Decoder: Fix in checking first_mb_in_slice

Also, increment slice header only if previous slice had atleast one MB This is to ensure there is no out of bound read for streams with 1 MB, and due to error 2 slices were being accessed. Bug: 33982658 Change-Id: I5f1918c09e922ca39f495f6059dfea3fa1d49448
2017-01-16 17:10:07 +05:30 · 2017-01-16 17:10:07 +05:30 · ef27433ca8
commit ef27433ca8
parent c4f317b873
2 changed files with 10 additions and 7 deletions
--- a/decoder/ih264d_parse_pslice.c
+++ b/decoder/ih264d_parse_pslice.c
@ -1663,11 +1663,15 @@ WORD32 ih264d_mark_err_slice_skip(dec_struct_t * ps_dec,
                return 0;
            }

-            // Inserting new slice
-            ps_dec->u2_cur_slice_num++;
-             ps_dec->i2_prev_slice_mbx = ps_dec->u2_mbx;
-            ps_dec->i2_prev_slice_mby = ps_dec->u2_mby;
-            ps_dec->ps_parse_cur_slice++;
+            /* Inserting new slice only if the current slice has atleast 1 MB*/
+            if(ps_dec->ps_parse_cur_slice->u4_first_mb_in_slice <
+                    (UWORD32)(ps_dec->u2_total_mbs_coded >> ps_slice->u1_mbaff_frame_flag))
+            {
+                ps_dec->i2_prev_slice_mbx = ps_dec->u2_mbx;
+                ps_dec->i2_prev_slice_mby = ps_dec->u2_mby;
+                ps_dec->u2_cur_slice_num++;
+                ps_dec->ps_parse_cur_slice++;
+            }

        }
        else
--- a/decoder/ih264d_parse_slice.c
+++ b/decoder/ih264d_parse_slice.c
@ -1070,8 +1070,7 @@ WORD32 ih264d_parse_decode_slice(UWORD8 u1_is_idr_slice,

    /*we currently don not support ASO*/
    if(((u2_first_mb_in_slice << ps_cur_slice->u1_mbaff_frame_flag)
-                    <= ps_dec->u2_cur_mb_addr) && (ps_dec->u2_cur_mb_addr != 0)
-                    && (ps_dec->u4_first_slice_in_pic != 0))
+                    <= ps_dec->u2_cur_mb_addr) && (ps_dec->u4_first_slice_in_pic == 0))
    {
        return ERROR_CORRUPTED_SLICE;
    }