Information HAL library is responsible for decoding the Apple iTunes
ALAC/AAC-LC audio format on Qualcomm based smartphones.
Privileged service loads the ALAC library when requested by an Android app, and then calls it to decode the supplied audio frames.
In the, an out of bound memory access can occur due to improper validation of number of frames being passed during music playback.
The size of the internal output buffer mMixBufferU can be specified using the csd-0 configuration parameter. The numSamples audio parameter is encoded in the audio frame:
We can write data outside the mMixBufferU output buffer because no size check is

Crash trace:

Build fingerprint: 'Sony/G8142/G8142:8.0.0/47.1.A.16.20/623594567:user/release-keys'
Revision: '0'
ABI: 'arm'
pid: 9942, tid: 10891, name: media.codec  >>> omx@1.0-service <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x85a0
    r0 00000000  r1 00000000  r2 00000007  r3 00000007
    r4 00000020  r5 00002168  r6 00000000  r7 ed621e6c
    r8 ea90d808  r9 00000001  sl 41411fd8  fp 00000000
    ip 00000007  sp ea90d6b0  lr 00000082  pc ea91033e  cpsr 400f0030

    #00 pc 0000233e  /system/vendor/lib/ (_ZN11ALACDecoder6DecodeEP9BitBufferPhjjPj+1385)
    #01 pc 00005d17  /system/vendor/lib/ (alac_dec_process+154)
    #02 pc 0000331f  /system/vendor/lib/ (_ZN11COmxDecAlac12process_dataEPvP20OMX_BUFFERHEADERTYPES2_+582)
    #03 pc 00006145  /system/vendor/lib/ (_ZN15omx_common_adec19process_in_port_msgEPvh+1196)
    #04 pc 0000906b  /system/vendor/lib/ (omx_common_msg+66)
    #05 pc 000484b7  /system/lib/ (_ZL15__pthread_startPv+22)
    #06 pc 0001b59d  /system/lib/ (__start_thread+32)