From 6d56d0914fe07d9a454827fef9c4e8ea2295d9e5 Mon Sep 17 00:00:00 2001 From: Ramesh Katuri Date: Wed, 5 Sep 2018 11:59:10 +0530 Subject: [PATCH] Fix for heap buffer overflow in read section data compare parsed values against array dimensions, since fields can hold larger numbers than the array's are dimensioned to handle. Bug: 112611363 Test: poc Change-Id: I56b1c738cade376a39e8e9c588fc73f9602567f2
---
 decoder/ixheaacd_defines.h | 1 + decoder/ixheaacd_longblock.c | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/decoder/ixheaacd_defines.h b/decoder/ixheaacd_defines.h
index 3ff42dd..d631473 100644
--- a/decoder/ixheaacd_defines.h
+++ b/decoder/ixheaacd_defines.h
@@ -28,6 +28,7 @@
 #define MAX_BINS_LONG 1024
 #define MAX_BINS_SHORT 128
 #define MAX_SCALE_FACTOR_BANDS_SHORT 16
+#define MAX_SCALE_FACTOR_BANDS_LONG (52)
 #define ZERO_HCB 0
diff --git a/decoder/ixheaacd_longblock.c b/decoder/ixheaacd_longblock.c
index 18a62ec..e5582f7 100644
--- a/decoder/ixheaacd_longblock.c
+++ b/decoder/ixheaacd_longblock.c
@@ -113,10 +113,11 @@ WORD16 ixheaacd_read_section_data(
 sect_len_incr = 1;
 sect_len = (sect_len + sect_len_incr);
- top = (sfb + sect_len);
 if (aac_spect_data_resil_flag) {
- if (num_lines_sec_idx >= MAX_SFB_HCR) {
+ top = (sfb + sect_len);
+ if ((num_lines_sec_idx >= MAX_SFB_HCR) ||
+ (top >= MAX_SCALE_FACTOR_BANDS_LONG)) {
 return -1;
 }
 ptr_num_sect_lines[num_lines_sec_idx] =
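Review bot: In ixheaacd_read_section_data the new limit on `top` is enforced only inside `if (aac_spect_data_resil_flag)`, and `top = (sfb + sect_len);` was moved into that branch too, so when the flag is clear `top` is neither computed nor range-checked here. The function starts and ends outside this hunk, so if anything after the branch still reads `top` or indexes by `sfb + sect_len`, that path stays unbounded. The bound is also the compile-time constant `MAX_SCALE_FACTOR_BANDS_LONG` rather than the entry count of the table that `top` ends up indexing in the statement continuing past the hunk, so it presumably only helps if every such table has at least 52 entries; worth confirming, along with whether `>=` or `>` matches that dimension. I would document the constant where it is defined, e.g. `/* Upper bound for long-block scale factor band indices; keep in sync with the tables indexed by sfb/top. */`, and return a named error code instead of the bare `-1` if the decoder has one for this case.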