author | Ashwin Natesan <ashwin.natesan@ittiam.com> | 2023-10-13 11:47:02 +0530 |
---|---|---|
committer | Harish Mahendrakar <harish.mahendrakar@ittiam.com> | 2023-10-13 07:13:14 -0700 |
commit | 812165111060f8f293aed92263ea1451de5766fc (patch) | |
tree | 25a774bec1283adb0262aec21871b4721340e53f | |
parent | ea694873e05631415ba7047159775a81ad4c1306 (diff) | |
mvcdec: Integer overflow in imvcd_parse_subset_sps
Cases where the value of log2MaxPocLsb exceeded
'MAX_BITS_IN_POC_LSB' were not being handled correctly,
which resulted in an integer overflow. This has been
fixed.
Test: mvc_dec_fuzzer
-rw-r--r-- | decoder/mvc/imvcd_nalu_parser.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/decoder/mvc/imvcd_nalu_parser.c b/decoder/mvc/imvcd_nalu_parser.c
index 2699912..db09138 100644
--- a/decoder/mvc/imvcd_nalu_parser.c
+++ b/decoder/mvc/imvcd_nalu_parser.c
@@ -217,14 +217,17 @@ static WORD32 imvcd_parse_subset_sps(mvc_dec_ctxt_t *ps_mvcd_ctxt, dec_bit_strea
 if(ps_subset_sps->s_sps_data.u1_pic_order_cnt_type == 0)
 {
- ps_subset_sps->s_sps_data.u1_log2_max_pic_order_cnt_lsb_minus =
- 4 + ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
+ UWORD32 u1_log2_max_pic_order_cnt_lsb_minus4 =
+ ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
- if(ps_subset_sps->s_sps_data.u1_log2_max_pic_order_cnt_lsb_minus > MAX_BITS_IN_POC_LSB)
+ if(u1_log2_max_pic_order_cnt_lsb_minus4 > (MAX_BITS_IN_POC_LSB - 4))
 {
 return ERROR_INV_SPS_PPS_T;
 }
+ ps_subset_sps->s_sps_data.u1_log2_max_pic_order_cnt_lsb_minus =
+ 4 + u1_log2_max_pic_order_cnt_lsb_minus4;
+
 ps_subset_sps->s_sps_data.i4_max_pic_order_cntLsb = (1 << ps_subset_sps->s_sps_data.u1_log2_max_pic_order_cnt_lsb_minus);
 } |
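Review bot: The new local `u1_log2_max_pic_order_cnt_lsb_minus4` is declared `UWORD32` but carries the `u1_` prefix that the surrounding names appear to reserve for 8-bit values, and that width is exactly what the fix depends on: the range check only holds because the ue(v) result is compared before it is narrowed into `s_sps_data.u1_log2_max_pic_order_cnt_lsb_minus` (presumably a `UWORD8`, judging by its prefix). I would rename it to `u4_log2_max_pic_order_cnt_lsb_minus4` and add `/* Range-check the full 32-bit ue(v) value before narrowing; the stored field is the shift count for i4_max_pic_order_cntLsb below */` above the declaration, so a later cleanup does not fold the `4 +` back into the store. The check also assumes `MAX_BITS_IN_POC_LSB` is at least 4 (otherwise `MAX_BITS_IN_POC_LSB - 4` converts to a huge unsigned bound and nothing is rejected) and smaller than the width of `int` for the `1 <<`; its definition is not visible here, so that is worth confirming or pinning with a compile-time assertion next to the macro. The body of `imvcd_parse_subset_sps` starts and ends outside this hunk.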