From ae206c1fa51a79736167e5b671fd953eaedbce0b Mon Sep 17 00:00:00 2001 From: Ramesh Katuri Date: Thu, 27 Sep 2018 16:02:31 +0530 Subject: [PATCH] Fix for OOB write in td filter casecade parsing Add bounds checks for values delivered as N-bits in the bitstream but that have smaller allowed range in this implementation. Bug:116617847 Test: vendor Change-Id: Iad0c020ceacd2226d8e1af688a52a46179a39a2d --- decoder/drc_src/impd_drc_dynamic_payload.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/decoder/drc_src/impd_drc_dynamic_payload.c b/decoder/drc_src/impd_drc_dynamic_payload.c index 3c5e0cb..576bc45 100644 --- a/decoder/drc_src/impd_drc_dynamic_payload.c +++ b/decoder/drc_src/impd_drc_dynamic_payload.c @@ -638,6 +638,8 @@ WORD32 impd_parse_filt_block(ia_bit_buf_struct* it_bit_buff, if (it_bit_buff->error) return it_bit_buff->error; str_filter_element->filt_ele_idx = (temp & 0x7E) >> 1; + if (str_filter_element->filt_ele_idx >= FILTER_ELEMENT_COUNT_MAX) + return (UNEXPECTED_ERROR); str_filter_element->filt_ele_gain_flag = temp & 1; ; @@ -1016,10 +1018,17 @@ WORD32 impd_parser_td_filter_cascade( str_filter_block_refs->filter_block_count = impd_read_bits_buf(it_bit_buff, 4); if (it_bit_buff->error) return it_bit_buff->error; + if (str_filter_block_refs->filter_block_count > EQ_FILTER_BLOCK_COUNT_MAX) { + return (UNEXPECTED_ERROR); + } + for (ii = 0; ii < str_filter_block_refs->filter_block_count; ii++) { str_filter_block_refs->filter_block_index[ii] = impd_read_bits_buf(it_bit_buff, 7); if (it_bit_buff->error) return it_bit_buff->error; + if (str_filter_block_refs->filter_block_index[ii] >= + FILTER_BLOCK_COUNT_MAX) + return (UNEXPECTED_ERROR); } str_filter_block_refs++; }
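Review bot: In impd_parse_filt_block the new range check runs only after the 6-bit field has been written to `str_filter_element->filt_ele_idx`, so on the `UNEXPECTED_ERROR` return the structure still holds an out-of-range index. Validating a local first keeps the parsed state clean: `WORD32 idx = (temp & 0x7E) >> 1;`, `if (idx >= FILTER_ELEMENT_COUNT_MAX) return (UNEXPECTED_ERROR);`, `str_filter_element->filt_ele_idx = idx;`. The same store-then-check order appears in the second hunk for `filter_block_count` and `filter_block_index[ii]`, where a retained oversized count is the riskier case. Whether any caller reads these structures after a failed parse is not visible in the diff, and the function body continues outside the hunk.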
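Review bot: In impd_parser_td_filter_cascade the count is rejected with `> EQ_FILTER_BLOCK_COUNT_MAX` while both index checks use `>=`, and nothing in the code says why they differ. The `>` form is correct only if `filter_block_index[]` is declared with at least EQ_FILTER_BLOCK_COUNT_MAX entries, which the diff does not show. A comment above the check would record that, for example `/* 4-bit field allows 0..15; filter_block_index[] holds EQ_FILTER_BLOCK_COUNT_MAX entries */`. The enclosing loop that advances `str_filter_block_refs++` starts outside the hunk, so confirm that its iteration count is bounded against the array being walked. The new single-statement `if` around `FILTER_BLOCK_COUNT_MAX` should also be braced, to match the braced check added just above it.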