diff options
| author | Jean-Michel Trivi <jmtrivi@google.com> | 2018-01-12 10:08:32 -0800 |
|---|---|---|
| committer | Tim Schumacher <timschumi@gmx.de> | 2018-04-06 16:28:48 +0200 |
| commit | 6bba65a37bb6b2749e8cb9a4d2a5b20d15ed150d (patch) | |
| tree | 6b73acd1f49e1a691eb5f7f8b415d5a3085e1279 | |
| parent | a879493b96c4c444786e4840adde6d0879c2901b (diff) | |
| download | android_external_aac-6bba65a37bb6b2749e8cb9a4d2a5b20d15ed150d.tar.gz android_external_aac-6bba65a37bb6b2749e8cb9a4d2a5b20d15ed150d.tar.bz2 android_external_aac-6bba65a37bb6b2749e8cb9a4d2a5b20d15ed150d.zip | |
MPEG-4 AAC Decoder: check against invalid height inforeplicant-6.0-0004-rc1
In CProgramConfig_ReadHeightExt prevent stack overflow
from invalid FrontElementHeightInfo array value.
Bug: 70637599
Test: see bug
Change-Id: I145414d81d7a7be711672c12f44b537c12eea308
(cherry picked from commit 772c7f5542e64f4a380e13e6263ab668694c7c4d)
| -rw-r--r-- | libMpegTPDec/src/tpdec_asc.cpp | 23 |
1 files changed, 19 insertions, 4 deletions
diff --git a/libMpegTPDec/src/tpdec_asc.cpp b/libMpegTPDec/src/tpdec_asc.cpp index bae271e..e697b48 100644 --- a/libMpegTPDec/src/tpdec_asc.cpp +++ b/libMpegTPDec/src/tpdec_asc.cpp @@ -118,7 +118,9 @@ int CProgramConfig_IsValid ( const CProgramConfig *pPce ) /* * Read the extension for height info. - * return 0 if successfull or -1 if the CRC failed. + * return 0 if successfull, + * -1 if the CRC failed, + * -2 if invalid HeightInfo. */ static int CProgramConfig_ReadHeightExt( @@ -146,15 +148,21 @@ int CProgramConfig_ReadHeightExt( for (i=0; i < pPce->NumFrontChannelElements; i++) { - pPce->FrontElementHeightInfo[i] = (UCHAR) FDKreadBits(bs,2); + if ((pPce->FrontElementHeightInfo[i] = (UCHAR) FDKreadBits(bs,2)) >= PC_NUM_HEIGHT_LAYER) { + err = -2; /* height information is out of the valid range */ + } } for (i=0; i < pPce->NumSideChannelElements; i++) { - pPce->SideElementHeightInfo[i] = (UCHAR) FDKreadBits(bs,2); + if ((pPce->SideElementHeightInfo[i] = (UCHAR) FDKreadBits(bs,2)) >= PC_NUM_HEIGHT_LAYER) { + err = -2; /* height information is out of the valid range */ + } } for (i=0; i < pPce->NumBackChannelElements; i++) { - pPce->BackElementHeightInfo[i] = (UCHAR) FDKreadBits(bs,2); + if ((pPce->BackElementHeightInfo[i] = (UCHAR) FDKreadBits(bs,2)) >= PC_NUM_HEIGHT_LAYER) { + err = -2; /* height information is out of the valid range */ + } } FDKbyteAlign(bs, alignmentAnchor); @@ -163,6 +171,13 @@ int CProgramConfig_ReadHeightExt( /* CRC failed */ err = -1; } + if (err!=0) { + /* Reset whole height information in case an error occured during parsing. The return + value ensures that pPce->isValid is set to 0 and implicit channel mapping is used. */ + FDKmemclear(pPce->FrontElementHeightInfo, sizeof(pPce->FrontElementHeightInfo)); + FDKmemclear(pPce->SideElementHeightInfo, sizeof(pPce->SideElementHeightInfo)); + FDKmemclear(pPce->BackElementHeightInfo, sizeof(pPce->BackElementHeightInfo)); + } } else { /* No valid extension data found -> restore the initial bitbuffer state */ |