diff options
author | Jean-Michel Trivi <jmtrivi@google.com> | 2017-10-24 17:39:19 -0700 |
---|---|---|
committer | mse1969 <mse1969@posteo.de> | 2018-01-12 12:20:45 +0100 |
commit | 602446dfd498d1b47abc99d41d0421d6755215bc (patch) | |
tree | 3bdd8888d7b95840920a81e1d2b6e95ef6943315 | |
parent | 06685fa2ced8306b48bc6a8d4ff0c83705b76c41 (diff) | |
download | android_external_aac-602446dfd498d1b47abc99d41d0421d6755215bc.tar.gz android_external_aac-602446dfd498d1b47abc99d41d0421d6755215bc.tar.bz2 android_external_aac-602446dfd498d1b47abc99d41d0421d6755215bc.zip |
DO NOT MERGE Prevent out of bound memory access in GetInvInt
In GetInvInt(int) function, malicious content can access memory
outside of the invCount array. Always bound access to valid
indices.
Test: see bug for malicious content, decoded with "stagefright -s -a"
Bug: 65025048
Change-Id: I92d4a14519f45d5a329d7f69f21f2aef0a8c6daa
(cherry picked from commit 9fb4261c43a2d15f3b77a7e56470ed6784f83d04)
CVE-2017-13206
-rw-r--r-- | libFDK/include/fixpoint_math.h | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/libFDK/include/fixpoint_math.h b/libFDK/include/fixpoint_math.h index df141d3..13cce2d 100644 --- a/libFDK/include/fixpoint_math.h +++ b/libFDK/include/fixpoint_math.h @@ -450,15 +450,19 @@ inline FIXP_DBL fAddSaturate(const FIXP_DBL a, const FIXP_DBL b) /** * \brief Calculate the value of 1/i where i is a integer value. It supports - * input values from 1 upto 50. + * input values from 0 upto 79. * \param intValue Integer input value. * \param FIXP_DBL representation of 1/intValue */ inline FIXP_DBL GetInvInt(int intValue) { - FDK_ASSERT((intValue > 0) && (intValue < 50)); - FDK_ASSERT(intValue<50); - return invCount[intValue]; + FDK_ASSERT((intValue >= 0) && (intValue < 80)); + if (intValue > 79) + return invCount[79]; + else if (intValue < 0) + return invCount[0]; + else + return invCount[intValue]; } |