Fix for Segv in impd_down_mix function in xaac.

Enough size was not allocated for DRC payload.
Added appropriate size to persistence memory to accommodate maximum
length of DRC payload data. Also added reset for bit-handler elements
after execute call.

Bug:141290162
Test: poc in bug

Change-Id: I61176076056899310a3306818cd5ad4624a4bab0

decoder/drc_src/impd_drc_api.c

@@ -81,10 +81,10 @@ IA_ERRORCODE impd_process_time_domain(ia_drc_api_struct *p_obj_drc);
    sizeof(ia_drc_sel_proc_output_struct) +                                   \
    sizeof(ia_drc_peak_limiter_struct) + sizeof(ia_drc_peak_limiter_struct) + \
    sizeof(ia_drc_qmf_filt_struct) + ANALY_BUF_SIZE + SYNTH_BUF_SIZE +        \
-   PEAK_LIM_BUF_SIZE + MAX_BS_BUF_SIZE + /*DRC Config Bitstream*/            \
-   MAX_DRC_CONFG_BUF_SIZE +              /*DRC loudness info Bitstream*/     \
-   MAX_LOUD_INFO_BUF_SIZE +              /*DRC interface Bitstream*/         \
-   MAX_INTERFACE_BUF_SIZE +                                                  \
+   PEAK_LIM_BUF_SIZE + MAX_DRC_BS_BUF_SIZE +                                 \
+   MAX_DRC_CONFG_BUF_SIZE + /*DRC Config Bitstream*/                         \
+   MAX_LOUD_INFO_BUF_SIZE + /*DRC loudness info Bitstream*/                  \
+   MAX_INTERFACE_BUF_SIZE + /*DRC interface Bitstream*/                      \
    NUM_GAIN_DEC_INSTANCES *                                                  \
        (SEL_DRC_COUNT * sizeof(ia_interp_buf_struct) * MAX_GAIN_ELE_COUNT +  \
         sizeof(ia_eq_set_struct) + /*non_interleaved_audio*/                 \
@@ -205,11 +205,16 @@ IA_ERRORCODE ia_drc_dec_api(pVOID p_ia_drc_dec_obj, WORD32 i_cmd, WORD32 i_idx,
         }
         case IA_CMD_TYPE_INIT_CPY_BSF_BUFF: {
           memcpy(p_obj_drc->str_bit_handler.it_bit_buf +
-                     p_obj_drc->str_bit_handler.num_bytes_bs,
+                     p_obj_drc->str_bit_handler.num_bytes_offset_bs,
                  p_obj_drc->pp_mem[2], p_obj_drc->str_bit_handler.num_byts_cur);
           p_obj_drc->str_bit_handler.num_bytes_bs =
               p_obj_drc->str_bit_handler.num_bytes_bs +
               p_obj_drc->str_bit_handler.num_byts_cur;
+          p_obj_drc->str_bit_handler.num_bytes_offset_bs =
+              p_obj_drc->str_bit_handler.num_bytes_bs;
+          p_obj_drc->str_bit_handler.num_total_bytes =
+              p_obj_drc->str_bit_handler.num_bytes_bs;
+
           break;
         }
         case IA_CMD_TYPE_INIT_CPY_IC_BSF_BUFF: {
@@ -369,6 +374,11 @@ IA_ERRORCODE ia_drc_dec_api(pVOID p_ia_drc_dec_obj, WORD32 i_cmd, WORD32 i_idx,
           } else if (p_obj_drc->str_config.dec_type == DEC_TYPE_TD_QMF64) {
             error_code = IA_FATAL_ERROR;
           }
+          p_obj_drc->str_bit_handler.byte_index_bs =
+              p_obj_drc->str_bit_handler.num_total_bytes -
+              p_obj_drc->str_bit_handler.num_bytes_bs;
+          p_obj_drc->str_bit_handler.num_bytes_offset_bs = 0;
+
           break;
         }
         case IA_CMD_TYPE_DONE_QUERY: {

decoder/drc_src/impd_drc_api_struct_def.h

@@ -71,6 +71,8 @@ typedef struct bits_handler {
   WORD32 num_bits_read_bs;
   WORD32 num_bytes_read_bs;
   WORD32 num_bytes_bs;
+  WORD32 num_bytes_offset_bs;
+  WORD32 num_total_bytes;
   WORD32 num_bits_offset_bs;
   WORD32 byte_index_bs;
   WORD32 num_byts_cur;

decoder/drc_src/impd_drc_common.h

@@ -53,6 +53,8 @@ extern "C" {
 
 #define NUM_ELE_IN_CPLX_NUM 2
 #define MAX_BS_BUF_SIZE 768
+#define MAX_NUM_DRC_PAYROLL 3
+#define MAX_DRC_BS_BUF_SIZE (MAX_BS_BUF_SIZE * MAX_NUM_DRC_PAYROLL)
 #define MAX_DRC_CONFG_BUF_SIZE MAX_BS_BUF_SIZE
 #define MAX_LOUD_INFO_BUF_SIZE MAX_BS_BUF_SIZE
 #define MAX_INTERFACE_BUF_SIZE MAX_BS_BUF_SIZE

decoder/drc_src/impd_drc_init.c

@@ -276,6 +276,7 @@ IA_ERRORCODE impd_drc_set_default_bitstream_config(
 IA_ERRORCODE impd_drc_set_struct_pointer(ia_drc_api_struct *p_obj_drc) {
   SIZE_T persistant_ptr = (SIZE_T)p_obj_drc->p_state->persistant_ptr;
 
+  SIZE_T persistant_size_consumed = 0;
   p_obj_drc->str_payload.pstr_bitstream_dec =
       (ia_drc_bits_dec_struct *)persistant_ptr;
   persistant_ptr = persistant_ptr + sizeof(ia_drc_bits_dec_struct);
@@ -307,7 +308,7 @@ IA_ERRORCODE impd_drc_set_struct_pointer(ia_drc_api_struct *p_obj_drc) {
   persistant_ptr = persistant_ptr + sizeof(ia_drc_sel_pro_struct);
 
   p_obj_drc->str_bit_handler.it_bit_buf = (UWORD8 *)persistant_ptr;
-  persistant_ptr = persistant_ptr + MAX_BS_BUF_SIZE;
+  persistant_ptr = persistant_ptr + MAX_DRC_BS_BUF_SIZE;
 
   p_obj_drc->str_payload.pstr_drc_sel_proc_params =
       (ia_drc_sel_proc_params_struct *)persistant_ptr;
@@ -345,6 +346,11 @@ IA_ERRORCODE impd_drc_set_struct_pointer(ia_drc_api_struct *p_obj_drc) {
 
   p_obj_drc->str_payload.pstr_qmf_filter->syn_buff = (FLOAT64 *)persistant_ptr;
   persistant_ptr = persistant_ptr + SYNTH_BUF_SIZE;
+  persistant_size_consumed =
+      (UWORD32)persistant_ptr - (UWORD32)p_obj_drc->p_state->persistant_ptr;
+  if (p_obj_drc->p_mem_info[IA_MEMTYPE_PERSIST].ui_size <
+      persistant_size_consumed)
+    return IA_FATAL_ERROR;
 
   p_obj_drc->p_state->persistant_ptr = (pVOID)persistant_ptr;
   return IA_NO_ERROR;