author | Harish Mahendrakar <harish.mahendrakar@ittiam.com> | 2016-01-07 22:34:46 +0000 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2016-01-07 22:34:46 +0000 |
commit | 30f52764023ae9bffb6834c1754a6b622d224dfa (patch) | |
tree | fc53e35ae898b83412abf0aa96253e073cf51439 | |
parent | 773383e1f969899a37cd9faafd1dfdb0b80e71e6 (diff) | |
parent | 3997a42818c08bfad4ddf8ed147c099f1f94c166 (diff) | |
Fixed bit stream access to make sure that it is not read beyond the allocated size. am: ffab15eb80
am: 3997a42818
* commit '3997a42818c08bfad4ddf8ed147c099f1f94c166':
Fixed bit stream access to make sure that it is not read beyond the allocated size.
-rw-r--r-- | decoder/impeg2d_bitstream.c | 13 | ||||
-rw-r--r-- | decoder/impeg2d_d_pic.c | 3 | ||||
-rw-r--r-- | decoder/impeg2d_dec_hdr.c | 27 | ||||
-rw-r--r-- | decoder/impeg2d_pic_proc.c | 3 |
4 files changed, 31 insertions, 15 deletions
diff --git a/decoder/impeg2d_bitstream.c b/decoder/impeg2d_bitstream.c index 92d3785..b67161d 100644 --- a/decoder/impeg2d_bitstream.c +++ b/decoder/impeg2d_bitstream.c @@ -164,9 +164,12 @@ INLINE UWORD8 impeg2d_bit_stream_get_bit(stream_t *ps_stream) if (u4_curr_bit == 31) { ps_stream->u4_buf = ps_stream->u4_buf_nxt; - u4_temp = *(ps_stream->pu4_buf_aligned)++; - CONV_LE_TO_BE(ps_stream->u4_buf_nxt,u4_temp) + if (ps_stream->u4_offset < ps_stream->u4_max_offset) + { + u4_temp = *(ps_stream->pu4_buf_aligned)++; + CONV_LE_TO_BE(ps_stream->u4_buf_nxt,u4_temp) + } } ps_stream->u4_offset = u4_offset; @@ -189,7 +192,11 @@ INLINE void impeg2d_bit_stream_flush(void* pv_ctxt, UWORD32 u4_no_of_bits) { stream_t *ps_stream = (stream_t *)pv_ctxt; - FLUSH_BITS(ps_stream->u4_offset,ps_stream->u4_buf,ps_stream->u4_buf_nxt,u4_no_of_bits,ps_stream->pu4_buf_aligned) + + if (ps_stream->u4_offset < ps_stream->u4_max_offset) + { + FLUSH_BITS(ps_stream->u4_offset,ps_stream->u4_buf,ps_stream->u4_buf_nxt,u4_no_of_bits,ps_stream->pu4_buf_aligned) + } return; } /****************************************************************************** diff --git a/decoder/impeg2d_d_pic.c b/decoder/impeg2d_d_pic.c index 6fcf1f4..23c393f 100644 --- a/decoder/impeg2d_d_pic.c +++ b/decoder/impeg2d_d_pic.c @@ -172,7 +172,8 @@ IMPEG2D_ERROR_CODES_T impeg2d_dec_d_slice(dec_state_t *ps_dec) /*------------------------------------------------------------------*/ /* Discard the Macroblock stuffing in case of MPEG-1 stream */ /*------------------------------------------------------------------*/ - while(impeg2d_bit_stream_nxt(ps_stream,MB_STUFFING_CODE_LEN) == MB_STUFFING_CODE) + while(impeg2d_bit_stream_nxt(ps_stream,MB_STUFFING_CODE_LEN) == MB_STUFFING_CODE && + ps_stream->u4_offset < ps_stream->u4_max_offset) impeg2d_bit_stream_flush(ps_stream,MB_STUFFING_CODE_LEN); /*------------------------------------------------------------------*/ 
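Review bot: The new guard in impeg2d_bit_stream_get_bit tests `ps_stream->u4_offset` before the context line `ps_stream->u4_offset = u4_offset;` has stored the advanced position, so the comparison appears to run one bit behind; if the local `u4_offset` already holds the new position at that point, `if (u4_offset < ps_stream->u4_max_offset)` would be the tighter test. The guard also compares a bit position, while the guarded statement dereferences the word pointer `pu4_buf_aligned`, which feeds `u4_buf_nxt` and so points ahead of the word the offset is in. Whether `offset < max_offset` keeps that word inside the allocation depends on how `u4_max_offset` and any buffer padding are set up, which this diff does not show. When the guard fails, `u4_buf_nxt` keeps its previous contents and the decoder silently re-reads the last word; a comment saying so, or `ps_stream->u4_buf_nxt = 0;` in an else branch, would make end-of-stream behaviour deterministic. The function body starts and ends outside the hunk.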
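Review bot: impeg2d_bit_stream_flush now returns without advancing `u4_offset` once the end of the buffer is reached, and nothing tells the caller the flush was skipped. Every loop that flushes until the stream content changes must therefore test the offset itself, or it will not terminate on truncated input. That contract deserves a comment on the function, e.g. `/* No-op once u4_offset >= u4_max_offset: callers that loop on stream content must also check the offset. */`. The guard also looks only at the starting offset, not at `u4_offset + u4_no_of_bits`, so a flush that begins just below the limit may still step over it and let FLUSH_BITS load the next word. FLUSH_BITS is defined outside this diff, so that needs confirming against the macro.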
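Review bot: In impeg2d_dec_d_slice the bound test is the second operand of `&&`, so `impeg2d_bit_stream_nxt` is still called on an exhausted stream before the offset is examined. Putting `ps_stream->u4_offset < ps_stream->u4_max_offset` first lets the condition short-circuit and makes the bound the obvious loop invariant. The loop body is still an unbraced single statement under what is now a two-line condition, which is easy to misread; wrapping `impeg2d_bit_stream_flush(ps_stream,MB_STUFFING_CODE_LEN);` in braces would match the other loops this commit touches. The same operand order appears in the loops changed in impeg2d_dec_pic_hdr, impeg2d_dec_slice, impeg2d_dec_user_data and impeg2d_get_mb_addr_incr.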
diff --git a/decoder/impeg2d_dec_hdr.c b/decoder/impeg2d_dec_hdr.c index 752731d..0abd528 100644 --- a/decoder/impeg2d_dec_hdr.c +++ b/decoder/impeg2d_dec_hdr.c @@ -83,8 +83,8 @@ void impeg2d_next_code(dec_state_t *ps_dec, UWORD32 u4_start_code_val) ps_stream = &ps_dec->s_bit_stream; impeg2d_bit_stream_flush_to_byte_boundary(ps_stream); - while ((impeg2d_bit_stream_nxt(ps_stream,START_CODE_LEN) != u4_start_code_val) - && (ps_dec->s_bit_stream.u4_offset <= ps_dec->s_bit_stream.u4_max_offset)) + while ((impeg2d_bit_stream_nxt(ps_stream,START_CODE_LEN) != u4_start_code_val) && + (ps_dec->s_bit_stream.u4_offset < ps_dec->s_bit_stream.u4_max_offset)) { if (impeg2d_bit_stream_get(ps_stream,8) != 0) @@ -112,7 +112,7 @@ void impeg2d_peek_next_start_code(dec_state_t *ps_dec) impeg2d_bit_stream_flush_to_byte_boundary(ps_stream); while ((impeg2d_bit_stream_nxt(ps_stream,START_CODE_PREFIX_LEN) != START_CODE_PREFIX) - && (ps_dec->s_bit_stream.u4_offset <= ps_dec->s_bit_stream.u4_max_offset)) + && (ps_dec->s_bit_stream.u4_offset < ps_dec->s_bit_stream.u4_max_offset)) { impeg2d_bit_stream_get(ps_stream,8); } @@ -670,7 +670,8 @@ IMPEG2D_ERROR_CODES_T impeg2d_dec_pic_hdr(dec_state_t *ps_dec) /* } */ /* extra_bit_picture 1 */ /*-----------------------------------------------------------------------*/ - while (impeg2d_bit_stream_nxt(ps_stream,1) == 1) + while (impeg2d_bit_stream_nxt(ps_stream,1) == 1 && + ps_stream->u4_offset < ps_stream->u4_max_offset) { impeg2d_bit_stream_get(ps_stream,9); } @@ -801,7 +802,8 @@ IMPEG2D_ERROR_CODES_T impeg2d_dec_slice(dec_state_t *ps_dec) { impeg2d_bit_stream_flush(ps_stream,9); /* Flush extra bit information */ - while (impeg2d_bit_stream_nxt(ps_stream,1) == 1) + while (impeg2d_bit_stream_nxt(ps_stream,1) == 1 && + ps_stream->u4_offset < ps_stream->u4_max_offset) { impeg2d_bit_stream_flush(ps_stream,9); } 
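Review bot: The loop in impeg2d_next_code still consumes data through `impeg2d_bit_stream_get(ps_stream,8)`, which this commit does not guard (only impeg2d_bit_stream_get_bit and impeg2d_bit_stream_flush change in impeg2d_bitstream.c), so the bound rests entirely on the loop condition. That condition peeks START_CODE_LEN bits while requiring only that the offset is below the limit, so near the end of the buffer the comparison may include bits that are not part of the input. Because the function returns void, a caller cannot tell a found start code from exhausted data and has to re-check the offset itself; a comment stating that on impeg2d_next_code and impeg2d_peek_next_start_code would help. In impeg2d_peek_next_start_code and impeg2d_dec_pic_hdr the value returned by `impeg2d_bit_stream_get` is discarded, so the guarded `impeg2d_bit_stream_flush(ps_stream,8);` (or `,9`) could be used there instead.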
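Review bot: When the extra_bit_picture loop in impeg2d_dec_pic_hdr stops because the offset reached `u4_max_offset`, nothing in the hunk records that the header was truncated, although the return type IMPEG2D_ERROR_CODES_T would allow reporting it. A check after the loop such as `if (ps_stream->u4_offset >= ps_stream->u4_max_offset) return <bitstream-exhausted error code>;` (placeholder; the enum's members are not visible here) would keep later parsing from running on stale bits. The same applies to the extra-bit loop in impeg2d_dec_slice, and to impeg2d_dec_seq_ext_data and impeg2d_dec_pic_ext_data, where `e_error` stays IVD_ERROR_NONE when the new bound ends the loop. What follows each loop lies outside the hunks, so this may already be handled further down.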
@@ -1365,10 +1367,12 @@ void impeg2d_flush_ext_and_user_data(dec_state_t *ps_dec) ps_stream = &ps_dec->s_bit_stream; u4_start_code = impeg2d_bit_stream_nxt(ps_stream,START_CODE_LEN); - while(u4_start_code == EXTENSION_START_CODE || u4_start_code == USER_DATA_START_CODE) + while((u4_start_code == EXTENSION_START_CODE || u4_start_code == USER_DATA_START_CODE) && + (ps_stream->u4_offset < ps_stream->u4_max_offset)) { impeg2d_bit_stream_flush(ps_stream,START_CODE_LEN); - while(impeg2d_bit_stream_nxt(ps_stream,START_CODE_PREFIX_LEN) != START_CODE_PREFIX) + while(impeg2d_bit_stream_nxt(ps_stream,START_CODE_PREFIX_LEN) != START_CODE_PREFIX && + (ps_stream->u4_offset < ps_stream->u4_max_offset)) { impeg2d_bit_stream_flush(ps_stream,8); } @@ -1397,7 +1401,8 @@ void impeg2d_dec_user_data(dec_state_t *ps_dec) while(u4_start_code == USER_DATA_START_CODE) { impeg2d_bit_stream_flush(ps_stream,START_CODE_LEN); - while(impeg2d_bit_stream_nxt(ps_stream,START_CODE_PREFIX_LEN) != START_CODE_PREFIX) + while((impeg2d_bit_stream_nxt(ps_stream,START_CODE_PREFIX_LEN) != START_CODE_PREFIX) && + (ps_stream->u4_offset < ps_stream->u4_max_offset)) { impeg2d_bit_stream_flush(ps_stream,8); } @@ -1427,7 +1432,8 @@ IMPEG2D_ERROR_CODES_T impeg2d_dec_seq_ext_data(dec_state_t *ps_dec) u4_start_code = impeg2d_bit_stream_nxt(ps_stream,START_CODE_LEN); while( (u4_start_code == EXTENSION_START_CODE || u4_start_code == USER_DATA_START_CODE) && - (IMPEG2D_ERROR_CODES_T)IVD_ERROR_NONE == e_error) + (IMPEG2D_ERROR_CODES_T)IVD_ERROR_NONE == e_error && + (ps_stream->u4_offset < ps_stream->u4_max_offset)) { if(u4_start_code == USER_DATA_START_CODE) { 
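Review bot: The outer loop in impeg2d_dec_user_data, `while(u4_start_code == USER_DATA_START_CODE)`, is left without the offset bound that the inner loop and the equivalent outer loop in impeg2d_flush_ext_and_user_data receive. impeg2d_bit_stream_flush becomes a no-op at the end of the buffer, so a stream that ends on a user-data start code would leave `u4_start_code` unchanged on every pass if it is re-read with `impeg2d_bit_stream_nxt` at the bottom of the loop. In that case the loop would not exit. Suggested condition: `while((u4_start_code == USER_DATA_START_CODE) && (ps_stream->u4_offset < ps_stream->u4_max_offset))`. The end of the loop body is outside the hunk, so the re-read is inferred rather than seen.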
@@ -1479,7 +1485,8 @@ IMPEG2D_ERROR_CODES_T impeg2d_dec_pic_ext_data(dec_state_t *ps_dec) u4_start_code = impeg2d_bit_stream_nxt(ps_stream,START_CODE_LEN); while ( (u4_start_code == EXTENSION_START_CODE || u4_start_code == USER_DATA_START_CODE) && - (IMPEG2D_ERROR_CODES_T)IVD_ERROR_NONE == e_error) + (IMPEG2D_ERROR_CODES_T)IVD_ERROR_NONE == e_error && + (ps_stream->u4_offset < ps_stream->u4_max_offset)) { if(u4_start_code == USER_DATA_START_CODE) { diff --git a/decoder/impeg2d_pic_proc.c b/decoder/impeg2d_pic_proc.c index 82da137..029f1bf 100644 --- a/decoder/impeg2d_pic_proc.c +++ b/decoder/impeg2d_pic_proc.c @@ -223,7 +223,8 @@ void impeg2d_get_bottom_field_buf(yuv_buf_t *ps_src_buf,yuv_buf_t *ps_dst_buf, UWORD16 impeg2d_get_mb_addr_incr(stream_t *ps_stream) { UWORD16 u2_mb_addr_incr = 0; - while (impeg2d_bit_stream_nxt(ps_stream,MB_ESCAPE_CODE_LEN) == MB_ESCAPE_CODE) + while (impeg2d_bit_stream_nxt(ps_stream,MB_ESCAPE_CODE_LEN) == MB_ESCAPE_CODE && + ps_stream->u4_offset < ps_stream->u4_max_offset) { impeg2d_bit_stream_flush(ps_stream,MB_ESCAPE_CODE_LEN); u2_mb_addr_incr += 33; |
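Review bot: impeg2d_get_mb_addr_incr adds 33 to the UWORD16 `u2_mb_addr_incr` for every escape code, and the new bound limits the loop only by input length. A long run of escape codes can therefore wrap the counter and return a small, plausible-looking increment. Breaking out of the loop once the sum exceeds the number of macroblocks in the picture, or documenting that the caller must range-check the result, would close that gap. The rest of the function and its callers are outside the hunk, so an existing check there cannot be ruled out.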