From cab99f4b6a45de02a3b6d010cef4443a4a249f88 Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Tue, 16 Mar 2021 14:43:10 +0100 Subject: [PATCH 1/3] Perform parameter check before parameter assignment to avoid incorrect initialization in resetFreqBandTables(). Bug: 186777497 Test: atest android.media.cts.DecoderTestAacFormat android.media.cts.DecoderTestXheAac android.media.cts.DecoderTestAacDrc Change-Id: I5af625905b1e4365fa84423d186c227a49707f72 --- libSBRdec/src/sbrdec_freq_sca.cpp | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libSBRdec/src/sbrdec_freq_sca.cpp b/libSBRdec/src/sbrdec_freq_sca.cpp index e187656..daa3554 100644 --- a/libSBRdec/src/sbrdec_freq_sca.cpp +++ b/libSBRdec/src/sbrdec_freq_sca.cpp @@ -1,7 +1,7 @@ /* ----------------------------------------------------------------------------- Software License for The Fraunhofer FDK AAC Codec Library for Android -© Copyright 1995 - 2019 Fraunhofer-Gesellschaft zur Förderung der angewandten +© Copyright 1995 - 2021 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. All rights reserved. 1. INTRODUCTION @@ -765,9 +765,6 @@ resetFreqBandTables(HANDLE_SBR_HEADER_DATA hHeaderData, const UINT flags) { sbrdecUpdateLoRes(hFreq->freqBandTable[0], &nBandsLo, hFreq->freqBandTable[1], nBandsHi); - hFreq->nSfb[0] = nBandsLo; - hFreq->nSfb[1] = nBandsHi; - /* Check index to freqBandTable[0] */ if (!(nBandsLo > 0) || (nBandsLo > (((hHeaderData->numberOfAnalysisBands == 16) @@ -777,6 +774,9 @@ resetFreqBandTables(HANDLE_SBR_HEADER_DATA hHeaderData, const UINT flags) { return SBRDEC_UNSUPPORTED_CONFIG; } + hFreq->nSfb[0] = nBandsLo; + hFreq->nSfb[1] = nBandsHi; + lsb = hFreq->freqBandTable[0][0]; usb = hFreq->freqBandTable[0][nBandsLo]; 
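Review bot: On the `SBRDEC_UNSUPPORTED_CONFIG` return in the `@@ -765` hunk of `resetFreqBandTables()`, `sbrdecUpdateLoRes()` has already been handed `hFreq->freqBandTable[0]` and appears to rewrite it, while `hFreq->nSfb[]` now keeps the counts from the previous header. A rejected configuration can therefore leave the tables and their stored lengths out of step. The `MAX_NOISE_COEFFS` return in the `@@ -814` hunk has the mirror problem: `nSfb[]` is already updated, but `nNfb` and `nInvfBands` are not. Whether callers stop using `hFreq` after an error is decided outside this patch, so state the contract at the function head, e.g. `/* On any error return hFreq is only partially updated; the caller must treat the header as not initialized. */`. Whether `nBandsHi` is bounded before it is stored in `nSfb[1]` is also not visible in the hunk.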
@@ -814,15 +814,15 @@ resetFreqBandTables(HANDLE_SBR_HEADER_DATA hHeaderData, const UINT flags) { if (intTemp == 0) intTemp = 1; + if (intTemp > MAX_NOISE_COEFFS) { + return SBRDEC_UNSUPPORTED_CONFIG; + } + hFreq->nNfb = intTemp; } hFreq->nInvfBands = hFreq->nNfb; - if (hFreq->nNfb > MAX_NOISE_COEFFS) { - return SBRDEC_UNSUPPORTED_CONFIG; - } - /* Get noise bands */ sbrdecDownSampleLoRes(hFreq->freqBandTableNoise, hFreq->nNfb, hFreq->freqBandTable[0], nBandsLo); From a1edc32174933c375f84f202dddadd5dfb862060 Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Tue, 16 Mar 2021 14:43:32 +0100 Subject: [PATCH 2/3] Sbr syncstate may only be set to upsampling if the sbr decoder was sucessfully initialized. Bug: 186777497 Test: atest android.media.cts.DecoderTestAacFormat android.media.cts.DecoderTestXheAac android.media.cts.DecoderTestAacDrc Change-Id: I92f7c559af961ec063bfea74353f11092dcda653 --- libSBRdec/src/sbrdecoder.cpp | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/libSBRdec/src/sbrdecoder.cpp b/libSBRdec/src/sbrdecoder.cpp index b101a4a..7718695 100644 --- a/libSBRdec/src/sbrdecoder.cpp +++ b/libSBRdec/src/sbrdecoder.cpp @@ -1,7 +1,7 @@ /* ----------------------------------------------------------------------------- Software License for The Fraunhofer FDK AAC Codec Library for Android -© Copyright 1995 - 2020 Fraunhofer-Gesellschaft zur Förderung der angewandten +© Copyright 1995 - 2021 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. All rights reserved. 1. INTRODUCTION 
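Review bot: The `MAX_NOISE_COEFFS` bound in the `@@ -814` hunk now sits inside the block that computes `intTemp`, so `hFreq->nInvfBands = hFreq->nNfb;` and the `sbrdecDownSampleLoRes()` call are only protected on that path. The opening of the block and any other assignment to `hFreq->nNfb` lie outside the hunk, so it cannot be confirmed from here that every path yields a bounded value. If the file has `FDK_ASSERT` in scope, `FDK_ASSERT(hFreq->nNfb <= MAX_NOISE_COEFFS);` directly before `/* Get noise bands */` would keep the invariant visible at the point where `nNfb` is used as a length.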
@@ -961,8 +961,10 @@ SBR_ERROR sbrDecoder_SetParam(HANDLE_SBRDECODER self, const SBRDEC_PARAM param, /* Set sync state UPSAMPLING for the corresponding slot. This switches off bitstream parsing until a new header arrives. */ - hSbrHeader->syncState = UPSAMPLING; - hSbrHeader->status |= SBRDEC_HDR_STAT_UPDATE; + if (hSbrHeader->syncState != SBR_NOT_INITIALIZED) { + hSbrHeader->syncState = UPSAMPLING; + hSbrHeader->status |= SBRDEC_HDR_STAT_UPDATE; + } } } } break; @@ -1371,7 +1373,9 @@ SBR_ERROR sbrDecoder_Parse(HANDLE_SBRDECODER self, HANDLE_FDK_BITSTREAM hBs, } if (headerStatus == HEADER_ERROR) { /* Corrupt SBR info data, do not decode and switch to UPSAMPLING */ - hSbrHeader->syncState = UPSAMPLING; + hSbrHeader->syncState = hSbrHeader->syncState > UPSAMPLING + ? UPSAMPLING + : hSbrHeader->syncState; fDoDecodeSbrData = 0; sbrHeaderPresent = 0; } @@ -1610,7 +1614,9 @@ static SBR_ERROR sbrDecoder_DecodeElement( /* No valid SBR payload available, hence switch to upsampling (in all * headers) */ for (hdrIdx = 0; hdrIdx < ((1) + 1); hdrIdx += 1) { - self->sbrHeader[elementIndex][hdrIdx].syncState = UPSAMPLING; + if (self->sbrHeader[elementIndex][hdrIdx].syncState > UPSAMPLING) { + self->sbrHeader[elementIndex][hdrIdx].syncState = UPSAMPLING; + } } } else { /* Move frame pointer to the next slot which is up to be decoded/applied From 27c3a2bd1cc08b0096813474410c667468077d6e Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Tue, 16 Mar 2021 14:47:41 +0100 Subject: [PATCH 3/3] Check the number of available escapes in rvlcDecodeBackward() to avoid out-of-bounds access. Bug: 186777497 Test: atest android.media.cts.DecoderTestAacFormat android.media.cts.DecoderTestXheAac android.media.cts.DecoderTestAacDrc Change-Id: I42956a9fd7a8e78c3c0f4f553370ac5a9f1ac2ca --- libAACdec/src/rvlc.cpp | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/libAACdec/src/rvlc.cpp b/libAACdec/src/rvlc.cpp index b7a9be1..0b80364 100644 
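Review bot: The three hunks in sbrdecoder.cpp guard the same transition with two different tests: `syncState != SBR_NOT_INITIALIZED` in the `@@ -961` hunk (`sbrDecoder_SetParam`), and `syncState > UPSAMPLING` in the `@@ -1371` and `@@ -1614` hunks. The relational form is only correct if `SBR_NOT_INITIALIZED` sorts below `UPSAMPLING` in the enum, whose declaration is not part of this patch. A state added or reordered later could silently let an uninitialized header be marked `UPSAMPLING` again. The explicit test in all three places, `if (hSbrHeader->syncState != SBR_NOT_INITIALIZED) hSbrHeader->syncState = UPSAMPLING;`, avoids that dependency. It gives the same result as long as `SBR_NOT_INITIALIZED` is the only state below `UPSAMPLING`.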
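Review bot: The comment `/* Corrupt SBR info data, do not decode and switch to UPSAMPLING */` in the `@@ -1371` hunk no longer describes the code, because a header that was never initialized now keeps its state. The same applies to "hence switch to upsampling (in all headers)" in the `@@ -1614` hunk. Suggested wording: `/* Corrupt SBR info data: do not decode; fall back to UPSAMPLING unless the header was never initialized */`. The self-assigning ternary in `sbrDecoder_Parse` would also read more plainly as the `if` form already used in `sbrDecoder_DecodeElement`. Both functions extend beyond their hunks.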
--- a/libAACdec/src/rvlc.cpp +++ b/libAACdec/src/rvlc.cpp @@ -1,7 +1,7 @@ /* ----------------------------------------------------------------------------- Software License for The Fraunhofer FDK AAC Codec Library for Android -© Copyright 1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten +© Copyright 1995 - 2021 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. All rights reserved. 1. INTRODUCTION @@ -628,7 +628,7 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc, SHORT *pScfBwd = pAacDecoderChannelInfo->pComData->overlay.aac.aRvlcScfBwd; SHORT *pScfEsc = pAacDecoderChannelInfo->pComData->overlay.aac.aRvlcScfEsc; - UCHAR *pEscEscCnt = &(pRvlc->numDecodedEscapeWordsEsc); + UCHAR escEscCnt = pRvlc->numDecodedEscapeWordsEsc; UCHAR *pEscBwdCnt = &(pRvlc->numDecodedEscapeWordsBwd); pRvlc->pRvlBitCnt_RVL = &(pRvlc->length_of_rvlc_sf_bwd); @@ -636,7 +636,7 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc, *pEscBwdCnt = 0; pRvlc->direction = BWD; - pScfEsc += *pEscEscCnt - 1; /* set pScfEsc to last entry */ + pScfEsc += escEscCnt - 1; /* set pScfEsc to last entry */ pRvlc->firstScf = 0; pRvlc->firstNrg = 0; pRvlc->firstIs = 0; @@ -651,7 +651,7 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc, } dpcm -= TABLE_OFFSET; if ((dpcm == MIN_RVL) || (dpcm == MAX_RVL)) { - if (pRvlc->length_of_rvlc_escapes) { + if ((pRvlc->length_of_rvlc_escapes) || (*pEscBwdCnt >= escEscCnt)) { pRvlc->conceal_min = bnds; return; } else { @@ -694,7 +694,7 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc, } dpcm -= TABLE_OFFSET; if ((dpcm == MIN_RVL) || (dpcm == MAX_RVL)) { - if (pRvlc->length_of_rvlc_escapes) { + if ((pRvlc->length_of_rvlc_escapes) || (*pEscBwdCnt >= escEscCnt)) { pScfBwd[bnds] = position; pRvlc->conceal_min = fMax(0, bnds - offset); return; 
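Review bot: `pScfEsc += escEscCnt - 1;` in the `@@ -636` hunk still forms a pointer one element before `aRvlcScfEsc` when `numDecodedEscapeWordsEsc` is 0. The new `*pEscBwdCnt >= escEscCnt` test keeps that pointer from being dereferenced, but computing it is already undefined behaviour. `if (escEscCnt > 0) pScfEsc += escEscCnt - 1;` removes the case. No upper bound on `escEscCnt` against the capacity of `aRvlcScfEsc` is visible in this patch; presumably it is enforced where the escapes are decoded, which is worth confirming. Declaring the snapshot as `const UCHAR escEscCnt` would show that it is not meant to change during the backward pass.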
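Review bot: The compound test `(pRvlc->length_of_rvlc_escapes) || (*pEscBwdCnt >= escEscCnt)` is repeated verbatim at four sites in `rvlcDecodeBackward()` (hunks `@@ -651`, `@@ -694`, `@@ -731` and `@@ -762`), with no comment linking the second operand to the escape buffer. A small static helper or a named local evaluated at each site would keep the four copies from drifting apart. At minimum add a comment such as `/* all decoded escape words are already consumed: conceal instead of reading outside aRvlcScfEsc */`. The else branch that consumes an escape word lies outside every hunk, so it is assumed rather than visible that `*pEscBwdCnt` advances exactly once per consumed word.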
@@ -731,7 +731,8 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc, } dpcm -= TABLE_OFFSET; if ((dpcm == MIN_RVL) || (dpcm == MAX_RVL)) { - if (pRvlc->length_of_rvlc_escapes) { + if ((pRvlc->length_of_rvlc_escapes) || + (*pEscBwdCnt >= escEscCnt)) { pScfBwd[bnds] = noisenrg; pRvlc->conceal_min = fMax(0, bnds - offset); return; @@ -762,7 +763,7 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc, } dpcm -= TABLE_OFFSET; if ((dpcm == MIN_RVL) || (dpcm == MAX_RVL)) { - if (pRvlc->length_of_rvlc_escapes) { + if ((pRvlc->length_of_rvlc_escapes) || (*pEscBwdCnt >= escEscCnt)) { pScfBwd[bnds] = factor; pRvlc->conceal_min = fMax(0, bnds - offset); return;