author | Jean-Michel Trivi <jmtrivi@google.com> | 2016-03-21 14:12:19 -0700 |
---|---|---|
committer | Jean-Michel Trivi <jmtrivi@google.com> | 2016-03-21 21:59:22 +0000 |
commit | a06d1c2b9af1621037b48557aac42b5ecbdb03b3 | |
tree | 91a3d02b4e8f917207648edac2f49b2b10f81dcb | |
parent | fa3eba16446cc8f2f5e2dfc20d86a49dbd37299e | |
Fix stack corruption happening in aacDecoder_drcExtractAndMap()
In the aacDecoder_drcExtractAndMap() function, self->numThreads
can be used after having exceeded its intended max value,
MAX_DRC_THREADS, causing memory to be cleared after the
threadBs[MAX_DRC_THREADS] array.
The crash is prevented by never using self->numThreads with
a value equal to or greater than MAX_DRC_THREADS.
A proper fix will be required as there seems to be an issue as
to which entry in the threadBs array is meant to be initialized
and used.
Bug 26751339
Change-Id: I655cc40c35d4206ab72e83b2bdb751be2fe52b5a
-rw-r--r-- | libAACdec/src/aacdec_drc.cpp | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/libAACdec/src/aacdec_drc.cpp b/libAACdec/src/aacdec_drc.cpp index 2666454..f939a1a 100644 --- a/libAACdec/src/aacdec_drc.cpp +++ b/libAACdec/src/aacdec_drc.cpp @@ -2,7 +2,7 @@ /* ----------------------------------------------------------------------------------------------------------- Software License for The Fraunhofer FDK AAC Codec Library for Android -© Copyright 1995 - 2013 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. +© Copyright 1995 - 2013 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. All rights reserved. 1. INTRODUCTION @@ -680,6 +680,10 @@ static int aacDecoder_drcExtractAndMap ( } self->numPayloads = 0; + if (self->numThreads >= MAX_DRC_THREADS) { + self->numThreads = MAX_DRC_THREADS - 1; + } + if (self->dvbAncDataAvailable) { /* Append a DVB heavy compression payload thread if available. */ int bitsParsed; @@ -706,6 +710,10 @@ static int aacDecoder_drcExtractAndMap ( /* coupling channels not supported */ + if (self->numThreads >= MAX_DRC_THREADS) { + self->numThreads = MAX_DRC_THREADS - 1; + } + /* check for valid threads */ for (thread = 0; thread < self->numThreads; thread++) { CDrcPayload *pThreadBs = &threadBs[thread]; |
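Review bot: The copyright line in the license header (hunk at -2,7) is removed and re-added with no visible textual difference, which points to an encoding or whitespace change made by the editor rather than an intended edit. It accounts for the single deletion in the diffstat and is unrelated to the DRC fix. Suggest reverting that line so the patch touches only aacDecoder_drcExtractAndMap().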
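Review bot: The clamp placed before the `if (self->dvbAncDataAvailable)` block (hunk at -680,6) rewrites self->numThreads to MAX_DRC_THREADS - 1 with no trace that the count was out of range, so any payload threads counted beyond that point are dropped silently, and the slot the DVB payload is appended to may be one that already holds parsed data. Suggest bounding the count where numThreads is incremented and rejecting or logging the overflow there, instead of correcting the value afterwards. The commit message itself says it is still unclear which threadBs entry is meant to be initialized and used, so a comment at the clamp referencing the bug and stating that this is a stop-gap would help the next reader.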
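Review bot: In the second clamp, just before the "check for valid threads" loop (hunk at -706,6), limiting numThreads to MAX_DRC_THREADS - 1 is one lower than the visible loop requires: `thread < self->numThreads` with numThreads == MAX_DRC_THREADS still indexes only threadBs[0] through threadBs[MAX_DRC_THREADS - 1], so a legitimately full array now has its last entry skipped by validation. If this loop is the only consumer at this point, `if (self->numThreads > MAX_DRC_THREADS) self->numThreads = MAX_DRC_THREADS;` would be sufficient here. The same three-line clamp also appears twice in the function; a small helper or macro with one explanatory comment would keep the two sites from drifting apart.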