Validate correct ascLen in CLatmDemux_ReadStreamMuxConfig() to overcome integer overflow in FDK_get32().

Bug: 131430997 Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: I87b53661df7a435ddf3572a0ff8b6ef84972db60
2019-09-20 13:55:57 +02:00 · 2019-09-20 13:55:57 +02:00 · f0e1e3f8c7
parent da5b0dcb3c
commit f0e1e3f8c7
1 changed files with 3 additions and 3 deletions
--- a/libMpegTPDec/src/tpdec_latm.cpp
+++ b/libMpegTPDec/src/tpdec_latm.cpp
@ -1,7 +1,7 @@
 /* -----------------------------------------------------------------------------
 Software License for The Fraunhofer FDK AAC Codec Library for Android

-© Copyright  1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten
+© Copyright  1995 - 2019 Fraunhofer-Gesellschaft zur Förderung der angewandten
 Forschung e.V. All rights reserved.

 1.    INTRODUCTION
@ -367,10 +367,10 @@ TRANSPORTDEC_ERROR CLatmDemux_ReadStreamMuxConfig(
          }
          if (pLatmDemux->m_AudioMuxVersion == 1) {
            FDK_BITSTREAM tmpBs;
-            UINT ascLen = 0;
+            INT ascLen = 0;
            ascLen = CLatmDemux_GetValue(bs);
            /* The ascLen could be wrong, so check if validBits<=bufBits*/
-            if (ascLen > FDKgetValidBits(bs)) {
+            if (ascLen < 0 || ascLen > (INT)FDKgetValidBits(bs)) {
              ErrorStatus = TRANSPORTDEC_PARSE_ERROR;
              goto bail;
            }