mirror of https://github.com/mstorsjo/fdk-aac.git
FDK patches: fix overflows in decoder out-of-band config
Bug: 71430241
Bug: 79220129
Test: cts-tradefed run commandAndExit cts-dev -m CtsMediaTestCases -t android.media.cts.DecoderTestXheAac
cts-tradefed run commandAndExit cts-dev -m CtsMediaTestCases -t android.media.cts.DecoderTestAacDrc
Unsigned Integer Overflows in CDataStreamElement_Read()
Change-Id: Ic2f5b3ae111bf984d4d0db664823798957b0a979
Unsigned Integer Overflow in CProgramConfig_ReadHeightExt()
Change-Id: Iaebc458bb59504203e604a28ed6d5cecaa875c42
Unsigned Integer Overflow in transportDec_OutOfBandConfig()
Change-Id: I24a4b32d736f28c55147f0e2ca06fe5537da19c2
Unsigned Integer Overflows in CDKcrcEndReg() & crcCalc()
Change-Id: I6ebbe541a4d3b6bacbd5ace17264972951de7ca8
Unsigned Integer Overflows in ReadPsData()
Change-Id: Id36576fe545236860a06f17971494ecd4484c494
Unsigned Integer Overflow in SpatialDecParseSpecificConfig()
Change-Id: Ib468f129a951c69776b88468407f008ab4cfd2c7
Unsigned Integer Overflows in _readUniDrcConfigExtension() & _readLoudnessInfoSetExtension()
Change-Id: Ibcf7c6a23af49239206ea9301c58adac36e3ceba
This commit is contained in:
Fraunhofer IIS FDK
Jean-Michel Trivi
parent
9ab67882ec
commit
44ac411683
|
|
@ -437,7 +437,8 @@ static AAC_DECODER_ERROR CDataStreamElement_Read(HANDLE_AACDECODER self,
|
|||
UCHAR *elementInstanceTag,
|
||||
UINT alignmentAnchor) {
|
||||
AAC_DECODER_ERROR error = AAC_DEC_OK;
|
||||
UINT dataStart, dseBits;
|
||||
UINT dseBits;
|
||||
INT dataStart;
|
||||
int dataByteAlignFlag, count;
|
||||
|
||||
FDK_ASSERT(self != NULL);
|
||||
|
|
@ -460,14 +461,14 @@ static AAC_DECODER_ERROR CDataStreamElement_Read(HANDLE_AACDECODER self,
|
|||
FDKbyteAlign(bs, alignmentAnchor);
|
||||
}
|
||||
|
||||
dataStart = FDKgetValidBits(bs);
|
||||
dataStart = (INT)FDKgetValidBits(bs);
|
||||
|
||||
error = CAacDecoder_AncDataParse(&self->ancData, bs, count);
|
||||
transportDec_CrcEndReg(self->hInput, crcReg);
|
||||
|
||||
{
|
||||
/* Move to the beginning of the data chunk */
|
||||
FDKpushBack(bs, dataStart - FDKgetValidBits(bs));
|
||||
FDKpushBack(bs, dataStart - (INT)FDKgetValidBits(bs));
|
||||
|
||||
/* Read Anc data if available */
|
||||
aacDecoder_drcMarkPayload(self->hDrcInfo, bs, DVB_DRC_ANC_DATA);
|
||||
|
|
@ -477,7 +478,7 @@ static AAC_DECODER_ERROR CDataStreamElement_Read(HANDLE_AACDECODER self,
|
|||
PCMDMX_ERROR dmxErr = PCMDMX_OK;
|
||||
|
||||
/* Move to the beginning of the data chunk */
|
||||
FDKpushBack(bs, dataStart - FDKgetValidBits(bs));
|
||||
FDKpushBack(bs, dataStart - (INT)FDKgetValidBits(bs));
|
||||
|
||||
/* Read DMX meta-data */
|
||||
dmxErr = pcmDmx_Parse(self->hPcmUtils, bs, dseBits, 0 /* not mpeg2 */);
|
||||
|
|
@ -487,8 +488,7 @@ static AAC_DECODER_ERROR CDataStreamElement_Read(HANDLE_AACDECODER self,
|
|||
}
|
||||
|
||||
/* Move to the very end of the element. */
|
||||
FDKpushBiDirectional(
|
||||
bs, (INT)FDKgetValidBits(bs) - (INT)dataStart + (INT)dseBits);
|
||||
FDKpushBiDirectional(bs, (INT)FDKgetValidBits(bs) - dataStart + (INT)dseBits);
|
||||
|
||||
return error;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1622,7 +1622,7 @@ static DRC_ERROR _readUniDrcConfigExtension(
|
|||
HANDLE_FDK_BITSTREAM hBs, HANDLE_UNI_DRC_CONFIG hUniDrcConfig) {
|
||||
DRC_ERROR err = DE_OK;
|
||||
int k, bitSizeLen, extSizeBits, bitSize;
|
||||
UINT nBitsRemaining;
|
||||
INT nBitsRemaining;
|
||||
UNI_DRC_CONFIG_EXTENSION* pExt = &(hUniDrcConfig->uniDrcConfigExt);
|
||||
|
||||
k = 0;
|
||||
|
|
@ -1634,13 +1634,14 @@ static DRC_ERROR _readUniDrcConfigExtension(
|
|||
|
||||
bitSize = FDKreadBits(hBs, extSizeBits);
|
||||
pExt->extBitSize[k] = bitSize + 1;
|
||||
nBitsRemaining = FDKgetValidBits(hBs);
|
||||
nBitsRemaining = (INT)FDKgetValidBits(hBs);
|
||||
|
||||
switch (pExt->uniDrcConfigExtType[k]) {
|
||||
case UNIDRCCONFEXT_V1:
|
||||
err = _readDrcExtensionV1(hBs, hUniDrcConfig);
|
||||
if (err) return err;
|
||||
if (nBitsRemaining != (pExt->extBitSize[k] + FDKgetValidBits(hBs)))
|
||||
if (nBitsRemaining !=
|
||||
((INT)pExt->extBitSize[k] + (INT)FDKgetValidBits(hBs)))
|
||||
return DE_NOT_OK;
|
||||
break;
|
||||
case UNIDRCCONFEXT_PARAM_DRC:
|
||||
|
|
@ -1940,7 +1941,7 @@ static DRC_ERROR _readLoudnessInfoSetExtension(
|
|||
HANDLE_FDK_BITSTREAM hBs, HANDLE_LOUDNESS_INFO_SET hLoudnessInfoSet) {
|
||||
DRC_ERROR err = DE_OK;
|
||||
int k, bitSizeLen, extSizeBits, bitSize;
|
||||
UINT nBitsRemaining;
|
||||
INT nBitsRemaining;
|
||||
LOUDNESS_INFO_SET_EXTENSION* pExt = &(hLoudnessInfoSet->loudnessInfoSetExt);
|
||||
|
||||
k = 0;
|
||||
|
|
@ -1952,13 +1953,14 @@ static DRC_ERROR _readLoudnessInfoSetExtension(
|
|||
|
||||
bitSize = FDKreadBits(hBs, extSizeBits);
|
||||
pExt->extBitSize[k] = bitSize + 1;
|
||||
nBitsRemaining = FDKgetValidBits(hBs);
|
||||
nBitsRemaining = (INT)FDKgetValidBits(hBs);
|
||||
|
||||
switch (pExt->loudnessInfoSetExtType[k]) {
|
||||
case UNIDRCLOUDEXT_EQ:
|
||||
err = _readLoudnessInfoSetExtEq(hBs, hLoudnessInfoSet);
|
||||
if (err) return err;
|
||||
if (nBitsRemaining != (pExt->extBitSize[k] + FDKgetValidBits(hBs)))
|
||||
if (nBitsRemaining !=
|
||||
((INT)pExt->extBitSize[k] + (INT)FDKgetValidBits(hBs)))
|
||||
return DE_NOT_OK;
|
||||
break;
|
||||
/* add future extensions here */
|
||||
|
|
|
|||
|
|
@ -115,8 +115,8 @@ amm-info@iis.fraunhofer.de
|
|||
typedef struct {
|
||||
UCHAR isActive;
|
||||
INT maxBits;
|
||||
UINT bitBufCntBits;
|
||||
UINT validBits;
|
||||
INT bitBufCntBits;
|
||||
INT validBits;
|
||||
|
||||
} CCrcRegData;
|
||||
|
||||
|
|
|
|||
|
|
@ -281,7 +281,7 @@ INT FDKcrcStartReg(HANDLE_FDK_CRCINFO hCrcInfo, const HANDLE_FDK_BITSTREAM hBs,
|
|||
FDK_ASSERT(hCrcInfo->crcRegData[reg].isActive == 0);
|
||||
hCrcInfo->crcRegData[reg].isActive = 1;
|
||||
hCrcInfo->crcRegData[reg].maxBits = mBits;
|
||||
hCrcInfo->crcRegData[reg].validBits = FDKgetValidBits(hBs);
|
||||
hCrcInfo->crcRegData[reg].validBits = (INT)FDKgetValidBits(hBs);
|
||||
hCrcInfo->crcRegData[reg].bitBufCntBits = 0;
|
||||
|
||||
hCrcInfo->regStart = (hCrcInfo->regStart + 1) % MAX_CRC_REGS;
|
||||
|
|
@ -296,10 +296,10 @@ INT FDKcrcEndReg(HANDLE_FDK_CRCINFO hCrcInfo, const HANDLE_FDK_BITSTREAM hBs,
|
|||
|
||||
if (hBs->ConfigCache == BS_WRITER) {
|
||||
hCrcInfo->crcRegData[reg].bitBufCntBits =
|
||||
FDKgetValidBits(hBs) - hCrcInfo->crcRegData[reg].validBits;
|
||||
(INT)FDKgetValidBits(hBs) - hCrcInfo->crcRegData[reg].validBits;
|
||||
} else {
|
||||
hCrcInfo->crcRegData[reg].bitBufCntBits =
|
||||
hCrcInfo->crcRegData[reg].validBits - FDKgetValidBits(hBs);
|
||||
hCrcInfo->crcRegData[reg].validBits - (INT)FDKgetValidBits(hBs);
|
||||
}
|
||||
|
||||
if (hCrcInfo->crcRegData[reg].maxBits == 0) {
|
||||
|
|
@ -432,7 +432,7 @@ static void crcCalc(HANDLE_FDK_CRCINFO hCrcInfo, HANDLE_FDK_BITSTREAM hBs,
|
|||
if (hBs->ConfigCache == BS_READER) {
|
||||
bsReader = *hBs;
|
||||
FDKpushBiDirectional(&bsReader,
|
||||
-(INT)(rD->validBits - FDKgetValidBits(&bsReader)));
|
||||
-(rD->validBits - (INT)FDKgetValidBits(&bsReader)));
|
||||
} else {
|
||||
FDKinitBitStream(&bsReader, hBs->hBitBuf.Buffer, hBs->hBitBuf.bufSize,
|
||||
hBs->hBitBuf.ValidBits, BS_READER);
|
||||
|
|
@ -441,7 +441,7 @@ static void crcCalc(HANDLE_FDK_CRCINFO hCrcInfo, HANDLE_FDK_BITSTREAM hBs,
|
|||
|
||||
int bits, rBits;
|
||||
rBits = (rD->maxBits >= 0) ? rD->maxBits : -rD->maxBits; /* ramaining bits */
|
||||
if ((rD->maxBits > 0) && (((INT)rD->bitBufCntBits >> 3 << 3) < rBits)) {
|
||||
if ((rD->maxBits > 0) && ((rD->bitBufCntBits >> 3 << 3) < rBits)) {
|
||||
bits = rD->bitBufCntBits;
|
||||
} else {
|
||||
bits = rBits;
|
||||
|
|
|
|||
|
|
@ -257,11 +257,11 @@ static int CProgramConfig_ReadHeightExt(CProgramConfig *pPce,
|
|||
}
|
||||
} else {
|
||||
/* No valid extension data found -> restore the initial bitbuffer state */
|
||||
FDKpushBack(bs, startAnchor - FDKgetValidBits(bs));
|
||||
FDKpushBack(bs, (INT)startAnchor - (INT)FDKgetValidBits(bs));
|
||||
}
|
||||
|
||||
/* Always report the bytes read. */
|
||||
*bytesAvailable -= (startAnchor - FDKgetValidBits(bs)) >> 3;
|
||||
*bytesAvailable -= ((INT)startAnchor - (INT)FDKgetValidBits(bs)) >> 3;
|
||||
|
||||
return (err);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -283,7 +283,7 @@ TRANSPORTDEC_ERROR transportDec_OutOfBandConfig(HANDLE_TRANSPORTDEC hTp,
|
|||
|
||||
for (i = 0; i < 2; i++) {
|
||||
if (i > 0) {
|
||||
FDKpushBack(hBs, length * 8 - FDKgetValidBits(hBs));
|
||||
FDKpushBack(hBs, (INT)length * 8 - (INT)FDKgetValidBits(hBs));
|
||||
configMode = AC_CM_ALLOC_MEM;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -566,7 +566,7 @@ SACDEC_ERROR SpatialDecParseSpecificConfig(
|
|||
with respect to the beginning of the syntactic
|
||||
element in which ByteAlign() occurs. */
|
||||
|
||||
numHeaderBits = cfgStartPos - FDKgetValidBits(bitstream);
|
||||
numHeaderBits = cfgStartPos - (INT)FDKgetValidBits(bitstream);
|
||||
bitsAvailable -= numHeaderBits;
|
||||
|
||||
pSpatialSpecificConfig->sacExtCnt = 0;
|
||||
|
|
@ -594,7 +594,7 @@ bail:
|
|||
bitbuffer is exactly at its end when leaving the function. */
|
||||
FDKpushBiDirectional(
|
||||
bitstream,
|
||||
(sacHeaderLen * 8) - (cfgStartPos - FDKgetValidBits(bitstream)));
|
||||
(sacHeaderLen * 8) - (cfgStartPos - (INT)FDKgetValidBits(bitstream)));
|
||||
}
|
||||
|
||||
return err;
|
||||
|
|
|
|||
|
|
@ -496,7 +496,7 @@ unsigned int ReadPsData(
|
|||
/* no useful PS data could be read from bitstream */
|
||||
h_ps_d->bPsDataAvail[h_ps_d->bsReadSlot] = ppt_none;
|
||||
/* discard all remaining bits */
|
||||
nBitsLeft -= startbits - FDKgetValidBits(hBitBuf);
|
||||
nBitsLeft -= startbits - (INT)FDKgetValidBits(hBitBuf);
|
||||
while (nBitsLeft > 0) {
|
||||
int i = nBitsLeft;
|
||||
if (i > 8) {
|
||||
|
|
@ -505,7 +505,7 @@ unsigned int ReadPsData(
|
|||
FDKreadBits(hBitBuf, i);
|
||||
nBitsLeft -= i;
|
||||
}
|
||||
return (startbits - FDKgetValidBits(hBitBuf));
|
||||
return (UINT)(startbits - (INT)FDKgetValidBits(hBitBuf));
|
||||
}
|
||||
|
||||
if (pBsData->modeIid > 2) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue