Fix for heap buffer over flow in drc bit stream parsing
Bound values that we parse from the input stream.
Bug: 115375616
Test: vendor
Change-Id: I357d8e19e377fbe5156e5a639ed9ab99cbfeed52
(cherry picked from commit c90eeb6e6181e80e753692690176cf5ee2dbb38e)
diff --git a/decoder/drc_src/impd_drc_dynamic_payload.c b/decoder/drc_src/impd_drc_dynamic_payload.c
index abaface..65d3576 100644
--- a/decoder/drc_src/impd_drc_dynamic_payload.c
+++ b/decoder/drc_src/impd_drc_dynamic_payload.c
@@ -587,6 +587,10 @@
if (str_drc_config_ext->loud_eq_instructions_flag == 1) {
str_drc_config_ext->loud_eq_instructions_count =
impd_read_bits_buf(it_bit_buff, 4);
+ if (str_drc_config_ext->loud_eq_instructions_count >
+ LOUD_EQ_INSTRUCTIONS_COUNT_MAX)
+ return UNEXPECTED_ERROR;
+
if (it_bit_buff->error) return it_bit_buff->error;
for (i = 0; i < str_drc_config_ext->loud_eq_instructions_count; i++) {
err = impd_parse_loud_eq_instructions(
@@ -605,6 +609,8 @@
if (err) return (err);
str_drc_config_ext->eq_instructions_count =
impd_read_bits_buf(it_bit_buff, 4);
+ if (str_drc_config_ext->eq_instructions_count > EQ_INSTRUCTIONS_COUNT_MAX)
+ return UNEXPECTED_ERROR;
if (it_bit_buff->error) return it_bit_buff->error;
for (i = 0; i < str_drc_config_ext->eq_instructions_count; i++) {
err = impd_parse_eq_instructions(