author | Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de> | 2020-09-09 21:44:15 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2020-09-09 21:44:15 +0000 |
commit | d20df7ee146e7a0e04043c2d138bb3840a159d4a (patch) | |
tree | df6dc98477c262cdebd31d7adfe35c799c7223e9 | |
parent | 0ff211e4fb39226294e996e58b75bbc8681b416f (diff) | |
parent | 0468e02e5baaa9b0bad96b22aad1622a1ccd887b (diff) | |
[DO NOT MERGE] Fix heap buffer overflow in sbrDecoder_AssignQmfChannels2SbrChannels(). am: 50aa5be388 am: 0468e02e5b
Original change: https://googleplex-android-review.googlesource.com/c/platform/external/aac/+/12088847
Change-Id: I0f5863139bc848401b905625fdc572793755b8cf
-rw-r--r-- | libSBRdec/src/sbrdecoder.cpp | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/libSBRdec/src/sbrdecoder.cpp b/libSBRdec/src/sbrdecoder.cpp
index f9ded54..2452f8e 100644
--- a/libSBRdec/src/sbrdecoder.cpp
+++ b/libSBRdec/src/sbrdecoder.cpp
@@ -510,9 +510,6 @@ SBR_ERROR sbrDecoder_InitElement (
 self->numSbrChannels -= self->pSbrElement[elementIndex]->nChannels;
 }
- /* Save element ID for sanity checks and to have a fallback for concealment. */
- self->pSbrElement[elementIndex]->elementID = elementID;
-
 /* Determine amount of channels for this element */
 switch (elementID) {
 case ID_NONE:
@@ -540,6 +537,16 @@ SBR_ERROR sbrDecoder_InitElement (
 }
 }
+ /* Sanity check to avoid memory leaks */
+ if (elChannels < self->pSbrElement[elementIndex]->nChannels ||
+ (self->numSbrChannels + elChannels) > (8) + (1)) {
+ self->numSbrChannels += self->pSbrElement[elementIndex]->nChannels;
+ sbrError = SBRDEC_PARSE_ERROR;
+ goto bail;
+ }
+
+ /* Save element ID for sanity checks and to have a fallback for concealment. */
+ self->pSbrElement[elementIndex]->elementID = elementID;
 self->pSbrElement[elementIndex]->nChannels = elChannels;
 for (ch=0; ch<elChannels; ch++) |
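Review bot: The comment on the new guard, `/* Sanity check to avoid memory leaks */`, describes at most its first clause; the second clause, `(self->numSbrChannels + elChannels) > (8) + (1)`, is a bound on the total channel count and, going by the commit title, is the part that stops the heap overflow. I would reword the comment to `/* Reject a reduced channel count for an existing element, and any total above the SBR channel limit (prevents a heap overflow downstream). */` and, if the project has a named constant for that limit, use it instead of the bare `(8) + (1)` so the check cannot drift from the array it protects. The rollback `self->numSbrChannels += self->pSbrElement[elementIndex]->nChannels;` runs unconditionally on the error path, while the matching `-=` in the first hunk's context sits inside a block whose condition is not shown; it presumably relies on `nChannels` being zero for a newly created element, which deserves a short comment. sbrDecoder_InitElement starts and ends outside both hunks, so the `bail` cleanup cannot be checked from here.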