
Commit 502b917d authored by Neelkamal Semwal's avatar Neelkamal Semwal Committed by Ray Essick

m4v_h263: Fix heap buffer overflow issue in BitstreamFillCache

Check for bitstream buffer overflow in PVLocateM4VFrameBoundary
and PVSearchH263FrameBoundary

Bug: 154058264
Bug: 136173360
Test: POC in bug description

Change-Id: Ied65243a13dc9923e6b9433b5b625db6f8b28556
parent e5dd4048
+20 −7
@@ -649,8 +649,11 @@ PV_STATUS PVSearchNextM4VFrame(BitstreamDecVideo *stream)






void PVLocateM4VFrameBoundary(BitstreamDecVideo *stream)
PV_STATUS PVLocateM4VFrameBoundary(BitstreamDecVideo *stream)
{
{
    PV_STATUS status = BitstreamCheckEndBuffer(stream);
    if (status == PV_END_OF_VOP) return status;

    uint8 *ptr;
    uint8 *ptr;
    int32 byte_pos = (stream->bitcnt >> 3);
    int32 byte_pos = (stream->bitcnt >> 3);


@@ -658,10 +661,14 @@ void PVLocateM4VFrameBoundary(BitstreamDecVideo *stream)
    ptr = stream->bitstreamBuffer + byte_pos;
    ptr = stream->bitstreamBuffer + byte_pos;


    stream->data_end_pos = PVLocateFrameHeader(ptr, (int32)stream->data_end_pos - byte_pos) + byte_pos;
    stream->data_end_pos = PVLocateFrameHeader(ptr, (int32)stream->data_end_pos - byte_pos) + byte_pos;
    return PV_SUCCESS;
}
}


void PVLocateH263FrameBoundary(BitstreamDecVideo *stream)
PV_STATUS PVLocateH263FrameBoundary(BitstreamDecVideo *stream)
{
{
    PV_STATUS status = BitstreamCheckEndBuffer(stream);
    if (status == PV_END_OF_VOP) return status;

    uint8 *ptr;
    uint8 *ptr;
    int32 byte_pos = (stream->bitcnt >> 3);
    int32 byte_pos = (stream->bitcnt >> 3);


@@ -669,6 +676,7 @@ void PVLocateH263FrameBoundary(BitstreamDecVideo *stream)
    ptr = stream->bitstreamBuffer + byte_pos;
    ptr = stream->bitstreamBuffer + byte_pos;


    stream->data_end_pos = PVLocateH263FrameHeader(ptr, (int32)stream->data_end_pos - byte_pos) + byte_pos;
    stream->data_end_pos = PVLocateH263FrameHeader(ptr, (int32)stream->data_end_pos - byte_pos) + byte_pos;
    return PV_SUCCESS;
}
}


/* ======================================================================== */
/* ======================================================================== */
@@ -687,7 +695,8 @@ PV_STATUS quickSearchVideoPacketHeader(BitstreamDecVideo *stream, int marker_len


    if (stream->searched_frame_boundary == 0)
    if (stream->searched_frame_boundary == 0)
    {
    {
        PVLocateM4VFrameBoundary(stream);
        status = PVLocateM4VFrameBoundary(stream);
        if (status != PV_SUCCESS) return status;
    }
    }


    do
    do
@@ -711,7 +720,8 @@ PV_STATUS quickSearchH263SliceHeader(BitstreamDecVideo *stream)


    if (stream->searched_frame_boundary == 0)
    if (stream->searched_frame_boundary == 0)
    {
    {
        PVLocateH263FrameBoundary(stream);
        status = PVLocateH263FrameBoundary(stream);
        if (status != PV_SUCCESS) return status;
    }
    }


    do
    do
@@ -789,7 +799,8 @@ PV_STATUS quickSearchMotionMarker(BitstreamDecVideo *stream)


    if (stream->searched_frame_boundary == 0)
    if (stream->searched_frame_boundary == 0)
    {
    {
        PVLocateM4VFrameBoundary(stream);
        status = PVLocateM4VFrameBoundary(stream);
        if (status != PV_SUCCESS) return status;
    }
    }


    while (TRUE)
    while (TRUE)
@@ -880,7 +891,8 @@ PV_STATUS quickSearchDCM(BitstreamDecVideo *stream)


    if (stream->searched_frame_boundary == 0)
    if (stream->searched_frame_boundary == 0)
    {
    {
        PVLocateM4VFrameBoundary(stream);
        status = PVLocateM4VFrameBoundary(stream);
        if (status != PV_SUCCESS) return status;
    }
    }


    while (TRUE)
    while (TRUE)
@@ -956,7 +968,8 @@ PV_STATUS quickSearchGOBHeader(BitstreamDecVideo *stream)


    if (stream->searched_frame_boundary == 0)
    if (stream->searched_frame_boundary == 0)
    {
    {
        PVLocateH263FrameBoundary(stream);
        status = PVLocateH263FrameBoundary(stream);
        if (status != PV_SUCCESS) return status;
    }
    }


    while (TRUE)
    while (TRUE)
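Review bot: The new guard at the top of `PVLocateM4VFrameBoundary` returns early only when `BitstreamCheckEndBuffer` yields `PV_END_OF_VOP`, while every caller updated in this file tests `status != PV_SUCCESS`; if that helper can ever return another failure code, the function would still form `stream->bitstreamBuffer + byte_pos` and report `PV_SUCCESS`. Using `if (status != PV_SUCCESS) return status;` in both locators (the same applies to `PVLocateH263FrameBoundary`) would keep the check fail-closed. The length handed to `PVLocateFrameHeader`, `(int32)stream->data_end_pos - byte_pos`, is not range-checked in the visible lines, so its non-negativity appears to rest entirely on that helper, whose body is not shown here; a short comment above the guard, e.g. `/* byte_pos must not pass data_end_pos, or the header scan reads beyond bitstreamBuffer */`, would record why the early return exists. Part of each function body lies between hunks and is not visible.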
+2 −2
@@ -156,8 +156,8 @@ extern "C"




    /* for error concealment & soft-decoding */
    /* for error concealment & soft-decoding */
    void PVLocateM4VFrameBoundary(BitstreamDecVideo *stream);
    PV_STATUS PVLocateM4VFrameBoundary(BitstreamDecVideo *stream);
    void PVSearchH263FrameBoundary(BitstreamDecVideo *stream);
    PV_STATUS PVSearchH263FrameBoundary(BitstreamDecVideo *stream);


    PV_STATUS quickSearchMotionMarker(BitstreamDecVideo *stream);
    PV_STATUS quickSearchMotionMarker(BitstreamDecVideo *stream);
    PV_STATUS quickSearchDCM(BitstreamDecVideo *stream);
    PV_STATUS quickSearchDCM(BitstreamDecVideo *stream);
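Review bot: The second prototype changed here is `PVSearchH263FrameBoundary`, but the function that gained the `PV_STATUS` return and the end-of-buffer check in the source file is `PVLocateH263FrameBoundary`, and that is the name the updated callers use. If no `PVSearchH263FrameBoundary` definition exists elsewhere (not visible from this page), the header should declare the function that is actually defined, `PV_STATUS PVLocateH263FrameBoundary(BitstreamDecVideo *stream);`, so that callers in other translation units see the new return type rather than a stale or missing declaration. Both declarations would also benefit from a one-line comment such as `/* returns PV_END_OF_VOP when BitstreamCheckEndBuffer reports the end of the buffer; callers must check the result */`.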