Avoid signed integer (POC) overflow in decoder_core.c

Addresses: cisco#3745
tyan0 · Jul 12, 2024 · 49e1455 · 49e1455
1 parent 478e5ab
commit 49e1455
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 4 deletions.
diff --git a/codec/decoder/core/src/decoder_core.cpp b/codec/decoder/core/src/decoder_core.cpp
@@ -1079,16 +1079,34 @@ int32_t ParseSliceHeaderSyntaxs (PWelsDecoderContext pCtx, PBitStringAux pBs, co
       pCtx->pLastDecPicInfo->iPrevPicOrderCntMsb = 0;
       pCtx->pLastDecPicInfo->iPrevPicOrderCntLsb = 0;
     }
+    /* We shoud not expect that overflow in signed integer returns wrapped-
+       around result. C/C++ standard states the result is undefined. */
     int32_t pocMsb;
     if (pocLsb < pCtx->pLastDecPicInfo->iPrevPicOrderCntLsb
         && pCtx->pLastDecPicInfo->iPrevPicOrderCntLsb - pocLsb >= iMaxPocLsb / 2)
-      pocMsb = pCtx->pLastDecPicInfo->iPrevPicOrderCntMsb + iMaxPocLsb;
+      {
+        if (INT32_MAX - iMaxPocLsb < pCtx->pLastDecPicInfo->iPrevPicOrderCntMsb)
+          /* Will overflow. Emulate wraparound result. */
+          pocMsb = (pCtx->pLastDecPicInfo->iPrevPicOrderCntMsb - INT32_MAX - 1) + (INT32_MIN + iMaxPocLsb);
+        else
+          pocMsb = pCtx->pLastDecPicInfo->iPrevPicOrderCntMsb + iMaxPocLsb;
+      }
     else if (pocLsb > pCtx->pLastDecPicInfo->iPrevPicOrderCntLsb
              && pocLsb - pCtx->pLastDecPicInfo->iPrevPicOrderCntLsb > iMaxPocLsb / 2)
-      pocMsb = pCtx->pLastDecPicInfo->iPrevPicOrderCntMsb - iMaxPocLsb;
+      {
+        if (INT32_MIN + iMaxPocLsb > pCtx->pLastDecPicInfo->iPrevPicOrderCntMsb)
+          /* Will overflow. Emulate wraparound result. */
+          pocMsb = (pCtx->pLastDecPicInfo->iPrevPicOrderCntMsb - INT32_MIN) + (INT32_MAX - iMaxPocLsb + 1);
+        else
+          pocMsb = pCtx->pLastDecPicInfo->iPrevPicOrderCntMsb - iMaxPocLsb;
+      }
     else
       pocMsb = pCtx->pLastDecPicInfo->iPrevPicOrderCntMsb;
-    pSliceHead->iPicOrderCntLsb = pocMsb + pocLsb;
+    if (INT32_MAX - pocLsb < pocMsb)
+      /* Will overflow. Emulate wraparound result. */
+      pSliceHead->iPicOrderCntLsb = (pocMsb - INT32_MAX - 1) + (INT32_MIN + pocLsb);
+    else
+      pSliceHead->iPicOrderCntLsb = pocMsb + pocLsb;
 
     if (pPps->bPicOrderPresentFlag && !pSliceHead->bFieldPicFlag) {
       pSliceHead->iPicOrderCntLsb += pSliceHead->iDeltaPicOrderCntBottom;

diff --git a/codec/decoder/plus/src/welsDecoderExt.cpp b/codec/decoder/plus/src/welsDecoderExt.cpp
@@ -1052,7 +1052,7 @@ void CWelsDecoder::ReleaseBufferedReadyPictureReorder (PWelsDecoderContext pCtx,
       int32_t iLastPOC = pCtx != NULL ? pCtx->pSliceHeader->iPicOrderCntLsb : m_sPictInfoList[m_iLastBufferedIdx].iPOC;
       int32_t iLastSeqNum = pCtx != NULL ? pCtx->iSeqNum : m_sPictInfoList[m_iLastBufferedIdx].iSeqNum;
       isReady = (m_sReoderingStatus.iLastWrittenPOC > IMinInt32
-        && m_sReoderingStatus.iMinPOC - m_sReoderingStatus.iLastWrittenPOC <= 1)
+        && m_sReoderingStatus.iMinPOC <= m_sReoderingStatus.iLastWrittenPOC + 1)
         || m_sReoderingStatus.iMinPOC < iLastPOC
         || m_sReoderingStatus.iMinSeqNum - iLastSeqNum < 0;
     }