author | Harish Mahendrakar <harish.mahendrakar@ittiam.com> | 2015-11-24 12:15:13 +0530 |
---|---|---|
committer | Marco Nelissen <marcone@google.com> | 2016-01-07 22:29:10 +0000 |
commit | 8b4ed5a23175b7ffa56eea4678db7287f825e985 (patch) | |
tree | a4031d946e739a9855c61458b3c4c0f92d16474e | |
parent | ffab15eb80630dc799eb410855c93525b75233c3 (diff) | |
Fixed stack buffer overflow
Bugfix: 25812590
Moved check for numCoeffs > 64 inside the coeff decode loop
Change-Id: I444b77ef2a3da9233ec14bb72ac70b7e2fa56bd1
(cherry picked from commit ff3496c45c571da7eb93d6f9f05758813468fc72)
-rw-r--r-- | decoder/impeg2d_vld.c | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/decoder/impeg2d_vld.c b/decoder/impeg2d_vld.c
index 972f42a..459548b 100644
--- a/decoder/impeg2d_vld.c
+++ b/decoder/impeg2d_vld.c
@@ -789,13 +789,13 @@ IMPEG2D_ERROR_CODES_T impeg2d_vld_decode(
 u4_nz_cols |= 1 << (u4_pos & 0x7);
 u4_nz_rows |= 1 << (u4_pos >> 0x3);
+ if (u4_numCoeffs > 64)
+ {
+ return IMPEG2D_MB_TEX_DECODE_ERR;
+ }
 }
 IBITS_GET(u4_buf,u4_buf_nxt,u4_offset,u4_bits,pu4_buf_aligned,u4_sym_len)
- if (u4_numCoeffs > 64)
- {
- return IMPEG2D_MB_TEX_DECODE_ERR;
- }
 }
 else
 {
@@ -957,10 +957,11 @@ IMPEG2D_ERROR_CODES_T impeg2d_vld_decode(
 u4_nz_cols |= 1 << (u4_pos & 0x7);
 u4_nz_rows |= 1 << (u4_pos >> 0x3);
- }
- if (u4_numCoeffs > 64)
- {
- return IMPEG2D_MB_TEX_DECODE_ERR;
+ if (u4_numCoeffs > 64)
+ {
+ return IMPEG2D_MB_TEX_DECODE_ERR;
+ }
+
 }
 IBITS_GET(u4_buf,u4_buf_nxt,u4_offset,u4_bits,pu4_buf_aligned,u4_sym_len) |
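Review bot: The relocated `if (u4_numCoeffs > 64)` guard in both hunks (at 789 and 957) still runs at the end of the iteration, after `u4_nz_cols`/`u4_nz_rows` are updated and, presumably, after the coefficient store earlier in the loop body, which starts outside these hunks. If that store is indexed by a running count of decoded coefficients, the iteration that takes `u4_numCoeffs` from 64 to 65 has already written one entry before the return fires, so a 64-entry destination could still be overrun by one element. Consider rejecting before the write instead, e.g. `if (u4_numCoeffs >= 64) return IMPEG2D_MB_TEX_DECODE_ERR;` placed ahead of the store, and confirm the bound against the declared size of the output arrays. A short comment such as `/* a block holds at most 64 coefficients; reject corrupt streams before storing */` would also record why the check has to sit inside the loop.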