From 1d672d2beac004bd6afe7f74b346262bb0176e9e Mon Sep 17 00:00:00 2001
From: Harish Mahendrakar
Date: Wed, 3 Jul 2019 10:12:53 -0700
Subject: [PATCH] Fix integer overflows in computing poc and pic numbers

Test: poc in bug
Bug: 135303936
Bug: 136568141
Change-Id: Ie426c678b60f2d078d0b39e73a44d42d931d7fe3
---
 decoder/ih264d_dpb_mgr.c     | 16 ++++++++++++++--
 decoder/ih264d_parse_slice.c | 10 +++++++++-
 decoder/ih264d_utils.c       | 19 ++++++++++++++-----
 3 files changed, 37 insertions(+), 8 deletions(-)

diff --git a/decoder/ih264d_dpb_mgr.c b/decoder/ih264d_dpb_mgr.c
index af414a5..0b8426b 100644
--- a/decoder/ih264d_dpb_mgr.c
+++ b/decoder/ih264d_dpb_mgr.c
@@ -1176,10 +1176,16 @@ WORD32 ih264d_do_mmco_buffer(dpb_commands_t *ps_dpb_cmds,
         {
             UWORD32 i4_cur_pic_num = u4_cur_pic_num;
+            WORD64 i8_pic_num;
             u4_diff_pic_num = ps_mmc_params->u4_diff_pic_num; //Get absDiffPicnumMinus1
             if(u1_fld_pic_flag)
                 i4_cur_pic_num = i4_cur_pic_num * 2 + 1;
-            i4_pic_num = ((WORD32)i4_cur_pic_num - ((WORD32)u4_diff_pic_num + 1));
+            i8_pic_num = ((WORD64)i4_cur_pic_num - ((WORD64)u4_diff_pic_num + 1));
+            if(IS_OUT_OF_RANGE_S32(i8_pic_num))
+            {
+                return ERROR_DBP_MANAGER_T;
+            }
+            i4_pic_num = i8_pic_num;
         }
         if(ps_dpb_mgr->u1_num_st_ref_bufs > 0)
@@ -1223,11 +1229,17 @@ WORD32 ih264d_do_mmco_buffer(dpb_commands_t *ps_dpb_cmds,
         {
             {
                 UWORD32 i4_cur_pic_num = u4_cur_pic_num;
+                WORD64 i8_pic_num;
                 u4_diff_pic_num = ps_mmc_params->u4_diff_pic_num; //Get absDiffPicnumMinus1
                 if(u1_fld_pic_flag)
                     i4_cur_pic_num = i4_cur_pic_num * 2 + 1;
-                i4_pic_num = (WORD32)i4_cur_pic_num - ((WORD32)u4_diff_pic_num + 1);
+                i8_pic_num = (WORD64)i4_cur_pic_num - ((WORD64)u4_diff_pic_num + 1);
+                if(IS_OUT_OF_RANGE_S32(i8_pic_num))
+                {
+                    return ERROR_DBP_MANAGER_T;
+                }
+                i4_pic_num = i8_pic_num;
             }
             u4_lt_idx = ps_mmc_params->u4_lt_idx; //Get long term index
diff --git a/decoder/ih264d_parse_slice.c b/decoder/ih264d_parse_slice.c
index 8d50f9a..08b4281 100644
--- a/decoder/ih264d_parse_slice.c
+++ b/decoder/ih264d_parse_slice.c
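Review bot: The narrowing store `i4_pic_num = i8_pic_num;` that closes the -1176 hunk is implicit, while the same patch writes the equivalent narrowing explicitly in ih264d_utils.c (`i4_top_field_order_cnt = (WORD32)i8_result;`); make it `i4_pic_num = (WORD32)i8_pic_num;` here and in the identical block of the -1223 hunk so the range-checked conversion reads as deliberate and stays quiet under -Wconversion. The two hunks duplicate the whole compute-and-range-check sequence; a small static helper taking u4_cur_pic_num, u4_diff_pic_num and u1_fld_pic_flag and returning the WORD64 result would keep the IS_OUT_OF_RANGE_S32 guard in one place. Note that `i4_cur_pic_num * 2 + 1` is still evaluated in UWORD32 before the widening cast, so the new check only sees the already-wrapped value if u4_cur_pic_num could exceed half the UWORD32 range; that is presumably ruled out once frame_num has been bounded by MaxFrameNum upstream, but nothing in the hunk shows it. ih264d_do_mmco_buffer starts and ends outside both hunks.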
@@ -825,7 +825,15 @@ WORD32 ih264d_end_of_pic_dispbuf_mgr(dec_struct_t * ps_dec)
         ps_cur_pic->u2_crop_offset_y = ps_dec->u2_crop_offset_y;
         ps_cur_pic->u2_crop_offset_uv = ps_dec->u2_crop_offset_uv;
         ps_cur_pic->u1_pic_type = 0;
-
+        {
+            UWORD64 i8_display_poc;
+            i8_display_poc = (UWORD64)ps_dec->i4_prev_max_display_seq +
+                             ps_dec->ps_cur_pic->i4_poc;
+            if(IS_OUT_OF_RANGE_S32(i8_display_poc))
+            {
+                ps_dec->i4_prev_max_display_seq = 0;
+            }
+        }
         ret = ih264d_insert_pic_in_display_list(
                         ps_dec->ps_dpb_mgr, ps_dec->u1_pic_buf_id,
diff --git a/decoder/ih264d_utils.c b/decoder/ih264d_utils.c
index 0381763..ea3a404 100644
--- a/decoder/ih264d_utils.c
+++ b/decoder/ih264d_utils.c
@@ -324,7 +324,7 @@ WORD32 ih264d_decode_pic_order_cnt(UWORD8 u1_is_idr_slice,
         if(u1_nal_ref_idc == 0)
         {
-            i8_result = expected_poc
+            i8_result = (WORD64)expected_poc
                         + ps_seq->i4_ofst_for_non_ref_pic;
             if(IS_OUT_OF_RANGE_S32(i8_result))
@@ -336,14 +336,14 @@ WORD32 ih264d_decode_pic_order_cnt(UWORD8 u1_is_idr_slice,
         /* 6. TopFieldOrderCnt or BottomFieldOrderCnt are derived as */
         if(!u1_field_pic_flag)
         {
-            i8_result = expected_poc
+            i8_result = (WORD64)expected_poc
                         + ps_cur_poc->i4_delta_pic_order_cnt[0];
             if(IS_OUT_OF_RANGE_S32(i8_result))
                 return ERROR_INV_POC;
             i4_top_field_order_cnt = (WORD32)i8_result;
-            i8_result = i4_top_field_order_cnt
+            i8_result = (WORD64)i4_top_field_order_cnt
                         + ps_seq->i4_ofst_for_top_to_bottom_field
                         + ps_cur_poc->i4_delta_pic_order_cnt[1];
@@ -353,7 +353,7 @@ WORD32 ih264d_decode_pic_order_cnt(UWORD8 u1_is_idr_slice,
         }
         else if(!u1_bottom_field_flag)
         {
-            i8_result = expected_poc
+            i8_result = (WORD64)expected_poc
                         + ps_cur_poc->i4_delta_pic_order_cnt[0];
             if(IS_OUT_OF_RANGE_S32(i8_result))
@@ -362,7 +362,7 @@ WORD32 ih264d_decode_pic_order_cnt(UWORD8 u1_is_idr_slice,
         }
         else
         {
-            i8_result = expected_poc
+            i8_result = (WORD64)expected_poc
                         + ps_seq->i4_ofst_for_top_to_bottom_field
                         + ps_cur_poc->i4_delta_pic_order_cnt[0];
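Review bot: In the -825 hunk the display POC is accumulated in an unsigned `UWORD64 i8_display_poc` although, by their i4_ naming, both operands are signed 32-bit values and the sum can legitimately be negative; a negative `i4_prev_max_display_seq` becomes a value near 2^64 after the cast, and the lower half of IS_OUT_OF_RANGE_S32 then compares an unsigned operand against INT32_MIN, which (depending on how the macro is written) either never fires or fires for ordinary positive sums. The POC hunks of ih264d_utils.c in this same patch (-324 through -362) use a signed `WORD64 i8_result`, so this block should follow them: `WORD64 i8_display_poc;` and `i8_display_poc = (WORD64)ps_dec->i4_prev_max_display_seq +`. The same change applies to the identical block added in the -1638 hunk of ih264d_utils.c, whose later call still recomputes `ps_dec->i4_prev_max_display_seq + i4_poc` in 32-bit and therefore relies on this guard being correct. Resetting the base to 0 on overflow silently restarts the display sequence rather than reporting an error; if that is intentional a one-line comment such as `/* overflow: restart the display sequence base instead of failing the stream */` would make it clear. ih264d_end_of_pic_dispbuf_mgr continues outside the hunk.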
@@ -1638,6 +1638,15 @@ WORD32 ih264d_decode_gaps_in_frame_num(dec_struct_t *ps_dec,
             return ret;
         }
+        {
+            UWORD64 i8_display_poc;
+            i8_display_poc = (UWORD64)ps_dec->i4_prev_max_display_seq +
+                             i4_poc;
+            if(IS_OUT_OF_RANGE_S32(i8_display_poc))
+            {
+                ps_dec->i4_prev_max_display_seq = 0;
+            }
+        }
         ret = ih264d_insert_pic_in_display_list(
                         ps_dec->ps_dpb_mgr, (WORD8) DO_NOT_DISP,
                         (WORD32)(ps_dec->i4_prev_max_display_seq + i4_poc),