diff options
| author | Wonsik Kim <wonsik@google.com> | 2021-09-26 18:34:54 -0700 |
|---|---|---|
| committer | Wonsik Kim <wonsik@google.com> | 2021-09-27 05:26:06 +0000 |
| commit | c3e2eb596635757ef854ce288cd2cd9921d7fa45 (patch) | |
| tree | 5cf762f0697398518bf3e2e7d3430160cc6e8379 | |
| parent | 3d4739e5bfb3ad9008d9c8e8131b7c28fd06bdf0 (diff) | |
| download | av-c3e2eb596635757ef854ce288cd2cd9921d7fa45.tar.gz | |
DO NOT MERGE C2SoftMp3Dec: fix OOB write in output buffer
outputFrameSize, calOutSize and outSize are calculated at 8bit level
However, the library expects outputFrameSize in int16 samples.
One of the initialization of outputFrameSize was in bytes.
This is now corrected.
Test: clusterfuzz generated poc in bug
Test: atest android.mediav2.cts.CodecDecoderTest
Test: atest VtsHalMediaC2V1_0TargetAudioDecTest
Bug: 193363621
Change-Id: Iac62c4e9d77e7f95f2c692f5ea236e7a5c536dcb
| -rw-r--r-- | media/codecs/mp3/C2SoftMp3Dec.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/media/codecs/mp3/C2SoftMp3Dec.cpp b/media/codecs/mp3/C2SoftMp3Dec.cpp index 48de625..6aec6c5 100644 --- a/media/codecs/mp3/C2SoftMp3Dec.cpp +++ b/media/codecs/mp3/C2SoftMp3Dec.cpp @@ -410,7 +410,7 @@ void C2SoftMP3::process( mConfig->inputBufferCurrentLength = (inSize - inPos); mConfig->inputBufferMaxLength = 0; mConfig->inputBufferUsedLength = 0; - mConfig->outputFrameSize = (calOutSize - outSize); + mConfig->outputFrameSize = (calOutSize - outSize) / sizeof(int16_t); mConfig->pOutputBuffer = reinterpret_cast<int16_t *> (wView.data() + outSize); ERROR_CODE decoderErr; |