diff options
| author | Rajat Kumar <rajat.kumar@ittiam.com> | 2019-02-08 15:59:47 +0530 |
|---|---|---|
| committer | Ray Essick <essick@google.com> | 2019-03-01 17:56:08 -0800 |
| commit | a2e013254bf67aba3679a9966e66783a994441fd (patch) | |
| tree | 885241c3f187f9922abd710b4c9f600024b6e6bf | |
| parent | ee391b5dfade6345617a0af0c1b740dabc1a97aa (diff) | |
| download | libxaac-a2e013254bf67aba3679a9966e66783a994441fd.tar.gz | |
Fix for array out of bound access in multichannel.c file
Array common_gain_element_present was accessed with an index of 10,
so a check has been added as fix and error return code handling has
been modified.
Bug:124022181
Test: poc
Change-Id: Ic9be00f6a9cec2df433e7a5f86616da5e98c9e05
| -rw-r--r-- | decoder/ixheaacd_multichannel.c | 17 | ||||
| -rw-r--r-- | decoder/ixheaacd_multichannel.h | 2 |
2 files changed, 9 insertions, 10 deletions
diff --git a/decoder/ixheaacd_multichannel.c b/decoder/ixheaacd_multichannel.c index 1c276b6..b5f175c 100644 --- a/decoder/ixheaacd_multichannel.c +++ b/decoder/ixheaacd_multichannel.c @@ -129,7 +129,7 @@ WORD cblock_decode_huff_symbol(UWORD8 *ptr_read_next, WORD32 bit_pos, return tot_bits; } -WORD16 ixheaacd_dec_coupling_channel_element( +IA_ERRORCODE ixheaacd_dec_coupling_channel_element( ia_handle_bit_buf_struct bs, ia_aac_decoder_struct *aac_handle, WORD32 samp_rate_idx, ia_aac_dec_tables_struct *ptr_aac_tables, ixheaacd_misc_tables *common_tables_ptr, WORD *element_index_order, @@ -152,7 +152,7 @@ WORD16 ixheaacd_dec_coupling_channel_element( ptr_aac_tables->pstr_huffmann_tables->huffman_code_book_scl_index; WORD16 index, length; - WORD16 error_status = AAC_DEC_OK; + IA_ERRORCODE error_status = IA_NO_ERROR; element_instance_tag = ixheaacd_read_bits_buf(bs, 4); element_index_order[0] = element_instance_tag; @@ -179,7 +179,9 @@ WORD16 ixheaacd_dec_coupling_channel_element( } else ind_channel_info->elements_coupled[c] = 0; } - + if ((ind_sw_cce_flag == 0) && (num_gain_element_lists > MAX_BS_ELEMENT)) { + return IA_FATAL_ERROR; + } cc_domain = ixheaacd_read_bits_buf(bs, 1); gain_element_sign = ixheaacd_read_bits_buf(bs, 1); gain_element_scale = ixheaacd_read_bits_buf(bs, 2); @@ -207,8 +209,7 @@ WORD16 ixheaacd_dec_coupling_channel_element( else { common_gain_element_present[c] = ixheaacd_read_bits_buf(bs, 1); cge = common_gain_element_present[c]; - error_status = - (WORD)((WORD32)IA_ENHAACPLUS_DEC_EXE_FATAL_UNIMPLEMENTED_CCE); + return IA_ENHAACPLUS_DEC_EXE_FATAL_UNIMPLEMENTED_CCE; } if (cge) { UWORD8 *ptr_read_next = bs->ptr_read_next; @@ -244,13 +245,11 @@ WORD16 ixheaacd_dec_coupling_channel_element( } } } else { - error_status = - (WORD)((WORD32)IA_ENHAACPLUS_DEC_EXE_FATAL_UNIMPLEMENTED_CCE); + return IA_ENHAACPLUS_DEC_EXE_FATAL_UNIMPLEMENTED_CCE; } } if (bs->cnt_bits < 0) { - error_status = (WORD16)( - (WORD32)IA_ENHAACPLUS_DEC_EXE_NONFATAL_INSUFFICIENT_INPUT_BYTES); + return IA_ENHAACPLUS_DEC_EXE_NONFATAL_INSUFFICIENT_INPUT_BYTES; } return error_status; } diff --git a/decoder/ixheaacd_multichannel.h b/decoder/ixheaacd_multichannel.h index 2f280c7..9156f44 100644 --- a/decoder/ixheaacd_multichannel.h +++ b/decoder/ixheaacd_multichannel.h @@ -20,7 +20,7 @@ #ifndef IA_EAACP_DEC_MUTLCHANNEL_H #define IA_EAACP_DEC_MUTLCHANNEL_H -WORD16 ixheaacd_dec_coupling_channel_element( +IA_ERRORCODE ixheaacd_dec_coupling_channel_element( ia_handle_bit_buf_struct bs, ia_aac_decoder_struct *aac_handle, WORD32 sample_rate_idx, ia_aac_dec_tables_struct *ptr_aac_tables, ixheaacd_misc_tables *common_tables_ptr, WORD *element_index_order, |