From 208c74d62a3e1039dc87818306e057877760fbaa Mon Sep 17 00:00:00 2001
From: Hamsalekha S <hamsalekha.s@ittiam.com>
Date: Fri, 8 Sep 2017 14:22:22 +0530
Subject: [PATCH] Decoder: Updated error check while parsing
 num_ref_idx_lx_active.

Added an error check on the lower limit of u1_num_ref_idx_lx_active,
while parsing slice header. The minimum possible value is 1.

Bug: 64836894

Change-Id: I57056851fc135ed00f7a10af5c81eb560e9e12de
---
 decoder/ih264d_parse_bslice.c | 3 ++-
 decoder/ih264d_parse_pslice.c | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/decoder/ih264d_parse_bslice.c b/decoder/ih264d_parse_bslice.c
index 443dec2..f2a1b01 100644
--- a/decoder/ih264d_parse_bslice.c
+++ b/decoder/ih264d_parse_bslice.c
@@ -1398,7 +1398,8 @@ WORD32 ih264d_parse_bslice(dec_struct_t * ps_dec, UWORD16 u2_first_mb_in_slice)
         {
             u1_max_ref_idx = MAX_FRAMES << 1;
         }
-        if((u4_temp > u1_max_ref_idx) || (ui_temp1 > u1_max_ref_idx))
+        if((u4_temp > u1_max_ref_idx) || (ui_temp1 > u1_max_ref_idx)
+                        || (u4_temp < 1) || (ui_temp1 < 1))
         {
             return ERROR_NUM_REF;
         }
diff --git a/decoder/ih264d_parse_pslice.c b/decoder/ih264d_parse_pslice.c
index db71b6a..c6ce916 100644
--- a/decoder/ih264d_parse_pslice.c
+++ b/decoder/ih264d_parse_pslice.c
@@ -1957,7 +1957,7 @@ WORD32 ih264d_parse_pslice(dec_struct_t *ps_dec, UWORD16 u2_first_mb_in_slice)
 
 
         UWORD8 u1_max_ref_idx = MAX_FRAMES << u1_field_pic_flag;
-        if(u4_temp > u1_max_ref_idx)
+        if(u4_temp > u1_max_ref_idx || u4_temp < 1)
         {
             return ERROR_NUM_REF;
         }