authorJean-Michel Trivi <jmtrivi@google.com>2017-10-30 11:31:03 -0700
committerTim Schumacher <timschumi@gmx.de>2018-01-14 15:21:55 +0100
commite53e3b4dc583c9517d01e7ea5502112de84992c1 (patch)
tree1185070f7ee1c0b9f30f86582aaf771e0d20f74b
parent5971777054e3128a16af5641584547cb1263422d (diff)
Fix out of bound memory access in lppTransposer
In TRANSPOSER_SETTINGS, initialize the whole bwBorders array to a reasonable value to guarantee correct termination in while loop in lppTransposer function. This fixes the reported bug. For completeness: - clear the whole bwIndex array instead of noOfPatches entries only. - abort criterion in while loop to prevent potential infinite loop, and limit bwIndex[patch] to a valid range. Test: see bug for malicious content, decoded with "stagefright -s -a" Bug: 65280786 (cherry picked from commit 6d3dd40e204bf550abcfa589bd9615df8778e118) Change-Id: I62ba99f0b04a0244523aa8703e2b1a30065918f8
-rw-r--r--libSBRdec/src/lpp_tran.cpp10
1 files changed, 7 insertions, 3 deletions
diff --git a/libSBRdec/src/lpp_tran.cpp b/libSBRdec/src/lpp_tran.cpp
index 117e739..343aec3 100644
--- a/libSBRdec/src/lpp_tran.cpp
+++ b/libSBRdec/src/lpp_tran.cpp
@@ -293,7 +293,7 @@ void lppTransposer (HANDLE_SBR_LPP_TRANS hLppTrans, /*!< Handle of lpp transp
}
/* init bwIndex for each patch */
- FDKmemclear(bwIndex, pSettings->noOfPatches*sizeof(INT));
+ FDKmemclear(bwIndex, MAX_NUM_PATCHES*sizeof(INT));
/*
Calc common low band scale factor
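Review bot: The clear length is now spelled `MAX_NUM_PATCHES*sizeof(INT)`, which is only correct while it matches the declaration of bwIndex, and that declaration is outside this hunk. If bwIndex is a local array in lppTransposer, `FDKmemclear(bwIndex, sizeof(bwIndex));` ties the size to the declaration so the two cannot drift apart. If it is a pointer, a short comment naming the declared length of the array it points to would be worth adding. The body of lppTransposer starts and ends outside the hunk.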
@@ -621,9 +621,9 @@ void lppTransposer (HANDLE_SBR_LPP_TRANS hLppTrans, /*!< Handle of lpp transp
FDK_ASSERT( hiBand < (64) );
/* bwIndex[patch] is already initialized with value from previous band inside this patch */
- while (hiBand >= pSettings->bwBorders[bwIndex[patch]])
+ while (hiBand >= pSettings->bwBorders[bwIndex[patch]] && bwIndex[patch] < MAX_NUM_PATCHES-1) {
bwIndex[patch]++;
-
+ }
/*
Filter Step 2: add the left slope with the current filter to the buffer
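Review bot: The new loop condition reads `pSettings->bwBorders[bwIndex[patch]]` before it tests `bwIndex[patch] < MAX_NUM_PATCHES-1`, so the read stays in bounds only because the index was cleared earlier and is never stepped past that limit. Testing the bound first makes the guard explicit and keeps the read protected if the initialisation ever changes: `while (bwIndex[patch] < MAX_NUM_PATCHES-1 && hiBand >= pSettings->bwBorders[bwIndex[patch]]) {`. The limit is a patch count, while resetLppTransposer pads bwBorders up to MAX_NUM_NOISE_VALUES, so a comment stating which array the limit protects would help; the relation between the two constants is not visible on this page. The FDK_ASSERT on hiBand above may be compiled out in release builds, so it should not be counted as part of the bounds check.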
@@ -962,6 +962,10 @@ resetLppTransposer (HANDLE_SBR_LPP_TRANS hLppTrans, /*!< Handle of lpp transpos
for(i = 0 ; i < noNoiseBands; i++){
pSettings->bwBorders[i] = noiseBandTable[i+1];
}
+ for (;i < MAX_NUM_NOISE_VALUES; i++) {
+ pSettings->bwBorders[i] = 255;
+ }
+
/*
* Choose whitening factors
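Review bot: The padding loop starts from whatever `i` the preceding copy loop left behind, so it only helps when noNoiseBands is at most MAX_NUM_NOISE_VALUES. Nothing in the visible lines checks that, and a larger value would already have written past bwBorders in the copy loop. If the bound is not enforced earlier in resetLppTransposer (outside this hunk), reject or clamp noNoiseBands before the copy. The literal `255` also deserves a named constant or a comment such as `/* sentinel above any valid hiBand (< 64); terminates the border search in lppTransposer */`, since its correctness presumably depends on the element type of bwBorders.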