diff options
author | TreeHugger Robot <treehugger-gerrit@google.com> | 2019-05-30 17:31:28 +0000 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2019-05-30 17:31:28 +0000 |
commit | 6db97fcc8dcc1f7839b48fe92f40523ad6e9ea07 (patch) | |
tree | 582e35304eb40fbe2453197d7a4718861eff2f44 | |
parent | 75cd59e45bff03df01de8857ff55e9a64891ce45 (diff) | |
parent | 89daff526a589a399f409c2dc17237e150d97f20 (diff) | |
download | libavc-android10-dev.tar.gz |
Merge "Decoder: Add error check for expected_poc in ih264d_decode_pic_order_cnt" into qt-devandroid10-dev
-rw-r--r-- | decoder/ih264d_defs.h | 5 | ||||
-rw-r--r-- | decoder/ih264d_error_handler.h | 3 | ||||
-rw-r--r-- | decoder/ih264d_utils.c | 38 |
3 files changed, 39 insertions, 7 deletions
diff --git a/decoder/ih264d_defs.h b/decoder/ih264d_defs.h index ec3f2af..94d0d61 100644 --- a/decoder/ih264d_defs.h +++ b/decoder/ih264d_defs.h @@ -34,6 +34,8 @@ * ************************************************************************ */ +#include <stdint.h> + #define H264_MAX_FRAME_WIDTH 4080 #define H264_MAX_FRAME_HEIGHT 4080 #define H264_MAX_FRAME_SIZE (4096 * 2048) @@ -47,6 +49,9 @@ #define CHECKBIT(a,i) ((a) & (1 << i)) #define CLEARBIT(a,i) ((a) &= ~(1 << i)) +/** Macro to check if a number lies in the valid integer range */ +#define IS_OUT_OF_RANGE_S32(a) (((a) < INT32_MIN) || ((a) > INT32_MAX)) + /** Macro to convert a integer to a boolean value */ #define BOOLEAN(x) (!!(x)) diff --git a/decoder/ih264d_error_handler.h b/decoder/ih264d_error_handler.h index 586fe8a..a3764c6 100644 --- a/decoder/ih264d_error_handler.h +++ b/decoder/ih264d_error_handler.h @@ -113,7 +113,8 @@ typedef enum ERROR_IN_LAST_SLICE_OF_PIC = 0x93, ERROR_NEW_FRAME_EXPECTED = 0x94, ERROR_INCOMPLETE_FRAME = 0x95, - ERROR_VUI_PARAMS_NOT_FOUND = 0x96 + ERROR_VUI_PARAMS_NOT_FOUND = 0x96, + ERROR_INV_POC = 0x97 } h264_decoder_error_code_t; diff --git a/decoder/ih264d_utils.c b/decoder/ih264d_utils.c index 49b9c08..0381763 100644 --- a/decoder/ih264d_utils.c +++ b/decoder/ih264d_utils.c @@ -313,36 +313,62 @@ WORD32 ih264d_decode_pic_order_cnt(UWORD8 u1_is_idr_slice, + ps_seq->i4_ofst_for_ref_frame[i]; } - expected_poc =(WORD32)CLIP_S32(i8_result); + if(IS_OUT_OF_RANGE_S32(i8_result)) + return ERROR_INV_POC; + + expected_poc = (WORD32)i8_result; + } else expected_poc = 0; if(u1_nal_ref_idc == 0) { - expected_poc = expected_poc + i8_result = expected_poc + ps_seq->i4_ofst_for_non_ref_pic; + + if(IS_OUT_OF_RANGE_S32(i8_result)) + return ERROR_INV_POC; + + expected_poc = (WORD32)i8_result; } /* 6. TopFieldOrderCnt or BottomFieldOrderCnt are derived as */ if(!u1_field_pic_flag) { - i4_top_field_order_cnt = expected_poc + i8_result = expected_poc + ps_cur_poc->i4_delta_pic_order_cnt[0]; - i4_bottom_field_order_cnt = i4_top_field_order_cnt + + if(IS_OUT_OF_RANGE_S32(i8_result)) + return ERROR_INV_POC; + i4_top_field_order_cnt = (WORD32)i8_result; + + i8_result = i4_top_field_order_cnt + ps_seq->i4_ofst_for_top_to_bottom_field + ps_cur_poc->i4_delta_pic_order_cnt[1]; + + if(IS_OUT_OF_RANGE_S32(i8_result)) + return ERROR_INV_POC; + i4_bottom_field_order_cnt = (WORD32)i8_result; } else if(!u1_bottom_field_flag) { - i4_top_field_order_cnt = expected_poc + i8_result = expected_poc + ps_cur_poc->i4_delta_pic_order_cnt[0]; + + if(IS_OUT_OF_RANGE_S32(i8_result)) + return ERROR_INV_POC; + i4_top_field_order_cnt = (WORD32)i8_result; } else { - i4_bottom_field_order_cnt = expected_poc + i8_result = expected_poc + ps_seq->i4_ofst_for_top_to_bottom_field + ps_cur_poc->i4_delta_pic_order_cnt[0]; + + if(IS_OUT_OF_RANGE_S32(i8_result)) + return ERROR_INV_POC; + i4_bottom_field_order_cnt = (WORD32)i8_result; } /* Copy the current POC info into Previous POC structure */ ps_cur_poc->i4_prev_frame_num_ofst = frame_num_ofst; |