Fix OOB access in mpeg4/h263 decoder
The decoder does not support an increase in frame width, and
would exceed its buffer if the width increased mid-stream.
There was an existing check to prevent the total frame size
(width*height) from increasing, but in fact the decoder also
does not even support a width increase, even if the height
decreases correspondingly.
Bug: 136175447
Bug: 136173699
Test: manual
Change-Id: Ic2d28bb0503635dadeb69ba3be9412d58684e910
(cherry picked from commit ef4ce157000b2b5bcbf2bcb36a228ec604803547)
diff --git a/media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp b/media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp
index f18f789..679b091 100644
--- a/media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp
+++ b/media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp
@@ -1355,6 +1355,14 @@
int tmpHeight = (tmpDisplayHeight + 15) & -16;
int tmpWidth = (tmpDisplayWidth + 15) & -16;
+ if (tmpWidth > video->width)
+ {
+ // while allowed by the spec, this decoder does not actually
+ // support an increase in size.
+ ALOGE("width increase not supported");
+ status = PV_FAIL;
+ goto return_point;
+ }
if (tmpHeight * tmpWidth > video->size)
{
// This is just possibly "b/37079296".