diff options
author | Ramesh Katuri <ramesh.katuri@ittiam.com> | 2018-09-06 15:43:35 +0530 |
---|---|---|
committer | Ray Essick <essick@google.com> | 2018-09-18 13:05:13 -0700 |
commit | b25f096d7b4a21689cf8d66d9f016f506fe49845 (patch) | |
tree | a5d94f17824f39414fc83e7a648473f050b43f12 /decoder/ixheaacd_bitbuffer.c | |
parent | 9669ec83492da67f835f55caf26a3fecaa948092 (diff) | |
download | libxaac-b25f096d7b4a21689cf8d66d9f016f506fe49845.tar.gz |
Fix for heap buffer overflow in huff code reorder
For this stream, input size is very high that causes
huffman decoding to access beyond bit-buffer pointer
end limit due to no OOB access check. As a fix,added
this check in the bit read functionality.
Bug:112611181
Bug:113508101
Test: poc before/after
Change-Id: I4b7cc9624a388e8a20c7d4b11998dfed9c90d3f6
Diffstat (limited to 'decoder/ixheaacd_bitbuffer.c')
-rw-r--r-- | decoder/ixheaacd_bitbuffer.c | 21 |
1 files changed, 11 insertions, 10 deletions
diff --git a/decoder/ixheaacd_bitbuffer.c b/decoder/ixheaacd_bitbuffer.c index 847815f..3c25161 100644 --- a/decoder/ixheaacd_bitbuffer.c +++ b/decoder/ixheaacd_bitbuffer.c @@ -142,21 +142,22 @@ UWORD32 ixheaacd_aac_read_2bytes(UWORD8 **ptr_read_next, WORD32 *bit_pos, } UWORD32 ixheaacd_aac_read_byte_corr1(UWORD8 **ptr_read_next, - WORD16 *ptr_bit_pos, WORD32 *readword) { + WORD32 *ptr_bit_pos, WORD32 *readword, + UWORD8 *p_bit_buf_end) { UWORD8 *v = *ptr_read_next; - WORD16 bits_consumed = *ptr_bit_pos; + WORD32 bits_consumed = *ptr_bit_pos; + WORD32 temp_bit_count = 0; while (bits_consumed >= 8) { - if ((bits_consumed -= 8) >= 0) { - { - *readword = (*readword << 8) | *v; - v++; - } - } else { - bits_consumed += 8; + bits_consumed -= 8; + if ((p_bit_buf_end < v) && (p_bit_buf_end != 0)) + temp_bit_count += 8; + else { + *readword = (*readword << 8) | *v; + v++; } } - *ptr_bit_pos = bits_consumed; + *ptr_bit_pos = bits_consumed + temp_bit_count; *ptr_read_next = v; return 1; } |