From f2d380ca2e8a256236744eb29082f1955b79da9c Mon Sep 17 00:00:00 2001
From: Rajat kumar
Date: Sun, 26 Jul 2020 17:21:02 +0530
Subject: [PATCH] Fix to handle segv in impd_filter_banks_process

Added check to ensure array size of buf_interpolation->lpcm_gains does not exceed allotted size.

Bug: 161819862
Test: poc in bug
Change-Id: I7e554d70ada8d92ee3496c0fbdfc78cee55e4697
---
 decoder/drc_src/impd_drc_dynamic_payload.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/decoder/drc_src/impd_drc_dynamic_payload.c b/decoder/drc_src/impd_drc_dynamic_payload.c
index a8a15a9..f8a1aa9 100644
--- a/decoder/drc_src/impd_drc_dynamic_payload.c
+++ b/decoder/drc_src/impd_drc_dynamic_payload.c
@@ -231,6 +231,8 @@ WORD32 impd_dec_times(ia_bit_buf_struct* it_bit_buff,
 }
 }
 node_time_tmp = time_offs + time_delta * delta_tmin;
+ if (node_time_tmp >= (2 * AUDIO_CODEC_FRAME_SIZE_MAX - drc_frame_size))
+ return UNEXPECTED_ERROR;
 if (node_time_tmp > drc_frame_size + time_offset) {
 if (node_res_flag == 0) {
 str_node[k].time = drc_frame_size + time_offset;
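Review bot: The added guard on `node_time_tmp` has no comment explaining where the limit `2 * AUDIO_CODEC_FRAME_SIZE_MAX - drc_frame_size` comes from, so a reader cannot tell which buffer it protects without the commit message. A one-line comment above it would tie it to the array, for example `/* node time must stay inside buf_interpolation->lpcm_gains (see Bug 161819862) */`. The check is also an upper bound only: if `node_time_tmp` is signed and `time_offs` or `time_delta` can be driven negative by the bitstream (both are computed outside this hunk), a negative value still passes, so it is worth confirming whether a lower bound is needed as well. The body of `impd_dec_times` starts and ends outside the hunk, so the effect of returning mid-loop on already written `str_node` entries cannot be judged from here.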