Merge cherrypicks of [4986743, 4986744, 4987539, 4987168, 4986376, 4986377, 4986378, 4986889, 4986745, 4986746, 4986747, 4986748, 4986749, 4986750, 4986773, 4987169, 4987170, 4987611, 4987631, 4987632, 4987633, 4987634, 4986890, 4987612, 4987651, 4987598, 4987613, 4987614, 4987615, 4987599, 4986379, 4986380, 4987652, 4987653, 4987691, 4986774] into pi-qpr1-release

Change-Id: Ib805bf06d51e2a7e6f0d9bf2676dc1f21b6cbb9e
author: android-build-team Robot <android-build-team-robot@google.com> 2018-09-10 23:21:17 +0000
committer: android-build-team Robot <android-build-team-robot@google.com> 2018-09-10 23:21:17 +0000
commit: b97c2a93f288df43dd7cc0c45640509a17dddb18 (patch)
tree: 66fe1fc4eb2c283bcebf91e53f365c6b22f1b47c /libAACdec/src/aacdecoder.cpp
parent: f19e863cce96cc1e5f4ad7ce512810d5a2843ea6 (diff)
parent: 9744e41c40598c6a0b74440f3b5be63f9f3708a5 (diff)
download: fdk-aac-b97c2a93f288df43dd7cc0c45640509a17dddb18.tar.gz
fdk-aac-b97c2a93f288df43dd7cc0c45640509a17dddb18.tar.bz2
fdk-aac-b97c2a93f288df43dd7cc0c45640509a17dddb18.zip
1 files changed, 24 insertions, 1 deletions
diff --git a/libAACdec/src/aacdecoder.cpp b/libAACdec/src/aacdecoder.cpp
index b8b1327..362e0b6 100644
--- a/libAACdec/src/aacdecoder.cpp
+++ b/libAACdec/src/aacdecoder.cpp
@@ -2519,8 +2519,14 @@ LINKSPEC_CPP AAC_DECODER_ERROR CAacDecoder_DecodeFrame(
     if (!(self->flags[0] &
           (AC_USAC | AC_RSVD50 | AC_RSV603DA | AC_ELD | AC_SCALABLE | AC_ER)))
       type = (MP4_ELEMENT_ID)FDKreadBits(bs, 3);
-    else
+    else {
+      if (element_count >= (3 * ((8) * 2) + (((8) * 2)) / 2 + 4 * (1) + 1)) {
+        self->frameOK = 0;
+        ErrorStatus = AAC_DEC_PARSE_ERROR;
+        break;
+      }
       type = self->elements[element_count];
+    }
 
     if ((self->flags[streamIndex] & (AC_USAC | AC_RSVD50) &&
          element_count == 0) ||
@@ -2564,6 +2570,11 @@ LINKSPEC_CPP AAC_DECODER_ERROR CAacDecoder_DecodeFrame(
       case ID_USAC_SCE:
       case ID_USAC_CPE:
       case ID_USAC_LFE:
+        if (element_count >= (3 * ((8) * 2) + (((8) * 2)) / 2 + 4 * (1) + 1)) {
+          self->frameOK = 0;
+          ErrorStatus = AAC_DEC_PARSE_ERROR;
+          break;
+        }
 
         el_channels = CAacDecoder_GetELChannels(
             type, self->usacStereoConfigIndex[element_count]);
@@ -2795,12 +2806,24 @@ LINKSPEC_CPP AAC_DECODER_ERROR CAacDecoder_DecodeFrame(
       } break;
 
       case ID_EXT:
+        if (element_count >= (3 * ((8) * 2) + (((8) * 2)) / 2 + 4 * (1) + 1)) {
+          self->frameOK = 0;
+          ErrorStatus = AAC_DEC_PARSE_ERROR;
+          break;
+        }
+
         ErrorStatus = aacDecoder_ParseExplicitMpsAndSbr(
             self, bs, previous_element, previous_element_index, element_count,
             el_cnt);
         break;
 
       case ID_USAC_EXT: {
+        if ((element_count - element_count_prev_streams) >=
+            TP_USAC_MAX_ELEMENTS) {
+          self->frameOK = 0;
+          ErrorStatus = AAC_DEC_PARSE_ERROR;
+          break;
+        }
         /* parse extension element payload
            q.v. rsv603daExtElement() ISO/IEC DIS 23008-3  Table 30
            or   UsacExElement() ISO/IEC FDIS 23003-3:2011(E)  Table 21
author	android-build-team Robot <android-build-team-robot@google.com>	2018-09-10 23:21:17 +0000
committer	android-build-team Robot <android-build-team-robot@google.com>	2018-09-10 23:21:17 +0000
commit	b97c2a93f288df43dd7cc0c45640509a17dddb18 (patch)
tree	66fe1fc4eb2c283bcebf91e53f365c6b22f1b47c /libAACdec/src/aacdecoder.cpp
parent	f19e863cce96cc1e5f4ad7ce512810d5a2843ea6 (diff)
parent	9744e41c40598c6a0b74440f3b5be63f9f3708a5 (diff)
download	fdk-aac-b97c2a93f288df43dd7cc0c45640509a17dddb18.tar.gz fdk-aac-b97c2a93f288df43dd7cc0c45640509a17dddb18.tar.bz2 fdk-aac-b97c2a93f288df43dd7cc0c45640509a17dddb18.zip