From 69e4cbac1cbe2d4c5d3fc92b1b5c731078e8ba13 Mon Sep 17 00:00:00 2001
From: Dongwon Kang <dwkang@google.com>
Date: Fri, 21 Jun 2019 14:17:58 -0700
Subject: [PATCH] m4v_h263: add a test for invalid/negative value

Test: run poc with and without the patch.
Bug: 134578122
Change-Id: I2d11826d1d9e2669aa5627065dc627729ddc823b
(cherry picked from commit 7802c68aebf7908983508fd4a52a7d53746a80eb)
---
 .../libstagefright/codecs/m4v_h263/dec/src/packet_util.cpp  | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/media/libstagefright/codecs/m4v_h263/dec/src/packet_util.cpp b/media/libstagefright/codecs/m4v_h263/dec/src/packet_util.cpp
index 48414d7b32..5880e3260d 100644
--- a/media/libstagefright/codecs/m4v_h263/dec/src/packet_util.cpp
+++ b/media/libstagefright/codecs/m4v_h263/dec/src/packet_util.cpp
@@ -52,7 +52,11 @@ PV_STATUS PV_ReadVideoPacketHeader(VideoDecData *video, int *next_MB)
         PV_BitstreamByteAlign(stream);
         BitstreamReadBits32(stream, resync_marker_length);
 
-        *next_MB = (int) BitstreamReadBits16(stream, nbits);
+        int mbnum = (int) BitstreamReadBits16(stream, nbits);
+        if (mbnum < 0) {
+            return PV_FAIL;
+        }
+        *next_MB = mbnum;
 //      if (*next_MB <= video->mbnum)   /*  needs more investigation */
 //          *next_MB = video->mbnum+1;