authorRajat Kumar <rajat.kumar@ittiam.com>2019-03-01 09:33:30 +0530
committerRay Essick <essick@google.com>2019-03-27 13:44:19 -0700
commitb338a5c64913b0a41c3880ec19232e0650d0542e (patch)
tree9595ed34e46d2d48d4a83658775adf3b2c2662b9
parent708b691836ad118b245ff1c80a6c83ae0adcc3be (diff)
downloadlibxaac-b338a5c64913b0a41c3880ec19232e0650d0542e.tar.gz
Fix for array and integer overflow in drc related functions
Added init done check before execute calls to avoid access of uninitialized data. Bug:126652455 Test: poc Change-Id: Ia33d05658d3830f27dfe607c4f4e96233c272e20
-rw-r--r--decoder/drc_src/impd_drc_api.c4
-rw-r--r--decoder/ixheaacd_api.c8
2 files changed, 9 insertions, 3 deletions
diff --git a/decoder/drc_src/impd_drc_api.c b/decoder/drc_src/impd_drc_api.c
index c0edced..65e54a6 100644
--- a/decoder/drc_src/impd_drc_api.c
+++ b/decoder/drc_src/impd_drc_api.c
@@ -452,7 +452,9 @@ IA_ERRORCODE ia_drc_dec_api(pVOID p_ia_drc_dec_obj, WORD32 i_cmd, WORD32 i_idx,
case IA_API_CMD_EXECUTE: {
switch (i_idx) {
case IA_CMD_TYPE_DO_EXECUTE: {
- if (p_obj_drc->str_config.dec_type == DEC_TYPE_TD) {
+ if (!p_obj_drc->p_state->ui_init_done) {
+ error_code = IA_FATAL_ERROR;
+ } else if (p_obj_drc->str_config.dec_type == DEC_TYPE_TD) {
error_code = impd_process_time_domain(p_obj_drc);
} else if (p_obj_drc->str_config.dec_type == DEC_TYPE_QMF64) {
error_code = impd_init_process_audio_main_qmf(p_obj_drc);
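Review bot: The new guard `if (!p_obj_drc->p_state->ui_init_done)` dereferences `p_state` before anything in this hunk establishes that the pointer itself has been assigned. If a caller can issue IA_CMD_TYPE_DO_EXECUTE before the state memory is set up, the check meant to prevent access to uninitialized data would itself read through an unset pointer. Whether an earlier command guarantees a valid `p_state` is not visible here, so either confirm that or write the guard as `if (p_obj_drc->p_state == NULL || !p_obj_drc->p_state->ui_init_done) {`. The same question applies to `p_state_aac` in the decoder/ixheaacd_api.c hunk. The enclosing switch starts and ends outside the hunk.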
diff --git a/decoder/ixheaacd_api.c b/decoder/ixheaacd_api.c
index 2652d27..f4e5bfb 100644
--- a/decoder/ixheaacd_api.c
+++ b/decoder/ixheaacd_api.c
@@ -805,8 +805,12 @@ IA_ERRORCODE ixheaacd_dec_api(pVOID p_ia_enhaacplus_dec_obj, WORD32 i_cmd,
switch (i_idx) {
case IA_CMD_TYPE_DO_EXECUTE: {
WORD32 err_code = 0;
- err_code = ixheaacd_dec_execute(p_obj_exhaacplus_dec);
- if (err_code != 0) {
+ if (!p_obj_exhaacplus_dec->p_state_aac->ui_init_done) {
+ err_code = IA_FATAL_ERROR;
+ } else {
+ err_code = ixheaacd_dec_execute(p_obj_exhaacplus_dec);
+ }
+ if (err_code != IA_NO_ERROR) {
p_obj_exhaacplus_dec->p_state_aac->i_bytes_consumed =
p_obj_exhaacplus_dec->p_state_aac->ui_in_bytes;
}
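Review bot: On the not-initialised path the code still falls into `if (err_code != IA_NO_ERROR)` and copies `p_state_aac->ui_in_bytes` into `i_bytes_consumed`, so a field of the state that was just judged uninitialised is read and reported back to the caller as a consumed-byte count. If `ui_in_bytes` is not guaranteed to hold a caller-supplied value before init completes (not visible in this hunk), this path should be handled separately from the decode-error branch, for example by returning from the guard without touching the state. A short comment such as `/* execute before init: reject without reading decoder state */` on the guard would also record why the check exists. Separately, `WORD32 err_code = 0;` could be initialised with `IA_NO_ERROR` to match the new comparison. The case body continues past the end of the hunk.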