Fix for segv in ixheaacd_read_bits_buf
When ixheaacd_drc_offset is negative, we read
backward in the bit buffer. There was no bounds check to
make sure it did not go beyond the start of the bit buffer.
This caused a SEGV.
As a fix, a bounds check has been added.
Bug:144134845
Test: poc in bug
Change-Id: I94c4362f26fdb463eb07f5006d0f36860aad8128
diff --git a/decoder/ixheaacd_common_initfuncs.c b/decoder/ixheaacd_common_initfuncs.c
index 8b9930f..88fadcc 100644
--- a/decoder/ixheaacd_common_initfuncs.c
+++ b/decoder/ixheaacd_common_initfuncs.c
@@ -158,12 +158,13 @@
WORD32 ixheaacd_drc_offset) {
if (ixheaacd_drc_offset != 0) {
WORD32 byte_offset;
-
- it_bit_buff->cnt_bits = it_bit_buff->cnt_bits - ixheaacd_drc_offset;
- if (it_bit_buff->cnt_bits < 0) {
+ if ((it_bit_buff->cnt_bits < 0) ||
+ (it_bit_buff->cnt_bits - ixheaacd_drc_offset < 0) ||
+ (it_bit_buff->cnt_bits - ixheaacd_drc_offset > it_bit_buff->size)) {
longjmp(*(it_bit_buff->xaac_jmp_buf),
IA_ENHAACPLUS_DEC_EXE_NONFATAL_INSUFFICIENT_INPUT_BYTES);
}
+ it_bit_buff->cnt_bits = it_bit_buff->cnt_bits - ixheaacd_drc_offset;
it_bit_buff->bit_pos = it_bit_buff->bit_pos - ixheaacd_drc_offset;
byte_offset = it_bit_buff->bit_pos >> 3;
it_bit_buff->bit_pos = it_bit_buff->bit_pos - (byte_offset << 3);
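Review bot: The new guard computes `it_bit_buff->cnt_bits - ixheaacd_drc_offset` as a signed WORD32 subtraction, so for an offset close to the negative limit of the type the subtraction overflows before either comparison runs; that is undefined behaviour in C, and since the commit message says the offset is derived from the stream, the check should be phrased so the untrusted value is only compared, never subtracted. An equivalent formulation that cannot overflow when cnt_bits and size are non-negative is `if ((it_bit_buff->cnt_bits < 0) || (ixheaacd_drc_offset > it_bit_buff->cnt_bits) || (ixheaacd_drc_offset < it_bit_buff->cnt_bits - it_bit_buff->size)) {`, which also removes the same expression being spelled out three times (twice in the condition and again in the assignment below it). This assumes `size` is the buffer length in bits, which the hunk does not show. Note that only cnt_bits is bounded; the `bit_pos` update on the following line is assumed to move in step with it and is not checked separately. The enclosing function starts and ends outside the hunk.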