[DO NOT MERGE] Fix heap buffer overflow in sbrDecoder_AssignQmfChannels2SbrChannels(). am: 50aa5be388 am: 0468e02e5b

Original change: https://googleplex-android-review.googlesource.com/c/platform/external/aac/+/12088847

Change-Id: I0f5863139bc848401b905625fdc572793755b8cf
This commit is contained in:
Fraunhofer IIS FDK 2020-09-09 21:44:15 +00:00 committed by Automerger Merge Worker
commit d20df7ee14
1 changed files with 10 additions and 3 deletions

View File

@ -510,9 +510,6 @@ SBR_ERROR sbrDecoder_InitElement (
self->numSbrChannels -= self->pSbrElement[elementIndex]->nChannels;
}
/* Save element ID for sanity checks and to have a fallback for concealment. */
self->pSbrElement[elementIndex]->elementID = elementID;
/* Determine amount of channels for this element */
switch (elementID) {
case ID_NONE:
@ -540,6 +537,16 @@ SBR_ERROR sbrDecoder_InitElement (
}
}
/* Sanity check to avoid memory leaks */
if (elChannels < self->pSbrElement[elementIndex]->nChannels ||
(self->numSbrChannels + elChannels) > (8) + (1)) {
self->numSbrChannels += self->pSbrElement[elementIndex]->nChannels;
sbrError = SBRDEC_PARSE_ERROR;
goto bail;
}
/* Save element ID for sanity checks and to have a fallback for concealment. */
self->pSbrElement[elementIndex]->elementID = elementID;
self->pSbrElement[elementIndex]->nChannels = elChannels;
for (ch=0; ch<elChannels; ch++)