Fix stack corruption happening in aacDecoder_drcExtractAndMap()

In the aacDecoder_drcExtractAndMap() function, self->numThreads can be used after having exceeded its intended max value, MAX_DRC_THREADS, causing memory to be cleared after the threadBs[MAX_DRC_THREADS] array. The crash is prevented by never using self->numThreads with a value equal to or greater than MAX_DRC_THREADS. A proper fix will be required as there seems to be an issue as to which entry in the threadBs array is meant to be initialized and used. Bug 26751339 Change-Id: I655cc40c35d4206ab72e83b2bdb751be2fe52b5a
2016-03-21 14:12:19 -07:00 · 2016-03-21 14:12:19 -07:00 · a06d1c2b9a
parent fa3eba1644
commit a06d1c2b9a
1 changed files with 9 additions and 1 deletions
--- a/libAACdec/src/aacdec_drc.cpp
+++ b/libAACdec/src/aacdec_drc.cpp
@ -2,7 +2,7 @@
 /* -----------------------------------------------------------------------------------------------------------
 Software License for The Fraunhofer FDK AAC Codec Library for Android

-© Copyright  1995 - 2013 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V.
+© Copyright  1995 - 2013 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V.
  All rights reserved.

 1.    INTRODUCTION
@ -680,6 +680,10 @@ static int aacDecoder_drcExtractAndMap (
  }
  self->numPayloads = 0;

+  if (self->numThreads >= MAX_DRC_THREADS) {
+      self->numThreads = MAX_DRC_THREADS - 1;
+  }
+
  if (self->dvbAncDataAvailable)
  { /* Append a DVB heavy compression payload thread if available. */
    int bitsParsed;
@ -706,6 +710,10 @@ static int aacDecoder_drcExtractAndMap (

  /* coupling channels not supported */

+  if (self->numThreads >= MAX_DRC_THREADS) {
+      self->numThreads = MAX_DRC_THREADS - 1;
+  }
+
  /* check for valid threads */
  for (thread = 0; thread < self->numThreads; thread++) {
    CDrcPayload *pThreadBs = &threadBs[thread];