tag c0c74511561b00fbd1fded728c4fb1021c6cc3a9
tagger The Android Open Source Project <initial-contribution@android.com> Mon Mar 01 19:15:34 2021 -0800
object 90a7f73cc0db1314c063aa51773a84ffa3d41b86

Android Security 8.1.0 Release 86 (7070700)

commit 90a7f73cc0db1314c063aa51773a84ffa3d41b86
author Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de> Mon Jul 06 12:28:12 2020 -0700
committer Anis Assi <anisassi@google.com> Thu Sep 10 13:50:15 2020 -0700
tree df6dc98477c262cdebd31d7adfe35c799c7223e9
parent fcfcf78dda10addc8c916493372dec539f4e8a5b

[DO NOT MERGE] Fix heap buffer overflow in sbrDecoder_AssignQmfChannels2SbrChannels().

In the bug the SBR decoder has already set up 9 channels and tries to
allocate one more channel. The assignment of the QMF channels to SBR
channels fails since the QMF domain manages only 8+1 channels instead
of 10 channels as reqeusted by SBR.
Here we have added a check in sbrDecoder_InitElement() which will
return with a parse error in case additional SBR channels would exceed
the maximum number of SBR channels. This solves the potential heap
buffer overflow.

Bug: 158762825
Test: atest DecoderTestAacDrc DecoderTestXheAac
Change-Id: I741f49ab3b675fa3d3217ee72e1db66b0114f7ee
(cherry picked from commit 50aa5be38870319395ce2ef6f91543e6475e4b97)