diff options
| author | Rajat Kumar <rajat.kumar@ittiam.com> | 2019-04-29 17:54:00 +0530 |
|---|---|---|
| committer | Ray Essick <essick@google.com> | 2020-01-09 14:24:30 -0800 |
| commit | 0e6ba2531414125ee93d042f8264663206d7c9af (patch) | |
| tree | 50abd1a66d62299414fbbb1197fbf2446b4bdd6e /decoder/ixheaacd_esbr_envcal.c | |
| parent | da82edd619dd5679267750f9b68708dab2ad652e (diff) | |
| download | libxaac-0e6ba2531414125ee93d042f8264663206d7c9af.tar.gz | |
Fix for array out of bound esbr_envcalc file.
Added bound checks before access
Bug:131878685
Test: poc in bug
Change-Id: Ibd8dec7875509fc98f7c57d000bcc3635f36f297
Diffstat (limited to 'decoder/ixheaacd_esbr_envcal.c')
| -rw-r--r-- | decoder/ixheaacd_esbr_envcal.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/decoder/ixheaacd_esbr_envcal.c b/decoder/ixheaacd_esbr_envcal.c index c964bf6..492287d 100644 --- a/decoder/ixheaacd_esbr_envcal.c +++ b/decoder/ixheaacd_esbr_envcal.c @@ -207,12 +207,14 @@ WORD32 ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data, } for (i = 0; i < bs_num_env; i++) { + if (kk > MAX_NOISE_ENVELOPES) return IA_FATAL_ERROR; if (p_frame_info->border_vec[i] == p_frame_info->noise_border_vec[kk]) kk++, next++; start_pos = p_frame_info->border_vec[i]; end_pos = p_frame_info->border_vec[i + 1]; - + if ((start_pos < 0) || (end_pos > MAX_FREQ_COEFFS_SBR)) + return IA_FATAL_ERROR; for (t = start_pos; t < end_pos; t++) { band_loop_end = num_sf_bands[p_frame_info->freq_res[i]]; @@ -224,6 +226,7 @@ WORD32 ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data, for (k = 0; k < ui - li; k++) { o = (k + li >= ui2) ? o + 1 : o; + if (o >= MAX_NOISE_COEFFS) return IA_FATAL_ERROR; ui2 = freq_band_table_noise[o + 1]; frame_data->qmapped_pvc[c][t] = @@ -238,12 +241,14 @@ WORD32 ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data, next = -1; for (i = 0; i < bs_num_env; i++) { + if (kk > MAX_NOISE_ENVELOPES) return IA_FATAL_ERROR; if (p_frame_info->border_vec[i] == p_frame_info->noise_border_vec[kk]) kk++, next++; start_pos = pvc_frame_info->border_vec[i]; end_pos = pvc_frame_info->border_vec[i + 1]; - + if ((start_pos < 0) || (end_pos > MAX_FREQ_COEFFS_SBR)) + return IA_FATAL_ERROR; for (t = start_pos; t < end_pos; t++) { for (c = 0; c < 64; c++) { env_tmp[c][t] = env_out[64 * t + c]; @@ -301,6 +306,7 @@ WORD32 ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data, for (k = 0; k < ui - li; k++) { o = (k + li >= ui2) ? o + 1 : o; + if (o >= MAX_NOISE_COEFFS) return IA_FATAL_ERROR; ui2 = freq_band_table_noise[o + 1]; nrg_est_pvc[c][t] = (!int_mode) ? nrg : nrg_est_pvc[c][t]; nrg_tone_pvc[c][t] = 0.0f; @@ -419,6 +425,7 @@ WORD32 ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data, for (k = 0; k < ui - li; k++) { o = (k + li >= ui2) ? o + 1 : o; + if (o >= MAX_NOISE_COEFFS) return IA_FATAL_ERROR; ui2 = freq_band_table_noise[o + 1]; nrg_est_pvc[c][t] = (!int_mode) ? nrg : nrg_est_pvc[c][t]; nrg_tone_pvc[c][t] = 0.0f; @@ -612,6 +619,7 @@ WORD32 ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data, for (k = 0; k < ui - li; k++) { FLOAT64 guard = 1e-17; o = (k + li >= ui2) ? o + 1 : o; + if (o >= MAX_NOISE_COEFFS) return IA_FATAL_ERROR; ui2 = frame_data->pstr_sbr_header->pstr_freq_band_data ->freq_band_tbl_noise[o + 1]; nrg_ref[c] = sfb_nrg[m]; |