wrapper/libxaac
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix for heap buffer overflow in read section data

Browse source 
compare parsed values against array dimensions, since fields can hold
larger numbers than the array's are dimensioned to handle.

Bug: 112611363
Test: poc
Change-Id: I56b1c738cade376a39e8e9c588fc73f9602567f2
This commit is contained in:
Ramesh Katuri 2018-09-05 11:59:10 +05:30 committed by Ray Essick
parent b3c5bcb7bd
commit 6d56d0914f
2 changed files with 4 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

1
decoder/ixheaacd_defines.h
View file

@ -28,6 +28,7 @@
#define MAX_BINS_LONG 1024
#define MAX_BINS_SHORT 128
#define MAX_SCALE_FACTOR_BANDS_SHORT 16
#define MAX_SCALE_FACTOR_BANDS_LONG (52)
#define ZERO_HCB 0

5
decoder/ixheaacd_longblock.c
View file

@ -113,10 +113,11 @@ WORD16 ixheaacd_read_section_data(
sect_len_incr = 1;
sect_len = (sect_len + sect_len_incr);
top = (sfb + sect_len);
if (aac_spect_data_resil_flag) {
if (num_lines_sec_idx >= MAX_SFB_HCR) {
top = (sfb + sect_len);
if ((num_lines_sec_idx >= MAX_SFB_HCR) ||
(top >= MAX_SCALE_FACTOR_BANDS_LONG)) {
return -1;
}
ptr_num_sect_lines[num_lines_sec_idx] =