Merge "Decoder: Fix unsigned integer overflow"
This commit is contained in:
Treehugger Robot
Gerrit Code Review
commit
f7225b7fa5
3 changed files with 52 additions and 50 deletions
|
|
@ -1355,6 +1355,7 @@ WORD32 ih264d_parse_bslice(dec_struct_t * ps_dec, UWORD16 u2_first_mb_in_slice)
|
|||
UWORD32 *pu4_bitstrm_buf = ps_bitstrm->pu4_buffer;
|
||||
UWORD32 *pu4_bitstrm_ofst = &ps_bitstrm->u4_ofst;
|
||||
|
||||
UWORD64 u8_ref_idx_l0, u8_ref_idx_l1;
|
||||
UWORD32 u4_temp, ui_temp1;
|
||||
WORD32 i_temp;
|
||||
WORD32 ret;
|
||||
|
|
@ -1381,31 +1382,31 @@ WORD32 ih264d_parse_bslice(dec_struct_t * ps_dec, UWORD16 u2_first_mb_in_slice)
|
|||
COPYTHECONTEXT("SH: num_ref_idx_override_flag",
|
||||
ps_slice->u1_num_ref_idx_active_override_flag);
|
||||
|
||||
u4_temp = ps_dec->ps_cur_pps->u1_num_ref_idx_lx_active[0];
|
||||
ui_temp1 = ps_dec->ps_cur_pps->u1_num_ref_idx_lx_active[1];
|
||||
u8_ref_idx_l0 = ps_dec->ps_cur_pps->u1_num_ref_idx_lx_active[0];
|
||||
u8_ref_idx_l1 = ps_dec->ps_cur_pps->u1_num_ref_idx_lx_active[1];
|
||||
if(ps_slice->u1_num_ref_idx_active_override_flag)
|
||||
{
|
||||
u4_temp = 1 + ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
|
||||
u8_ref_idx_l0 = (UWORD64)1 + ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
|
||||
COPYTHECONTEXT("SH: num_ref_idx_l0_active_minus1",
|
||||
u4_temp - 1);
|
||||
ui_temp1 = 1 + ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
|
||||
u8_ref_idx_l0 - 1);
|
||||
|
||||
u8_ref_idx_l1 = (UWORD64)1 + ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
|
||||
COPYTHECONTEXT("SH: num_ref_idx_l1_active_minus1",
|
||||
ui_temp1 - 1);
|
||||
u8_ref_idx_l1 - 1);
|
||||
}
|
||||
|
||||
{
|
||||
UWORD8 u1_max_ref_idx = MAX_FRAMES;
|
||||
UWORD8 u1_max_ref_idx = H264_MAX_REF_PICS;
|
||||
if(ps_slice->u1_field_pic_flag)
|
||||
{
|
||||
u1_max_ref_idx = MAX_FRAMES << 1;
|
||||
u1_max_ref_idx = H264_MAX_REF_PICS << 1;
|
||||
}
|
||||
if((u4_temp > u1_max_ref_idx) || (ui_temp1 > u1_max_ref_idx)
|
||||
|| (u4_temp < 1) || (ui_temp1 < 1))
|
||||
if((u8_ref_idx_l0 > u1_max_ref_idx) || (u8_ref_idx_l1 > u1_max_ref_idx))
|
||||
{
|
||||
return ERROR_NUM_REF;
|
||||
}
|
||||
ps_slice->u1_num_ref_idx_lx_active[0] = u4_temp;
|
||||
ps_slice->u1_num_ref_idx_lx_active[1] = ui_temp1;
|
||||
ps_slice->u1_num_ref_idx_lx_active[0] = u8_ref_idx_l0;
|
||||
ps_slice->u1_num_ref_idx_lx_active[1] = u8_ref_idx_l1;
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -276,6 +276,7 @@ WORD32 ih264d_parse_pps(dec_struct_t * ps_dec, dec_bit_stream_t * ps_bitstrm)
|
|||
UWORD32 *pu4_bitstrm_ofst = &ps_dec->ps_bitstrm->u4_ofst;
|
||||
|
||||
/* Variables used for error resilience checks */
|
||||
UWORD64 u8_temp;
|
||||
UWORD32 u4_temp;
|
||||
WORD32 i_temp;
|
||||
|
||||
|
|
@ -328,30 +329,28 @@ WORD32 ih264d_parse_pps(dec_struct_t * ps_dec, dec_bit_stream_t * ps_bitstrm)
|
|||
/*--------------------------------------------------------------------*/
|
||||
/* Decode num_slice_groups_minus1 */
|
||||
/*--------------------------------------------------------------------*/
|
||||
u4_temp = ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf) + 1;
|
||||
if(u4_temp != 1)
|
||||
u8_temp = ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf) + (UWORD64)1;
|
||||
if(u8_temp != 1)
|
||||
{
|
||||
UWORD32 i4_error_code;
|
||||
i4_error_code = ERROR_FEATURE_UNAVAIL;
|
||||
return i4_error_code;
|
||||
return ERROR_FEATURE_UNAVAIL;
|
||||
}
|
||||
ps_pps->u1_num_slice_groups = u4_temp;
|
||||
ps_pps->u1_num_slice_groups = u8_temp;
|
||||
COPYTHECONTEXT("PPS: num_slice_groups_minus1",ps_pps->u1_num_slice_groups -1);
|
||||
|
||||
/*--------------------------------------------------------------------*/
|
||||
/* Other parameter set values */
|
||||
/*--------------------------------------------------------------------*/
|
||||
u4_temp = 1 + ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
|
||||
if(u4_temp > H264_MAX_REF_IDX)
|
||||
u8_temp = (UWORD64)1 + ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
|
||||
if(u8_temp > H264_MAX_REF_IDX)
|
||||
return ERROR_REF_IDX;
|
||||
ps_pps->u1_num_ref_idx_lx_active[0] = u4_temp;
|
||||
ps_pps->u1_num_ref_idx_lx_active[0] = u8_temp;
|
||||
COPYTHECONTEXT("PPS: num_ref_idx_l0_active_minus1",
|
||||
ps_pps->u1_num_ref_idx_lx_active[0] - 1);
|
||||
|
||||
u4_temp = 1 + ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
|
||||
if(u4_temp > H264_MAX_REF_IDX)
|
||||
u8_temp = (UWORD64)1 + ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
|
||||
if(u8_temp > H264_MAX_REF_IDX)
|
||||
return ERROR_REF_IDX;
|
||||
ps_pps->u1_num_ref_idx_lx_active[1] = u4_temp;
|
||||
ps_pps->u1_num_ref_idx_lx_active[1] = u8_temp;
|
||||
COPYTHECONTEXT("PPS: num_ref_idx_l1_active_minus1",
|
||||
ps_pps->u1_num_ref_idx_lx_active[1] - 1);
|
||||
|
||||
|
|
@ -579,6 +578,7 @@ WORD32 ih264d_parse_sps(dec_struct_t *ps_dec, dec_bit_stream_t *ps_bitstrm)
|
|||
UWORD8 u1_frm, uc_constraint_set0_flag, uc_constraint_set1_flag;
|
||||
WORD32 i4_cropped_ht, i4_cropped_wd;
|
||||
UWORD32 u4_temp;
|
||||
UWORD64 u8_temp;
|
||||
UWORD32 u4_pic_height_in_map_units, u4_pic_width_in_mbs;
|
||||
UWORD32 u2_pic_wd = 0;
|
||||
UWORD32 u2_pic_ht = 0;
|
||||
|
|
@ -773,12 +773,12 @@ WORD32 ih264d_parse_sps(dec_struct_t *ps_dec, dec_bit_stream_t *ps_bitstrm)
|
|||
/*--------------------------------------------------------------------*/
|
||||
/* Decode MaxFrameNum */
|
||||
/*--------------------------------------------------------------------*/
|
||||
u4_temp = 4 + ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
|
||||
if(u4_temp > MAX_BITS_IN_FRAME_NUM)
|
||||
u8_temp = (UWORD64)4 + ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
|
||||
if(u8_temp > MAX_BITS_IN_FRAME_NUM)
|
||||
{
|
||||
return ERROR_INV_SPS_PPS_T;
|
||||
}
|
||||
ps_seq->u1_bits_in_frm_num = u4_temp;
|
||||
ps_seq->u1_bits_in_frm_num = u8_temp;
|
||||
COPYTHECONTEXT("SPS: log2_max_frame_num_minus4",
|
||||
(ps_seq->u1_bits_in_frm_num - 4));
|
||||
|
||||
|
|
@ -799,14 +799,14 @@ WORD32 ih264d_parse_sps(dec_struct_t *ps_dec, dec_bit_stream_t *ps_bitstrm)
|
|||
ps_seq->u1_num_ref_frames_in_pic_order_cnt_cycle = 1;
|
||||
if(ps_seq->u1_pic_order_cnt_type == 0)
|
||||
{
|
||||
u4_temp = 4 + ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
|
||||
if(u4_temp > MAX_BITS_IN_POC_LSB)
|
||||
u8_temp = (UWORD64)4 + ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
|
||||
if(u8_temp > MAX_BITS_IN_POC_LSB)
|
||||
{
|
||||
return ERROR_INV_SPS_PPS_T;
|
||||
}
|
||||
ps_seq->u1_log2_max_pic_order_cnt_lsb_minus = u4_temp;
|
||||
ps_seq->i4_max_pic_order_cntLsb = (1 << u4_temp);
|
||||
COPYTHECONTEXT("SPS: log2_max_pic_order_cnt_lsb_minus4",(u4_temp - 4));
|
||||
ps_seq->u1_log2_max_pic_order_cnt_lsb_minus = u8_temp;
|
||||
ps_seq->i4_max_pic_order_cntLsb = (1 << u8_temp);
|
||||
COPYTHECONTEXT("SPS: log2_max_pic_order_cnt_lsb_minus4",(u8_temp - 4));
|
||||
}
|
||||
else if(ps_seq->u1_pic_order_cnt_type == 1)
|
||||
{
|
||||
|
|
@ -866,20 +866,23 @@ WORD32 ih264d_parse_sps(dec_struct_t *ps_dec, dec_bit_stream_t *ps_bitstrm)
|
|||
/*--------------------------------------------------------------------*/
|
||||
/* Decode FrameWidth and FrameHeight and related values */
|
||||
/*--------------------------------------------------------------------*/
|
||||
u4_pic_width_in_mbs = 1
|
||||
+ ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
|
||||
COPYTHECONTEXT("SPS: pic_width_in_mbs_minus1",
|
||||
u4_pic_width_in_mbs - 1);
|
||||
|
||||
u4_pic_height_in_map_units = 1 + ih264d_uev(pu4_bitstrm_ofst,
|
||||
pu4_bitstrm_buf);
|
||||
|
||||
u8_temp = (UWORD64)1 + ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
|
||||
/* Check for unsupported resolutions*/
|
||||
if((u4_pic_width_in_mbs > (H264_MAX_FRAME_WIDTH >> 4)) ||
|
||||
(u4_pic_height_in_map_units > (H264_MAX_FRAME_HEIGHT >> 4)))
|
||||
if(u8_temp > (H264_MAX_FRAME_WIDTH >> 4))
|
||||
{
|
||||
return IVD_STREAM_WIDTH_HEIGHT_NOT_SUPPORTED;
|
||||
}
|
||||
u4_pic_width_in_mbs = u8_temp;
|
||||
COPYTHECONTEXT("SPS: pic_width_in_mbs_minus1",
|
||||
u4_pic_width_in_mbs - 1);
|
||||
|
||||
u8_temp = (UWORD64)1 + ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
|
||||
if (u8_temp > (H264_MAX_FRAME_HEIGHT >> 4))
|
||||
{
|
||||
return IVD_STREAM_WIDTH_HEIGHT_NOT_SUPPORTED;
|
||||
}
|
||||
u4_pic_height_in_map_units = u8_temp;
|
||||
|
||||
ps_seq->u2_frm_wd_in_mbs = u4_pic_width_in_mbs;
|
||||
ps_seq->u2_frm_ht_in_mbs = u4_pic_height_in_map_units;
|
||||
|
||||
|
|
|
|||
|
|
@ -1927,6 +1927,7 @@ WORD32 ih264d_parse_pslice(dec_struct_t *ps_dec, UWORD16 u2_first_mb_in_slice)
|
|||
UWORD8 u1_mbaff = ps_dec->ps_cur_slice->u1_mbaff_frame_flag; //ps_dec->ps_cur_sps->u1_mb_aff_flag;
|
||||
UWORD8 u1_field_pic_flag = ps_cur_slice->u1_field_pic_flag;
|
||||
|
||||
UWORD64 u8_ref_idx_l0;
|
||||
UWORD32 u4_temp;
|
||||
WORD32 i_temp;
|
||||
WORD32 ret;
|
||||
|
|
@ -1955,22 +1956,19 @@ WORD32 ih264d_parse_pslice(dec_struct_t *ps_dec, UWORD16 u2_first_mb_in_slice)
|
|||
COPYTHECONTEXT("SH: num_ref_idx_override_flag",
|
||||
ps_cur_slice->u1_num_ref_idx_active_override_flag);
|
||||
|
||||
u4_temp = ps_dec->ps_cur_pps->u1_num_ref_idx_lx_active[0];
|
||||
u8_ref_idx_l0 = ps_dec->ps_cur_pps->u1_num_ref_idx_lx_active[0];
|
||||
if(ps_cur_slice->u1_num_ref_idx_active_override_flag)
|
||||
{
|
||||
u4_temp = ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf) + 1;
|
||||
u8_ref_idx_l0 = ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf) + (UWORD64)1;
|
||||
}
|
||||
|
||||
{
|
||||
|
||||
|
||||
|
||||
UWORD8 u1_max_ref_idx = MAX_FRAMES << u1_field_pic_flag;
|
||||
if(u4_temp > u1_max_ref_idx || u4_temp < 1)
|
||||
UWORD8 u1_max_ref_idx = H264_MAX_REF_PICS << u1_field_pic_flag;
|
||||
if(u8_ref_idx_l0 > u1_max_ref_idx)
|
||||
{
|
||||
return ERROR_NUM_REF;
|
||||
}
|
||||
ps_cur_slice->u1_num_ref_idx_lx_active[0] = u4_temp;
|
||||
ps_cur_slice->u1_num_ref_idx_lx_active[0] = u8_ref_idx_l0;
|
||||
COPYTHECONTEXT("SH: num_ref_idx_l0_active_minus1",
|
||||
ps_cur_slice->u1_num_ref_idx_lx_active[0] - 1);
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue