[DO NOT MERGE] Fix heap buffer overflow in sbrDecoder_AssignQmfChannels2SbrChannels(). am: 50aa5be388

Original change: https://googleplex-android-review.googlesource.com/c/platform/external/aac/+/12088847

Change-Id: I40c07a02e1528540b24a5380cff1249ed5076193

1 files changed, 10 insertions, 3 deletions

diff --git a/libSBRdec/src/sbrdecoder.cpp b/libSBRdec/src/sbrdecoder.cpp
index f9ded54..2452f8e 100644
--- a/libSBRdec/src/sbrdecoder.cpp
+++ b/libSBRdec/src/sbrdecoder.cpp
@@ -510,9 +510,6 @@ SBR_ERROR sbrDecoder_InitElement (
       self->numSbrChannels -= self->pSbrElement[elementIndex]->nChannels;
     }
 
-    /* Save element ID for sanity checks and to have a fallback for concealment. */
-    self->pSbrElement[elementIndex]->elementID = elementID;
-
     /* Determine amount of channels for this element */
     switch (elementID) {
       case ID_NONE:
@@ -540,6 +537,16 @@ SBR_ERROR sbrDecoder_InitElement (
       }
     }
 
+    /* Sanity check to avoid memory leaks */
+    if (elChannels < self->pSbrElement[elementIndex]->nChannels ||
+        (self->numSbrChannels + elChannels) > (8) + (1)) {
+      self->numSbrChannels += self->pSbrElement[elementIndex]->nChannels;
+      sbrError = SBRDEC_PARSE_ERROR;
+      goto bail;
+    }
+
+    /* Save element ID for sanity checks and to have a fallback for concealment. */
+    self->pSbrElement[elementIndex]->elementID = elementID;
     self->pSbrElement[elementIndex]->nChannels = elChannels;
 
     for (ch=0; ch<elChannels; ch++)