MPEG-4 AAC Decoder: check against invalid height info

In CProgramConfig_ReadHeightExt prevent stack overflow
 from invalid FrontElementHeightInfo array value.

Bug: 70637599
Test: see bug
Change-Id: I145414d81d7a7be711672c12f44b537c12eea308
This commit is contained in:
Jean-Michel Trivi 2018-01-12 10:08:32 -08:00
parent 433f0352e6
commit 772c7f5542
1 changed files with 19 additions and 4 deletions

View File

@ -118,7 +118,9 @@ int CProgramConfig_IsValid ( const CProgramConfig *pPce )
/* /*
* Read the extension for height info. * Read the extension for height info.
* return 0 if successfull or -1 if the CRC failed. * return 0 if successfull,
* -1 if the CRC failed,
* -2 if invalid HeightInfo.
*/ */
static static
int CProgramConfig_ReadHeightExt( int CProgramConfig_ReadHeightExt(
@ -146,15 +148,21 @@ int CProgramConfig_ReadHeightExt(
for (i=0; i < pPce->NumFrontChannelElements; i++) for (i=0; i < pPce->NumFrontChannelElements; i++)
{ {
pPce->FrontElementHeightInfo[i] = (UCHAR) FDKreadBits(bs,2); if ((pPce->FrontElementHeightInfo[i] = (UCHAR) FDKreadBits(bs,2)) >= PC_NUM_HEIGHT_LAYER) {
err = -2; /* height information is out of the valid range */
}
} }
for (i=0; i < pPce->NumSideChannelElements; i++) for (i=0; i < pPce->NumSideChannelElements; i++)
{ {
pPce->SideElementHeightInfo[i] = (UCHAR) FDKreadBits(bs,2); if ((pPce->SideElementHeightInfo[i] = (UCHAR) FDKreadBits(bs,2)) >= PC_NUM_HEIGHT_LAYER) {
err = -2; /* height information is out of the valid range */
}
} }
for (i=0; i < pPce->NumBackChannelElements; i++) for (i=0; i < pPce->NumBackChannelElements; i++)
{ {
pPce->BackElementHeightInfo[i] = (UCHAR) FDKreadBits(bs,2); if ((pPce->BackElementHeightInfo[i] = (UCHAR) FDKreadBits(bs,2)) >= PC_NUM_HEIGHT_LAYER) {
err = -2; /* height information is out of the valid range */
}
} }
FDKbyteAlign(bs, alignmentAnchor); FDKbyteAlign(bs, alignmentAnchor);
@ -163,6 +171,13 @@ int CProgramConfig_ReadHeightExt(
/* CRC failed */ /* CRC failed */
err = -1; err = -1;
} }
if (err!=0) {
/* Reset whole height information in case an error occured during parsing. The return
value ensures that pPce->isValid is set to 0 and implicit channel mapping is used. */
FDKmemclear(pPce->FrontElementHeightInfo, sizeof(pPce->FrontElementHeightInfo));
FDKmemclear(pPce->SideElementHeightInfo, sizeof(pPce->SideElementHeightInfo));
FDKmemclear(pPce->BackElementHeightInfo, sizeof(pPce->BackElementHeightInfo));
}
} }
else { else {
/* No valid extension data found -> restore the initial bitbuffer state */ /* No valid extension data found -> restore the initial bitbuffer state */