Fix OOB read in impd_drc_uni_sel_proc_process

pstr_drc_uni_sel_proc->drc_config.str_drc_instruction_str and pstr_drc_uni_sel_proc->drc_config.str_drc_config_ext .str_eq_instructions arrays were accessed with -1 indexes, which is implemented as default configuration for no updation. Since we have already initialized all the structures to zero before itself, this assignment is not needed when the indexes are -1, so the check has been added. Bug: 122330975 Test: atest android.media.cts.DecoderTestAacDrc Change-Id: I841c748c53c057db38379c97def6b28fb6421482
2019-01-08 11:06:35 +05:30 · 2019-01-08 11:06:35 +05:30 · c300f50cf1
commit c300f50cf1
parent cdce0be099
1 changed files with 15 additions and 14 deletions
--- a/decoder/drc_src/impd_drc_selection_process.c
+++ b/decoder/drc_src/impd_drc_selection_process.c
@ -170,27 +170,26 @@ impd_drc_uni_sel_proc_process(
      for (i = SUB_DRC_COUNT - 1; i >= 0; i--) {
        WORD32 drc_instructions_index =
            pstr_drc_uni_sel_proc->drc_instructions_index[i];
-        ia_drc_instructions_struct str_drc_instruction_str;
+        if (drc_instructions_index < 0) continue;

-        str_drc_instruction_str =
-            pstr_drc_uni_sel_proc->drc_config
-                .str_drc_instruction_str[drc_instructions_index];
+        ia_drc_instructions_struct* str_drc_instruction_str =
+            &(pstr_drc_uni_sel_proc->drc_config
+                  .str_drc_instruction_str[drc_instructions_index]);

-        if (drc_instructions_index >= 0 &&
-            str_drc_instruction_str.drc_set_id > 0) {
+        if (str_drc_instruction_str->drc_set_id > 0) {
          pstr_drc_uni_sel_proc->uni_drc_sel_proc_output
              .sel_drc_set_ids[activeDrcSetIndex] =
-              str_drc_instruction_str.drc_set_id;
+              str_drc_instruction_str->drc_set_id;

-          if ((i == 3) && (str_drc_instruction_str.drc_set_effect &
+          if ((i == 3) && (str_drc_instruction_str->drc_set_effect &
                           (EFFECT_BIT_DUCK_SELF | EFFECT_BIT_DUCK_OTHER))) {
            pstr_drc_uni_sel_proc->uni_drc_sel_proc_output
                .sel_downmix_ids[activeDrcSetIndex] = 0;
          } else {
-            if (str_drc_instruction_str.drc_apply_to_dwnmix == 1) {
+            if (str_drc_instruction_str->drc_apply_to_dwnmix == 1) {
              pstr_drc_uni_sel_proc->uni_drc_sel_proc_output
                  .sel_downmix_ids[activeDrcSetIndex] =
-                  str_drc_instruction_str.downmix_id[0];
+                  str_drc_instruction_str->downmix_id[0];
            } else {
              pstr_drc_uni_sel_proc->uni_drc_sel_proc_output
                  .sel_downmix_ids[activeDrcSetIndex] = 0;
@ -235,10 +234,12 @@ impd_drc_uni_sel_proc_process(
            .loudness_norm_gain_modification_db;
  }
  for (i = 0; i < 2; i++) {
-    pstr_drc_uni_sel_proc->uni_drc_sel_proc_output.sel_eq_set_ids[i] =
-        pstr_drc_uni_sel_proc->drc_config.str_drc_config_ext
-            .str_eq_instructions[pstr_drc_uni_sel_proc->eq_inst_index[i]]
-            .eq_set_id;
+    if (pstr_drc_uni_sel_proc->eq_inst_index[i] >= 0) {
+      pstr_drc_uni_sel_proc->uni_drc_sel_proc_output.sel_eq_set_ids[i] =
+          pstr_drc_uni_sel_proc->drc_config.str_drc_config_ext
+              .str_eq_instructions[pstr_drc_uni_sel_proc->eq_inst_index[i]]
+              .eq_set_id;
+    }
  }
  if (pstr_drc_uni_sel_proc->loud_eq_inst_index_sel >= 0) {
    pstr_drc_uni_sel_proc->uni_drc_sel_proc_output.sel_loud_eq_id =