Decoder: Fixes an out of bound write in bitstream buffer

[for mnc-dr-dev and later; mnc-dev gets a different patch] After emulation prevention, data is written as an int, so at least 3 additional bytes should be available. And since bitstream functions read 8 bytes ahead, 8 extra bytes should be available in the bitstream buffer. Bug: 33934721 Change-Id: I444ec6f85d01b0bade9f827e15c4b476779d6c69
2016-12-23 15:29:14 +05:30 · 2016-12-23 15:29:14 +05:30 · 33ef7de9dd
commit 33ef7de9dd
parent ab0e425406
1 changed files with 3 additions and 1 deletions
--- a/decoder/ih264d_api.c
+++ b/decoder/ih264d_api.c
@ -1956,7 +1956,9 @@ WORD32 ih264d_video_decode(iv_obj_t *dec_hdl, void *pv_api_ip, void *pv_api_op)
        if(buflen == -1)
            buflen = 0;
        /* Ignore bytes beyond the allocated size of intermediate buffer */
-        buflen = MIN(buflen, buf_size);
+        /* Since 8 bytes are read ahead, ensure 8 bytes are free at the
+        end of the buffer, which will be memset to 0 after emulation prevention */
+        buflen = MIN(buflen, buf_size - 8);

        bytes_consumed = buflen + u4_length_of_start_code;
        ps_dec_op->u4_num_bytes_consumed += bytes_consumed;