Fix for OOB write in split drc characteristic parsing
added bounds check on values parsed from input stream.
Bug: 116619337
Test: vendor
Change-Id: Ia938ce45cb0503c1ddcbeaa5d036c0f57521a38f
(cherry picked from commit 599ca4428a8a357f0b47116a710f474c5ec51356)
diff --git a/decoder/drc_src/impd_drc_static_payload.c b/decoder/drc_src/impd_drc_static_payload.c
index 4802669..de4ceec 100644
--- a/decoder/drc_src/impd_drc_static_payload.c
+++ b/decoder/drc_src/impd_drc_static_payload.c
@@ -1703,6 +1703,11 @@
str_p_loc_drc_coefficients_uni_drc->characteristic_left_count =
impd_read_bits_buf(it_bit_buff, 4);
if (it_bit_buff->error) return it_bit_buff->error;
+
+ if (str_p_loc_drc_coefficients_uni_drc->characteristic_left_count >
+ SPLIT_CHARACTERISTIC_COUNT_MAX)
+ return (UNEXPECTED_ERROR);
+
for (i = 1;
i <= str_p_loc_drc_coefficients_uni_drc->characteristic_left_count;
i++) {
@@ -1720,6 +1725,10 @@
str_p_loc_drc_coefficients_uni_drc->characteristic_right_count =
impd_read_bits_buf(it_bit_buff, 4);
if (it_bit_buff->error) return it_bit_buff->error;
+
+ if (str_p_loc_drc_coefficients_uni_drc->characteristic_right_count >
+ SPLIT_CHARACTERISTIC_COUNT_MAX)
+ return (UNEXPECTED_ERROR);
for (i = 1;
i <= str_p_loc_drc_coefficients_uni_drc->characteristic_right_count;
i++) {
