Google Git
Sign in
android / platform / hardware / intel / common / libmix / 23427acb70a50e0b91bac64e35b54935e98e45eb^! / .
commit23427acb70a50e0b91bac64e35b54935e98e45eb[log] [tgz]
authorwfeng6 <wei.feng@intel.com>Fri Aug 09 18:51:43 2013 +0800
committerPatrick Tjin <pattjin@google.com>Mon Jul 21 21:51:39 2014 -0700
tree86f62e412e070bef1227b1f38c187b979499c1b0
parentd384ba5cdd182643350b38f6ca23ac72c7bb6f19 [diff]
To fix two critical Klocwork issues in libmix

BZ: 129623

Two critical issues in libmix:
1. Null pointer 'data' that comes from line 160
    may be dereferenced at line 182. Also there
    is one similar error on line 190.
    File: libmix/videodecoder/securevideo/
    baytrail/VideoDecoderAVCSecure.cpp:182 | decode()

2.  Array 'op' of size 16 may use index value(s) 16.
    Also there are 6 similar errors on line(s) 542,
    547, 552, 556, 557, 562.
    File: libmix/mix_vbp/viddec_fw/fw/codecs/
    h264/parser/viddec_h264secure_parse.c:538
    | h264secure_Parse_Dec_Ref_Pic_Marking()

Fix:
1.  Check the 'data' pointer before dereference it
2.  Limit the idx value to be smaller than 16

Change-Id: Iba48665147822a23873ca8ef3c0fc5b0f3de03ee
Signed-off-by: wfeng6 <wei.feng@intel.com>
Reviewed-on: http://android.intel.com:8080/124651
Reviewed-by: Shi, PingX <pingx.shi@intel.com>
Reviewed-by: Guo, Nana N <nana.n.guo@intel.com>
Tested-by: Ding, Haitao <haitao.ding@intel.com>
Reviewed-by: cactus <cactus@intel.com>
Tested-by: cactus <cactus@intel.com>

diff --git a/mix_vbp/viddec_fw/fw/codecs/h264/parser/viddec_h264secure_parse.c b/mix_vbp/viddec_fw/fw/codecs/h264/parser/viddec_h264secure_parse.c
index 55225ed..753618a 100644
--- a/mix_vbp/viddec_fw/fw/codecs/h264/parser/viddec_h264secure_parse.c
+++ b/mix_vbp/viddec_fw/fw/codecs/h264/parser/viddec_h264secure_parse.c

@@ -533,7 +533,7 @@
         {
             do
             {
-                if (i < NUM_MMCO_OPERATIONS)
+                if (i < MAX_OP)
                 {
                     code = sliceheader_p->ref_pic_marking.op[i].memory_management_control_operation;
                     SliceHeader->sh_dec_refpic.memory_management_control_operation[i] = code;
@@ -568,7 +568,7 @@
                     }
                 }
 
-                if (i >= NUM_MMCO_OPERATIONS) {
+                if (i >= MAX_OP) {
                     return H264_STATUS_ERROR;
                 }
             } while (SliceHeader->sh_dec_refpic.memory_management_control_operation[i++] != 0);

diff --git a/videodecoder/securevideo/baytrail/VideoDecoderAVCSecure.cpp b/videodecoder/securevideo/baytrail/VideoDecoderAVCSecure.cpp
index 4ded53f..675b37a 100644
--- a/videodecoder/securevideo/baytrail/VideoDecoderAVCSecure.cpp
+++ b/videodecoder/securevideo/baytrail/VideoDecoderAVCSecure.cpp

@@ -178,6 +178,11 @@
         CHECK_STATUS("VideoDecoderBase::updateBuffer");
     }
 
+    if (data == NULL) {
+        ETRACE("Invalid data returned by parser!");
+        return DECODE_MEMORY_FAIL;
+    }
+
     if (!mVAStarted) {
          if (data->has_sps && data->has_pps) {
             status = startVA(data);