DO NOT MERGE Prevent out of bounds accesses in lppTransposer()

Check validity of pSettings->noOfPatches to prevent out of bounds
  access in lppTransposer(), which can also cause memSize to be
  negative.

Bug: 112160868
Test: see poc in bug
Change-Id: I77bd1e1dfab3bac92b4522170bdc3c9eb56fdf82

libSBRdec/src/lpp_tran.cpp

@@ -96,6 +96,10 @@ amm-info@iis.fraunhofer.de
   \sa lppTransposer(), main_audio.cpp, sbr_scale.h, \ref documentationOverview
 */
 
+#ifdef __ANDROID__
+#include <cutils/log.h>
+#endif
+
 #include "lpp_tran.h"
 
 #include "sbr_ram.h"
@@ -256,7 +260,6 @@ void lppTransposer (HANDLE_SBR_LPP_TRANS hLppTrans,    /*!< Handle of lpp transp
   int ovLowBandShift;
   int lowBandShift;
 /*  int ovHighBandShift;*/
-  int targetStopBand;
 
 
   alphai[0] = FL2FXCONST_SGL(0.0f);
@@ -273,11 +276,12 @@ void lppTransposer (HANDLE_SBR_LPP_TRANS hLppTrans,    /*!< Handle of lpp transp
 
   autoCorrLength = pSettings->nCols + pSettings->overlap;
 
+  if (pSettings->noOfPatches > 0) {
     /* Set upper subbands to zero:
        This is required in case that the patches do not cover the complete highband
        (because the last patch would be too short).
        Possible optimization: Clearing bands up to usb would be sufficient here. */
-  targetStopBand = patchParam[pSettings->noOfPatches-1].targetStartBand
+    int targetStopBand = patchParam[pSettings->noOfPatches-1].targetStartBand
                    + patchParam[pSettings->noOfPatches-1].numBandsInPatch;
 
     int memSize = ((64) - targetStopBand) * sizeof(FIXP_DBL);
@@ -291,6 +295,13 @@ void lppTransposer (HANDLE_SBR_LPP_TRANS hLppTrans,    /*!< Handle of lpp transp
     for (i = startSample; i < stopSampleClear; i++) {
       FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize);
     }
+  }
+#ifdef __ANDROID__
+  else {
+    // Safetynet logging
+    android_errorWriteLog(0x534e4554, "112160868");
+  }
+#endif
 
   /* init bwIndex for each patch */
   FDKmemclear(bwIndex, MAX_NUM_PATCHES*sizeof(INT));