wrapper/libxaac
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix for OOB write in filter block parsing in drc

Browse source 
Bug: 116467350
Bug: 116469592
Test: vendor
Change-Id: I2f7bff1cec3d0d60e9d43217290392bf4e23d207
(cherry picked from commit 69a69acbc9)
This commit is contained in:
Ramesh Katuri 2018-09-27 15:46:40 +05:30 committed by android-build-team Robot
parent 6741db7ec8
commit dbf5e31aac
1 changed files with 6 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

7
decoder/drc_src/impd_drc_dynamic_payload.c
View file

@ -625,7 +625,8 @@ WORD32 impd_parse_filt_block(ia_bit_buf_struct* it_bit_buff,
for (j = 0; j < block_count; j++) {
str_filter_block->filter_element_count = impd_read_bits_buf(it_bit_buff, 6);
if (it_bit_buff->error) return it_bit_buff->error;
if (str_filter_block->filter_element_count > FILTER_ELEMENT_COUNT_MAX)
return UNEXPECTED_ERROR;
str_filter_element = &str_filter_block->str_filter_element[0];
for (k = 0; k < str_filter_block->filter_element_count; k++) {
temp = impd_read_bits_buf(it_bit_buff, 7);
@ -923,6 +924,10 @@ WORD32 impd_parse_eq_coefficients(ia_bit_buf_struct* it_bit_buff,
str_eq_coeff->unique_filter_block_count = impd_read_bits_buf(it_bit_buff, 6);
if (it_bit_buff->error) return it_bit_buff->error;
if (str_eq_coeff->unique_filter_block_count > FILTER_BLOCK_COUNT_MAX) {
return (UNEXPECTED_ERROR);
}
err = impd_parse_filt_block(it_bit_buff, &(str_eq_coeff->str_filter_block[0]),
str_eq_coeff->unique_filter_block_count);
if (err) return (err);