fenix/fdk-aac
1
0
Fork 0
mirror of https://github.com/mstorsjo/fdk-aac.git synced 2025-02-07 03:03:56 +01:00
Code Issues Projects Releases Wiki Activity

Avoid integer overflows in CLatmDemux_ReadAuChunkLengthInfo() and FDK_get32() to prevent endless loop.

Browse Source 
Bug: 186777497
Test: atest android.media.cts.DecoderTestAacFormat android.media.cts.DecoderTestXheAac android.media.cts.DecoderTestAacDrc
Change-Id: Icaedd341f4602882f72ff5e7be71d99ce08f3bec
This commit is contained in:
Fraunhofer IIS FDK 2021-03-16 14:47:58 +01:00 committed by Jean-Michel Trivi
parent 27c3a2bd1c
commit 14db264786
2 changed files with 22 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
libMpegTPDec/src/tpdec_latm.cpp
View File

@ -1,7 +1,7 @@
/* -----------------------------------------------------------------------------
Software License for The Fraunhofer FDK AAC Codec Library for Android
© Copyright 1995 - 2019 Fraunhofer-Gesellschaft zur Förderung der angewandten
© Copyright 1995 - 2021 Fraunhofer-Gesellschaft zur Förderung der angewandten
Forschung e.V. All rights reserved.
1. INTRODUCTION
@ -591,6 +591,18 @@ bail:
return (ErrorStatus);
}
static int CLatmDemux_ReadAuChunkLengthInfo(HANDLE_FDK_BITSTREAM bs) {
int len = 0, tmp = 255;
int validBytes = (int)FDKgetValidBits(bs) >> 3;
while (tmp == 255 && validBytes-- > 0) {
tmp = (int)FDKreadBits(bs, 8);
len += tmp;
}
return ((tmp == 255) ? -1 : (len << 3));
}
TRANSPORTDEC_ERROR CLatmDemux_ReadPayloadLengthInfo(HANDLE_FDK_BITSTREAM bs,
CLatmDemux *pLatmDemux) {
TRANSPORTDEC_ERROR ErrorStatus = TRANSPORTDEC_OK;
@ -602,11 +614,17 @@ TRANSPORTDEC_ERROR CLatmDemux_ReadPayloadLengthInfo(HANDLE_FDK_BITSTREAM bs,
FDK_ASSERT(pLatmDemux->m_numLayer[prog] <= LATM_MAX_LAYER);
for (UINT lay = 0; lay < pLatmDemux->m_numLayer[prog]; lay++) {
LATM_LAYER_INFO *p_linfo = &pLatmDemux->m_linfo[prog][lay];
int auChunkLengthInfo = 0;
switch (p_linfo->m_frameLengthType) {
case 0:
p_linfo->m_frameLengthInBits = CLatmDemux_ReadAuChunkLengthInfo(bs);
totalPayloadBits += p_linfo->m_frameLengthInBits;
auChunkLengthInfo = CLatmDemux_ReadAuChunkLengthInfo(bs);
if (auChunkLengthInfo >= 0) {
p_linfo->m_frameLengthInBits = (UINT)auChunkLengthInfo;
totalPayloadBits += p_linfo->m_frameLengthInBits;
} else {
return TRANSPORTDEC_PARSE_ERROR;
}
break;
case 3:
case 5:
@ -627,23 +645,6 @@ TRANSPORTDEC_ERROR CLatmDemux_ReadPayloadLengthInfo(HANDLE_FDK_BITSTREAM bs,
return (ErrorStatus);
}
int CLatmDemux_ReadAuChunkLengthInfo(HANDLE_FDK_BITSTREAM bs) {
UCHAR endFlag;
int len = 0;
do {
UCHAR tmp = (UCHAR)FDKreadBits(bs, 8);
endFlag = (tmp < 255);
len += tmp;
} while (endFlag == 0);
len <<= 3; /* convert from bytes to bits */
return len;
}
UINT CLatmDemux_GetFrameLengthInBits(CLatmDemux *pLatmDemux, const UINT prog,
const UINT layer) {
UINT nFrameLenBits = 0;

4
libMpegTPDec/src/tpdec_latm.h
View File

@ -1,7 +1,7 @@
/* -----------------------------------------------------------------------------
Software License for The Fraunhofer FDK AAC Codec Library for Android
© Copyright 1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten
© Copyright 1995 - 2021 Fraunhofer-Gesellschaft zur Förderung der angewandten
Forschung e.V. All rights reserved.
1. INTRODUCTION
@ -151,8 +151,6 @@ typedef struct {
AudioPreRoll */
} CLatmDemux;
int CLatmDemux_ReadAuChunkLengthInfo(HANDLE_FDK_BITSTREAM bs);
TRANSPORTDEC_ERROR CLatmDemux_Read(HANDLE_FDK_BITSTREAM bs,
CLatmDemux *pLatmDemux, TRANSPORT_TYPE tt,
CSTpCallBacks *pTpDecCallbacks,