From 8e27e0bd3004b41ebc61be9f8b19a0cb4787f39b Mon Sep 17 00:00:00 2001
From: Jean-Michel Trivi
Date: Thu, 7 Mar 2019 12:52:29 -0800
Subject: AAC decoder: fix use of uninitialized value, check index

Initialize aInterpolate int array in mapIndexData(). Prevent index from accessing OOB value.
Bug: 120426980
Test: see bug
Change-Id: Ib9f1b5e143802d3d662af36fedcae8bf47ff09bc
---
 libSACdec/src/sac_bitdec.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libSACdec/src/sac_bitdec.cpp b/libSACdec/src/sac_bitdec.cpp
index 883e1e8..a1bdca4 100644
--- a/libSACdec/src/sac_bitdec.cpp
+++ b/libSACdec/src/sac_bitdec.cpp
@@ -1457,7 +1457,7 @@ static SACDEC_ERROR mapIndexData(
 FIXP_DBL (*pOttVsTotDb1)[MAX_PARAMETER_SETS][MAX_PARAMETER_BANDS],
 FIXP_DBL (*pOttVsTotDb2)[MAX_PARAMETER_SETS][MAX_PARAMETER_BANDS]) {
 int aParamSlots[MAX_PARAMETER_SETS];
- int aInterpolate[MAX_PARAMETER_SETS];
+ int aInterpolate[MAX_PARAMETER_SETS] = {0};
 int dataSets;
 int aMap[MAX_PARAMETER_BANDS + 1];
 
@@ -1562,6 +1562,7 @@ static SACDEC_ERROR mapIndexData(
 i2 = i;
 while (aInterpolate[i2] == 1) {
 i2++;
+ if (i2 >= MAX_PARAMETER_SETS) return MPS_WRONG_PARAMETERSETS;
 }
 x1 = paramSlot[i1];
 xi = paramSlot[i];
-- 
cgit v1.2.3
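Review bot: The new `= {0}` on `aInterpolate` in the first hunk has no comment saying why it is needed, so a later cleanup could drop it as redundant. A one-line comment such as `/* zero-init: the scan over aInterpolate may read entries not written for this frame */` would record the reason, which is presumably what the commit message means by "use of uninitialized value". The neighbouring `aParamSlots` and `aMap` are still declared without an initializer in the same block. Whether every element of those is written before it is read is not visible here and is worth confirming, since the same class of uninitialized read would apply. mapIndexData() begins and ends outside the hunk.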
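Review bot: The guard added inside `while (aInterpolate[i2] == 1)` in the second hunk compares `i2` with the array capacity `MAX_PARAMETER_SETS`, not with the number of parameter sets actually present in the frame, so it stops the out-of-bounds read of `aInterpolate` but can still leave `i2` on an entry past the valid sets. With the zero initializer from the first hunk the scan ends at the first untouched entry; if `i2` is then used to index `paramSlot` (the context lines show `paramSlot[i1]` and `paramSlot[i]`, and any use of `i2` falls outside the hunk), that slot may hold a value not set for this frame. If the frame's set count is in scope at this point, bounding on it would be tighter, e.g. `if (i2 >= <frame parameter-set count>) return MPS_WRONG_PARAMETERSETS;`, where the bracketed name is a placeholder. `i1` is assigned outside the hunk, so whether it can be negative when `paramSlot[i1]` is read cannot be checked from here.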