authorHarish Mahendrakar <harish.mahendrakar@ittiam.com>2019-07-12 17:20:54 -0700
committerRay Essick <essick@google.com>2020-02-12 00:33:33 +0000
commitb09e66fd455a3b8f80b36406d3f270cec9c73f1c (patch)
tree519c71544b39459231730677923da26de382b009
parent3ea8f1d536da8f09f3e663cf173fe4f1b0fe4130 (diff)
Fix integer overflow error in deinterlacer
In the deinterlacer, in a few cases the previous field's pointer was derived using uninitialized strides. This value was never used later. Avoiding the unnecessary pointer increment fixes the integer overflow. Bug: 136697219 Test: poc in bug Change-Id: I79805694aef5c4923cd4459bebbd13462be039ce (cherry picked from commit c8911af17e9bfdf456ea4b5c6d2addd54f938f9c)
-rw-r--r--common/ideint.c15
1 files changed, 10 insertions, 5 deletions
diff --git a/common/ideint.c b/common/ideint.c
index 24e4e72..af6d15e 100644
--- a/common/ideint.c
+++ b/common/ideint.c
@@ -206,7 +206,7 @@ IDEINT_ERROR_T ideint_process(void *pv_ctxt,
for(i = 0; i < num_comp; i++)
{
- UWORD8 *pu1_prv, *pu1_out;
+ UWORD8 *pu1_prv = NULL, *pu1_out;
UWORD8 *pu1_top, *pu1_bot, *pu1_dst;
WORD32 cur_strd, out_strd, dst_strd;
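Review bot: The `NULL` initialiser on `pu1_prv` now acts as a sentinel, but nothing at the declaration says so. The later hunks only assign it when `disable_cac_sad` is 0 and only advance it when it is non-NULL. A short comment on the declaration would keep that contract visible, for example `/* stays NULL when disable_cac_sad is set: previous field is not read */`. The loop body continues outside this hunk.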
@@ -255,14 +255,16 @@ IDEINT_ERROR_T ideint_process(void *pv_ctxt,
{
disable_cac_sad = 1;
}
-
for(row = comp_row_start; row < comp_row_end; row++)
{
pu1_out = ps_out_frm->apu1_buf[i];
pu1_out += (ps_out_frm->ai4_strd[i] * row << 3);
- pu1_prv = ps_prv_fld->apu1_buf[i];
- pu1_prv += (ps_prv_fld->ai4_strd[i] * row << 2);
+ if(0 == disable_cac_sad)
+ {
+ pu1_prv = ps_prv_fld->apu1_buf[i];
+ pu1_prv += (ps_prv_fld->ai4_strd[i] * row << 2);
+ }
if(ps_ctxt->s_params.i4_cur_fld_top)
{
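Review bot: Inside the new `if(0 == disable_cac_sad)` block the offset `ps_prv_fld->ai4_strd[i] * row << 2` is still computed in the stride's integer type before the pointer add. The unguarded `ps_out_frm->ai4_strd[i] * row << 3` two lines above has the same shape. If the strides are 32-bit signed (the `ai4_` prefix and the `WORD32` locals suggest so), a large or unvalidated stride can still overflow there, and this commit only removes the case where the stride was uninitialised. Widening before the multiply would close that, e.g. `pu1_prv += (ptrdiff_t)ps_prv_fld->ai4_strd[i] * row * 4;` with the same treatment for `pu1_out`. Alternatively, range-check the strides where the buffers are accepted. The row loop body continues outside the hunk.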
@@ -408,7 +410,10 @@ IDEINT_ERROR_T ideint_process(void *pv_ctxt,
memcpy(pu1_out + j * out_strd, au1_dst + j * BLK_WD, blk_wd);
}
}
- pu1_prv += 8;
+ if(NULL != pu1_prv)
+ {
+ pu1_prv += 8;
+ }
pu1_top += 8;
pu1_bot += 8;
pu1_out += 8;
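Review bot: The guard `if(NULL != pu1_prv)` tests a different condition from the one that decides whether `pu1_prv` is set in the row loop (`0 == disable_cac_sad`), so one invariant is spelled two ways. Provided `disable_cac_sad` is not modified inside the row loop (not visible here), writing this as `if(0 == disable_cac_sad)` would keep the two sites in step. The code between the assignment and this increment is outside the hunks. Any call there that receives `pu1_prv` now gets NULL rather than a stray pointer when `disable_cac_sad` is set, so it is worth confirming that every such use is behind the same check.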