From ef27433ca86c4084f0cff3e284f9e799c3fdfbec Mon Sep 17 00:00:00 2001 From: Harish Mahendrakar Date: Mon, 16 Jan 2017 17:10:07 +0530 Subject: [PATCH] Decoder: Fix in checking first_mb_in_slice Also, increment slice header only if previous slice had atleast one MB This is to ensure there is no out of bound read for streams with 1 MB, and due to error 2 slices were being accessed. Bug: 33982658 Change-Id: I5f1918c09e922ca39f495f6059dfea3fa1d49448 --- decoder/ih264d_parse_pslice.c | 14 +++++++++----- decoder/ih264d_parse_slice.c | 3 +-- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/decoder/ih264d_parse_pslice.c b/decoder/ih264d_parse_pslice.c index d6bea99..a33a03f 100644 --- a/decoder/ih264d_parse_pslice.c +++ b/decoder/ih264d_parse_pslice.c @@ -1663,11 +1663,15 @@ WORD32 ih264d_mark_err_slice_skip(dec_struct_t * ps_dec, return 0; } - // Inserting new slice - ps_dec->u2_cur_slice_num++; - ps_dec->i2_prev_slice_mbx = ps_dec->u2_mbx; - ps_dec->i2_prev_slice_mby = ps_dec->u2_mby; - ps_dec->ps_parse_cur_slice++; + /* Inserting new slice only if the current slice has atleast 1 MB*/ + if(ps_dec->ps_parse_cur_slice->u4_first_mb_in_slice < + (UWORD32)(ps_dec->u2_total_mbs_coded >> ps_slice->u1_mbaff_frame_flag)) + { + ps_dec->i2_prev_slice_mbx = ps_dec->u2_mbx; + ps_dec->i2_prev_slice_mby = ps_dec->u2_mby; + ps_dec->u2_cur_slice_num++; + ps_dec->ps_parse_cur_slice++; + } } else diff --git a/decoder/ih264d_parse_slice.c b/decoder/ih264d_parse_slice.c index 054dd62..c0195d7 100644 --- a/decoder/ih264d_parse_slice.c +++ b/decoder/ih264d_parse_slice.c @@ -1070,8 +1070,7 @@ WORD32 ih264d_parse_decode_slice(UWORD8 u1_is_idr_slice, /*we currently don not support ASO*/ if(((u2_first_mb_in_slice << ps_cur_slice->u1_mbaff_frame_flag) - <= ps_dec->u2_cur_mb_addr) && (ps_dec->u2_cur_mb_addr != 0) - && (ps_dec->u4_first_slice_in_pic != 0)) + <= ps_dec->u2_cur_mb_addr) && (ps_dec->u4_first_slice_in_pic == 0)) { return ERROR_CORRUPTED_SLICE; }