From 69f8d42a89866d5ff18df83ea46bf2dd10a2d2cc Mon Sep 17 00:00:00 2001
From: Ramesh Katuri
Date: Fri, 31 Aug 2018 16:40:42 +0530
Subject: [PATCH] Fix for stack buffer underflow in sbr

Sbr frame size is not getting updated in all the sbr decoder calling paths, because of which in one of the paths the number of samples are passed as 0 to sbr decode call. Inside the sbr decode call one of the buffer is accessed with (shifted value of this number of samples - offset), which is becoming negative in this cause. This negative offset is causing OOB read access.

Bug:113263695
Test: poc from bug
Change-Id: I8fb5391a6ba9dd4919f8b761de295d02dda685b4
---
 decoder/ixheaacd_api.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/decoder/ixheaacd_api.c b/decoder/ixheaacd_api.c
index afc4510..31031d2 100644
--- a/decoder/ixheaacd_api.c
+++ b/decoder/ixheaacd_api.c
@@ -1786,6 +1786,9 @@ IA_ERRORCODE ixheaacd_dec_init(
 p_state_enhaacplus_dec->b_n_raw_data_blk--;
 }
 
+ sample_rate_2 = sample_rate_1;
+ frame_size_2 = frame_size_1;
+
 if (!p_state_enhaacplus_dec->str_sbr_dec_info[ch_idx] &&
 p_state_enhaacplus_dec->pstr_stream_sbr[0][0].no_elements) {
 if ((p_obj_exhaacplus_dec->aac_config.flag_16khz_out == 1) &&
@@ -1793,9 +1796,6 @@ IA_ERRORCODE ixheaacd_dec_init(
 p_obj_exhaacplus_dec->aac_config.flag_16khz_out = 0;
 }
 
- sample_rate_2 = sample_rate_1;
- frame_size_2 = frame_size_1;
-
 p_state_enhaacplus_dec->str_sbr_dec_info[ch_idx] = ixheaacd_init_sbr(
 sample_rate_1, frame_size_1,
 (FLAG *)&p_obj_exhaacplus_dec->aac_config.down_sample_flag,
@@ -1807,7 +1807,8 @@ IA_ERRORCODE ixheaacd_dec_init(
 } else {
 }
 
- if (p_state_enhaacplus_dec->str_sbr_dec_info[ch_idx]) {
+ if (p_state_enhaacplus_dec->str_sbr_dec_info[ch_idx] &&
+ p_state_enhaacplus_dec->pstr_stream_sbr[0][0].no_elements) {
 ia_sbr_scr_struct sbr_scratch_struct;
 WORD16 num_channels_1_t = num_channels_1;
 ixheaacd_allocate_sbr_scr(
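Review bot: The new guard in the third hunk tests `pstr_stream_sbr[0][0].no_elements` while the SBR state it gates is indexed by `ch_idx`; the first hunk's guard already used the same fixed index, so this is presumably a stream-level flag, but if it is per-element the check only reflects the first element and the index should be confirmed. The commit message attributes the out-of-bounds read to a negative offset derived from the sample count inside the SBR decode call, and this patch only fixes the init-side producer by moving the `sample_rate_2`/`frame_size_2` assignments out of the conditional (hunks 1–2), so the decode-side computation still has no range check and any other path that reaches it with 0 samples would hit the same read. A comment above the moved assignments would keep the invariant visible, e.g. `/* Always propagate: the SBR decode path presumably derives a buffer offset from frame_size_2, and 0 here yields a negative offset (Bug 113263695). */`, and a check that the sample count is large enough where the offset is derived belongs in the decode path, outside this diff. ixheaacd_dec_init begins and ends outside all three hunks.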
@@ -1895,6 +1896,7 @@ IA_ERRORCODE ixheaacd_dec_init( WORD max_ch_num = p_obj_exhaacplus_dec->aac_config.ui_max_channels; i = 0; + p_obj_exhaacplus_dec->aac_config.ui_n_channels = ch_idx; while (p_obj_exhaacplus_dec->aac_config.element_type[ch_idx_err] <= 3 && p_obj_exhaacplus_dec->aac_config.element_type[ch_idx_err] >= 0) { ch_idx_err++;