From 7dcf82ada45d3dfb6e0d77a066c619bb3a411238 Mon Sep 17 00:00:00 2001
From: Harish Mahendrakar
Date: Thu, 19 Dec 2019 14:37:45 -0800
Subject: decoder: Fix integer overflow while parsing num_long_term_pics

Bug: 143826590
Test: poc in bug
Change-Id: I190a8e27a400f686cba88edd5c8721404e53b9cb
---
 decoder/ihevcd_parse_slice_header.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/decoder/ihevcd_parse_slice_header.c b/decoder/ihevcd_parse_slice_header.c
index c161fc4..46f2f5f 100644
--- a/decoder/ihevcd_parse_slice_header.c
+++ b/decoder/ihevcd_parse_slice_header.c
@@ -471,7 +471,8 @@ IHEVCD_ERROR_T ihevcd_parse_slice_header(codec_t *ps_codec,
 ps_slice_hdr->i1_num_long_term_sps = value;
 }
 UEV_PARSE("num_long_term_pics", value, ps_bitstrm);
- if((value + ps_slice_hdr->i1_num_long_term_sps + num_neg_pics + num_pos_pics) > (MAX_DPB_SIZE - 1))
+ if(((ULWORD64)value + ps_slice_hdr->i1_num_long_term_sps + num_neg_pics +
+ num_pos_pics) > (MAX_DPB_SIZE - 1))
 {
 return IHEVCD_INVALID_PARAMETER;
 }
@@ -487,6 +488,10 @@ IHEVCD_ERROR_T ihevcd_parse_slice_header(codec_t *ps_codec,
 {
 WORD32 num_bits = 32 - CLZ(ps_sps->i1_num_long_term_ref_pics_sps - 1);
 BITS_PARSE("lt_idx_sps[ i ]", value, ps_bitstrm, num_bits);
+ if(value >= ps_sps->i1_num_long_term_ref_pics_sps)
+ {
+ return IHEVCD_INVALID_PARAMETER;
+ }
 }
 else
 {
--
cgit v1.2.3
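Review bot: The widened comparison in the first hunk still bounds only the sum of the four counts, so `value` is never checked on its own. The context line `ps_slice_hdr->i1_num_long_term_sps = value;` stores an earlier parsed value into what the `i1_` prefix suggests is a signed 8-bit field (its declaration and any range check on it are outside the hunk); if that field can be negative, it wraps when promoted to `ULWORD64` and can offset a large `value`, letting the sum pass. Rejecting the operand first closes that gap: `if((ULWORD64)value > (MAX_DPB_SIZE - 1)) return IHEVCD_INVALID_PARAMETER;`. A short comment such as `/* widen before adding: value is read straight from the bitstream */` would also record why the cast is there. The function body starts and ends outside the hunk.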
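Review bot: The new bound on `lt_idx_sps` in the second hunk carries no comment saying what range is valid, even though `num_bits` can encode values at or above the SPS count whenever that count is not a power of two. A one-line comment above the check would make the intent clear, e.g. `/* lt_idx_sps must be below i1_num_long_term_ref_pics_sps; num_bits alone allows larger values */`. The check is upper-bound only, so it relies on `value` being non-negative after `BITS_PARSE`; the type of `value` is declared outside the hunk and is worth confirming. The enclosing block continues past the hunk.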