Merge "DO NOT MERGE Decoder: Increased allocation and added checks in sei parsing." into mnc-dev

2017-10-31 18:45:31 +00:00 · 2017-10-31 18:45:31 +00:00 · 23e7899124
commit 23e7899124
parent d524ba0310 27e6efc8ec
3 changed files with 13 additions and 5 deletions
--- a/decoder/ih264d_api.c
+++ b/decoder/ih264d_api.c
@ -2290,7 +2290,9 @@ WORD32 ih264d_fill_num_mem_rec(void *pv_api_ip, void *pv_api_op)

    memTab[MEM_REC_BITSBUF].u4_mem_alignment = (128 * 8) / CHAR_BIT;
    memTab[MEM_REC_BITSBUF].e_mem_type = IV_EXTERNAL_CACHEABLE_PERSISTENT_MEM;
-    memTab[MEM_REC_BITSBUF].u4_mem_size = MAX(256000, (luma_width * luma_height * 3 / 2));
+    memTab[MEM_REC_BITSBUF].u4_mem_size = MAX(
+                    256000,
+                    (luma_width * luma_height * 3 / 2)) + EXTRA_BS_OFFSET;

    {

@ -2994,7 +2996,9 @@ WORD32 ih264d_video_decode(iv_obj_t *dec_hdl, void *pv_api_ip, void *pv_api_op)
        /* Ignore bytes beyond the allocated size of intermediate buffer */
        /* Since 8 bytes are read ahead, ensure 8 bytes are free at the
        end of the buffer, which will be memset to 0 after emulation prevention */
-        buflen = MIN(buflen, (WORD32)(ps_dec->ps_mem_tab[MEM_REC_BITSBUF].u4_mem_size - 8));
+        buflen = MIN(buflen,
+                     (WORD32)(ps_dec->ps_mem_tab[MEM_REC_BITSBUF].u4_mem_size
+                                     - 8 - EXTRA_BS_OFFSET));

        bytes_consumed = buflen + u4_length_of_start_code;
        ps_dec_op->u4_num_bytes_consumed += bytes_consumed;
--- a/decoder/ih264d_defs.h
+++ b/decoder/ih264d_defs.h
@ -107,6 +107,9 @@
 /* For 420SP */
 #define YUV420SP_FACTOR 2

+/*To prevent buffer overflow access; in case the size of nal unit is
+ *  greater than the allocated buffer size*/
+#define EXTRA_BS_OFFSET 16*16*2

 /**
 ***************************************************************************
--- a/decoder/ih264d_sei.c
+++ b/decoder/ih264d_sei.c
@ -336,7 +336,7 @@ WORD32 ih264d_parse_sei_message(dec_struct_t *ps_dec,
        ui4_payload_type = 0;

        u4_bits = ih264d_get_bits_h264(ps_bitstrm, 8);
-        while(0xff == u4_bits)
+        while(0xff == u4_bits && !EXCEED_OFFSET(ps_bitstrm))
        {
            u4_bits = ih264d_get_bits_h264(ps_bitstrm, 8);
            ui4_payload_type += 255;
@ -345,7 +345,7 @@ WORD32 ih264d_parse_sei_message(dec_struct_t *ps_dec,

        ui4_payload_size = 0;
        u4_bits = ih264d_get_bits_h264(ps_bitstrm, 8);
-        while(0xff == u4_bits)
+        while(0xff == u4_bits && !EXCEED_OFFSET(ps_bitstrm))
        {
            u4_bits = ih264d_get_bits_h264(ps_bitstrm, 8);
            ui4_payload_size += 255;
@ -370,7 +370,8 @@ WORD32 ih264d_parse_sei_message(dec_struct_t *ps_dec,
            {
                H264_DEC_DEBUG_PRINT("\nError in parsing SEI message");
            }
-            while(0 == ih264d_check_byte_aligned(ps_bitstrm))
+            while(0 == ih264d_check_byte_aligned(ps_bitstrm)
+                            && !EXCEED_OFFSET(ps_bitstrm))
            {
                u4_bits = ih264d_get_bit_h264(ps_bitstrm);
                if(u4_bits)