903d 100644
--- a/media/libstagefright/codecs/m4v_h263/dec/src/bitstream.h
+++ b/media/libstagefright/codecs/m4v_h263/dec/src/bitstream.h
@@ -156,8 +156,8 @@
/* for error concealment & soft-decoding */
- void PVLocateM4VFrameBoundary(BitstreamDecVideo *stream);
- void PVSearchH263FrameBoundary(BitstreamDecVideo *stream);
+ PV_STATUS PVLocateM4VFrameBoundary(BitstreamDecVideo *stream);
+ PV_STATUS PVSearchH263FrameBoundary(BitstreamDecVideo *stream);
PV_STATUS quickSearchMotionMarker(BitstreamDecVideo *stream);
PV_STATUS quickSearchDCM(BitstreamDecVideo *stream);
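Review bot: The second prototype changed here is named PVSearchH263FrameBoundary, but the function this commit defines and calls in bitstream.cpp is PVLocateH263FrameBoundary, so this header line does not appear to declare the function whose return type changed. If no other declaration exists, the prototype should read `PV_STATUS PVLocateH263FrameBoundary(BitstreamDecVideo *stream);`. If one exists elsewhere, it needs the same `void` to `PV_STATUS` update, or callers outside bitstream.cpp will see a stale signature. The name mismatch predates this commit (the removed line carries the same name), and the rest of the header is outside the hunk.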