List:       helix-datatype-cvs
Subject:    [Datatype-cvs] mdf/video/format/h264 mdfh264payloadformat.cpp, 1.21.10.9, 1.21.10.10
From:       jcroker () helixcommunity ! org
Date:       2012-06-14 16:45:13

Update of /cvsroot/datatype/mdf/video/format/h264
In directory cvs01.internal.helixcommunity.org:/tmp/cvs-serv24578

Modified Files:
      Tag: hxclient_4_2_0_brizo
	mdfh264payloadformat.cpp 
Log Message:
"Nokia submits this code under the terms of a commercial contribution agreement with
Real Networks, and I am authorized to contribute this code under said agreement."

Modified by: ext-stephen.lilly@nokia.com

Reviewed by: ext-antti.ju.turunen@nokia.com, ext-debashis.2.panigrahi@nokia.com,
qluo@realnetworks.com

RC ID: 999754

Change Id: 1004358 

Date: 06/06/2012

Project: SymbianMmf_wm 

Synopsis: Bounds check on source memory region in CH264PayloadFormatPluginDevice

Overview:
The CH264PayloadFormatPluginDevice::FillBuffer() transfers data into the DevVideo
input buffer. In one mode it will convert between NALs delimited by their length
encoded in the bitstream into NALs delimited by a start code. In corrupt cases the
sum of the NAL lengths in the buffer exceeds the length of the buffer itself. If this
crosses a boundary into an unmapped memory page, a read fault will occur inside
memcpy() when appending to the DevVideo input buffer descriptor.

Fix:
A bounds check is added to avoid memcpy() reading beyond pCodecPacket->dataLength.
Also the memory reads for the NAL length and the NAL_TYPE_FILLER_DATA flag are now
guarded. If a NAL overflows the buffer it will be truncated. If reading the NAL header
would go out of bounds, that NAL is ignored.

Files modified & changes:
datatype/mdf/video/format/h264/mdfh264payloadformat.cpp

Image Size and Heap Use impact: No major impact

Module Release testing (STIF) : Passed

Test case(s) Added : No

Memory leak check performed : N/A

Platforms and Profiles Functionality verified: armv5 

MCL Branch: 420 brizo

Diff: Attached


Index: mdfh264payloadformat.cpp
===================================================================
RCS file: /cvsroot/datatype/mdf/video/format/h264/mdfh264payloadformat.cpp,v
retrieving revision 1.21.10.9
retrieving revision 1.21.10.10
diff -u -d -r1.21.10.9 -r1.21.10.10
--- mdfh264payloadformat.cpp	30 May 2012 13:26:55 -0000	1.21.10.9
+++ mdfh264payloadformat.cpp	14 Jun 2012 16:45:09 -0000	1.21.10.10
@@ -358,22 +358,28 @@
 
         if( inputBuffer.MaxLength() >= length + inputBuffer.Length())
         {
-            for( i = 0; i < pCodecPacket->dataLength; )
+            // we will read at least m_uNalUnitLenInByte plus 1 more byte to check \
for NAL_TYPE_FILLER_DATA +            // (equivalently i + m_uNalUnitLenInByte + 1 <= \
pCodecPacket->dataLength) +            for( i = 0; i + m_uNalUnitLenInByte < \
pCodecPacket->dataLength; )  {
                 ulNALLength = 0;
-                for (ulBytes = 0; ulBytes < m_uNalUnitLenInByte; ulBytes++)
+                for (ulBytes = 0; ulBytes < m_uNalUnitLenInByte; ulBytes++, i++)
                 {
-                    ulNALLength = ulNALLength << 8;
-                    ulNALLength = ulNALLength | temp[i + ulBytes];
+                    ulNALLength = (ulNALLength << 8) | temp[i];
                 }
-
-                if (( temp[i+m_uNalUnitLenInByte] & 0x1f) != NAL_TYPE_FILLER_DATA )
+                if(ulNALLength > pCodecPacket->dataLength - i)
+                {
+                    // NAL length exceeds the remaining input buffer
+                    // Perform a best-effort at handling the frame by truncating to \
the available data +                    ulNALLength = pCodecPacket->dataLength - i;
+                }
+                if (( temp[i] & 0x1f) != NAL_TYPE_FILLER_DATA )
                 {
                    inputBuffer.Append( start_code, sizeof( start_code ) );
-                   inputBuffer.Append( &temp[i + m_uNalUnitLenInByte], ulNALLength \
); +                   inputBuffer.Append( &temp[i], ulNALLength );
                 }
 
-                i += ulNALLength + m_uNalUnitLenInByte;
+                i += ulNALLength;
             }
 
             retVal = HXR_OK;
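
Review bot: the truncation branch `if(ulNALLength > pCodecPacket->dataLength - i)` clamps silently and the function still reaches `retVal = HXR_OK`, so a corrupt packet cannot be told apart from a valid one by the caller or in logs. Consider a trace or a distinct status in that branch and, since the message says no test case was added, a regression test with a NAL length larger than dataLength. A zero ulNALLength also still reaches `temp[i] & 0x1f`, which then tests the first byte of the next length field and appends a bare start code; skipping the NAL when ulNALLength is 0 would avoid that. The loop only makes progress when m_uNalUnitLenInByte is nonzero, which is worth asserting before the loop.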
@@ -401,7 +407,7 @@
 
     UINT8* temp = (UINT8*) pCodecPacket->data;
 
-    for( i = 0; i < pCodecPacket->dataLength; )
+    for( i = 0; i + m_uNalUnitLenInByte <= pCodecPacket->dataLength; )
     {
         ulNALLength = 0;
         for (ulBytes = 0; ulBytes < m_uNalUnitLenInByte; ulBytes++)
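
Review bot: the bound here is `i + m_uNalUnitLenInByte <= pCodecPacket->dataLength` while the loop in the first hunk uses `<`, and the inner length loop in this hunk is unchanged (no `i++`), so the two walks over the same packet are no longer written the same way. The `<=` is enough for reading the length field itself, but if the body below the visible lines reads `temp[i + m_uNalUnitLenInByte]` or advances by an unclamped ulNALLength, it can still step past dataLength or produce a size that disagrees with what the first loop appends. Suggest applying the same clamp here, or sharing one helper for the walk so both loops accept and reject the same NALs.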


_______________________________________________
Datatype-cvs mailing list
Datatype-cvs@helixcommunity.org
http://lists.helixcommunity.org/mailman/listinfo/datatype-cvs
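
Added example (not part of the original commit or the Helix code base): a standalone C version of the length-prefixed to start-code conversion described in the Overview, with the source and destination bounds checks the Fix section describes. The function name avcc_to_annexb, its parameters and the sample packet are assumptions made for illustration; NAL_TYPE_FILLER_DATA is given its H.264 value of 12.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NAL_TYPE_FILLER_DATA 12 /* H.264 nal_unit_type for filler data */

/* Hypothetical helper: rewrite length-prefixed NALs in src[0..src_len) as
 * start-code-delimited NALs in dst. Returns bytes written, or (size_t)-1 on
 * a bad len_size or a full dst. *truncated is set when a declared NAL length
 * ran past the end of src and was clamped. */
size_t avcc_to_annexb(const uint8_t *src, size_t src_len, unsigned len_size,
                      uint8_t *dst, size_t dst_cap, int *truncated)
{
    static const uint8_t start_code[4] = {0, 0, 0, 1};
    size_t i = 0, out = 0;
    *truncated = 0;
    if (len_size == 0 || len_size > 4) return (size_t)-1;
    /* Invariant: i <= src_len. Require the length field plus one NAL header
     * byte; the subtraction form cannot wrap the way i + len_size could. */
    while (src_len - i > len_size) {
        size_t nal_len = 0;
        for (unsigned b = 0; b < len_size; b++)
            nal_len = (nal_len << 8) | src[i++];
        if (nal_len > src_len - i) {      /* declared length overruns src */
            nal_len = src_len - i;
            *truncated = 1;
        }
        if (nal_len == 0)                 /* nothing to classify or copy */
            continue;
        if ((src[i] & 0x1f) != NAL_TYPE_FILLER_DATA) {
            size_t room = dst_cap - out;  /* out <= dst_cap always holds */
            if (room < sizeof start_code || room - sizeof start_code < nal_len)
                return (size_t)-1;
            memcpy(dst + out, start_code, sizeof start_code);
            memcpy(dst + out + sizeof start_code, src + i, nal_len);
            out += sizeof start_code + nal_len;
        }
        i += nal_len;
    }
    return out;
}

int main(void)
{
    /* Constructed corrupt packet: 4-byte length says 256, 3 bytes follow. */
    const uint8_t pkt[] = {0x00, 0x00, 0x01, 0x00, 0x65, 0xAA, 0xBB};
    uint8_t out[32]; int trunc;
    size_t n = avcc_to_annexb(pkt, sizeof pkt, 4, out, sizeof out, &trunc);
    printf("wrote %zu bytes, truncated=%d\n", n, trunc);
}
```

The truncated flag gives the caller the signal that a length field was clamped, so corrupt input can be logged or rejected instead of being passed on as if it were valid.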

