DO NOT MERGE Prevent out of bound memory access in GetInvInt

In GetInvInt(int) function, malicious content can access memory
 outside of the invCount array. Always bound access to valid
 indices.

Test: see bug for malicious content, decoded with "stagefright -s -a"
Bug: 65025048
Change-Id: I92d4a14519f45d5a329d7f69f21f2aef0a8c6daa
This commit is contained in:
Jean-Michel Trivi 2017-10-24 17:39:19 -07:00
parent 9d4702f2d9
commit 51f38b3a6d
1 changed files with 8 additions and 4 deletions

View File

@ -479,15 +479,19 @@ inline FIXP_DBL fAddSaturate(const FIXP_DBL a, const FIXP_DBL b)
/** /**
* \brief Calculate the value of 1/i where i is a integer value. It supports * \brief Calculate the value of 1/i where i is a integer value. It supports
* input values from 1 upto 80. * input values from 0 upto 79.
* \param intValue Integer input value. * \param intValue Integer input value.
* \param FIXP_DBL representation of 1/intValue * \param FIXP_DBL representation of 1/intValue
*/ */
inline FIXP_DBL GetInvInt(int intValue) inline FIXP_DBL GetInvInt(int intValue)
{ {
FDK_ASSERT((intValue > 0) && (intValue < 80)); FDK_ASSERT((intValue >= 0) && (intValue < 80));
FDK_ASSERT(intValue<80); if (intValue > 79)
return invCount[intValue]; return invCount[79];
else if (intValue < 0)
return invCount[0];
else
return invCount[intValue];
} }