diff options
| author | Jean-Michel Trivi <jmtrivi@google.com> | 2017-10-24 17:39:19 -0700 |
|---|---|---|
| committer | Jean-Michel Trivi <jmtrivi@google.com> | 2017-11-02 16:25:34 +0000 |
| commit | 51f38b3a6d49eaa2b7b90e5ac79d13b97c3decbb (patch) | |
| tree | 442735a9cd9bf28a587c0ecb853bc80ffb9823b2 /libFDK | |
| parent | 9d4702f2d9ecec00c4e28de638b1f79afb5d696c (diff) | |
| download | fdk-aac-51f38b3a6d49eaa2b7b90e5ac79d13b97c3decbb.tar.gz fdk-aac-51f38b3a6d49eaa2b7b90e5ac79d13b97c3decbb.tar.bz2 fdk-aac-51f38b3a6d49eaa2b7b90e5ac79d13b97c3decbb.zip | |
DO NOT MERGE Prevent out of bound memory access in GetInvInt
In GetInvInt(int) function, malicious content can access memory
outside of the invCount array. Always bound access to valid
indices.
Test: see bug for malicious content, decoded with "stagefright -s -a"
Bug: 65025048
Change-Id: I92d4a14519f45d5a329d7f69f21f2aef0a8c6daa
Diffstat (limited to 'libFDK')
| -rw-r--r-- | libFDK/include/fixpoint_math.h | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/libFDK/include/fixpoint_math.h b/libFDK/include/fixpoint_math.h index 0d50f0a..6aa0a90 100644 --- a/libFDK/include/fixpoint_math.h +++ b/libFDK/include/fixpoint_math.h @@ -479,15 +479,19 @@ inline FIXP_DBL fAddSaturate(const FIXP_DBL a, const FIXP_DBL b) /** * \brief Calculate the value of 1/i where i is a integer value. It supports - * input values from 1 upto 80. + * input values from 0 upto 79. * \param intValue Integer input value. * \param FIXP_DBL representation of 1/intValue */ inline FIXP_DBL GetInvInt(int intValue) { - FDK_ASSERT((intValue > 0) && (intValue < 80)); - FDK_ASSERT(intValue<80); - return invCount[intValue]; + FDK_ASSERT((intValue >= 0) && (intValue < 80)); + if (intValue > 79) + return invCount[79]; + else if (intValue < 0) + return invCount[0]; + else + return invCount[intValue]; } |