summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHarish Mahendrakar <harish.mahendrakar@ittiam.com>2015-11-24 12:15:13 +0530
committerMarco Nelissen <marcone@google.com>2015-12-07 15:47:11 -0800
commitff3496c45c571da7eb93d6f9f05758813468fc72 (patch)
treecfb787553df38f77531786bfb07188d8ec13eb1d
parent773383e1f969899a37cd9faafd1dfdb0b80e71e6 (diff)
downloadlibmpeg2-ff3496c45c571da7eb93d6f9f05758813468fc72.tar.gz
Fixed stack buffer overflow
Bugfix: 25812590 Moved check for numCoeffs > 64 inside the coeff decode loop Change-Id: I444b77ef2a3da9233ec14bb72ac70b7e2fa56bd1
-rw-r--r--decoder/impeg2d_vld.c17
1 files changed, 9 insertions, 8 deletions
diff --git a/decoder/impeg2d_vld.c b/decoder/impeg2d_vld.c
index 972f42a..459548b 100644
--- a/decoder/impeg2d_vld.c
+++ b/decoder/impeg2d_vld.c
@@ -789,13 +789,13 @@ IMPEG2D_ERROR_CODES_T impeg2d_vld_decode(
u4_nz_cols |= 1 << (u4_pos & 0x7);
u4_nz_rows |= 1 << (u4_pos >> 0x3);
+ if (u4_numCoeffs > 64)
+ {
+ return IMPEG2D_MB_TEX_DECODE_ERR;
+ }
}
IBITS_GET(u4_buf,u4_buf_nxt,u4_offset,u4_bits,pu4_buf_aligned,u4_sym_len)
- if (u4_numCoeffs > 64)
- {
- return IMPEG2D_MB_TEX_DECODE_ERR;
- }
}
else
{
@@ -957,10 +957,11 @@ IMPEG2D_ERROR_CODES_T impeg2d_vld_decode(
u4_nz_cols |= 1 << (u4_pos & 0x7);
u4_nz_rows |= 1 << (u4_pos >> 0x3);
- }
- if (u4_numCoeffs > 64)
- {
- return IMPEG2D_MB_TEX_DECODE_ERR;
+ if (u4_numCoeffs > 64)
+ {
+ return IMPEG2D_MB_TEX_DECODE_ERR;
+ }
+
}
IBITS_GET(u4_buf,u4_buf_nxt,u4_offset,u4_bits,pu4_buf_aligned,u4_sym_len)