From 27c3a2bd1cc08b0096813474410c667468077d6e Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Tue, 16 Mar 2021 14:47:41 +0100 Subject: Check the number of available escapes in rvlcDecodeBackward() to avoid out-of-bounds access. Bug: 186777497 Test: atest android.media.cts.DecoderTestAacFormat android.media.cts.DecoderTestXheAac android.media.cts.DecoderTestAacDrc Change-Id: I42956a9fd7a8e78c3c0f4f553370ac5a9f1ac2ca --- libAACdec/src/rvlc.cpp | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) (limited to 'libAACdec/src') diff --git a/libAACdec/src/rvlc.cpp b/libAACdec/src/rvlc.cpp index b7a9be1..0b80364 100644 --- a/libAACdec/src/rvlc.cpp +++ b/libAACdec/src/rvlc.cpp @@ -1,7 +1,7 @@ /* ----------------------------------------------------------------------------- Software License for The Fraunhofer FDK AAC Codec Library for Android -© Copyright 1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten +© Copyright 1995 - 2021 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. All rights reserved. 1. INTRODUCTION @@ -628,7 +628,7 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc, SHORT *pScfBwd = pAacDecoderChannelInfo->pComData->overlay.aac.aRvlcScfBwd; SHORT *pScfEsc = pAacDecoderChannelInfo->pComData->overlay.aac.aRvlcScfEsc; - UCHAR *pEscEscCnt = &(pRvlc->numDecodedEscapeWordsEsc); + UCHAR escEscCnt = pRvlc->numDecodedEscapeWordsEsc; UCHAR *pEscBwdCnt = &(pRvlc->numDecodedEscapeWordsBwd); pRvlc->pRvlBitCnt_RVL = &(pRvlc->length_of_rvlc_sf_bwd); @@ -636,7 +636,7 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc, *pEscBwdCnt = 0; pRvlc->direction = BWD; - pScfEsc += *pEscEscCnt - 1; /* set pScfEsc to last entry */ + pScfEsc += escEscCnt - 1; /* set pScfEsc to last entry */ pRvlc->firstScf = 0; pRvlc->firstNrg = 0; pRvlc->firstIs = 0; @@ -651,7 +651,7 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc, } dpcm -= TABLE_OFFSET; if ((dpcm == MIN_RVL) || (dpcm == MAX_RVL)) { - if (pRvlc->length_of_rvlc_escapes) { + if ((pRvlc->length_of_rvlc_escapes) || (*pEscBwdCnt >= escEscCnt)) { pRvlc->conceal_min = bnds; return; } else { @@ -694,7 +694,7 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc, } dpcm -= TABLE_OFFSET; if ((dpcm == MIN_RVL) || (dpcm == MAX_RVL)) { - if (pRvlc->length_of_rvlc_escapes) { + if ((pRvlc->length_of_rvlc_escapes) || (*pEscBwdCnt >= escEscCnt)) { pScfBwd[bnds] = position; pRvlc->conceal_min = fMax(0, bnds - offset); return; @@ -731,7 +731,8 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc, } dpcm -= TABLE_OFFSET; if ((dpcm == MIN_RVL) || (dpcm == MAX_RVL)) { - if (pRvlc->length_of_rvlc_escapes) { + if ((pRvlc->length_of_rvlc_escapes) || + (*pEscBwdCnt >= escEscCnt)) { pScfBwd[bnds] = noisenrg; pRvlc->conceal_min = fMax(0, bnds - offset); return; @@ -762,7 +763,7 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc, } dpcm -= TABLE_OFFSET; if ((dpcm == MIN_RVL) || (dpcm == MAX_RVL)) { - if (pRvlc->length_of_rvlc_escapes) { + if ((pRvlc->length_of_rvlc_escapes) || (*pEscBwdCnt >= escEscCnt)) { pScfBwd[bnds] = factor; pRvlc->conceal_min = fMax(0, bnds - offset); return; -- cgit v1.2.3