List: helix-datatype-cvs
Subject: [Datatype-cvs] mdf/video/format/h264 mdfh264payloadformat.cpp, 1.21.10.9, 1.21.10.10
From: jcroker () helixcommunity ! org
Date: 2012-06-14 16:45:13
Update of /cvsroot/datatype/mdf/video/format/h264
In directory cvs01.internal.helixcommunity.org:/tmp/cvs-serv24578
Modified Files:
Tag: hxclient_4_2_0_brizo
mdfh264payloadformat.cpp
Log Message:
"Nokia submits this code under the terms of a commercial contribution agreement with \
Real Networks, and I am authorized to contribute this code under said agreement."
Modified by: ext-stephen.lilly@nokia.com
Reviewed by: ext-antti.ju.turunen@nokia.com, ext-debashis.2.panigrahi@nokia.com, \
qluo@realnetworks.com
RC ID: 999754
Change Id: 1004358
Date: 06/06/2012
Project: SymbianMmf_wm
Synopsis: Bounds check on source memory region in CH264PayloadFormatPluginDevice
Overview:
The CH264PayloadFormatPluginDevice::FillBuffer() transfers data into the DevVideo \
input buffer. In one mode it will convert between NALs delimited by their length \
encoded in the bitstream into NALs delimited by a start code. In corrupt cases the \
sum of the NAL lengths in the buffer exceeds the length of the buffer itself. If this \
crosses a boundary into an unmapped memory page, a read fault will occur inside \
memcpy() when appending to the DevVideo input buffer descriptor.
Fix:
A bounds check is added to avoid memcpy() reading beyond pCodecPacket->dataLength. \
Also the memory reads for the NAL length and the NAL_TYPE_FILLER_DATA flag are now \
guarded. If a NAL overflows the buffer it will be truncated. If reading the NAL header \
would go out of bounds, that NAL is ignored.
Files modified & changes:
datatype/mdf/video/format/h264/mdfh264payloadformat.cpp
Image Size and Heap Use impact: No major impact
Module Release testing (STIF) : Passed
Test case(s) Added : No
Memory leak check performed : N/A
Platforms and Profiles Functionality verified: armv5
MCL Branch: 420 brizo
Diff: Attached
Index: mdfh264payloadformat.cpp
===================================================================
RCS file: /cvsroot/datatype/mdf/video/format/h264/mdfh264payloadformat.cpp,v
retrieving revision 1.21.10.9
retrieving revision 1.21.10.10
diff -u -d -r1.21.10.9 -r1.21.10.10
--- mdfh264payloadformat.cpp 30 May 2012 13:26:55 -0000 1.21.10.9
+++ mdfh264payloadformat.cpp 14 Jun 2012 16:45:09 -0000 1.21.10.10
@@ -358,22 +358,28 @@
if( inputBuffer.MaxLength() >= length + inputBuffer.Length())
{
- for( i = 0; i < pCodecPacket->dataLength; )
+ // we will read at least m_uNalUnitLenInByte plus 1 more byte to check \
for NAL_TYPE_FILLER_DATA + // (equivalently i + m_uNalUnitLenInByte + 1 <= \
pCodecPacket->dataLength) + for( i = 0; i + m_uNalUnitLenInByte < \
pCodecPacket->dataLength; ) {
ulNALLength = 0;
- for (ulBytes = 0; ulBytes < m_uNalUnitLenInByte; ulBytes++)
+ for (ulBytes = 0; ulBytes < m_uNalUnitLenInByte; ulBytes++, i++)
{
- ulNALLength = ulNALLength << 8;
- ulNALLength = ulNALLength | temp[i + ulBytes];
+ ulNALLength = (ulNALLength << 8) | temp[i];
}
-
- if (( temp[i+m_uNalUnitLenInByte] & 0x1f) != NAL_TYPE_FILLER_DATA )
+ if(ulNALLength > pCodecPacket->dataLength - i)
+ {
+ // NAL length exceeds the remaining input buffer
+ // Perform a best-effort at handling the frame by truncating to \
the available data + ulNALLength = pCodecPacket->dataLength - i;
+ }
+ if (( temp[i] & 0x1f) != NAL_TYPE_FILLER_DATA )
{
inputBuffer.Append( start_code, sizeof( start_code ) );
- inputBuffer.Append( &temp[i + m_uNalUnitLenInByte], ulNALLength \
); + inputBuffer.Append( &temp[i], ulNALLength );
}
- i += ulNALLength + m_uNalUnitLenInByte;
+ i += ulNALLength;
}
retVal = HXR_OK;
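Review bot: At the `temp[i] & 0x1f` filler check, a length field of zero is not handled. After the length loop `i` already points past the prefix, so with `ulNALLength == 0` the byte tested is the first byte of the next length prefix rather than a NAL header, and a bare start code is appended with no payload. The read stays in bounds because of the loop condition, but consider skipping the unit with `if (ulNALLength == 0) continue;` before the filler check. Separately, the truncation branch still falls through to `retVal = HXR_OK`, so the caller cannot tell a corrupt packet from a clean one; a log line or a distinct status there would help when diagnosing bad streams. Since the change notes say no test case was added, a packet whose NAL lengths sum past `dataLength` is worth adding as a regression input.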
@@ -401,7 +407,7 @@
UINT8* temp = (UINT8*) pCodecPacket->data;
- for( i = 0; i < pCodecPacket->dataLength; )
+ for( i = 0; i + m_uNalUnitLenInByte <= pCodecPacket->dataLength; )
{
ulNALLength = 0;
for (ulBytes = 0; ulBytes < m_uNalUnitLenInByte; ulBytes++)
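Review bot: In this second `for` loop the new condition `i + m_uNalUnitLenInByte <= pCodecPacket->dataLength` only guarantees that the length prefix is readable, whereas the first loop uses `<` to also cover the NAL header byte; the difference deserves a comment like the one added to the first loop. The rest of this loop body is outside the hunk, so please confirm that `ulNALLength` is not used to index `temp` or to advance `i` without the same clamp against the remaining `dataLength`, and that any size this loop computes still agrees with what the first loop appends now that it truncates.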
_______________________________________________
Datatype-cvs mailing list
Datatype-cvs@helixcommunity.org
http://lists.helixcommunity.org/mailman/listinfo/datatype-cvs