wrapper/libavc
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Decoder: Fixed an out of bound read in intra pred buffers

Browse source 
Bug: 23453762
Change-Id: I129e5a2ac8b9a28f3c894ebca0aef7063ca5934e
(cherry picked from commit 040ec939c6)
This commit is contained in:
Harish Mahendrakar 2015-08-26 08:58:53 +05:30 committed by Wei Jia
parent 251b007ecc
commit 07ae78bd27
1 changed files with 20 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

23
decoder/ih264d_utils.c
View file

@ -1930,23 +1930,26 @@ WORD16 ih264d_allocate_dynamic_bufs(dec_struct_t * ps_dec)
}
}
size = sizeof(UWORD8) * ((u4_wd_mbs + 1) * MB_SIZE) * 2;
size = sizeof(UWORD8) * ((u4_wd_mbs + 2) * MB_SIZE) * 2;
pv_buf = ps_dec->pf_aligned_alloc(pv_mem_ctxt, 128, size);
RETURN_IF((NULL == pv_buf), IV_FAIL);
ps_dec->pu1_y_intra_pred_line = pv_buf;
memset(ps_dec->pu1_y_intra_pred_line, 0, size);
ps_dec->pu1_y_intra_pred_line += MB_SIZE;
size = sizeof(UWORD8) * ((u4_wd_mbs + 1) * MB_SIZE) * 2;
size = sizeof(UWORD8) * ((u4_wd_mbs + 2) * MB_SIZE) * 2;
pv_buf = ps_dec->pf_aligned_alloc(pv_mem_ctxt, 128, size);
RETURN_IF((NULL == pv_buf), IV_FAIL);
ps_dec->pu1_u_intra_pred_line = pv_buf;
memset(ps_dec->pu1_u_intra_pred_line, 0, size);
ps_dec->pu1_u_intra_pred_line += MB_SIZE;
size = sizeof(UWORD8) * ((u4_wd_mbs + 1) * MB_SIZE) * 2;
size = sizeof(UWORD8) * ((u4_wd_mbs + 2) * MB_SIZE) * 2;
pv_buf = ps_dec->pf_aligned_alloc(pv_mem_ctxt, 128, size);
RETURN_IF((NULL == pv_buf), IV_FAIL);
ps_dec->pu1_v_intra_pred_line = pv_buf;
memset(ps_dec->pu1_v_intra_pred_line, 0, size);
ps_dec->pu1_v_intra_pred_line += MB_SIZE;
if(ps_dec->u1_separate_parse)
{
@ -2215,8 +2218,22 @@ WORD16 ih264d_free_dynamic_bufs(dec_struct_t * ps_dec)
}
}
if(ps_dec->pu1_y_intra_pred_line)
{
ps_dec->pu1_y_intra_pred_line -= MB_SIZE;
}
PS_DEC_ALIGNED_FREE(ps_dec, ps_dec->pu1_y_intra_pred_line);
if(ps_dec->pu1_u_intra_pred_line)
{
ps_dec->pu1_u_intra_pred_line -= MB_SIZE;
}
PS_DEC_ALIGNED_FREE(ps_dec, ps_dec->pu1_u_intra_pred_line);
if(ps_dec->pu1_v_intra_pred_line)
{
ps_dec->pu1_v_intra_pred_line -= MB_SIZE;
}
PS_DEC_ALIGNED_FREE(ps_dec, ps_dec->pu1_v_intra_pred_line);
PS_DEC_ALIGNED_FREE(ps_dec, ps_dec->ps_nbr_mb_row);
PS_DEC_ALIGNED_FREE(ps_dec, ps_dec->pu1_mv_bank_buf_base);