author Jean-Michel Trivi <jmtrivi@google.com> 2016-03-21 14:12:19 -0700
committer Feng Yu <feny@google.com> 2016-03-22 20:27:48 +0000
commit 2181968d7c10f94e5d56408e2de17f5c07705370
tree 1890fa95db14a23bc83aea6eec77568e3f4ff661
parent 48b330d303727e1f2671f844a1d541d596f6d5da
Fix stack corruption happening in aacDecoder_drcExtractAndMap()
In the aacDecoder_drcExtractAndMap() function, self->numThreads can be used after having exceeded its intended max value, MAX_DRC_THREADS, causing memory to be cleared after the threadBs[MAX_DRC_THREADS] array. The crash is prevented by never using self->numThreads with a value equal to or greater than MAX_DRC_THREADS. A proper fix will be required as there seems to be an issue as to which entry in the threadBs array is meant to be initialized and used.

Bug 26751339
Change-Id: I655cc40c35d4206ab72e83b2bdb751be2fe52b5a
(cherry picked from commit a06d1c2b9af1621037b48557aac42b5ecbdb03b3)

-rw-r--r-- libAACdec/src/aacdec_drc.cpp 10
1 files changed, 9 insertions, 1 deletions
diff --git a/libAACdec/src/aacdec_drc.cpp b/libAACdec/src/aacdec_drc.cpp
index 0c33a2b..9cfc5d5 100644
--- a/libAACdec/src/aacdec_drc.cpp
+++ b/libAACdec/src/aacdec_drc.cpp
@@ -2,7 +2,7 @@
/* -----------------------------------------------------------------------------------------------------------
Software License for The Fraunhofer FDK AAC Codec Library for Android
-© Copyright 1995 - 2013 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V.
+© Copyright 1995 - 2013 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V.
All rights reserved.
1. INTRODUCTION
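Review bot: the replaced copyright line in the license header reads the same before and after, so this looks like an incidental whitespace or character-encoding change. Drop it from the patch so the security fix touches only aacDecoder_drcExtractAndMap() and the cherry-pick stays minimal.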
@@ -705,6 +705,10 @@ static int aacDecoder_drcExtractAndMap (
}
self->numPayloads = 0;
+ if (self->numThreads >= MAX_DRC_THREADS) {
+ self->numThreads = MAX_DRC_THREADS - 1;
+ }
+
if (self->dvbAncDataAvailable)
{ /* Append a DVB heavy compression payload thread if available. */
int bitsParsed;
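Review bot: the clamp placed before the `if (self->dvbAncDataAvailable)` block silently rewrites self->numThreads to MAX_DRC_THREADS - 1, with no error return or log to show that the count had gone past the limit. If the DVB append that follows indexes threadBs with self->numThreads, it will now reuse the last entry and overwrite a thread that was already parsed, which is the ambiguity the commit message itself flags. Consider skipping the append when the array is full (guard the block with `self->numThreads < MAX_DRC_THREADS`), and bound the count at the point where it is incremented rather than repairing it afterwards. A comment on the clamp stating that it is a stopgap would also help the next reader.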
@@ -731,6 +735,10 @@ static int aacDecoder_drcExtractAndMap (
/* coupling channels not supported */
+ if (self->numThreads >= MAX_DRC_THREADS) {
+ self->numThreads = MAX_DRC_THREADS - 1;
+ }
+
/* check for valid threads */
for (thread = 0; thread < self->numThreads; thread++) {
CDrcPayload *pThreadBs = &threadBs[thread];
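Review bot: the second clamp, just before the `for (thread = 0; thread < self->numThreads; thread++)` loop, reuses the value MAX_DRC_THREADS - 1 although the loop treats numThreads as an exclusive upper bound. With the array declared as threadBs[MAX_DRC_THREADS], a count of exactly MAX_DRC_THREADS would still keep `&threadBs[thread]` in bounds, so this clamp cuts a full array back by one and the entry at index MAX_DRC_THREADS - 1 is never checked. Clamp with `> MAX_DRC_THREADS` to MAX_DRC_THREADS here, or explain in a comment why the last entry must be dropped. The block is also a verbatim copy of the first clamp; a single helper or macro would keep the two sites from drifting apart.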