From b1136d1c348261adc1801c8db04d25033a0bdb9f Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Thu, 9 Apr 2020 17:56:25 +0200
Subject: Check transportDec_OutOfBandConfig() input buffer size parameter.

Bug: 176246647
Test: atest DecoderTestXheAac DecoderTestAacDrc
Change-Id: I60ac86f09a5652c820d60dfdc12212637f888164
---
 libAACdec/src/aacdecoder_lib.cpp | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'libAACdec/src')

diff --git a/libAACdec/src/aacdecoder_lib.cpp b/libAACdec/src/aacdecoder_lib.cpp
index 4c0d347..0c13304 100644
--- a/libAACdec/src/aacdecoder_lib.cpp
+++ b/libAACdec/src/aacdecoder_lib.cpp
@@ -1179,8 +1179,10 @@ LINKSPEC_CPP AAC_DECODER_ERROR aacDecoder_DecodeFrame(HANDLE_AACDECODER self,
       aacDecoder_FreeMemCallback(self, &asc);
       self->streamInfo.numChannels = 0;
       /* 3) restore AudioSpecificConfig */
-      transportDec_OutOfBandConfig(self->hInput, asc.config,
-                                   (asc.configBits + 7) >> 3, 0);
+      if (asc.configBits <= (TP_USAC_MAX_CONFIG_LEN << 3)) {
+        transportDec_OutOfBandConfig(self->hInput, asc.config,
+                                     (asc.configBits + 7) >> 3, 0);
+      }
     }
   }
 
-- 
cgit v1.2.3