mirror of https://github.com/mstorsjo/fdk-aac.git synced 2025-06-05 22:39:13 +02:00

DO NOT MERGE Prevent out of bounds accesses in lppTransposer()

Check validity of pSettings->noOfPatches to prevent out of bounds
  access in lppTransposer(), which can also cause memSize to be
  negative.

Bug: 112160868
Test: see poc in bug
Change-Id: I77bd1e1dfab3bac92b4522170bdc3c9eb56fdf82
Jean-Michel Trivi
2018-09-10 15:50:19 -07:00
parent 31447431fe
commit 2eaadebcb6


@ -96,6 +96,10 @@ amm-info@iis.fraunhofer.de
\sa lppTransposer(), main_audio.cpp, sbr_scale.h, \ref documentationOverview
*/
#ifdef __ANDROID__
#include <cutils/log.h>
#endif
#include "lpp_tran.h"
#include "sbr_ram.h"
@ -256,7 +260,6 @@ void lppTransposer (HANDLE_SBR_LPP_TRANS hLppTrans, /*!< Handle of lpp transp
int ovLowBandShift;
int lowBandShift;
/* int ovHighBandShift;*/
int targetStopBand;
alphai[0] = FL2FXCONST_SGL(0.0f);
@ -273,24 +276,32 @@ void lppTransposer (HANDLE_SBR_LPP_TRANS hLppTrans, /*!< Handle of lpp transp
autoCorrLength = pSettings->nCols + pSettings->overlap;
/* Set upper subbands to zero:
This is required in case that the patches do not cover the complete highband
(because the last patch would be too short).
Possible optimization: Clearing bands up to usb would be sufficient here. */
targetStopBand = patchParam[pSettings->noOfPatches-1].targetStartBand
+ patchParam[pSettings->noOfPatches-1].numBandsInPatch;
if (pSettings->noOfPatches > 0) {
/* Set upper subbands to zero:
This is required in case that the patches do not cover the complete highband
(because the last patch would be too short).
Possible optimization: Clearing bands up to usb would be sufficient here. */
int targetStopBand = patchParam[pSettings->noOfPatches-1].targetStartBand
+ patchParam[pSettings->noOfPatches-1].numBandsInPatch;
int memSize = ((64) - targetStopBand) * sizeof(FIXP_DBL);
int memSize = ((64) - targetStopBand) * sizeof(FIXP_DBL);
if (!useLP) {
if (!useLP) {
for (i = startSample; i < stopSampleClear; i++) {
FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize);
FDKmemclear(&qmfBufferImag[i][targetStopBand], memSize);
}
} else
for (i = startSample; i < stopSampleClear; i++) {
FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize);
FDKmemclear(&qmfBufferImag[i][targetStopBand], memSize);
}
} else
for (i = startSample; i < stopSampleClear; i++) {
FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize);
}
#ifdef __ANDROID__
else {
// Safetynet logging
android_errorWriteLog(0x534e4554, "112160868");
}
#endif
/* init bwIndex for each patch */
FDKmemclear(bwIndex, MAX_NUM_PATCHES*sizeof(INT));
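Review bot: The new guard `if (pSettings->noOfPatches > 0)` in the third hunk rejects only the zero-or-negative case, so `patchParam[pSettings->noOfPatches-1]` is still read for any larger value, and `targetStopBand` is still used unchecked to compute `memSize`. If `patchParam` is sized by `MAX_NUM_PATCHES` (the constant used for `bwIndex` just below) and nothing earlier validates these fields, an oversized patch count or a `targetStopBand` above 64 would still give an out-of-range index or a negative `memSize` passed to `FDKmemclear`. Consider tightening the condition to `if (pSettings->noOfPatches > 0 && pSettings->noOfPatches <= MAX_NUM_PATCHES)` and clearing only when `targetStopBand >= 0 && targetStopBand < 64`. The Android-only `else` branch logs and then falls through, so it is worth confirming that the rest of lppTransposer(), which continues outside this hunk, is safe when the patch count is invalid. If the bounds are enforced where the settings are built, a one-line comment here saying so would help the next reader.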