fenix/fdk-aac
1
0
Fork 0
mirror of https://github.com/mstorsjo/fdk-aac.git synced 2025-06-05 22:39:13 +02:00
Code Issues Projects Releases Wiki Activity

Prevent out of bounds accesses in lppTransposer() and lppTransposerHBE()

Browse Source 
Bug: 112160868
Test: see poc in bug
Change-Id: I6a2161865d9cb9b51dc37c09d6e3a4a8e5d11f86
This commit is contained in:
Fraunhofer IIS FDK
2018-09-10 16:39:30 +02:00
committed by Jean-Michel Trivi
parent 42f714f2ab
commit 4dad829df0
2 changed files with 50 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
Android.bp
View File

@@ -27,6 +27,9 @@ cc_library_static {
misc_undefined:["unsigned-integer-overflow", "signed-integer-overflow"], misc_undefined:["unsigned-integer-overflow", "signed-integer-overflow"],
cfi: true, cfi: true,
}, },
shared_libs: [
"liblog",
],
export_include_dirs: [ export_include_dirs: [
"libAACdec/include", "libAACdec/include",
"libAACenc/include", "libAACenc/include",

28
libSBRdec/src/lpp_tran.cpp
View File

@@ -118,6 +118,10 @@ amm-info@iis.fraunhofer.de
\sa lppTransposer(), main_audio.cpp, sbr_scale.h, \ref documentationOverview \sa lppTransposer(), main_audio.cpp, sbr_scale.h, \ref documentationOverview
*/ */
#ifdef __ANDROID__
#include "log/log.h"
#endif
#include "lpp_tran.h" #include "lpp_tran.h"
#include "sbr_ram.h" #include "sbr_ram.h"
@@ -295,7 +299,6 @@ void lppTransposer(
int ovLowBandShift; int ovLowBandShift;
int lowBandShift; int lowBandShift;
/* int ovHighBandShift;*/ /* int ovHighBandShift;*/
int targetStopBand;
alphai[0] = FL2FXCONST_SGL(0.0f); alphai[0] = FL2FXCONST_SGL(0.0f);
alphai[1] = FL2FXCONST_SGL(0.0f); alphai[1] = FL2FXCONST_SGL(0.0f);
@@ -311,11 +314,13 @@ void lppTransposer(
autoCorrLength = pSettings->nCols + pSettings->overlap; autoCorrLength = pSettings->nCols + pSettings->overlap;
if (pSettings->noOfPatches > 0) {
/* Set upper subbands to zero: /* Set upper subbands to zero:
This is required in case that the patches do not cover the complete This is required in case that the patches do not cover the complete
highband (because the last patch would be too short). Possible highband (because the last patch would be too short). Possible
optimization: Clearing bands up to usb would be sufficient here. */ optimization: Clearing bands up to usb would be sufficient here. */
targetStopBand = patchParam[pSettings->noOfPatches - 1].targetStartBand + int targetStopBand =
patchParam[pSettings->noOfPatches - 1].targetStartBand +
patchParam[pSettings->noOfPatches - 1].numBandsInPatch; patchParam[pSettings->noOfPatches - 1].numBandsInPatch;
int memSize = ((64) - targetStopBand) * sizeof(FIXP_DBL); int memSize = ((64) - targetStopBand) * sizeof(FIXP_DBL);
@@ -330,6 +335,13 @@ void lppTransposer(
FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize); FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize);
} }
} }
}
#ifdef __ANDROID__
else {
// Safetynet logging
android_errorWriteLog(0x534e4554, "112160868");
}
#endif
/* init bwIndex for each patch */ /* init bwIndex for each patch */
FDKmemclear(bwIndex, sizeof(bwIndex)); FDKmemclear(bwIndex, sizeof(bwIndex));
@@ -874,7 +886,6 @@ void lppTransposerHBE(
int ovLowBandShift; int ovLowBandShift;
int lowBandShift; int lowBandShift;
/* int ovHighBandShift;*/ /* int ovHighBandShift;*/
int targetStopBand;
alphai[0] = FL2FXCONST_SGL(0.0f); alphai[0] = FL2FXCONST_SGL(0.0f);
alphai[1] = FL2FXCONST_SGL(0.0f); alphai[1] = FL2FXCONST_SGL(0.0f);
@@ -889,11 +900,13 @@ void lppTransposerHBE(
autoCorrLength = pSettings->nCols + pSettings->overlap; autoCorrLength = pSettings->nCols + pSettings->overlap;
if (pSettings->noOfPatches > 0) {
/* Set upper subbands to zero: /* Set upper subbands to zero:
This is required in case that the patches do not cover the complete This is required in case that the patches do not cover the complete
highband (because the last patch would be too short). Possible highband (because the last patch would be too short). Possible
optimization: Clearing bands up to usb would be sufficient here. */ optimization: Clearing bands up to usb would be sufficient here. */
targetStopBand = patchParam[pSettings->noOfPatches - 1].targetStartBand + int targetStopBand =
patchParam[pSettings->noOfPatches - 1].targetStartBand +
patchParam[pSettings->noOfPatches - 1].numBandsInPatch; patchParam[pSettings->noOfPatches - 1].numBandsInPatch;
int memSize = ((64) - targetStopBand) * sizeof(FIXP_DBL); int memSize = ((64) - targetStopBand) * sizeof(FIXP_DBL);
@@ -902,6 +915,13 @@ void lppTransposerHBE(
FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize); FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize);
FDKmemclear(&qmfBufferImag[i][targetStopBand], memSize); FDKmemclear(&qmfBufferImag[i][targetStopBand], memSize);
} }
}
#ifdef __ANDROID__
else {
// Safetynet logging
android_errorWriteLog(0x534e4554, "112160868");
}
#endif
/* /*
Calc common low band scale factor Calc common low band scale factor