author | Rajat kumar <rajat.kumar@ittiam.com> | 2019-11-08 10:19:50 +0530 |
committer | Ray Essick <essick@google.com> | 2020-03-05 12:24:41 -0800 |
commit | 7a984f6ccc04d61df1cecf097e2c33dcf42d287c (patch) | |
tree | fe242247d88fc4ad725cd59e669adbf88d628748 | |
parent | f60122a142a153fed7b68d9dee2fc9ad8941649a (diff) | |
Fix for segv in ixheaacd_read_bits_buf
When ixheaacd_drc_offset is negative, we read
backwards in the bit buffer. There was no bounds check to
make sure the read did not go beyond the start of the bit buffer.
This caused a SEGV.
As a fix, a bounds check has been added.
Bug:144134845
Test: poc in bug
Change-Id: I94c4362f26fdb463eb07f5006d0f36860aad8128
-rw-r--r-- | decoder/ixheaacd_common_initfuncs.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/decoder/ixheaacd_common_initfuncs.c b/decoder/ixheaacd_common_initfuncs.c
index 8b9930f..88fadcc 100644
--- a/decoder/ixheaacd_common_initfuncs.c
+++ b/decoder/ixheaacd_common_initfuncs.c
@@ -158,12 +158,13 @@ VOID ixheaacd_read_bidirection(ia_bit_buf_struct *it_bit_buff,
                                WORD32 ixheaacd_drc_offset) {
   if (ixheaacd_drc_offset != 0) {
     WORD32 byte_offset;
-
-    it_bit_buff->cnt_bits = it_bit_buff->cnt_bits - ixheaacd_drc_offset;
-    if (it_bit_buff->cnt_bits < 0) {
+    if ((it_bit_buff->cnt_bits < 0) ||
+        (it_bit_buff->cnt_bits - ixheaacd_drc_offset < 0) ||
+        (it_bit_buff->cnt_bits - ixheaacd_drc_offset > it_bit_buff->size)) {
       longjmp(*(it_bit_buff->xaac_jmp_buf),
               IA_ENHAACPLUS_DEC_EXE_NONFATAL_INSUFFICIENT_INPUT_BYTES);
     }
+    it_bit_buff->cnt_bits = it_bit_buff->cnt_bits - ixheaacd_drc_offset;
     it_bit_buff->bit_pos = it_bit_buff->bit_pos - ixheaacd_drc_offset;
     byte_offset = it_bit_buff->bit_pos >> 3;
     it_bit_buff->bit_pos = it_bit_buff->bit_pos - (byte_offset << 3);
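Review bot: The two added conditions compute `it_bit_buff->cnt_bits - ixheaacd_drc_offset` in WORD32, so an attacker-controlled offset near the negative extreme (e.g. close to INT32_MIN with a non-negative cnt_bits) overflows the signed subtraction before the comparison ever runs, which is undefined behaviour and may let the optimizer drop the very check this commit adds. Where ixheaacd_drc_offset is parsed from and whether an earlier caller already range-limits it is not visible in this hunk, so the concern is hedged on that. Computing the difference once in a wider type closes the gap and also removes the duplicated expression: `long long remaining = (long long)it_bit_buff->cnt_bits - ixheaacd_drc_offset;` followed by `if ((it_bit_buff->cnt_bits < 0) || (remaining < 0) || (remaining > it_bit_buff->size)) {`. The upper bound compares against `it_bit_buff->size`, whose unit (bits vs. bytes) is not established here; a one-line comment such as `/* size is in bits; cnt_bits must stay within [0, size] after the rewind */` would document the invariant if that is indeed the unit. The body of ixheaacd_read_bidirection continues past the end of the hunk, so whether the subsequent `bit_pos`/byte-pointer adjustment has its own lower-bound check cannot be judged from here.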