diff options
| author | Harish Mahendrakar <harish.mahendrakar@ittiam.com> | 2019-12-19 14:37:45 -0800 |
|---|---|---|
| committer | Ray Essick <essick@google.com> | 2020-02-11 16:23:38 -0800 |
| commit | 7dcf82ada45d3dfb6e0d77a066c619bb3a411238 (patch) | |
| tree | 633f17b121edc68a6e8ba1455e35ecc31f2fb20d | |
| parent | 75d1ac1026539f82a299ef6cea2b59150098ddbb (diff) | |
| download | libhevc-7dcf82ada45d3dfb6e0d77a066c619bb3a411238.tar.gz | |
decoder: Fix integer overflow while parsing num_long_term_pics
Bug: 143826590
Test: poc in bug
Change-Id: I190a8e27a400f686cba88edd5c8721404e53b9cb
| -rw-r--r-- | decoder/ihevcd_parse_slice_header.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/decoder/ihevcd_parse_slice_header.c b/decoder/ihevcd_parse_slice_header.c index c161fc4..46f2f5f 100644 --- a/decoder/ihevcd_parse_slice_header.c +++ b/decoder/ihevcd_parse_slice_header.c @@ -471,7 +471,8 @@ IHEVCD_ERROR_T ihevcd_parse_slice_header(codec_t *ps_codec, ps_slice_hdr->i1_num_long_term_sps = value; } UEV_PARSE("num_long_term_pics", value, ps_bitstrm); - if((value + ps_slice_hdr->i1_num_long_term_sps + num_neg_pics + num_pos_pics) > (MAX_DPB_SIZE - 1)) + if(((ULWORD64)value + ps_slice_hdr->i1_num_long_term_sps + num_neg_pics + + num_pos_pics) > (MAX_DPB_SIZE - 1)) { return IHEVCD_INVALID_PARAMETER; } @@ -487,6 +488,10 @@ IHEVCD_ERROR_T ihevcd_parse_slice_header(codec_t *ps_codec, { WORD32 num_bits = 32 - CLZ(ps_sps->i1_num_long_term_ref_pics_sps - 1); BITS_PARSE("lt_idx_sps[ i ]", value, ps_bitstrm, num_bits); + if(value >= ps_sps->i1_num_long_term_ref_pics_sps) + { + return IHEVCD_INVALID_PARAMETER; + } } else { |