author | Jean-Michel Trivi <jmtrivi@google.com> | 2017-10-24 17:39:19 -0700 |
---|---|---|
committer | Tim Schumacher <timschumi@gmx.de> | 2018-01-14 15:17:39 +0100 |
commit | 5971777054e3128a16af5641584547cb1263422d (patch) | |
tree | e12c16b3ead1800d84fafc3901aec914feba7716 | |
parent | faadf2bae979b7bcc5484e47a8a5dbc973f5f255 (diff) | |
DO NOT MERGE Prevent out of bound memory access in GetInvInt
In GetInvInt(int) function, malicious content can access memory
outside of the invCount array. Always bound access to valid
indices.
Test: see bug for malicious content, decoded with "stagefright -s -a"
Bug: 65025048
(cherry picked from commit 9fb4261c43a2d15f3b77a7e56470ed6784f83d04)
Change-Id: Ibc9c2eef405a04239e9c5347371ffb6acb4272c9
-rw-r--r-- | libFDK/include/fixpoint_math.h | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/libFDK/include/fixpoint_math.h b/libFDK/include/fixpoint_math.h index df141d3..bbfc8b0 100644 --- a/libFDK/include/fixpoint_math.h +++ b/libFDK/include/fixpoint_math.h @@ -450,15 +450,19 @@ inline FIXP_DBL fAddSaturate(const FIXP_DBL a, const FIXP_DBL b) /** * \brief Calculate the value of 1/i where i is a integer value. It supports - * input values from 1 upto 50. + * input values from 0 upto 49. * \param intValue Integer input value. * \param FIXP_DBL representation of 1/intValue */ inline FIXP_DBL GetInvInt(int intValue) { - FDK_ASSERT((intValue > 0) && (intValue < 50)); - FDK_ASSERT(intValue<50); - return invCount[intValue]; + FDK_ASSERT((intValue >= 0) && (intValue < 50)); + if (intValue > 49) + return invCount[49]; + else if (intValue < 0) + return invCount[0]; + else + return invCount[intValue]; } |
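Review bot: The updated doc comment for GetInvInt says it "supports input values from 0 upto 49" but does not say that out-of-range input is now clamped, so a caller passing a value above 49 or below 0 silently gets invCount[49] or invCount[0] instead of 1/intValue. Please document the clamping in the comment, and state what the entry for an input of 0 represents, since 1/i is undefined for i = 0 and the brief still describes the result as 1/i. The retained FDK_ASSERT((intValue >= 0) && (intValue < 50)) also rejects exactly the inputs the new branches are written to tolerate, so in any build where FDK_ASSERT is active the malicious content from the bug would abort rather than take the clamped path; consider dropping the assert or noting that the difference is intended. Finally, the limits 49 and 50 are repeated as literals in the assert, the comment and the branches; deriving them from the size of invCount would keep the bound correct if the table changes. Minor: the second \param line describes the return value and would read better as \return.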