fenix/fdk-aac
1
0
Fork 0
mirror of https://github.com/mstorsjo/fdk-aac.git synced 2025-06-05 22:39:13 +02:00
Code Issues Projects Releases Wiki Activity

Fix heap buffer overflow in sbrDecoder_AssignQmfChannels2SbrChannels().

Browse Source 
In the bug the SBR decoder has already set up 9 channels and tries to
allocate one more channel. The assignment of the QMF channels to SBR
channels fails since the QMF domain manages only 8+1 channels instead
of 10 channels as reqeusted by SBR.
Here we have added a check in sbrDecoder_InitElement() which will
return with a parse error in case additional SBR channels would exceed
the maximum number of SBR channels. This solves the potential heap
buffer overflow.

Bug: 158762825
Test: atest DecoderTestAacDrc DecoderTestAacFormat DecoderTestXheAac
Change-Id: I0150ac6d5a47ffce883010f531928656eebc619e
Merged-In: I0150ac6d5a47ffce883010f531928656eebc619e
This commit is contained in:
Fraunhofer IIS FDK
2020-07-06 16:37:38 +02:00
committed by Jean-Michel Trivi
parent ebc1030f65
commit bb8f983bf3
1 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
libSBRdec/src/sbrdecoder.cpp
View File

@@ -1,7 +1,7 @@
/* -----------------------------------------------------------------------------
Software License for The Fraunhofer FDK AAC Codec Library for Android
© Copyright 1995 - 2019 Fraunhofer-Gesellschaft zur Förderung der angewandten
© Copyright 1995 - 2020 Fraunhofer-Gesellschaft zur Förderung der angewandten
Forschung e.V. All rights reserved.
1. INTRODUCTION
@@ -617,10 +617,6 @@ SBR_ERROR sbrDecoder_InitElement(
self->numSbrChannels -= self->pSbrElement[elementIndex]->nChannels;
}
/* Save element ID for sanity checks and to have a fallback for concealment.
*/
self->pSbrElement[elementIndex]->elementID = elementID;
/* Determine amount of channels for this element */
switch (elementID) {
case ID_NONE:
@@ -653,12 +649,16 @@ SBR_ERROR sbrDecoder_InitElement(
}
/* Sanity check to avoid memory leaks */
if (elChannels < self->pSbrElement[elementIndex]->nChannels) {
if (elChannels < self->pSbrElement[elementIndex]->nChannels ||
(self->numSbrChannels + elChannels) > (8) + (1)) {
self->numSbrChannels += self->pSbrElement[elementIndex]->nChannels;
sbrError = SBRDEC_PARSE_ERROR;
goto bail;
}
/* Save element ID for sanity checks and to have a fallback for concealment.
*/
self->pSbrElement[elementIndex]->elementID = elementID;
self->pSbrElement[elementIndex]->nChannels = elChannels;
for (ch = 0; ch < elChannels; ch++) {