From c9ecca9cd87edee9072fb4a56bcc8f8053e441a6 Mon Sep 17 00:00:00 2001 From: Ramesh Katuri Date: Fri, 5 Oct 2018 18:00:42 +0530 Subject: [PATCH] Fix for OOB write in equalizer instructions parsing. Bound check was missing for eq_ch_group_count. Added as fix. Bug: 117216549 Test: vendor Change-Id: Ie36446a3604ae1cb2471dad0a938a96f2b7fff64 --- decoder/drc_src/impd_drc_dynamic_payload.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/decoder/drc_src/impd_drc_dynamic_payload.c b/decoder/drc_src/impd_drc_dynamic_payload.c index 3c5e0cb..35a3c37 100644 --- a/decoder/drc_src/impd_drc_dynamic_payload.c +++ b/decoder/drc_src/impd_drc_dynamic_payload.c @@ -1170,6 +1170,9 @@ WORD32 impd_parse_eq_instructions( } } + if (str_eq_instructions->eq_ch_group_count > EQ_CHANNEL_GROUP_COUNT_MAX) + return (UNEXPECTED_ERROR); + str_eq_instructions->td_filter_cascade_present = impd_read_bits_buf(it_bit_buff, 1); if (it_bit_buff->error) return it_bit_buff->error;