wrapper/libavc
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix integer overflows in computing poc and pic numbers

Browse source 
Test: poc in bug
Bug: 135303936
Bug: 136568141

Change-Id: Ie426c678b60f2d078d0b39e73a44d42d931d7fe3
This commit is contained in:
Harish Mahendrakar 2019-07-03 10:12:53 -07:00
parent 47d5e6bb93
commit 1d672d2bea
3 changed files with 37 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

16
decoder/ih264d_dpb_mgr.c
View file

@ -1176,10 +1176,16 @@ WORD32 ih264d_do_mmco_buffer(dpb_commands_t *ps_dpb_cmds,
{
UWORD32 i4_cur_pic_num = u4_cur_pic_num;
WORD64 i8_pic_num;
u4_diff_pic_num = ps_mmc_params->u4_diff_pic_num; //Get absDiffPicnumMinus1
if(u1_fld_pic_flag)
i4_cur_pic_num = i4_cur_pic_num * 2 + 1;
i4_pic_num = ((WORD32)i4_cur_pic_num - ((WORD32)u4_diff_pic_num + 1));
i8_pic_num = ((WORD64)i4_cur_pic_num - ((WORD64)u4_diff_pic_num + 1));
if(IS_OUT_OF_RANGE_S32(i8_pic_num))
{
return ERROR_DBP_MANAGER_T;
}
i4_pic_num = i8_pic_num;
}
if(ps_dpb_mgr->u1_num_st_ref_bufs > 0)
@ -1223,11 +1229,17 @@ WORD32 ih264d_do_mmco_buffer(dpb_commands_t *ps_dpb_cmds,
{
{
UWORD32 i4_cur_pic_num = u4_cur_pic_num;
WORD64 i8_pic_num;
u4_diff_pic_num = ps_mmc_params->u4_diff_pic_num; //Get absDiffPicnumMinus1
if(u1_fld_pic_flag)
i4_cur_pic_num = i4_cur_pic_num * 2 + 1;
i4_pic_num = (WORD32)i4_cur_pic_num - ((WORD32)u4_diff_pic_num + 1);
i8_pic_num = (WORD64)i4_cur_pic_num - ((WORD64)u4_diff_pic_num + 1);
if(IS_OUT_OF_RANGE_S32(i8_pic_num))
{
return ERROR_DBP_MANAGER_T;
}
i4_pic_num = i8_pic_num;
}
u4_lt_idx = ps_mmc_params->u4_lt_idx; //Get long term index

10
decoder/ih264d_parse_slice.c
View file

@ -825,7 +825,15 @@ WORD32 ih264d_end_of_pic_dispbuf_mgr(dec_struct_t * ps_dec)
ps_cur_pic->u2_crop_offset_y = ps_dec->u2_crop_offset_y;
ps_cur_pic->u2_crop_offset_uv = ps_dec->u2_crop_offset_uv;
ps_cur_pic->u1_pic_type = 0;
{
UWORD64 i8_display_poc;
i8_display_poc = (UWORD64)ps_dec->i4_prev_max_display_seq +
ps_dec->ps_cur_pic->i4_poc;
if(IS_OUT_OF_RANGE_S32(i8_display_poc))
{
ps_dec->i4_prev_max_display_seq = 0;
}
}
ret = ih264d_insert_pic_in_display_list(
ps_dec->ps_dpb_mgr,
ps_dec->u1_pic_buf_id,

19
decoder/ih264d_utils.c
View file

@ -324,7 +324,7 @@ WORD32 ih264d_decode_pic_order_cnt(UWORD8 u1_is_idr_slice,
if(u1_nal_ref_idc == 0)
{
i8_result = expected_poc
i8_result = (WORD64)expected_poc
+ ps_seq->i4_ofst_for_non_ref_pic;
if(IS_OUT_OF_RANGE_S32(i8_result))
@ -336,14 +336,14 @@ WORD32 ih264d_decode_pic_order_cnt(UWORD8 u1_is_idr_slice,
/* 6. TopFieldOrderCnt or BottomFieldOrderCnt are derived as */
if(!u1_field_pic_flag)
{
i8_result = expected_poc
i8_result = (WORD64)expected_poc
+ ps_cur_poc->i4_delta_pic_order_cnt[0];
if(IS_OUT_OF_RANGE_S32(i8_result))
return ERROR_INV_POC;
i4_top_field_order_cnt = (WORD32)i8_result;
i8_result = i4_top_field_order_cnt
i8_result = (WORD64)i4_top_field_order_cnt
+ ps_seq->i4_ofst_for_top_to_bottom_field
+ ps_cur_poc->i4_delta_pic_order_cnt[1];
@ -353,7 +353,7 @@ WORD32 ih264d_decode_pic_order_cnt(UWORD8 u1_is_idr_slice,
}
else if(!u1_bottom_field_flag)
{
i8_result = expected_poc
i8_result = (WORD64)expected_poc
+ ps_cur_poc->i4_delta_pic_order_cnt[0];
if(IS_OUT_OF_RANGE_S32(i8_result))
@ -362,7 +362,7 @@ WORD32 ih264d_decode_pic_order_cnt(UWORD8 u1_is_idr_slice,
}
else
{
i8_result = expected_poc
i8_result = (WORD64)expected_poc
+ ps_seq->i4_ofst_for_top_to_bottom_field
+ ps_cur_poc->i4_delta_pic_order_cnt[0];
@ -1638,6 +1638,15 @@ WORD32 ih264d_decode_gaps_in_frame_num(dec_struct_t *ps_dec,
return ret;
}
{
UWORD64 i8_display_poc;
i8_display_poc = (UWORD64)ps_dec->i4_prev_max_display_seq +
i4_poc;
if(IS_OUT_OF_RANGE_S32(i8_display_poc))
{
ps_dec->i4_prev_max_display_seq = 0;
}
}
ret = ih264d_insert_pic_in_display_list(
ps_dec->ps_dpb_mgr, (WORD8) DO_NOT_DISP,
(WORD32)(ps_dec->i4_prev_max_display_seq + i4_poc),