wrapper/libavc
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix stack buffer overflow in ih264d_process_intra_mb

Browse source 
Aligned the sizes of au1_ngbr_pels to ensure SSE42 functions do not
result in stack buffer overflow

Bug: 36490809

Change-Id: I0bfe493f94647046013759b3ec9db3c627ac471e
This commit is contained in:
Harish Mahendrakar 2016-04-18 16:38:54 +05:30 committed by Marco Nelissen
parent 0015860fdc
commit f69e34419b
1 changed files with 9 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

12
decoder/ih264d_process_intra_mb.c
View file

@ -930,7 +930,9 @@ WORD32 ih264d_process_intra_mb(dec_struct_t * ps_dec,
}
}
{
UWORD8 au1_ngbr_pels[33];
/* Align the size to multiple of 8, so that SIMD functions
can read 64 bits at a time. Only 33 bytes are actaully used */
UWORD8 au1_ngbr_pels[40];
/* Get neighbour pixels */
/* left pels */
if(u2_use_left_mb)
@ -1175,7 +1177,9 @@ WORD32 ih264d_process_intra_mb(dec_struct_t * ps_dec,
/* Scan the sub-blocks in Raster Scan Order */
for(u1_sub_mb_num = 0; u1_sub_mb_num < 16; u1_sub_mb_num++)
{
UWORD8 au1_ngbr_pels[13];
/* Align the size to multiple of 8, so that SIMD functions
can read 64 bits at a time. Only 13 bytes are actaully used */
UWORD8 au1_ngbr_pels[16];
u1_sub_blk_x = u1_sub_mb_num & 0x3;
u1_sub_blk_y = u1_sub_mb_num >> 2;
@ -1664,7 +1668,9 @@ WORD32 ih264d_process_intra_mb(dec_struct_t * ps_dec,
}
{
UWORD8 au1_ngbr_pels[25];
/* Align the size to multiple of 8, so that SIMD functions
can read 64 bits at a time. Only 25 bytes are actaully used */
UWORD8 au1_ngbr_pels[32];
WORD32 ngbr_avail;
ngbr_avail = u1_is_left_sub_block << 0;
ngbr_avail |= u1_is_top_sub_block << 2;