From ce97e7d55e1f69683b5bc8f19cc8da8c85bc2cd4 Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Fri, 8 Jun 2018 18:07:14 +0200 Subject: [PATCH 1/3] Always check whether given channel config is supported. Bug: 112660981 Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: I169161dd31bc624f2cab6be2b4c6518946ed32ba Merged-In: I169161dd31bc624f2cab6be2b4c6518946ed32ba (cherry picked from commit 25b209f229879a155759d791fe463b8abd283677) --- libAACdec/src/aacdecoder.cpp | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/libAACdec/src/aacdecoder.cpp b/libAACdec/src/aacdecoder.cpp index 362e0b6..fab30de 100644 --- a/libAACdec/src/aacdecoder.cpp +++ b/libAACdec/src/aacdecoder.cpp @@ -1630,17 +1630,9 @@ CAacDecoder_Init(HANDLE_AACDECODER self, const CSAudioSpecificConfig *asc, aacChannelsOffset = 0; aacChannelsOffsetIdx = 0; elementOffset = 0; - if (configMode & AC_CM_ALLOC_MEM) { - if ((ascChannels <= 0) || - (asc->m_channelConfiguration > AACDEC_MAX_CH_CONF)) { - return AAC_DEC_UNSUPPORTED_CHANNELCONFIG; - } - if ((ascChannels + aacChannelsOffsetIdx) > ((8) * 2)) { - return AAC_DEC_UNSUPPORTED_CHANNELCONFIG; - } - if ((ascChannels + aacChannelsOffset) > (8)) { - return AAC_DEC_UNSUPPORTED_CHANNELCONFIG; - } + if ((ascChannels <= 0) || (ascChannels > (8)) || + (asc->m_channelConfiguration > AACDEC_MAX_CH_CONF)) { + return AAC_DEC_UNSUPPORTED_CHANNELCONFIG; } /* Set syntax flags */ From 0e5db9fee912d367a572b88f0d86f9a33006fa29 Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Wed, 15 Aug 2018 14:33:56 +0200 Subject: [PATCH 2/3] Unify audio element loop abort criterion in ER syntax Bug: 112891548 Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: Iea56cf804cfb9d396810124c718fc91bdff68392 (cherry picked from commit f2bc07da2ed70eb069f3faab1179c4c89792bf3d) --- libAACdec/src/aacdecoder.cpp | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/libAACdec/src/aacdecoder.cpp b/libAACdec/src/aacdecoder.cpp index fab30de..24907ee 100644 --- a/libAACdec/src/aacdecoder.cpp +++ b/libAACdec/src/aacdecoder.cpp @@ -2047,17 +2047,12 @@ CAacDecoder_Init(HANDLE_AACDECODER self, const CSAudioSpecificConfig *asc, if (self->flags[streamIndex] & (AC_RSV603DA | AC_USAC)) { _numElements = (int)asc->m_sc.m_usacConfig.m_usacNumElements; } - if (self->flags[streamIndex] & (AC_ER | AC_LD | AC_ELD)) { - _numElements = (asc->m_channelConfiguration == 7) - ? 8 - : asc->m_channelConfiguration; - } for (int _el = 0; _el < _numElements; _el++) { int el_channels = 0; int el = elementOffset + _el; if (self->flags[streamIndex] & - (AC_ELD | AC_RSV603DA | AC_USAC | AC_RSVD50)) { + (AC_ER | AC_LD | AC_ELD | AC_RSV603DA | AC_USAC | AC_RSVD50)) { if (ch >= ascChannels) { break; } @@ -2107,7 +2102,9 @@ CAacDecoder_Init(HANDLE_AACDECODER self, const CSAudioSpecificConfig *asc, (SPECTRAL_PTR)&self->workBufferCore2[ch * 1024]; if (el_channels == 2) { - FDK_ASSERT(ch < (8) - 1); + if (ch >= (8) - 1) { + return AAC_DEC_UNSUPPORTED_CHANNELCONFIG; + } self->pAacDecoderChannelInfo[ch + 1]->pComData = self->pAacDecoderChannelInfo[ch]->pComData; self->pAacDecoderChannelInfo[ch + 1]->pComStaticData = From 5e5701952535e22ad38d6735bbf4f1f92ce99ceb Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Mon, 10 Sep 2018 16:39:30 +0200 Subject: [PATCH 3/3] Prevent out of bounds accesses in lppTransposer() and lppTransposerHBE() Bug: 112160868 Test: see poc in bug Change-Id: I6a2161865d9cb9b51dc37c09d6e3a4a8e5d11f86 (cherry picked from commit 4dad829df00932b89858b9833cf5dcded8d97c37) --- Android.bp | 3 ++ libSBRdec/src/lpp_tran.cpp | 74 ++++++++++++++++++++++++-------------- 2 files changed, 50 insertions(+), 27 deletions(-) diff --git a/Android.bp b/Android.bp index 50cc092..c89a95c 100644 --- a/Android.bp +++ b/Android.bp @@ -27,6 +27,9 @@ cc_library_static { misc_undefined:["unsigned-integer-overflow", "signed-integer-overflow"], cfi: true, }, + shared_libs: [ + "liblog", + ], export_include_dirs: [ "libAACdec/include", "libAACenc/include", diff --git a/libSBRdec/src/lpp_tran.cpp b/libSBRdec/src/lpp_tran.cpp index aa1fd5d..2ef07eb 100644 --- a/libSBRdec/src/lpp_tran.cpp +++ b/libSBRdec/src/lpp_tran.cpp @@ -118,6 +118,10 @@ amm-info@iis.fraunhofer.de \sa lppTransposer(), main_audio.cpp, sbr_scale.h, \ref documentationOverview */ +#ifdef __ANDROID__ +#include "log/log.h" +#endif + #include "lpp_tran.h" #include "sbr_ram.h" @@ -295,7 +299,6 @@ void lppTransposer( int ovLowBandShift; int lowBandShift; /* int ovHighBandShift;*/ - int targetStopBand; alphai[0] = FL2FXCONST_SGL(0.0f); alphai[1] = FL2FXCONST_SGL(0.0f); @@ -311,25 +314,34 @@ void lppTransposer( autoCorrLength = pSettings->nCols + pSettings->overlap; - /* Set upper subbands to zero: - This is required in case that the patches do not cover the complete - highband (because the last patch would be too short). Possible - optimization: Clearing bands up to usb would be sufficient here. */ - targetStopBand = patchParam[pSettings->noOfPatches - 1].targetStartBand + - patchParam[pSettings->noOfPatches - 1].numBandsInPatch; + if (pSettings->noOfPatches > 0) { + /* Set upper subbands to zero: + This is required in case that the patches do not cover the complete + highband (because the last patch would be too short). Possible + optimization: Clearing bands up to usb would be sufficient here. */ + int targetStopBand = + patchParam[pSettings->noOfPatches - 1].targetStartBand + + patchParam[pSettings->noOfPatches - 1].numBandsInPatch; - int memSize = ((64) - targetStopBand) * sizeof(FIXP_DBL); + int memSize = ((64) - targetStopBand) * sizeof(FIXP_DBL); - if (!useLP) { - for (i = startSample; i < stopSampleClear; i++) { - FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize); - FDKmemclear(&qmfBufferImag[i][targetStopBand], memSize); - } - } else { - for (i = startSample; i < stopSampleClear; i++) { - FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize); + if (!useLP) { + for (i = startSample; i < stopSampleClear; i++) { + FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize); + FDKmemclear(&qmfBufferImag[i][targetStopBand], memSize); + } + } else { + for (i = startSample; i < stopSampleClear; i++) { + FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize); + } } } +#ifdef __ANDROID__ + else { + // Safetynet logging + android_errorWriteLog(0x534e4554, "112160868"); + } +#endif /* init bwIndex for each patch */ FDKmemclear(bwIndex, sizeof(bwIndex)); @@ -874,7 +886,6 @@ void lppTransposerHBE( int ovLowBandShift; int lowBandShift; /* int ovHighBandShift;*/ - int targetStopBand; alphai[0] = FL2FXCONST_SGL(0.0f); alphai[1] = FL2FXCONST_SGL(0.0f); @@ -889,19 +900,28 @@ void lppTransposerHBE( autoCorrLength = pSettings->nCols + pSettings->overlap; - /* Set upper subbands to zero: - This is required in case that the patches do not cover the complete - highband (because the last patch would be too short). Possible - optimization: Clearing bands up to usb would be sufficient here. */ - targetStopBand = patchParam[pSettings->noOfPatches - 1].targetStartBand + - patchParam[pSettings->noOfPatches - 1].numBandsInPatch; + if (pSettings->noOfPatches > 0) { + /* Set upper subbands to zero: + This is required in case that the patches do not cover the complete + highband (because the last patch would be too short). Possible + optimization: Clearing bands up to usb would be sufficient here. */ + int targetStopBand = + patchParam[pSettings->noOfPatches - 1].targetStartBand + + patchParam[pSettings->noOfPatches - 1].numBandsInPatch; - int memSize = ((64) - targetStopBand) * sizeof(FIXP_DBL); + int memSize = ((64) - targetStopBand) * sizeof(FIXP_DBL); - for (i = startSample; i < stopSampleClear; i++) { - FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize); - FDKmemclear(&qmfBufferImag[i][targetStopBand], memSize); + for (i = startSample; i < stopSampleClear; i++) { + FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize); + FDKmemclear(&qmfBufferImag[i][targetStopBand], memSize); + } } +#ifdef __ANDROID__ + else { + // Safetynet logging + android_errorWriteLog(0x534e4554, "112160868"); + } +#endif /* Calc common low band scale factor