Fix for array bound overflow in ia_gain_set_params_struct.
Max value of
str_p_loc_drc_coefficients_uni_drc->gain_set_count_plus
is used as index without checking for upper bound.
Hence added a check here.
Bug:144665190
Test:poc in bug
Change-Id: Ibd8dfe91910eb4d7548cf3236065eb38121b60c8
diff --git a/decoder/drc_src/impd_drc_static_payload.c b/decoder/drc_src/impd_drc_static_payload.c
index 95c9e58..67223bb 100644
--- a/decoder/drc_src/impd_drc_static_payload.c
+++ b/decoder/drc_src/impd_drc_static_payload.c
@@ -443,9 +443,13 @@
str_p_loc_drc_coefficients_uni_drc->gain_sequence_count = 0;
drc_config->drc_coefficients_drc_count += 1;
}
- str_p_loc_drc_coefficients_uni_drc->gain_set_count_plus =
- str_p_loc_drc_coefficients_uni_drc->gain_set_count +
- str_drc_coeff_param_drc->parametric_drc_gain_set_count;
+ {
+ WORD32 tmp = str_p_loc_drc_coefficients_uni_drc->gain_set_count +
+ str_drc_coeff_param_drc->parametric_drc_gain_set_count;
+ if (tmp > GAIN_SET_COUNT_MAX) return UNEXPECTED_ERROR;
+ str_p_loc_drc_coefficients_uni_drc->gain_set_count_plus = tmp;
+ }
+
for (i = str_p_loc_drc_coefficients_uni_drc->gain_set_count;
i < str_p_loc_drc_coefficients_uni_drc->gain_set_count_plus; i++) {
str_p_loc_drc_coefficients_uni_drc->gain_set_params[i].band_count = 1;