From: Xiang, Haihao <haihao.xiang@intel.com>
Date: Fri, 15 Mar 2013 07:32:01 +0000 (+0800)
Subject: Fix potential buffer overflow for JPEG decoding
X-Git-Tag: submit/upstream/20130321.072122~2
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=a38598bfb10429f2a50e7f6f907f06cb7a5c30a7;p=profile%2Fivi%2Fvaapi-intel-driver.git

Fix potential buffer overflow for JPEG decoding

Signed-off-by: Xiang, Haihao <haihao.xiang@intel.com>
---

diff --git a/src/gen75_mfd.c b/src/gen75_mfd.c
index 4f08f38..0ac9d5f 100644
--- a/src/gen75_mfd.c
+++ b/src/gen75_mfd.c
@@ -2406,14 +2406,20 @@ gen75_mfd_jpeg_qm_state(VADriverContextP ctx,
     assert(pic_param->num_components <= 3);
 
     for (index = 0; index < pic_param->num_components; index++) {
-        int qm_type = va_to_gen7_jpeg_qm[pic_param->components[index].component_id - pic_param->components[0].component_id + 1];
+        int id = pic_param->components[index].component_id - pic_param->components[0].component_id + 1;
+        int qm_type;
         unsigned char *qm = iq_matrix->quantiser_table[pic_param->components[index].quantiser_table_selector];
         unsigned char raster_qm[64];
         int j;
 
+        if (id > 4 || id < 1)
+            continue;
+
         if (!iq_matrix->load_quantiser_table[pic_param->components[index].quantiser_table_selector])
             continue;
 
+        qm_type = va_to_gen7_jpeg_qm[id];
+
         for (j = 0; j < 64; j++)
             raster_qm[zigzag_direct[j]] = qm[j];
 
diff --git a/src/gen7_mfd.c b/src/gen7_mfd.c
index c081826..ed463d9 100755
--- a/src/gen7_mfd.c
+++ b/src/gen7_mfd.c
@@ -2035,14 +2035,20 @@ gen7_mfd_jpeg_qm_state(VADriverContextP ctx,
     assert(pic_param->num_components <= 3);
 
     for (index = 0; index < pic_param->num_components; index++) {
-        int qm_type = va_to_gen7_jpeg_qm[pic_param->components[index].component_id - pic_param->components[0].component_id + 1];
+        int id = pic_param->components[index].component_id - pic_param->components[0].component_id + 1;
+        int qm_type;
         unsigned char *qm = iq_matrix->quantiser_table[pic_param->components[index].quantiser_table_selector];
         unsigned char raster_qm[64];
         int j;
 
+        if (id > 4 || id < 1)
+            continue;
+
         if (!iq_matrix->load_quantiser_table[pic_param->components[index].quantiser_table_selector])
             continue;
 
+        qm_type = va_to_gen7_jpeg_qm[id];
+
         for (j = 0; j < 64; j++)
             raster_qm[zigzag_direct[j]] = qm[j];