diff options
author | Ramesh Katuri <ramesh.katuri@ittiam.com> | 2018-11-09 18:56:44 +0530 |
---|---|---|
committer | Ray Essick <essick@google.com> | 2019-01-04 12:20:07 -0800 |
commit | 5148d0d2878b6fbb848c89f159c48064dab80f3c (patch) | |
tree | dfaa33d33210b5c6e97003b546e17f8ad1894d45 /test | |
parent | 69b0c9364d16cc65c2381b149aa0078a98c70b76 (diff) | |
download | libxaac-5148d0d2878b6fbb848c89f159c48064dab80f3c.tar.gz |
Fix for heap buffer overflow in xaac decoder test bench
In Xaac decoder frame size information is obtained from ia_mp4_stsz_size array
using frame counter. Due to some bad frames in the stream frame counter is not
getting updated properly which is causing heap buffer overflow.
As a fix
1. We added check on frame counter value before accessing ia_mp4_stsz_size[]
2. Frame counter value is updated properly even if input frame is an erroneous
frame
Bug:119005793
Test: vendor, poc
Change-Id: I402cf9b4d5641545fdaaf433f0a4a43c293e5dd9
Diffstat (limited to 'test')
-rw-r--r-- | test/ixheaacd_main.c | 19 | ||||
-rw-r--r-- | test/ixheaacd_metadata_read.c | 6 |
2 files changed, 21 insertions, 4 deletions
diff --git a/test/ixheaacd_main.c b/test/ixheaacd_main.c index 6b889ad..fca49c3 100644 --- a/test/ixheaacd_main.c +++ b/test/ixheaacd_main.c @@ -1211,10 +1211,21 @@ int ixheaacd_main_process(WORD32 argc, pWORD8 argv[]) { if (raw_testing) { ixheaacd_i_bytes_to_read = get_metadata_dec_exec(meta_info, frame_counter); + + if (ixheaacd_i_bytes_to_read <= 0) { + err_code = (*p_ia_process_api)(pv_ia_process_api_obj, + IA_API_CMD_INPUT_OVER, 0, NULL); + + _IA_HANDLE_ERROR(p_proc_err_info, (pWORD8) "", err_code); + + return IA_NO_ERROR; + } + /* Set number of bytes to be processed */ err_code = (*p_ia_process_api)(pv_ia_process_api_obj, IA_API_CMD_SET_INPUT_BYTES, 0, &ixheaacd_i_bytes_to_read); + init_iteration++; } else { /* Set number of bytes to be processed */ err_code = (*p_ia_process_api)( @@ -1235,6 +1246,10 @@ int ixheaacd_main_process(WORD32 argc, pWORD8 argv[]) { err_code = (*p_ia_process_api)(pv_ia_process_api_obj, IA_API_CMD_INIT, IA_CMD_TYPE_INIT_DONE_QUERY, &ui_init_done); + if (init_iteration > 2 && ui_init_done == 0) { + frame_counter++; + } + _IA_HANDLE_ERROR(p_proc_err_info, (pWORD8) "", err_code); /* How much buffer is used in input buffers */ @@ -1766,9 +1781,7 @@ int ixheaacd_main_process(WORD32 argc, pWORD8 argv[]) { #endif } - if (i_out_bytes) { - frame_counter++; - } + frame_counter++; #ifdef _DEBUG if (frame_counter == 80) frame_counter = frame_counter; diff --git a/test/ixheaacd_metadata_read.c b/test/ixheaacd_metadata_read.c index dc62d09..dcd0251 100644 --- a/test/ixheaacd_metadata_read.c +++ b/test/ixheaacd_metadata_read.c @@ -132,7 +132,11 @@ int get_metadata_dec_info_init(metadata_info meta_info) { } WORD32 get_metadata_dec_exec(metadata_info meta_info, int frame) { - return meta_info.ia_mp4_stsz_size[frame]; + if (frame < (int)meta_info.ia_mp4_stsz_entries) { + return meta_info.ia_mp4_stsz_size[frame]; + } else { + return 0; + } } int get_movie_time_scale(metadata_info meta_info) { |