From 5f84dbecff2acd6b4bfad49f55c44ea75c6470a9 Mon Sep 17 00:00:00 2001
From: Ramesh Katuri
Date: Wed, 21 Nov 2018 16:56:27 +0530
Subject: [PATCH] Fix for crash due to negative size passed to memcpy
In DRC, one of the memcpy is called with uninitialized variable as size, which is resulting a crash during memcpy. As a fix all the members of structure str_bit_handler are set to zero.
Bug:115780779
Test: vendor
Change-Id: Ib991f7ca6fde9d448b975b4a9fa34234fa54231e
---
 decoder/drc_src/impd_drc_init.c | 15 ++-------------
 1 file changed, 2 insertions(+), 13 deletions(-)
diff --git a/decoder/drc_src/impd_drc_init.c b/decoder/drc_src/impd_drc_init.c
index 5f51a3f..cd6d467 100644
--- a/decoder/drc_src/impd_drc_init.c
+++ b/decoder/drc_src/impd_drc_init.c
@@ -19,6 +19,7 @@
 */
 #include
 #include
+#include
 #include "impd_type_def.h"
 #include "impd_error_standards.h"
@@ -111,19 +112,7 @@ IA_ERRORCODE impd_drc_set_default_config(ia_drc_api_struct *p_obj_drc) {
 p_obj_drc->str_config.effect_type = 0;
 p_obj_drc->str_config.target_loudness = -24;
 p_obj_drc->str_config.loud_norm_flag = 0;
- p_obj_drc->str_bit_handler.byte_index_bs = 0;
- p_obj_drc->str_bit_handler.num_bytes_bs = 0;
- p_obj_drc->str_bit_handler.num_bits_offset_bs = 0;
- p_obj_drc->str_bit_handler.num_bits_read_bs = 0;
- p_obj_drc->str_bit_handler.cpy_over = 0;
- p_obj_drc->str_bit_handler.num_bytes_bs_drc_config = 0;
- p_obj_drc->str_bit_handler.cpy_over_ic = 0;
- p_obj_drc->str_bit_handler.num_bytes_bs_loudness_info = 0;
- p_obj_drc->str_bit_handler.cpy_over_il = 0;
- p_obj_drc->str_bit_handler.num_bytes_bs_unidrc_interface = 0;
- p_obj_drc->str_bit_handler.num_bits_read_bs_unidrc_interface = 0;
- p_obj_drc->str_bit_handler.cpy_over_in = 0;
- p_obj_drc->str_bit_handler.gain_stream_flag = 0;
+ memset(&p_obj_drc->str_bit_handler, 0, sizeof(p_obj_drc->str_bit_handler));
 return IA_NO_ERROR;
 }
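Review bot: The `memset` on `str_bit_handler` in `impd_drc_set_default_config` removes the uninitialized read, but the `memcpy` that consumed the bad size is not part of this patch, so a size that ends up negative or oversized for any other reason would presumably still reach it unchecked. That call site should reject a size that is negative or larger than the destination before copying, rather than relying on initialization alone. It is also worth confirming that `str_bit_handler` holds no pointer or buffer assigned before this function runs, since the blanket `memset` now clears every member where the removed assignments touched only thirteen named fields. A comment on the new line would record the intent, e.g. `/* Zero the whole handler: a size member left unset here previously reached memcpy (Bug 115780779) */`. The start of the function body lies outside the hunk.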