shithub: openh264

Download patch

ref: 7cbc31a0bff0f8403b4ddc2a239de65822936dcc
parent: 10179539cf10988573d77f770bf488e0534a5663
parent: 4bafe1c430eba6480a4a2913e584c4c68632a232
author: HaiboZhu <haibozhu@cisco.com>
date: Fri Oct 16 12:50:26 EDT 2015

Merge pull request #2161 from huili2/MMCO_overflow

prevent too many MMCO num overflow

--- a/codec/decoder/core/inc/error_code.h
+++ b/codec/decoder/core/inc/error_code.h
@@ -186,6 +186,7 @@
 ERR_INFO_EC_NO_ENOUGH_NEIGHBOUR_MBS,
 ERR_INFO_DUPLICATE_FRAME_NUM,
 //for LTR
+ERR_INFO_INVALID_MMCO_NUM,
 ERR_INFO_INVALID_MMCO_OPCODE_BASE,
 ERR_INFO_INVALID_MMCO_SHORT2UNUSED,
 EER_INFO_INVALID_MMCO_LONG2UNUSED,
--- a/codec/decoder/core/src/manage_dec_ref.cpp
+++ b/codec/decoder/core/src/manage_dec_ref.cpp
@@ -337,7 +337,7 @@
   PSps pSps = pCtx->pCurDqLayer->sLayerInfo.pSps;
   int32_t i = 0;
   int32_t iRet = ERR_NONE;
-  for (i = 0; pRefPicMarking->sMmcoRef[i].uiMmcoType != MMCO_END; i++) {
+  for (i = 0; i < MAX_MMCO_COUNT && pRefPicMarking->sMmcoRef[i].uiMmcoType != MMCO_END; i++) {
     uint32_t uiMmcoType = pRefPicMarking->sMmcoRef[i].uiMmcoType;
     int32_t iShortFrameNum = (pCtx->iFrameNum - pRefPicMarking->sMmcoRef[i].iDiffOfPicNum) & ((
                                1 << pSps->uiLog2MaxFrameNum) - 1);
@@ -351,6 +351,9 @@
     if (iRet != ERR_NONE) {
       return iRet;
     }
+  }
+  if (i == MAX_MMCO_COUNT) { //although Rec does not handle this condition, we here prohibit too many MMCO op
+    return ERR_INFO_INVALID_MMCO_NUM;
   }
 
   return ERR_NONE;