From 6d3dd40e204bf550abcfa589bd9615df8778e118 Mon Sep 17 00:00:00 2001 From: Jean-Michel Trivi Date: Mon, 30 Oct 2017 11:31:03 -0700 Subject: Fix out of bound memory access in lppTransposer In TRANSPOSER_SETTINGS, initialize the whole bwBorders array to a reasonable value to guarantee correct termination in while loop in lppTransposer function. This fixes the reported bug. For completeness: - clear the whole bwIndex array instead of noOfPatches entries only. - abort criterion in while loop to prevent potential infinite loop, and limit bwIndex[patch] to a valid range. Test: see bug for malicious content, decoded with "stagefright -s -a" Bug: 65280786 Change-Id: I16ed2e1c0f1601926239a652ca20a91284151843 --- libSBRdec/src/lpp_tran.cpp | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'libSBRdec') diff --git a/libSBRdec/src/lpp_tran.cpp b/libSBRdec/src/lpp_tran.cpp index 117e739..343aec3 100644 --- a/libSBRdec/src/lpp_tran.cpp +++ b/libSBRdec/src/lpp_tran.cpp @@ -293,7 +293,7 @@ void lppTransposer (HANDLE_SBR_LPP_TRANS hLppTrans, /*!< Handle of lpp transp } /* init bwIndex for each patch */ - FDKmemclear(bwIndex, pSettings->noOfPatches*sizeof(INT)); + FDKmemclear(bwIndex, MAX_NUM_PATCHES*sizeof(INT)); /* Calc common low band scale factor @@ -621,9 +621,9 @@ void lppTransposer (HANDLE_SBR_LPP_TRANS hLppTrans, /*!< Handle of lpp transp FDK_ASSERT( hiBand < (64) ); /* bwIndex[patch] is already initialized with value from previous band inside this patch */ - while (hiBand >= pSettings->bwBorders[bwIndex[patch]]) + while (hiBand >= pSettings->bwBorders[bwIndex[patch]] && bwIndex[patch] < MAX_NUM_PATCHES-1) { bwIndex[patch]++; - + } /* Filter Step 2: add the left slope with the current filter to the buffer @@ -962,6 +962,10 @@ resetLppTransposer (HANDLE_SBR_LPP_TRANS hLppTrans, /*!< Handle of lpp transpos for(i = 0 ; i < noNoiseBands; i++){ pSettings->bwBorders[i] = noiseBandTable[i+1]; } + for (;i < MAX_NUM_NOISE_VALUES; i++) { + pSettings->bwBorders[i] = 255; + } + /* * Choose whitening factors -- cgit v1.2.3