aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRajat kumar <rajat.kumar@ittiam.com>2019-11-08 10:19:50 +0530
committerRay Essick <essick@google.com>2020-03-05 12:24:41 -0800
commit7a984f6ccc04d61df1cecf097e2c33dcf42d287c (patch)
treefe242247d88fc4ad725cd59e669adbf88d628748
parentf60122a142a153fed7b68d9dee2fc9ad8941649a (diff)
downloadlibxaac-7a984f6ccc04d61df1cecf097e2c33dcf42d287c.tar.gz
Fix for segv in ixheaacd_read_bits_buf
When ixheaacd_drc_offset comes negative, we read backward in bitbuffer. There was no bound check to make sure it did not go beyond the start of bitbuffer. This caused a SEGV. As a fix, bound check has been added. Bug:144134845 Test: poc in bug Change-Id: I94c4362f26fdb463eb07f5006d0f36860aad8128
Diffstat
-rw-r--r--decoder/ixheaacd_common_initfuncs.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/decoder/ixheaacd_common_initfuncs.c b/decoder/ixheaacd_common_initfuncs.c
index 8b9930f..88fadcc 100644
--- a/decoder/ixheaacd_common_initfuncs.c
+++ b/decoder/ixheaacd_common_initfuncs.c
@@ -158,12 +158,13 @@ VOID ixheaacd_read_bidirection(ia_bit_buf_struct *it_bit_buff,
WORD32 ixheaacd_drc_offset) {
if (ixheaacd_drc_offset != 0) {
WORD32 byte_offset;
-
- it_bit_buff->cnt_bits = it_bit_buff->cnt_bits - ixheaacd_drc_offset;
- if (it_bit_buff->cnt_bits < 0) {
+ if ((it_bit_buff->cnt_bits < 0) ||
+ (it_bit_buff->cnt_bits - ixheaacd_drc_offset < 0) ||
+ (it_bit_buff->cnt_bits - ixheaacd_drc_offset > it_bit_buff->size)) {
longjmp(*(it_bit_buff->xaac_jmp_buf),
IA_ENHAACPLUS_DEC_EXE_NONFATAL_INSUFFICIENT_INPUT_BYTES);
}
+ it_bit_buff->cnt_bits = it_bit_buff->cnt_bits - ixheaacd_drc_offset;
it_bit_buff->bit_pos = it_bit_buff->bit_pos - ixheaacd_drc_offset;
byte_offset = it_bit_buff->bit_pos >> 3;
it_bit_buff->bit_pos = it_bit_buff->bit_pos - (byte_offset << 3);
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-24 09:51:34 +0000