From 599ca4428a8a357f0b47116a710f474c5ec51356 Mon Sep 17 00:00:00 2001
From: Ramesh Katuri
Date: Thu, 27 Sep 2018 16:23:14 +0530
Subject: [PATCH] Fix for OOB write in split drc characteristic parsing added bounds check on values parsed from input stream.
Bug: 116619337
Test: vendor
Change-Id: Ia938ce45cb0503c1ddcbeaa5d036c0f57521a38f
---
 decoder/drc_src/impd_drc_static_payload.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/decoder/drc_src/impd_drc_static_payload.c b/decoder/drc_src/impd_drc_static_payload.c
index 1bf677c..d62db45 100644
--- a/decoder/drc_src/impd_drc_static_payload.c
+++ b/decoder/drc_src/impd_drc_static_payload.c
@@ -1696,6 +1696,11 @@ impd_drc_parse_coeff(
 str_p_loc_drc_coefficients_uni_drc->characteristic_left_count =
 impd_read_bits_buf(it_bit_buff, 4);
 if (it_bit_buff->error) return it_bit_buff->error;
+
+ if (str_p_loc_drc_coefficients_uni_drc->characteristic_left_count >
+ SPLIT_CHARACTERISTIC_COUNT_MAX)
+ return (UNEXPECTED_ERROR);
+
 for (i = 1;
 i <= str_p_loc_drc_coefficients_uni_drc->characteristic_left_count;
 i++) {
@@ -1713,6 +1718,10 @@ impd_drc_parse_coeff(
 str_p_loc_drc_coefficients_uni_drc->characteristic_right_count =
 impd_read_bits_buf(it_bit_buff, 4);
 if (it_bit_buff->error) return it_bit_buff->error;
+
+ if (str_p_loc_drc_coefficients_uni_drc->characteristic_right_count >
+ SPLIT_CHARACTERISTIC_COUNT_MAX)
+ return (UNEXPECTED_ERROR);
 for (i = 1;
 i <= str_p_loc_drc_coefficients_uni_drc->characteristic_right_count;
 i++) {
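Review bot: The new guard accepts `characteristic_left_count == SPLIT_CHARACTERISTIC_COUNT_MAX`, while the loop right after it runs `for (i = 1; i <= count; i++)`, so the highest index it reaches is the count itself rather than count - 1. That is in bounds only if the per-characteristic arrays filled in the loop body have at least `SPLIT_CHARACTERISTIC_COUNT_MAX + 1` elements; the loop body and the struct declaration are outside this hunk, so this needs to be confirmed against the header. If those arrays are dimensioned exactly `SPLIT_CHARACTERISTIC_COUNT_MAX`, the comparison should be `>=` instead of `>`, and the same applies to the `characteristic_right_count` check in the second hunk. Either way, a short comment next to each check stating the array dimension it protects (for example `/* loop below is 1-based: index i == count must be a valid element */`) would make the invariant auditable.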