[amlogic-decoder][h264] Cap maximum dimensions
These dimensions come directly from the bitstream, so catch them early
before they can cause arbitrarily-large allocations or sysmem-related
failures.
Bug: 41492
Change-Id: Ie43efeb6b22d09a708690c5b3ca7547638384e65
diff --git a/garnet/drivers/video/amlogic-decoder/h264_decoder.cc b/garnet/drivers/video/amlogic-decoder/h264_decoder.cc
index 80f20fd..7a0d7fe 100644
--- a/garnet/drivers/video/amlogic-decoder/h264_decoder.cc
+++ b/garnet/drivers/video/amlogic-decoder/h264_decoder.cc
@@ -566,6 +566,15 @@
}
uint32_t mb_height = stream_info.total_mbs() / mb_width;
+ constexpr uint32_t kMaxDimension = 4096;
+ constexpr uint32_t kMacroblockPixels = 16;
+
+ if (mb_width > kMaxDimension / kMacroblockPixels ||
+ mb_height > kMaxDimension / kMacroblockPixels) {
+ DECODE_ERROR("Unsupported dimensions %dx%d macroblocks\n", mb_width, mb_height);
+ return ZX_ERR_INTERNAL;
+ }
+
uint32_t max_dpb_size = GetMaxDpbSize(level_idc, mb_width, mb_height);
if (max_dpb_size == 0) {
LOG(WARN, "mb_width and/or mb_height invalid? - mb_width: %u mb_height: %u", mb_width,
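Review bot: The new `DECODE_ERROR` call formats `mb_width` and `mb_height` with `%d` although both are `uint32_t`, while the `LOG` call a few lines below already uses `%u` for the same variables. Because `mb_height` is derived from the bitstream-supplied `total_mbs`, a value above INT32_MAX would be logged as a negative number, which makes the rejected input harder to triage; `DECODE_ERROR("Unsupported dimensions %ux%u macroblocks\n", mb_width, mb_height);` avoids that. The limit `kMaxDimension / kMacroblockPixels` is also written out twice in the condition, and a single constant such as `constexpr uint32_t kMaxMacroblocksPerSide = kMaxDimension / kMacroblockPixels;` would make the bound (256 macroblocks) easier to read. The enclosing function starts and ends outside the hunk, so whether `mb_width` is checked for zero before the division above is not visible here.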
diff --git a/garnet/drivers/video/amlogic-decoder/tests/integration/test_h264.cc b/garnet/drivers/video/amlogic-decoder/tests/integration/test_h264.cc
index e47b712..bdf7d4f 100644
--- a/garnet/drivers/video/amlogic-decoder/tests/integration/test_h264.cc
+++ b/garnet/drivers/video/amlogic-decoder/tests/integration/test_h264.cc
@@ -396,3 +396,9 @@
// Parameters found through fuzzing.
TestH264::DecodeMalformed(638, 44);
}
+
+TEST(H264, DecodeMalformedTooLarge) {
+ // Parameters found through fuzzing - causes mb_width=3 and total_mbs=4986, so the height is
+ // calculated as 26592 pixels.
+ TestH264::DecodeMalformed(593, 176);
+}
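Review bot: Only the `mb_height` arm of the new dimension check is exercised by this test, since the comment states the input yields mb_width=3; the `mb_width > kMaxDimension / kMacroblockPixels` arm in h264_decoder.cc has no regression case. A companion test whose malformed parameters push `mb_width` above 256 macroblocks would cover it. The comment could also state what the two arguments to `DecodeMalformed` mean and what outcome the test expects, for example `// Expect the stream to be rejected before frame buffers are sized from these dimensions.`, if that is what `DecodeMalformed` verifies (its body is not visible here).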