Merge "Fix for SEGV in ixheaacd_aacdec_decodeframe function." into rvc-dev
diff --git a/decoder/drc_src/impd_drc_dynamic_payload.c b/decoder/drc_src/impd_drc_dynamic_payload.c
index 4fa54ec..e4243ec 100644
--- a/decoder/drc_src/impd_drc_dynamic_payload.c
+++ b/decoder/drc_src/impd_drc_dynamic_payload.c
@@ -521,9 +521,12 @@
       }
     }
     for (k = 0; k < num_nodes_node_reservoir; k++) {
-      drc_gain_sequence->str_spline_nodes[i].str_node[k].time =
-          prev_frame_time_buf[k] -
-          2 * pstr_drc_uni_bs_dec->ia_drc_params_struct.drc_frame_size;
+      WORD32 tmp = prev_frame_time_buf[k] -
+                   2 * pstr_drc_uni_bs_dec->ia_drc_params_struct.drc_frame_size;
+      if (tmp >= (2 * AUDIO_CODEC_FRAME_SIZE_MAX -
+                  pstr_drc_uni_bs_dec->ia_drc_params_struct.drc_frame_size))
+        return UNEXPECTED_ERROR;
+      drc_gain_sequence->str_spline_nodes[i].str_node[k].time = tmp;
     }
     for (m = 0; m < num_nodes_cur; m++, k++) {
       drc_gain_sequence->str_spline_nodes[i].str_node[k].time =
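Review bot: The new check on `tmp` bounds it only from above (`tmp >= 2 * AUDIO_CODEC_FRAME_SIZE_MAX - drc_frame_size`), so a corrupted `prev_frame_time_buf[k]` can still store an arbitrarily negative `time` in the node. If negative node times are expected after subtracting two frame lengths, say so in a comment that names the accepted range; otherwise add the matching lower bound to the same `if`, e.g. `if (tmp < LOWER_LIMIT_PLACEHOLDER || tmp >= ...)`. The early `return UNEXPECTED_ERROR;` also leaves the nodes already written for smaller `k` in place, so callers presumably need to treat `drc_gain_sequence` as invalid after this error. The multi-line condition would be easier to read with braces around the `return`. The enclosing function and the next loop's assignment to `str_node[k].time` continue past the end of the hunk, so whether that second write is range-checked is not visible here.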
diff --git a/decoder/ixheaacd_common_initfuncs.c b/decoder/ixheaacd_common_initfuncs.c
index 8b9930f..88fadcc 100644
--- a/decoder/ixheaacd_common_initfuncs.c
+++ b/decoder/ixheaacd_common_initfuncs.c
@@ -158,12 +158,13 @@
                                WORD32 ixheaacd_drc_offset) {
   if (ixheaacd_drc_offset != 0) {
     WORD32 byte_offset;
-
-    it_bit_buff->cnt_bits = it_bit_buff->cnt_bits - ixheaacd_drc_offset;
-    if (it_bit_buff->cnt_bits < 0) {
+    if ((it_bit_buff->cnt_bits < 0) ||
+        (it_bit_buff->cnt_bits - ixheaacd_drc_offset < 0) ||
+        (it_bit_buff->cnt_bits - ixheaacd_drc_offset > it_bit_buff->size)) {
       longjmp(*(it_bit_buff->xaac_jmp_buf),
               IA_ENHAACPLUS_DEC_EXE_NONFATAL_INSUFFICIENT_INPUT_BYTES);
     }
+    it_bit_buff->cnt_bits = it_bit_buff->cnt_bits - ixheaacd_drc_offset;
     it_bit_buff->bit_pos = it_bit_buff->bit_pos - ixheaacd_drc_offset;
     byte_offset = it_bit_buff->bit_pos >> 3;
     it_bit_buff->bit_pos = it_bit_buff->bit_pos - (byte_offset << 3);
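Review bot: The guard computes `it_bit_buff->cnt_bits - ixheaacd_drc_offset` in signed `WORD32` arithmetic before anything bounds `ixheaacd_drc_offset`, so an extreme offset can overflow the subtraction (undefined behaviour) and make the comparison unreliable. The lower bound can be tested without subtracting, using `(ixheaacd_drc_offset > it_bit_buff->cnt_bits)` in place of `(it_bit_buff->cnt_bits - ixheaacd_drc_offset < 0)`. The upper bound can be written `(ixheaacd_drc_offset < it_bit_buff->cnt_bits - it_bit_buff->size)`, which cannot overflow once `cnt_bits >= 0` has been established, provided `size` is never negative. The `bit_pos` update on the following lines uses the same offset and relies entirely on this guard; the function body continues past the end of the hunk, so how `byte_offset` is applied is not visible here. A short comment stating that `size` is a bit count (if it is) would also help, since it is compared directly with `cnt_bits`.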