Fix for stack buffer overflow in ixheaacd_latm_stream_mux_config
Bug:118149009
Test: vendor
Change-Id: I16213a2db36e9d678f7105edda9a4a6c17a3f8a6
diff --git a/decoder/ixheaacd_headerdecode.c b/decoder/ixheaacd_headerdecode.c
index c28833e..140ad78 100644
--- a/decoder/ixheaacd_headerdecode.c
+++ b/decoder/ixheaacd_headerdecode.c
@@ -81,6 +81,8 @@
#include "ixheaacd_struct.h"
#include "ixheaacd_function_selector.h"
+#include "ixheaacd_error_standards.h"
+
#undef ALLOW_SMALL_FRAMELENGTH
#define ALLOW_SMALL_FRAMELENGTH
@@ -811,11 +813,12 @@
(adts->profile != AAC_LC_PROFILE));
}
-WORD32 ixheaacd_latm_header_decode(
+IA_ERRORCODE ixheaacd_latm_header_decode(
ia_aac_dec_state_struct *aac_state_struct,
struct ia_bit_buf_struct *it_bit_buff, WORD32 *bytes_consumed,
ia_sampling_rate_info_struct *pstr_samp_rate_info) {
- WORD32 sync, result;
+ WORD32 sync;
+ IA_ERRORCODE result;
WORD32 next_sync, audio_mux_len_bytes_last;
WORD32 audio_mux_len_bits_last;
WORD32 sync_status = aac_state_struct->sync_status;
@@ -931,7 +934,7 @@
}
}
}
- return 0;
+ return IA_NO_ERROR;
}
WORD32 ixheaacd_aac_headerdecode(
diff --git a/decoder/ixheaacd_latmdemux.c b/decoder/ixheaacd_latmdemux.c
index d800c88..fb216f0 100644
--- a/decoder/ixheaacd_latmdemux.c
+++ b/decoder/ixheaacd_latmdemux.c
@@ -80,6 +80,7 @@
#include "ixheaacd_multichannel.h"
#include "ixheaacd_headerdecode.h"
+#include "ixheaacd_error_standards.h"
WORD32 ixheaacd_latm_au_chunk_length_info(
struct ia_bit_buf_struct *it_bit_buff) {
@@ -150,7 +151,7 @@
ixheaacd_read_bits_buf(it_bit_buff, 8);
}
-WORD32 ixheaacd_latm_stream_mux_config(
+IA_ERRORCODE ixheaacd_latm_stream_mux_config(
struct ia_bit_buf_struct *it_bit_buff, ixheaacd_latm_struct *latm_element,
ia_aac_dec_state_struct *aac_state_struct,
ia_sampling_rate_info_struct *sample_rate_info) {
@@ -159,7 +160,7 @@
WORD32 bytes_consumed;
WORD32 audio_mux_version_a;
UWORD32 tara_buf_fullness;
- WORD32 error_code = AAC_DEC_OK;
+ IA_ERRORCODE error_code = AAC_DEC_OK;
ixheaacd_latm_layer_info *layer_info = 0;
latm_element->audio_mux_version = ixheaacd_read_bits_buf(it_bit_buff, 1);
@@ -178,13 +179,13 @@
latm_element->num_sub_frames = ixheaacd_read_bits_buf(it_bit_buff, 6) + 1;
- if (latm_element->num_sub_frames != 1) {
- error_code = IA_ENHAACPLUS_DEC_EXE_FATAL_INVALID_LOAS_HEADER;
- return error_code;
- }
+ if (latm_element->num_sub_frames != 1)
+ return IA_ENHAACPLUS_DEC_EXE_FATAL_INVALID_LOAS_HEADER;
latm_element->num_program = ixheaacd_read_bits_buf(it_bit_buff, 4) + 1;
+ if (latm_element->num_program > LATM_MAX_PROG) return IA_FATAL_ERROR;
+
for (prog = 0; prog < latm_element->num_program; prog++) {
latm_element->num_layer = ixheaacd_read_bits_buf(it_bit_buff, 3) + 1;
@@ -250,8 +251,7 @@
break;
default:
- error_code = IA_ENHAACPLUS_DEC_EXE_FATAL_INVALID_LOAS_HEADER;
- return error_code;
+ return IA_ENHAACPLUS_DEC_EXE_FATAL_INVALID_LOAS_HEADER;
}
}
}
@@ -284,12 +284,12 @@
return (error_code);
}
-WORD32 ixheaacd_latm_audio_mux_element(
+IA_ERRORCODE ixheaacd_latm_audio_mux_element(
struct ia_bit_buf_struct *it_bit_buff, ixheaacd_latm_struct *latm_element,
ia_aac_dec_state_struct *aac_state_struct,
ia_sampling_rate_info_struct *sample_rate_info) {
UWORD32 i;
- WORD32 error_code = AAC_DEC_OK;
+ IA_ERRORCODE error_code = AAC_DEC_OK;
ixheaacd_read_bits_buf(it_bit_buff, 13);