From 5148d0d2878b6fbb848c89f159c48064dab80f3c Mon Sep 17 00:00:00 2001
From: Ramesh Katuri
Date: Fri, 9 Nov 2018 18:56:44 +0530
Subject: Fix for heap buffer overflow in xaac decoder test bench In Xaac decoder frame size information is obtained from ia_mp4_stsz_size array using frame counter. Due to some bad frames in the stream frame counter is not getting updated properly which is causing heap buffer overflow. As a fix 1. We added check on frame counter value before accessing ia_mp4_stsz_size[] 2. Frame counter value is updated properly even if input frame is an erroneous frame
Bug:119005793
Test: vendor, poc
Change-Id: I402cf9b4d5641545fdaaf433f0a4a43c293e5dd9
---
 test/ixheaacd_main.c | 19 ++++++++++++++++---
 test/ixheaacd_metadata_read.c | 6 +++++-
 2 files changed, 21 insertions(+), 4 deletions(-)
(limited to 'test')
diff --git a/test/ixheaacd_main.c b/test/ixheaacd_main.c
index 6b889ad..fca49c3 100644
--- a/test/ixheaacd_main.c
+++ b/test/ixheaacd_main.c
@@ -1211,10 +1211,21 @@ int ixheaacd_main_process(WORD32 argc, pWORD8 argv[]) {
 if (raw_testing) {
 ixheaacd_i_bytes_to_read = get_metadata_dec_exec(meta_info, frame_counter);
+
+ if (ixheaacd_i_bytes_to_read <= 0) {
+ err_code = (*p_ia_process_api)(pv_ia_process_api_obj,
+ IA_API_CMD_INPUT_OVER, 0, NULL);
+
+ _IA_HANDLE_ERROR(p_proc_err_info, (pWORD8) "", err_code);
+
+ return IA_NO_ERROR;
+ }
+
 /* Set number of bytes to be processed */
 err_code = (*p_ia_process_api)(pv_ia_process_api_obj, IA_API_CMD_SET_INPUT_BYTES, 0, &ixheaacd_i_bytes_to_read);
+ init_iteration++;
 } else {
 /* Set number of bytes to be processed */
 err_code = (*p_ia_process_api)(
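Review bot: The new `ixheaacd_i_bytes_to_read <= 0` branch leaves `ixheaacd_main_process` through `return IA_NO_ERROR;`, so a stream whose size table is exhausted during initialization is reported as a successful run and whatever teardown follows the loop is bypassed. The function body starts and ends outside this hunk, so which files and buffers are still held at this point cannot be confirmed from here. For a test bench that is fed malformed or fuzzed streams, returning a distinct non-zero status (or branching to the function's common exit path, if it has one) would let a harness tell a clean end of stream from metadata that ran out early. A comment above the branch such as `/* no stsz entry left for this frame, or entry size is 0: signal end of input and stop */` would also record why a zero size is treated as end of input.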
@@ -1235,6 +1246,10 @@ int ixheaacd_main_process(WORD32 argc, pWORD8 argv[]) {
 err_code = (*p_ia_process_api)(pv_ia_process_api_obj, IA_API_CMD_INIT, IA_CMD_TYPE_INIT_DONE_QUERY, &ui_init_done);
+ if (init_iteration > 2 && ui_init_done == 0) {
+ frame_counter++;
+ }
+
 _IA_HANDLE_ERROR(p_proc_err_info, (pWORD8) "", err_code);
 /* How much buffer is used in input buffers */
@@ -1766,9 +1781,7 @@ int ixheaacd_main_process(WORD32 argc, pWORD8 argv[]) {
 #endif
 }
- if (i_out_bytes) {
- frame_counter++;
- }
+ frame_counter++;
 #ifdef _DEBUG
 if (frame_counter == 80) frame_counter = frame_counter;
diff --git a/test/ixheaacd_metadata_read.c b/test/ixheaacd_metadata_read.c
index dc62d09..dcd0251 100644
--- a/test/ixheaacd_metadata_read.c
+++ b/test/ixheaacd_metadata_read.c
@@ -132,7 +132,11 @@ int get_metadata_dec_info_init(metadata_info meta_info) {
 }
 WORD32 get_metadata_dec_exec(metadata_info meta_info, int frame) {
- return meta_info.ia_mp4_stsz_size[frame];
+ if (frame < (int)meta_info.ia_mp4_stsz_entries) {
+ return meta_info.ia_mp4_stsz_size[frame];
+ } else {
+ return 0;
+ }
 }
 int get_movie_time_scale(metadata_info meta_info) {
-- cgit v1.2.3
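Review bot: In the hunk at -1235, `ui_init_done` is tested before `_IA_HANDLE_ERROR` has examined the `err_code` returned by the `IA_CMD_TYPE_INIT_DONE_QUERY` call, so when that query fails the value deciding `frame_counter++` may be stale or unset. Placing the added `if (init_iteration > 2 && ui_init_done == 0) {` block after the `_IA_HANDLE_ERROR(p_proc_err_info, (pWORD8) "", err_code);` line keeps the counter update on the checked path. The threshold `2` is unexplained in the visible lines; a named constant, or a comment saying which initialization iterations do not consume a frame from the size table, would make the index arithmetic reviewable. The enclosing loop starts and ends outside the hunk.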
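Review bot: The guard added to `get_metadata_dec_exec` bounds `frame` only from above, so a negative `frame` still satisfies `frame < (int)meta_info.ia_mp4_stsz_entries` and reads before the start of `ia_mp4_stsz_size`. The `(int)` cast suggests the entry count is an unsigned field (its declaration is not in this hunk); if that count is taken from the input file, a value above `INT_MAX` becomes negative after the cast. Checking both ends without narrowing, `if (frame >= 0 && (unsigned)frame < meta_info.ia_mp4_stsz_entries) {`, covers both cases. The check is also only as strong as the invariant that `ia_mp4_stsz_entries` never exceeds the number of elements actually allocated for `ia_mp4_stsz_size`, which should be confirmed where the table is parsed, since the hunk at -1766 now advances `frame_counter` unconditionally and every lookup depends on this function.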