From 794c8370365aff2824cf2e49f2f2f3bd6e92bcf3 Mon Sep 17 00:00:00 2001 From: Rajat kumar Date: Sun, 26 Jul 2020 17:00:49 +0530 Subject: [PATCH] Fix for array out of bound access in impd_drc_get_gain Add necessary checks to avoid any possible array out of bounds operation in the impd_drc_get_gain function. Bug: 161820233 Test: poc in bug Change-Id: Ie55fbbc18c76f224983d1032641de4df4dce3fb3 --- decoder/drc_src/impd_drc_static_payload.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/decoder/drc_src/impd_drc_static_payload.c b/decoder/drc_src/impd_drc_static_payload.c index 6eb5a23..e389c24 100644 --- a/decoder/drc_src/impd_drc_static_payload.c +++ b/decoder/drc_src/impd_drc_static_payload.c @@ -1414,17 +1414,21 @@ impd_dec_gain_modifiers(ia_bit_buf_struct* it_bit_buff, WORD32 version, impd_read_bits_buf(it_bit_buff, 1); if (it_bit_buff->error) return it_bit_buff->error; if (pstr_gain_modifiers->target_characteristic_left_present[b]) { - pstr_gain_modifiers->target_characteristic_left_index[b] = - impd_read_bits_buf(it_bit_buff, 4); + WORD32 tmp_index = impd_read_bits_buf(it_bit_buff, 4); if (it_bit_buff->error) return it_bit_buff->error; + if (tmp_index >= SPLIT_CHARACTERISTIC_COUNT_MAX) + return (UNEXPECTED_ERROR); + pstr_gain_modifiers->target_characteristic_left_index[b] = tmp_index; } pstr_gain_modifiers->target_characteristic_right_present[b] = impd_read_bits_buf(it_bit_buff, 1); if (it_bit_buff->error) return it_bit_buff->error; if (pstr_gain_modifiers->target_characteristic_right_present[b]) { - pstr_gain_modifiers->target_characteristic_right_index[b] = - impd_read_bits_buf(it_bit_buff, 4); + WORD32 tmp_index = impd_read_bits_buf(it_bit_buff, 4); if (it_bit_buff->error) return it_bit_buff->error; + if (tmp_index >= SPLIT_CHARACTERISTIC_COUNT_MAX) + return (UNEXPECTED_ERROR); + pstr_gain_modifiers->target_characteristic_right_index[b] = tmp_index; } pstr_gain_modifiers->gain_scaling_flag[b] = impd_read_bits_buf(it_bit_buff, 1);