author | Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de> | 2021-03-16 14:47:41 +0100 |
---|---|---|
committer | Jean-Michel Trivi <jmtrivi@google.com> | 2021-04-29 13:04:17 -0700 |
commit | 27c3a2bd1cc08b0096813474410c667468077d6e (patch) | |
tree | e993a2171b4ddf748111802d28b574e4fccaac55 /libAACdec/src | |
parent | a1edc32174933c375f84f202dddadd5dfb862060 (diff) | |
Check the number of available escapes in rvlcDecodeBackward() to avoid out-of-bounds access.
Bug: 186777497
Test: atest android.media.cts.DecoderTestAacFormat android.media.cts.DecoderTestXheAac android.media.cts.DecoderTestAacDrc
Change-Id: I42956a9fd7a8e78c3c0f4f553370ac5a9f1ac2ca
Diffstat (limited to 'libAACdec/src')
-rw-r--r-- | libAACdec/src/rvlc.cpp | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/libAACdec/src/rvlc.cpp b/libAACdec/src/rvlc.cpp
index b7a9be1..0b80364 100644
--- a/libAACdec/src/rvlc.cpp
+++ b/libAACdec/src/rvlc.cpp
@@ -1,7 +1,7 @@
 /* -----------------------------------------------------------------------------
 Software License for The Fraunhofer FDK AAC Codec Library for Android
-© Copyright 1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten
+© Copyright 1995 - 2021 Fraunhofer-Gesellschaft zur Förderung der angewandten
 Forschung e.V. All rights reserved.
 1. INTRODUCTION
@@ -628,7 +628,7 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc,
 SHORT *pScfBwd = pAacDecoderChannelInfo->pComData->overlay.aac.aRvlcScfBwd;
 SHORT *pScfEsc = pAacDecoderChannelInfo->pComData->overlay.aac.aRvlcScfEsc;
- UCHAR *pEscEscCnt = &(pRvlc->numDecodedEscapeWordsEsc);
+ UCHAR escEscCnt = pRvlc->numDecodedEscapeWordsEsc;
 UCHAR *pEscBwdCnt = &(pRvlc->numDecodedEscapeWordsBwd);
 pRvlc->pRvlBitCnt_RVL = &(pRvlc->length_of_rvlc_sf_bwd);
@@ -636,7 +636,7 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc,
 *pEscBwdCnt = 0;
 pRvlc->direction = BWD;
- pScfEsc += *pEscEscCnt - 1; /* set pScfEsc to last entry */
+ pScfEsc += escEscCnt - 1; /* set pScfEsc to last entry */
 pRvlc->firstScf = 0;
 pRvlc->firstNrg = 0;
 pRvlc->firstIs = 0;
@@ -651,7 +651,7 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc,
 }
 dpcm -= TABLE_OFFSET;
 if ((dpcm == MIN_RVL) || (dpcm == MAX_RVL)) {
- if (pRvlc->length_of_rvlc_escapes) {
+ if ((pRvlc->length_of_rvlc_escapes) || (*pEscBwdCnt >= escEscCnt)) {
 pRvlc->conceal_min = bnds;
 return;
 } else {
@@ -694,7 +694,7 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc,
 }
 dpcm -= TABLE_OFFSET;
 if ((dpcm == MIN_RVL) || (dpcm == MAX_RVL)) {
- if (pRvlc->length_of_rvlc_escapes) {
+ if ((pRvlc->length_of_rvlc_escapes) || (*pEscBwdCnt >= escEscCnt)) {
 pScfBwd[bnds] = position;
 pRvlc->conceal_min = fMax(0, bnds - offset);
 return;
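Review bot: In the `@@ -636` hunk, `pScfEsc += escEscCnt - 1;` still runs when `escEscCnt` is 0, which moves `pScfEsc` to one element before `aRvlcScfEsc`. The new `*pEscBwdCnt >= escEscCnt` guards appear to keep that pointer from being dereferenced (the escape-consuming else branches lie outside the hunks, so this is inferred), but forming a pointer before the start of an array is already undefined behaviour in C and C++. Making the adjustment conditional, `if (escEscCnt > 0) pScfEsc += escEscCnt - 1;`, keeps the pointer inside the array for every input. The hunks also do not show where `numDecodedEscapeWordsEsc` is bounded against the capacity of `aRvlcScfEsc`; that upper bound is worth confirming, since this line trusts it.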
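Review bot: The added `(*pEscBwdCnt >= escEscCnt)` test in the `@@ -651` hunk has no comment saying that it is the bounds check for the backward walk over `aRvlcScfEsc`, and it is merged into the existing `length_of_rvlc_escapes` test, so a reader cannot tell which of the two conditions led to concealment. A comment above the `if`, such as `/* conceal: no decoded escape word left to read backwards from aRvlcScfEsc */`, would record the intent. The same expression is repeated in the `@@ -694`, `@@ -731` and `@@ -762` hunks; a local flag or a small `static inline` predicate would keep the four sites from drifting apart. The body of rvlcDecodeBackward() starts and ends outside these hunks.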
@@ -731,7 +731,8 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc,
 }
 dpcm -= TABLE_OFFSET;
 if ((dpcm == MIN_RVL) || (dpcm == MAX_RVL)) {
- if (pRvlc->length_of_rvlc_escapes) {
+ if ((pRvlc->length_of_rvlc_escapes) ||
+ (*pEscBwdCnt >= escEscCnt)) {
 pScfBwd[bnds] = noisenrg;
 pRvlc->conceal_min = fMax(0, bnds - offset);
 return;
@@ -762,7 +763,7 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc,
 }
 dpcm -= TABLE_OFFSET;
 if ((dpcm == MIN_RVL) || (dpcm == MAX_RVL)) {
- if (pRvlc->length_of_rvlc_escapes) {
+ if ((pRvlc->length_of_rvlc_escapes) || (*pEscBwdCnt >= escEscCnt)) {
 pScfBwd[bnds] = factor;
 pRvlc->conceal_min = fMax(0, bnds - offset);
 return; |