From 7b81de0dc84e8213f05c190d6aeee1144c1c385d Mon Sep 17 00:00:00 2001
From: Ashwin Natesan <ashwin.natesan@ittiam.com>
Date: Fri, 13 Oct 2023 11:47:02 +0530
Subject: [PATCH] mvcdec: Integer overflow in imvcd_parse_subset_sps

The cases where the value for log2MaxPocLsb was exceeding
'MAX_BITS_IN_POC_LSB' was not being handled correctly,
which was resulting in an integer overflow. This has been
fixed.

Test: mvc_dec_fuzzer
---
 decoder/mvc/imvcd_nalu_parser.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/decoder/mvc/imvcd_nalu_parser.c b/decoder/mvc/imvcd_nalu_parser.c
index 26999125..db09138f 100644
--- a/decoder/mvc/imvcd_nalu_parser.c
+++ b/decoder/mvc/imvcd_nalu_parser.c
@@ -217,14 +217,17 @@ static WORD32 imvcd_parse_subset_sps(mvc_dec_ctxt_t *ps_mvcd_ctxt, dec_bit_strea
 
     if(ps_subset_sps->s_sps_data.u1_pic_order_cnt_type == 0)
     {
-        ps_subset_sps->s_sps_data.u1_log2_max_pic_order_cnt_lsb_minus =
-            4 + ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
+        UWORD32 u1_log2_max_pic_order_cnt_lsb_minus4 =
+            ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
 
-        if(ps_subset_sps->s_sps_data.u1_log2_max_pic_order_cnt_lsb_minus > MAX_BITS_IN_POC_LSB)
+        if(u1_log2_max_pic_order_cnt_lsb_minus4 > (MAX_BITS_IN_POC_LSB - 4))
         {
             return ERROR_INV_SPS_PPS_T;
         }
 
+        ps_subset_sps->s_sps_data.u1_log2_max_pic_order_cnt_lsb_minus =
+            4 + u1_log2_max_pic_order_cnt_lsb_minus4;
+
         ps_subset_sps->s_sps_data.i4_max_pic_order_cntLsb =
             (1 << ps_subset_sps->s_sps_data.u1_log2_max_pic_order_cnt_lsb_minus);
     }