From 2b5217a9532ab952c831693e208bdfcb6a0b50eb Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK
Date: Fri, 9 Aug 2019 17:07:19 +0200
Subject: Fix possible stack buffer overflow in mapIndexData().
Bug: 131430997
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: I160e7174f32dabe386fce1e9ec67d3c8cea60c78
---
 libSACdec/src/sac_bitdec.cpp | 24 +++++++++++-------------
 1 file changed, 11 insertions(+), 13 deletions(-)
(limited to 'libSACdec')
diff --git a/libSACdec/src/sac_bitdec.cpp b/libSACdec/src/sac_bitdec.cpp
index a1bdca4..c814b41 100644
--- a/libSACdec/src/sac_bitdec.cpp
+++ b/libSACdec/src/sac_bitdec.cpp
@@ -1,7 +1,7 @@
 /* -----------------------------------------------------------------------------
 Software License for The Fraunhofer FDK AAC Codec Library for Android
-© Copyright 1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten
+© Copyright 1995 - 2019 Fraunhofer-Gesellschaft zur Förderung der angewandten
 Forschung e.V. All rights reserved.
 1. INTRODUCTION
@@ -1554,22 +1554,20 @@ static SACDEC_ERROR mapIndexData(
 /* Interpolate */
 i1 = 0;
 for (i = 0; i < numParameterSets; i++) {
- int xi, i2, x1, x2;
-
 if (aInterpolate[i] != 1) {
 i1 = i;
- }
- i2 = i;
- while (aInterpolate[i2] == 1) {
- i2++;
- if (i2 >= MAX_PARAMETER_SETS) return MPS_WRONG_PARAMETERSETS;
- }
- x1 = paramSlot[i1];
- xi = paramSlot[i];
- x2 = paramSlot[i2];
+ } else {
+ int xi, i2, x1, x2;
- if (aInterpolate[i] == 1) {
+ for (i2 = i; i2 < numParameterSets; i2++) {
+ if (aInterpolate[i2] != 1) break;
+ }
 if (i2 >= numParameterSets) return MPS_WRONG_PARAMETERSETS;
+
+ x1 = paramSlot[i1];
+ xi = paramSlot[i];
+ x2 = paramSlot[i2];
+
 for (band = startBand; band < stopBand; band++) {
 int yi, y1, y2;
 y1 = outputIdxData[xttIdx][i1][band];
--
cgit v1.2.3
From 0be235952d653d9932b8cb180cdb16560506b98c Mon Sep 17 00:00:00 2001
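Review bot: The new scan `for (i2 = i; i2 < numParameterSets; i2++)` and the `paramSlot[i2]` read after it are bounded only by numParameterSets, and the hunk does not show that value being checked against MAX_PARAMETER_SETS, the limit the removed loop used. If that is not already enforced before this point, a guard such as `if (numParameterSets > MAX_PARAMETER_SETS) return MPS_WRONG_PARAMETERSETS;` ahead of the `for (i = 0; ...)` loop would make the fix self-contained. A short comment above the scan, for example `/* find the next set not marked for interpolation; none left is an error */`, would also record why i2 reaching numParameterSets is rejected. mapIndexData() starts and ends outside the hunk.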
From: Fraunhofer IIS FDK
Date: Fri, 9 Aug 2019 17:08:05 +0200
Subject: Solve potential dereference of null pointers in factorCLD().
Bug: 131430997
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: I27334567d1887755d62fadf2456fd5366869cbab
---
 libSACdec/src/sac_bitdec.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'libSACdec')
diff --git a/libSACdec/src/sac_bitdec.cpp b/libSACdec/src/sac_bitdec.cpp
index c814b41..4b47132 100644
--- a/libSACdec/src/sac_bitdec.cpp
+++ b/libSACdec/src/sac_bitdec.cpp
@@ -1586,9 +1586,9 @@ static SACDEC_ERROR mapIndexData(
 for (ps = 0; ps < numParameterSets; ps++) {
 if (quantMode && (paramType == t_CLD)) {
 if (pOttVsTotDbIn == 0) return MPS_WRONG_OTT;
- if ((pOttVsTotDb1 == 0) && (ottVsTotDbMode == ottVsTotDb1Activ))
+ if ((pOttVsTotDb1 == 0) && (ottVsTotDbMode & ottVsTotDb1Activ))
 return MPS_WRONG_OTT;
- if ((pOttVsTotDb2 == 0) && (ottVsTotDbMode == ottVsTotDb2Activ))
+ if ((pOttVsTotDb2 == 0) && (ottVsTotDbMode & ottVsTotDb2Activ))
 return MPS_WRONG_OTT;
 for (pb = startBand; pb < stopBand; pb++) {
--
cgit v1.2.3
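Review bot: The two `&` tests on ottVsTotDbMode only mean "this table is required" if ottVsTotDb1Activ and ottVsTotDb2Activ are disjoint single-bit values, and their definition is not visible in this hunk. A comment at the checks, for example `/* ottVsTotDbMode is a bit set; a combined mode needs both tables, so test each flag with & */`, would keep a later reader from restoring the `==` comparison that let a null table through. As far as the hunk shows, the pointer checks do not depend on `ps`, so they could presumably run once before the `for (ps = 0; ...)` loop. The enclosing function starts and ends outside the hunk.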