aboutsummaryrefslogtreecommitdiffstats
path: root/libAACdec
diff options
context:
space:
mode:
authorFraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>2021-03-16 14:47:41 +0100
committerJean-Michel Trivi <jmtrivi@google.com>2021-04-29 13:04:17 -0700
commit27c3a2bd1cc08b0096813474410c667468077d6e (patch)
treee993a2171b4ddf748111802d28b574e4fccaac55 /libAACdec
parenta1edc32174933c375f84f202dddadd5dfb862060 (diff)
downloadfdk-aac-27c3a2bd1cc08b0096813474410c667468077d6e.tar.gz
fdk-aac-27c3a2bd1cc08b0096813474410c667468077d6e.tar.bz2
fdk-aac-27c3a2bd1cc08b0096813474410c667468077d6e.zip
Check the number of available escapes in rvlcDecodeBackward() to avoid out-of-bounds access.
Bug: 186777497 Test: atest android.media.cts.DecoderTestAacFormat android.media.cts.DecoderTestXheAac android.media.cts.DecoderTestAacDrc Change-Id: I42956a9fd7a8e78c3c0f4f553370ac5a9f1ac2ca
Diffstat (limited to 'libAACdec')
-rw-r--r--libAACdec/src/rvlc.cpp15
1 files changed, 8 insertions, 7 deletions
diff --git a/libAACdec/src/rvlc.cpp b/libAACdec/src/rvlc.cpp
index b7a9be1..0b80364 100644
--- a/libAACdec/src/rvlc.cpp
+++ b/libAACdec/src/rvlc.cpp
@@ -1,7 +1,7 @@
/* -----------------------------------------------------------------------------
Software License for The Fraunhofer FDK AAC Codec Library for Android
-© Copyright 1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten
+© Copyright 1995 - 2021 Fraunhofer-Gesellschaft zur Förderung der angewandten
Forschung e.V. All rights reserved.
1. INTRODUCTION
@@ -628,7 +628,7 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc,
SHORT *pScfBwd = pAacDecoderChannelInfo->pComData->overlay.aac.aRvlcScfBwd;
SHORT *pScfEsc = pAacDecoderChannelInfo->pComData->overlay.aac.aRvlcScfEsc;
- UCHAR *pEscEscCnt = &(pRvlc->numDecodedEscapeWordsEsc);
+ UCHAR escEscCnt = pRvlc->numDecodedEscapeWordsEsc;
UCHAR *pEscBwdCnt = &(pRvlc->numDecodedEscapeWordsBwd);
pRvlc->pRvlBitCnt_RVL = &(pRvlc->length_of_rvlc_sf_bwd);
@@ -636,7 +636,7 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc,
*pEscBwdCnt = 0;
pRvlc->direction = BWD;
- pScfEsc += *pEscEscCnt - 1; /* set pScfEsc to last entry */
+ pScfEsc += escEscCnt - 1; /* set pScfEsc to last entry */
pRvlc->firstScf = 0;
pRvlc->firstNrg = 0;
pRvlc->firstIs = 0;
@@ -651,7 +651,7 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc,
}
dpcm -= TABLE_OFFSET;
if ((dpcm == MIN_RVL) || (dpcm == MAX_RVL)) {
- if (pRvlc->length_of_rvlc_escapes) {
+ if ((pRvlc->length_of_rvlc_escapes) || (*pEscBwdCnt >= escEscCnt)) {
pRvlc->conceal_min = bnds;
return;
} else {
@@ -694,7 +694,7 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc,
}
dpcm -= TABLE_OFFSET;
if ((dpcm == MIN_RVL) || (dpcm == MAX_RVL)) {
- if (pRvlc->length_of_rvlc_escapes) {
+ if ((pRvlc->length_of_rvlc_escapes) || (*pEscBwdCnt >= escEscCnt)) {
pScfBwd[bnds] = position;
pRvlc->conceal_min = fMax(0, bnds - offset);
return;
@@ -731,7 +731,8 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc,
}
dpcm -= TABLE_OFFSET;
if ((dpcm == MIN_RVL) || (dpcm == MAX_RVL)) {
- if (pRvlc->length_of_rvlc_escapes) {
+ if ((pRvlc->length_of_rvlc_escapes) ||
+ (*pEscBwdCnt >= escEscCnt)) {
pScfBwd[bnds] = noisenrg;
pRvlc->conceal_min = fMax(0, bnds - offset);
return;
@@ -762,7 +763,7 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc,
}
dpcm -= TABLE_OFFSET;
if ((dpcm == MIN_RVL) || (dpcm == MAX_RVL)) {
- if (pRvlc->length_of_rvlc_escapes) {
+ if ((pRvlc->length_of_rvlc_escapes) || (*pEscBwdCnt >= escEscCnt)) {
pScfBwd[bnds] = factor;
pRvlc->conceal_min = fMax(0, bnds - offset);
return;