From 7e8303bbaa4e53933330bc01dfd93a60242564b1 Mon Sep 17 00:00:00 2001
From: Ramesh Katuri <ramesh.katuri@ittiam.com>
Date: Fri, 21 Sep 2018 17:45:08 +0530
Subject: [PATCH] Fix for OOB in parsing loud equalizer instruction in drc

Bug:116117112
Test: vendor
Change-Id: I9d69d07dc36e8874d1784b4cf1f1a0a4fc99cee7
---
 decoder/drc_src/impd_drc_dynamic_payload.c |  8 ++++++
 decoder/drc_src/impd_drc_static_payload.c  |  2 ++
 decoder/drc_src/impd_drc_struct.h          | 33 +++++++++++++---------
 3 files changed, 30 insertions(+), 13 deletions(-)

diff --git a/decoder/drc_src/impd_drc_dynamic_payload.c b/decoder/drc_src/impd_drc_dynamic_payload.c
index 68583b2..cf7b93b 100644
--- a/decoder/drc_src/impd_drc_dynamic_payload.c
+++ b/decoder/drc_src/impd_drc_dynamic_payload.c
@@ -1307,12 +1307,20 @@ WORD32 impd_parse_loud_eq_instructions(
   temp = impd_read_bits_buf(it_bit_buff, 8);
   if (it_bit_buff->error) return it_bit_buff->error;
 
+  /* Parsed but unused */
   loud_eq_instructions->loudness_after_drc = (temp >> 7) & 0x01;
 
+  /* Parsed but unused */
   loud_eq_instructions->loudness_after_eq = (temp >> 6) & 0x01;
 
+  /* Parsed but unused */
   loud_eq_instructions->loud_eq_gain_sequence_count = temp & 0x3F;
 
+  if (loud_eq_instructions->loud_eq_gain_sequence_count >
+      LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX)
+    return UNEXPECTED_ERROR;
+
+  /* Section under for loop, Parsed but unused */
   for (i = 0; i < loud_eq_instructions->loud_eq_gain_sequence_count; i++) {
     temp = impd_read_bits_buf(it_bit_buff, 7);
     if (it_bit_buff->error) return it_bit_buff->error;
diff --git a/decoder/drc_src/impd_drc_static_payload.c b/decoder/drc_src/impd_drc_static_payload.c
index de4ceec..675ce8b 100644
--- a/decoder/drc_src/impd_drc_static_payload.c
+++ b/decoder/drc_src/impd_drc_static_payload.c
@@ -2382,7 +2382,9 @@ impd_parse_loudness_info(ia_bit_buf_struct* it_bit_buff, WORD32 version,
     temp = impd_read_bits_buf(it_bit_buff, 6);
     if (it_bit_buff->error) return it_bit_buff->error;
 
+    /* Parsed but unused */
     loudness_info->true_peak_level_measurement_system = (temp >> 2) & 0xf;
+    /* Parsed but unused */
     loudness_info->true_peak_level_reliability = temp & 3;
   }
 
diff --git a/decoder/drc_src/impd_drc_struct.h b/decoder/drc_src/impd_drc_struct.h
index a608da9..0ee8fd8 100644
--- a/decoder/drc_src/impd_drc_struct.h
+++ b/decoder/drc_src/impd_drc_struct.h
@@ -441,8 +441,8 @@ typedef struct {
   FLOAT32 sample_peak_level;
   WORD32 true_peak_level_present;
   FLOAT32 true_peak_level;
-  WORD32 true_peak_level_measurement_system;
-  WORD32 true_peak_level_reliability;
+  WORD32 true_peak_level_measurement_system; /* Parsed but unused */
+  WORD32 true_peak_level_reliability;        /* Parsed but unused */
   WORD32 measurement_count;
   ia_loudness_measure_struct loudness_measure[MEASUREMENT_COUNT_MAX];
 } ia_loudness_info_struct;
@@ -456,17 +456,24 @@ typedef struct {
   WORD32 drc_set_id[DRC_SET_ID_COUNT_MAX];
   WORD32 eq_set_id_count;
   WORD32 eq_set_id[EQ_SET_ID_COUNT_MAX];
-  WORD32 loudness_after_drc;
-  WORD32 loudness_after_eq;
-  WORD32 loud_eq_gain_sequence_count;
-  WORD32 gain_seq_idx[LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX];
-  WORD32 drc_characteristic_format_is_cicp[LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX];
-  WORD32 drc_characteristic[LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX];
-  WORD32 drc_characteristic_left_index[LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX];
-  WORD32 drc_characteristic_right_index[LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX];
-  WORD32 frequency_range_index[LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX];
-  FLOAT32 loud_eq_scaling[LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX];
-  FLOAT32 loud_eq_offset[LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX];
+  WORD32 loudness_after_drc;                            /* Parsed but unused */
+  WORD32 loudness_after_eq;                             /* Parsed but unused */
+  WORD32 loud_eq_gain_sequence_count;                   /* Parsed but unused */
+  WORD32 gain_seq_idx[LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX]; /* Parsed but unused */
+  WORD32 drc_characteristic_format_is_cicp
+      [LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX]; /* Parsed but unused */
+  WORD32 drc_characteristic[LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX]; /* Parsed but
+                                                                 unused */
+  WORD32 drc_characteristic_left_index
+      [LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX]; /* Parsed but unused */
+  WORD32 drc_characteristic_right_index
+      [LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX]; /* Parsed but unused */
+  WORD32 frequency_range_index[LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX]; /* Parsed but
+                                                                    unused */
+  FLOAT32
+  loud_eq_scaling[LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX]; /* Parsed but unused */
+  FLOAT32
+  loud_eq_offset[LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX]; /* Parsed but unused */
 } ia_loud_eq_instructions_struct;
 
 typedef struct {