fenix
/
fdk-aac
mirror of https://github.com/mstorsjo/fdk-aac.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

FDK patches: fix overflows in decoder out-of-band config 

Bug: 71430241
Bug: 79220129
Test: cts-tradefed run commandAndExit cts-dev -m CtsMediaTestCases -t android.media.cts.DecoderTestXheAac
      cts-tradefed run commandAndExit cts-dev -m CtsMediaTestCases -t android.media.cts.DecoderTestAacDrc

Unsigned Integer Overflows in CDataStreamElement_Read()

Change-Id: Ic2f5b3ae111bf984d4d0db664823798957b0a979

Unsigned Integer Overflow in CProgramConfig_ReadHeightExt()

Change-Id: Iaebc458bb59504203e604a28ed6d5cecaa875c42

Unsigned Integer Overflow in transportDec_OutOfBandConfig()

Change-Id: I24a4b32d736f28c55147f0e2ca06fe5537da19c2

Unsigned Integer Overflows in CDKcrcEndReg() & crcCalc()

Change-Id: I6ebbe541a4d3b6bacbd5ace17264972951de7ca8

Unsigned Integer Overflows in ReadPsData()

Change-Id: Id36576fe545236860a06f17971494ecd4484c494

Unsigned Integer Overflow in SpatialDecParseSpecificConfig()

Change-Id: Ib468f129a951c69776b88468407f008ab4cfd2c7

Unsigned Integer Overflows in _readUniDrcConfigExtension() & _readLoudnessInfoSetExtension()

Change-Id: Ibcf7c6a23af49239206ea9301c58adac36e3ceba
This commit is contained in:
Fraunhofer IIS FDK 2018-05-09 13:32:45 +02:00 committed by Jean-Michel Trivi
parent 9ab67882ec
commit 44ac411683
8 changed files with 28 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
libAACdec/src/aacdecoder.cpp
View File

@ -437,7 +437,8 @@ static AAC_DECODER_ERROR CDataStreamElement_Read(HANDLE_AACDECODER self,
UCHAR *elementInstanceTag, UCHAR *elementInstanceTag,
UINT alignmentAnchor) { UINT alignmentAnchor) {
AAC_DECODER_ERROR error = AAC_DEC_OK; AAC_DECODER_ERROR error = AAC_DEC_OK;
UINT dataStart, dseBits; UINT dseBits;
INT dataStart;
int dataByteAlignFlag, count; int dataByteAlignFlag, count;
FDK_ASSERT(self != NULL); FDK_ASSERT(self != NULL);
@ -460,14 +461,14 @@ static AAC_DECODER_ERROR CDataStreamElement_Read(HANDLE_AACDECODER self,
FDKbyteAlign(bs, alignmentAnchor); FDKbyteAlign(bs, alignmentAnchor);
} }
dataStart = FDKgetValidBits(bs); dataStart = (INT)FDKgetValidBits(bs);
error = CAacDecoder_AncDataParse(&self->ancData, bs, count); error = CAacDecoder_AncDataParse(&self->ancData, bs, count);
transportDec_CrcEndReg(self->hInput, crcReg); transportDec_CrcEndReg(self->hInput, crcReg);
{ {
/* Move to the beginning of the data chunk */ /* Move to the beginning of the data chunk */
FDKpushBack(bs, dataStart - FDKgetValidBits(bs)); FDKpushBack(bs, dataStart - (INT)FDKgetValidBits(bs));
/* Read Anc data if available */ /* Read Anc data if available */
aacDecoder_drcMarkPayload(self->hDrcInfo, bs, DVB_DRC_ANC_DATA); aacDecoder_drcMarkPayload(self->hDrcInfo, bs, DVB_DRC_ANC_DATA);
@ -477,7 +478,7 @@ static AAC_DECODER_ERROR CDataStreamElement_Read(HANDLE_AACDECODER self,
PCMDMX_ERROR dmxErr = PCMDMX_OK; PCMDMX_ERROR dmxErr = PCMDMX_OK;
/* Move to the beginning of the data chunk */ /* Move to the beginning of the data chunk */
FDKpushBack(bs, dataStart - FDKgetValidBits(bs)); FDKpushBack(bs, dataStart - (INT)FDKgetValidBits(bs));
/* Read DMX meta-data */ /* Read DMX meta-data */
dmxErr = pcmDmx_Parse(self->hPcmUtils, bs, dseBits, 0 /* not mpeg2 */); dmxErr = pcmDmx_Parse(self->hPcmUtils, bs, dseBits, 0 /* not mpeg2 */);
@ -487,8 +488,7 @@ static AAC_DECODER_ERROR CDataStreamElement_Read(HANDLE_AACDECODER self,
} }
/* Move to the very end of the element. */ /* Move to the very end of the element. */
FDKpushBiDirectional( FDKpushBiDirectional(bs, (INT)FDKgetValidBits(bs) - dataStart + (INT)dseBits);
bs, (INT)FDKgetValidBits(bs) - (INT)dataStart + (INT)dseBits);
return error; return error;
} }

14
libDRCdec/src/drcDec_reader.cpp
View File

@ -1622,7 +1622,7 @@ static DRC_ERROR _readUniDrcConfigExtension(
HANDLE_FDK_BITSTREAM hBs, HANDLE_UNI_DRC_CONFIG hUniDrcConfig) { HANDLE_FDK_BITSTREAM hBs, HANDLE_UNI_DRC_CONFIG hUniDrcConfig) {
DRC_ERROR err = DE_OK; DRC_ERROR err = DE_OK;
int k, bitSizeLen, extSizeBits, bitSize; int k, bitSizeLen, extSizeBits, bitSize;
UINT nBitsRemaining; INT nBitsRemaining;
UNI_DRC_CONFIG_EXTENSION* pExt = &(hUniDrcConfig->uniDrcConfigExt); UNI_DRC_CONFIG_EXTENSION* pExt = &(hUniDrcConfig->uniDrcConfigExt);
k = 0; k = 0;
@ -1634,13 +1634,14 @@ static DRC_ERROR _readUniDrcConfigExtension(
bitSize = FDKreadBits(hBs, extSizeBits); bitSize = FDKreadBits(hBs, extSizeBits);
pExt->extBitSize[k] = bitSize + 1; pExt->extBitSize[k] = bitSize + 1;
nBitsRemaining = FDKgetValidBits(hBs); nBitsRemaining = (INT)FDKgetValidBits(hBs);
switch (pExt->uniDrcConfigExtType[k]) { switch (pExt->uniDrcConfigExtType[k]) {
case UNIDRCCONFEXT_V1: case UNIDRCCONFEXT_V1:
err = _readDrcExtensionV1(hBs, hUniDrcConfig); err = _readDrcExtensionV1(hBs, hUniDrcConfig);
if (err) return err; if (err) return err;
if (nBitsRemaining != (pExt->extBitSize[k] + FDKgetValidBits(hBs))) if (nBitsRemaining !=
((INT)pExt->extBitSize[k] + (INT)FDKgetValidBits(hBs)))
return DE_NOT_OK; return DE_NOT_OK;
break; break;
case UNIDRCCONFEXT_PARAM_DRC: case UNIDRCCONFEXT_PARAM_DRC:
@ -1940,7 +1941,7 @@ static DRC_ERROR _readLoudnessInfoSetExtension(
HANDLE_FDK_BITSTREAM hBs, HANDLE_LOUDNESS_INFO_SET hLoudnessInfoSet) { HANDLE_FDK_BITSTREAM hBs, HANDLE_LOUDNESS_INFO_SET hLoudnessInfoSet) {
DRC_ERROR err = DE_OK; DRC_ERROR err = DE_OK;
int k, bitSizeLen, extSizeBits, bitSize; int k, bitSizeLen, extSizeBits, bitSize;
UINT nBitsRemaining; INT nBitsRemaining;
LOUDNESS_INFO_SET_EXTENSION* pExt = &(hLoudnessInfoSet->loudnessInfoSetExt); LOUDNESS_INFO_SET_EXTENSION* pExt = &(hLoudnessInfoSet->loudnessInfoSetExt);
k = 0; k = 0;
@ -1952,13 +1953,14 @@ static DRC_ERROR _readLoudnessInfoSetExtension(
bitSize = FDKreadBits(hBs, extSizeBits); bitSize = FDKreadBits(hBs, extSizeBits);
pExt->extBitSize[k] = bitSize + 1; pExt->extBitSize[k] = bitSize + 1;
nBitsRemaining = FDKgetValidBits(hBs); nBitsRemaining = (INT)FDKgetValidBits(hBs);
switch (pExt->loudnessInfoSetExtType[k]) { switch (pExt->loudnessInfoSetExtType[k]) {
case UNIDRCLOUDEXT_EQ: case UNIDRCLOUDEXT_EQ:
err = _readLoudnessInfoSetExtEq(hBs, hLoudnessInfoSet); err = _readLoudnessInfoSetExtEq(hBs, hLoudnessInfoSet);
if (err) return err; if (err) return err;
if (nBitsRemaining != (pExt->extBitSize[k] + FDKgetValidBits(hBs))) if (nBitsRemaining !=
((INT)pExt->extBitSize[k] + (INT)FDKgetValidBits(hBs)))
return DE_NOT_OK; return DE_NOT_OK;
break; break;
/* add future extensions here */ /* add future extensions here */

4
libFDK/include/FDK_crc.h
View File

@ -115,8 +115,8 @@ amm-info@iis.fraunhofer.de
typedef struct { typedef struct {
UCHAR isActive; UCHAR isActive;
INT maxBits; INT maxBits;
UINT bitBufCntBits; INT bitBufCntBits;
UINT validBits; INT validBits;
} CCrcRegData; } CCrcRegData;

10
libFDK/src/FDK_crc.cpp
View File

@ -281,7 +281,7 @@ INT FDKcrcStartReg(HANDLE_FDK_CRCINFO hCrcInfo, const HANDLE_FDK_BITSTREAM hBs,
FDK_ASSERT(hCrcInfo->crcRegData[reg].isActive == 0); FDK_ASSERT(hCrcInfo->crcRegData[reg].isActive == 0);
hCrcInfo->crcRegData[reg].isActive = 1; hCrcInfo->crcRegData[reg].isActive = 1;
hCrcInfo->crcRegData[reg].maxBits = mBits; hCrcInfo->crcRegData[reg].maxBits = mBits;
hCrcInfo->crcRegData[reg].validBits = FDKgetValidBits(hBs); hCrcInfo->crcRegData[reg].validBits = (INT)FDKgetValidBits(hBs);
hCrcInfo->crcRegData[reg].bitBufCntBits = 0; hCrcInfo->crcRegData[reg].bitBufCntBits = 0;
hCrcInfo->regStart = (hCrcInfo->regStart + 1) % MAX_CRC_REGS; hCrcInfo->regStart = (hCrcInfo->regStart + 1) % MAX_CRC_REGS;
@ -296,10 +296,10 @@ INT FDKcrcEndReg(HANDLE_FDK_CRCINFO hCrcInfo, const HANDLE_FDK_BITSTREAM hBs,
if (hBs->ConfigCache == BS_WRITER) { if (hBs->ConfigCache == BS_WRITER) {
hCrcInfo->crcRegData[reg].bitBufCntBits = hCrcInfo->crcRegData[reg].bitBufCntBits =
FDKgetValidBits(hBs) - hCrcInfo->crcRegData[reg].validBits; (INT)FDKgetValidBits(hBs) - hCrcInfo->crcRegData[reg].validBits;
} else { } else {
hCrcInfo->crcRegData[reg].bitBufCntBits = hCrcInfo->crcRegData[reg].bitBufCntBits =
hCrcInfo->crcRegData[reg].validBits - FDKgetValidBits(hBs); hCrcInfo->crcRegData[reg].validBits - (INT)FDKgetValidBits(hBs);
} }
if (hCrcInfo->crcRegData[reg].maxBits == 0) { if (hCrcInfo->crcRegData[reg].maxBits == 0) {
@ -432,7 +432,7 @@ static void crcCalc(HANDLE_FDK_CRCINFO hCrcInfo, HANDLE_FDK_BITSTREAM hBs,
if (hBs->ConfigCache == BS_READER) { if (hBs->ConfigCache == BS_READER) {
bsReader = *hBs; bsReader = *hBs;
FDKpushBiDirectional(&bsReader, FDKpushBiDirectional(&bsReader,
-(INT)(rD->validBits - FDKgetValidBits(&bsReader))); -(rD->validBits - (INT)FDKgetValidBits(&bsReader)));
} else { } else {
FDKinitBitStream(&bsReader, hBs->hBitBuf.Buffer, hBs->hBitBuf.bufSize, FDKinitBitStream(&bsReader, hBs->hBitBuf.Buffer, hBs->hBitBuf.bufSize,
hBs->hBitBuf.ValidBits, BS_READER); hBs->hBitBuf.ValidBits, BS_READER);
@ -441,7 +441,7 @@ static void crcCalc(HANDLE_FDK_CRCINFO hCrcInfo, HANDLE_FDK_BITSTREAM hBs,
int bits, rBits; int bits, rBits;
rBits = (rD->maxBits >= 0) ? rD->maxBits : -rD->maxBits; /* ramaining bits */ rBits = (rD->maxBits >= 0) ? rD->maxBits : -rD->maxBits; /* ramaining bits */
if ((rD->maxBits > 0) && (((INT)rD->bitBufCntBits >> 3 << 3) < rBits)) { if ((rD->maxBits > 0) && ((rD->bitBufCntBits >> 3 << 3) < rBits)) {
bits = rD->bitBufCntBits; bits = rD->bitBufCntBits;
} else { } else {
bits = rBits; bits = rBits;

4
libMpegTPDec/src/tpdec_asc.cpp
View File

@ -257,11 +257,11 @@ static int CProgramConfig_ReadHeightExt(CProgramConfig *pPce,
} }
} else { } else {
/* No valid extension data found -> restore the initial bitbuffer state */ /* No valid extension data found -> restore the initial bitbuffer state */
FDKpushBack(bs, startAnchor - FDKgetValidBits(bs)); FDKpushBack(bs, (INT)startAnchor - (INT)FDKgetValidBits(bs));
} }
/* Always report the bytes read. */ /* Always report the bytes read. */
*bytesAvailable -= (startAnchor - FDKgetValidBits(bs)) >> 3; *bytesAvailable -= ((INT)startAnchor - (INT)FDKgetValidBits(bs)) >> 3;
return (err); return (err);
} }

2
libMpegTPDec/src/tpdec_lib.cpp
View File

@ -283,7 +283,7 @@ TRANSPORTDEC_ERROR transportDec_OutOfBandConfig(HANDLE_TRANSPORTDEC hTp,
for (i = 0; i < 2; i++) { for (i = 0; i < 2; i++) {
if (i > 0) { if (i > 0) {
FDKpushBack(hBs, length * 8 - FDKgetValidBits(hBs)); FDKpushBack(hBs, (INT)length * 8 - (INT)FDKgetValidBits(hBs));
configMode = AC_CM_ALLOC_MEM; configMode = AC_CM_ALLOC_MEM;
} }

4
libSACdec/src/sac_bitdec.cpp
View File

@ -566,7 +566,7 @@ SACDEC_ERROR SpatialDecParseSpecificConfig(
with respect to the beginning of the syntactic with respect to the beginning of the syntactic
element in which ByteAlign() occurs. */ element in which ByteAlign() occurs. */
numHeaderBits = cfgStartPos - FDKgetValidBits(bitstream); numHeaderBits = cfgStartPos - (INT)FDKgetValidBits(bitstream);
bitsAvailable -= numHeaderBits; bitsAvailable -= numHeaderBits;
pSpatialSpecificConfig->sacExtCnt = 0; pSpatialSpecificConfig->sacExtCnt = 0;
@ -594,7 +594,7 @@ bail:
bitbuffer is exactly at its end when leaving the function. */ bitbuffer is exactly at its end when leaving the function. */
FDKpushBiDirectional( FDKpushBiDirectional(
bitstream, bitstream,
(sacHeaderLen * 8) - (cfgStartPos - FDKgetValidBits(bitstream))); (sacHeaderLen * 8) - (cfgStartPos - (INT)FDKgetValidBits(bitstream)));
} }
return err; return err;

4
libSBRdec/src/psbitdec.cpp
View File

@ -496,7 +496,7 @@ unsigned int ReadPsData(
/* no useful PS data could be read from bitstream */ /* no useful PS data could be read from bitstream */
h_ps_d->bPsDataAvail[h_ps_d->bsReadSlot] = ppt_none; h_ps_d->bPsDataAvail[h_ps_d->bsReadSlot] = ppt_none;
/* discard all remaining bits */ /* discard all remaining bits */
nBitsLeft -= startbits - FDKgetValidBits(hBitBuf); nBitsLeft -= startbits - (INT)FDKgetValidBits(hBitBuf);
while (nBitsLeft > 0) { while (nBitsLeft > 0) {
int i = nBitsLeft; int i = nBitsLeft;
if (i > 8) { if (i > 8) {
@ -505,7 +505,7 @@ unsigned int ReadPsData(
FDKreadBits(hBitBuf, i); FDKreadBits(hBitBuf, i);
nBitsLeft -= i; nBitsLeft -= i;
} }
return (startbits - FDKgetValidBits(hBitBuf)); return (UINT)(startbits - (INT)FDKgetValidBits(hBitBuf));
} }
if (pBsData->modeIid > 2) { if (pBsData->modeIid > 2) {