From 883c1143990c6d41abdadcb18cf8d084aeb8630d Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Thu, 9 Apr 2020 17:54:33 +0200
Subject: Validate DRC compression factor and DRC boost factor value range in
 aacDecoder_SetParam().

Bug: 176246647
Test: atest DecoderTestXheAac DecoderTestAacDrc
Change-Id: I1d8534145bcf400c5da58d64d3b7e73a87cb43be
---
 libAACdec/src/aacdecoder_lib.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libAACdec/src/aacdecoder_lib.cpp b/libAACdec/src/aacdecoder_lib.cpp
index 0f281eb..4c0d347 100644
--- a/libAACdec/src/aacdecoder_lib.cpp
+++ b/libAACdec/src/aacdecoder_lib.cpp
@@ -822,6 +822,9 @@ LINKSPEC_CPP AAC_DECODER_ERROR aacDecoder_SetParam(
 
     case AAC_DRC_ATTENUATION_FACTOR:
       /* DRC compression factor (where 0 is no and 127 is max compression) */
+      if ((value < 0) || (value > 127)) {
+        return AAC_DEC_SET_PARAM_FAIL;
+      }
       errorStatus = aacDecoder_drcSetParam(hDrcInfo, DRC_CUT_SCALE, value);
       uniDrcErr = FDK_drcDec_SetParam(self->hUniDrcDecoder, DRC_DEC_COMPRESS,
                                       value * (FL2FXCONST_DBL(0.5f / 127.0f)));
@@ -829,6 +832,9 @@ LINKSPEC_CPP AAC_DECODER_ERROR aacDecoder_SetParam(
 
     case AAC_DRC_BOOST_FACTOR:
       /* DRC boost factor (where 0 is no and 127 is max boost) */
+      if ((value < 0) || (value > 127)) {
+        return AAC_DEC_SET_PARAM_FAIL;
+      }
       errorStatus = aacDecoder_drcSetParam(hDrcInfo, DRC_BOOST_SCALE, value);
       uniDrcErr = FDK_drcDec_SetParam(self->hUniDrcDecoder, DRC_DEC_BOOST,
                                       value * (FL2FXCONST_DBL(0.5f / 127.0f)));
-- 
cgit v1.2.3


From 293ccc7fbc509cc0ba4d944bd1bb9ad6f79c037d Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Thu, 9 Apr 2020 17:54:50 +0200
Subject: Fix unsigned integer overflow in Hcr_State_BODY_SIGN_ESC__ESC_WORD().

Bug: 176246647
Test: atest DecoderTestXheAac DecoderTestAacDrc
Change-Id: I5eb0f88a55e856c427f9e4647332070f66e673c5
---
 libAACdec/src/aacdec_hcrs.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libAACdec/src/aacdec_hcrs.cpp b/libAACdec/src/aacdec_hcrs.cpp
index 44b32a5..5e3f9ac 100644
--- a/libAACdec/src/aacdec_hcrs.cpp
+++ b/libAACdec/src/aacdec_hcrs.cpp
@@ -1,7 +1,7 @@
 /* -----------------------------------------------------------------------------
 Software License for The Fraunhofer FDK AAC Codec Library for Android
 
-© Copyright  1995 - 2019 Fraunhofer-Gesellschaft zur Förderung der angewandten
+© Copyright  1995 - 2020 Fraunhofer-Gesellschaft zur Förderung der angewandten
 Forschung e.V. All rights reserved.
 
  1.    INTRODUCTION
@@ -173,7 +173,9 @@ void DecodeNonPCWs(HANDLE_FDK_BITSTREAM bs, H_HCR_INFO pHcr) {
     pHcr->segmentInfo.readDirection = FROM_RIGHT_TO_LEFT;
 
     /* Process sets subsequently */
+    numSet = fMin(numSet, (UCHAR)MAX_HCR_SETS);
     for (currentSet = 1; currentSet < numSet; currentSet++) {
+
       /* step 1 */
       numCodeword -=
           *pNumSegment; /* number of remaining non PCWs [for all sets] */
-- 
cgit v1.2.3