Diffstat (limited to 'decoder/mvc/imvcd_api.c')
-rw-r--r-- | decoder/mvc/imvcd_api.c | 22 |
1 files changed, 16 insertions, 6 deletions
diff --git a/decoder/mvc/imvcd_api.c b/decoder/mvc/imvcd_api.c index 45fffd1..1026fc8 100644 --- a/decoder/mvc/imvcd_api.c +++ b/decoder/mvc/imvcd_api.c @@ -731,17 +731,27 @@ static IV_API_CALL_STATUS_T imvcd_view_decode(iv_obj_t *ps_dec_hdl, imvcd_video_ return IV_FAIL; } - /* Ignore bytes beyond the allocated size of intermediate buffer */ - /* Since 8 bytes are read ahead, ensure 8 bytes are free at the - end of the buffer, which will be memset to 0 after emulation prevention */ - i4_nalu_length = MIN((UWORD32) i4_nalu_length, u4_bitstream_buf_size - 8); - if(i4_nalu_length) { + UWORD32 u4_nalu_buf_size = ((UWORD32) i4_nalu_length) + 8; + + if(u4_nalu_buf_size > u4_bitstream_buf_size) + { + /* 64 extra bytes to account for OOB accesses during SEI parsing in */ + /* some fuzzer bitstreams */ + if(IV_SUCCESS != imvcd_bitstream_buf_realloc(ps_view_ctxt, u4_nalu_buf_size + 64)) + { + return IV_FAIL; + } + + pu1_bitstream_buf = ps_view_ctxt->pu1_bits_buf_dynamic; + u4_bitstream_buf_size = ps_view_ctxt->u4_dynamic_bits_buf_size; + } + memcpy(pu1_bitstream_buf, pu1_input_buffer + u4_length_of_start_code, i4_nalu_length); /* Decoder may read extra 8 bytes near end of the frame */ - if(((UWORD32) (i4_nalu_length + 8)) < u4_bitstream_buf_size) + if(u4_nalu_buf_size < u4_bitstream_buf_size) { memset(pu1_bitstream_buf + i4_nalu_length, 0, 8 * sizeof(pu1_bitstream_buf[0])); } |
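Review bot: With the `MIN(...)` clamp removed, nothing visible in this hunk bounds `i4_nalu_length` before `((UWORD32) i4_nalu_length) + 8` and `u4_nalu_buf_size + 64` are computed, and both additions wrap in 32 bits if the length is negative (the casts suggest it is a signed type). The old clamp incidentally capped such a value at the buffer size, so unless the part of imvcd_view_decode above the hunk already guarantees a positive length, the guard should become `if(i4_nalu_length > 0)` so that the size check, the realloc request and the `memcpy` length all describe the same quantity. The 64-byte slack is documented as absorbing out-of-bounds reads in SEI parsing, which bounds nothing in the parser itself; the comment should at least name the parser check that remains to be fixed. The final test `u4_nalu_buf_size < u4_bitstream_buf_size` also skips the zero fill when the NALU plus 8 bytes fits the buffer exactly, leaving stale bytes in the read-ahead window; `<=` would cover that case.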