From 4040554b374f3605e65fcd00b6128885700f8cd5 Mon Sep 17 00:00:00 2001
From: Naveen Kumar P
Date: Wed, 5 Apr 2017 10:31:08 +0530
Subject: DO NOT MERGE Check for cpb cnt in hrd parsing

Bug: 34896431
The arrays in hrd are of size MAX_CPB_CNT. If cpb cnt is more than MAX_CPB_CNT, more data is parsed and the subsequent buffer is corrupted.
Change-Id: I74c01b8c7142b67a358eb5e36b160a7fbf2b69e4
---
 common/ihevc_defs.h | 2 +-
 decoder/ihevcd_parse_headers.c | 17 +++++++++++++----
 2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/common/ihevc_defs.h b/common/ihevc_defs.h
index 7f58121..c18ff03 100644
--- a/common/ihevc_defs.h
+++ b/common/ihevc_defs.h
@@ -454,6 +454,6 @@ enum
 */
 #define INTRA_PRED_CHROMA_IDX_NONE 7
-
+#define MAX_CPB_CNT 32
 #endif /*__IHEVC_DEFS_H_*/
diff --git a/decoder/ihevcd_parse_headers.c b/decoder/ihevcd_parse_headers.c
index 707263c..008be63 100644
--- a/decoder/ihevcd_parse_headers.c
+++ b/decoder/ihevcd_parse_headers.c
@@ -644,6 +644,9 @@ static WORD32 ihevcd_parse_hrd_parameters(bitstrm_t *ps_bitstrm,
 if(!ps_hrd->au1_low_delay_hrd_flag[i])
 UEV_PARSE("cpb_cnt_minus1[ i ]", ps_hrd->au1_cpb_cnt_minus1[i], ps_bitstrm);
+ if(ps_hrd->au1_cpb_cnt_minus1[i] >= (MAX_CPB_CNT - 1))
+ return IHEVCD_INVALID_PARAMETER;
+
 if(ps_hrd->u1_nal_hrd_parameters_present_flag)
 ihevcd_parse_sub_layer_hrd_parameters(ps_bitstrm,
 &ps_hrd->as_sub_layer_hrd_params[i],
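Review bot: `MAX_CPB_CNT` is added without a comment, directly below the comment block and define for `INTRA_PRED_CHROMA_IDX_NONE`, so nothing at the definition says that it bounds the HRD arrays or where the value 32 comes from. I would put `/* Upper bound on CPB entries stored per sub-layer in the HRD arrays; cpb_cnt_minus1 + 1 from the bitstream must not exceed it */` above it and keep the blank line before `#endif`. The commit message says the arrays are already of size MAX_CPB_CNT, so it is worth confirming that the name is not also defined in another header, since two definitions could drift apart.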
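Review bot: The new range check reads `ps_hrd->au1_cpb_cnt_minus1[i]` only after `UEV_PARSE` has stored into it, so it tests the narrowed array element rather than the decoded ue(v) value. If that element is one byte wide, as the `au1_` prefix suggests, an oversized code can wrap to a small number and be accepted, and a value that is rejected still stays in the structure after the early return. Parsing into a wide local inside a braced body of the flag test and narrowing only after the check avoids both, with `if(value >= (MAX_CPB_CNT - 1)) return IHEVCD_INVALID_PARAMETER;` followed by `ps_hrd->au1_cpb_cnt_minus1[i] = value;` (`value` is a placeholder name for that local). The `>=` also rejects a count of exactly MAX_CPB_CNT, which the commit message says the arrays can hold, so confirm that the stricter bound is intended. The loop body of ihevcd_parse_hrd_parameters starts and ends outside this hunk.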
@@ -742,7 +745,10 @@ static WORD32 ihevcd_parse_vui_parameters(bitstrm_t *ps_bitstrm,
 BITS_PARSE("vui_hrd_parameters_present_flag", ps_vui->u1_vui_hrd_parameters_present_flag, ps_bitstrm, 1);
 if(ps_vui->u1_vui_hrd_parameters_present_flag)
- ihevcd_parse_hrd_parameters(ps_bitstrm, &ps_vui->s_vui_hrd_parameters, 1, sps_max_sub_layers_minus1);
+ {
+ ret = ihevcd_parse_hrd_parameters(ps_bitstrm, &ps_vui->s_vui_hrd_parameters, 1, sps_max_sub_layers_minus1);
+ RETURN_IF((ret != (IHEVCD_ERROR_T)IHEVCD_SUCCESS), ret);
+ }
 }
 BITS_PARSE("bitstream_restriction_flag", ps_vui->u1_bitstream_restriction_flag, ps_bitstrm, 1);
@@ -1464,9 +1470,12 @@ IHEVCD_ERROR_T ihevcd_parse_sps(codec_t *ps_codec)
 ps_sps->i1_vui_parameters_present_flag = value;
 if(ps_sps->i1_vui_parameters_present_flag)
- ihevcd_parse_vui_parameters(ps_bitstrm,
- &ps_sps->s_vui_parameters,
- ps_sps->i1_sps_max_sub_layers - 1);
+ {
+ ret = ihevcd_parse_vui_parameters(ps_bitstrm,
+ &ps_sps->s_vui_parameters,
+ ps_sps->i1_sps_max_sub_layers - 1);
+ RETURN_IF((ret != (IHEVCD_ERROR_T)IHEVCD_SUCCESS), ret);
+ }
 BITS_PARSE("sps_extension_flag", value, ps_bitstrm, 1);
--
cgit v1.2.3
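Review bot: Both early returns added here (the `RETURN_IF` in ihevcd_parse_vui_parameters and the one in ihevcd_parse_sps in the following hunk) exit with the present flags already set to 1 and `s_vui_hrd_parameters` only partly filled, including the out-of-range `cpb_cnt_minus1` that caused the error. Whether the SPS being parsed is a scratch copy or a live entry is decided outside these hunks, so confirm that a failed parse can never leave this structure selectable by a later slice. If that is not guaranteed, clearing the flag before returning, e.g. `ps_vui->u1_vui_hrd_parameters_present_flag = 0;`, would keep later readers away from the half-parsed HRD data. `ret` is declared outside both hunks, and a line in each function's header comment saying that it can now return IHEVCD_INVALID_PARAMETER would help callers.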