Merge changes I42956a9f,I92f7c559,I5af62590 into sc-dev

* changes: Check the number of available escapes in rvlcDecodeBackward() to avoid out-of-bounds access. Sbr syncstate may only be set to upsampling if the sbr decoder was sucessfully initialized. Perform parameter check before parameter assignment to avoid incorrect initialization in resetFreqBandTables().
2025-06-05 22:39:13 +02:00 · 2021-05-05 00:48:05 +00:00
parent 2a3cde8157 27c3a2bd1c
commit 826719dee4
3 changed files with 27 additions and 20 deletions
--- a/libAACdec/src/rvlc.cpp
+++ b/libAACdec/src/rvlc.cpp
@ -1,7 +1,7 @@
 /* -----------------------------------------------------------------------------
 Software License for The Fraunhofer FDK AAC Codec Library for Android

-© Copyright  1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten
+© Copyright  1995 - 2021 Fraunhofer-Gesellschaft zur Förderung der angewandten
 Forschung e.V. All rights reserved.

 1.    INTRODUCTION
@ -628,7 +628,7 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc,

  SHORT *pScfBwd = pAacDecoderChannelInfo->pComData->overlay.aac.aRvlcScfBwd;
  SHORT *pScfEsc = pAacDecoderChannelInfo->pComData->overlay.aac.aRvlcScfEsc;
-  UCHAR *pEscEscCnt = &(pRvlc->numDecodedEscapeWordsEsc);
+  UCHAR escEscCnt = pRvlc->numDecodedEscapeWordsEsc;
  UCHAR *pEscBwdCnt = &(pRvlc->numDecodedEscapeWordsBwd);

  pRvlc->pRvlBitCnt_RVL = &(pRvlc->length_of_rvlc_sf_bwd);
@ -636,7 +636,7 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc,

  *pEscBwdCnt = 0;
  pRvlc->direction = BWD;
-  pScfEsc += *pEscEscCnt - 1; /* set pScfEsc to last entry */
+  pScfEsc += escEscCnt - 1; /* set pScfEsc to last entry */
  pRvlc->firstScf = 0;
  pRvlc->firstNrg = 0;
  pRvlc->firstIs = 0;
@ -651,7 +651,7 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc,
    }
    dpcm -= TABLE_OFFSET;
    if ((dpcm == MIN_RVL) || (dpcm == MAX_RVL)) {
-      if (pRvlc->length_of_rvlc_escapes) {
+      if ((pRvlc->length_of_rvlc_escapes) || (*pEscBwdCnt >= escEscCnt)) {
        pRvlc->conceal_min = bnds;
        return;
      } else {
@ -694,7 +694,7 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc,
          }
          dpcm -= TABLE_OFFSET;
          if ((dpcm == MIN_RVL) || (dpcm == MAX_RVL)) {
-            if (pRvlc->length_of_rvlc_escapes) {
+            if ((pRvlc->length_of_rvlc_escapes) || (*pEscBwdCnt >= escEscCnt)) {
              pScfBwd[bnds] = position;
              pRvlc->conceal_min = fMax(0, bnds - offset);
              return;
@ -731,7 +731,8 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc,
            }
            dpcm -= TABLE_OFFSET;
            if ((dpcm == MIN_RVL) || (dpcm == MAX_RVL)) {
-              if (pRvlc->length_of_rvlc_escapes) {
+              if ((pRvlc->length_of_rvlc_escapes) ||
+                  (*pEscBwdCnt >= escEscCnt)) {
                pScfBwd[bnds] = noisenrg;
                pRvlc->conceal_min = fMax(0, bnds - offset);
                return;
@ -762,7 +763,7 @@ static void rvlcDecodeBackward(CErRvlcInfo *pRvlc,
          }
          dpcm -= TABLE_OFFSET;
          if ((dpcm == MIN_RVL) || (dpcm == MAX_RVL)) {
-            if (pRvlc->length_of_rvlc_escapes) {
+            if ((pRvlc->length_of_rvlc_escapes) || (*pEscBwdCnt >= escEscCnt)) {
              pScfBwd[bnds] = factor;
              pRvlc->conceal_min = fMax(0, bnds - offset);
              return;
--- a/libSBRdec/src/sbrdec_freq_sca.cpp
+++ b/libSBRdec/src/sbrdec_freq_sca.cpp
@ -1,7 +1,7 @@
 /* -----------------------------------------------------------------------------
 Software License for The Fraunhofer FDK AAC Codec Library for Android

-© Copyright  1995 - 2019 Fraunhofer-Gesellschaft zur Förderung der angewandten
+© Copyright  1995 - 2021 Fraunhofer-Gesellschaft zur Förderung der angewandten
 Forschung e.V. All rights reserved.

 1.    INTRODUCTION
@ -765,9 +765,6 @@ resetFreqBandTables(HANDLE_SBR_HEADER_DATA hHeaderData, const UINT flags) {
  sbrdecUpdateLoRes(hFreq->freqBandTable[0], &nBandsLo, hFreq->freqBandTable[1],
                    nBandsHi);

-  hFreq->nSfb[0] = nBandsLo;
-  hFreq->nSfb[1] = nBandsHi;
-
  /* Check index to freqBandTable[0] */
  if (!(nBandsLo > 0) ||
      (nBandsLo > (((hHeaderData->numberOfAnalysisBands == 16)
@ -777,6 +774,9 @@ resetFreqBandTables(HANDLE_SBR_HEADER_DATA hHeaderData, const UINT flags) {
    return SBRDEC_UNSUPPORTED_CONFIG;
  }

+  hFreq->nSfb[0] = nBandsLo;
+  hFreq->nSfb[1] = nBandsHi;
+
  lsb = hFreq->freqBandTable[0][0];
  usb = hFreq->freqBandTable[0][nBandsLo];

@ -814,15 +814,15 @@ resetFreqBandTables(HANDLE_SBR_HEADER_DATA hHeaderData, const UINT flags) {

    if (intTemp == 0) intTemp = 1;

+    if (intTemp > MAX_NOISE_COEFFS) {
+      return SBRDEC_UNSUPPORTED_CONFIG;
+    }
+
    hFreq->nNfb = intTemp;
  }

  hFreq->nInvfBands = hFreq->nNfb;

-  if (hFreq->nNfb > MAX_NOISE_COEFFS) {
-    return SBRDEC_UNSUPPORTED_CONFIG;
-  }
-
  /* Get noise bands */
  sbrdecDownSampleLoRes(hFreq->freqBandTableNoise, hFreq->nNfb,
                        hFreq->freqBandTable[0], nBandsLo);
--- a/libSBRdec/src/sbrdecoder.cpp
+++ b/libSBRdec/src/sbrdecoder.cpp
@ -1,7 +1,7 @@
 /* -----------------------------------------------------------------------------
 Software License for The Fraunhofer FDK AAC Codec Library for Android

-© Copyright  1995 - 2020 Fraunhofer-Gesellschaft zur Förderung der angewandten
+© Copyright  1995 - 2021 Fraunhofer-Gesellschaft zur Förderung der angewandten
 Forschung e.V. All rights reserved.

 1.    INTRODUCTION
@ -961,8 +961,10 @@ SBR_ERROR sbrDecoder_SetParam(HANDLE_SBRDECODER self, const SBRDEC_PARAM param,

          /* Set sync state UPSAMPLING for the corresponding slot.
             This switches off bitstream parsing until a new header arrives. */
-          hSbrHeader->syncState = UPSAMPLING;
-          hSbrHeader->status |= SBRDEC_HDR_STAT_UPDATE;
+          if (hSbrHeader->syncState != SBR_NOT_INITIALIZED) {
+            hSbrHeader->syncState = UPSAMPLING;
+            hSbrHeader->status |= SBRDEC_HDR_STAT_UPDATE;
+          }
        }
      }
    } break;
@ -1371,7 +1373,9 @@ SBR_ERROR sbrDecoder_Parse(HANDLE_SBRDECODER self, HANDLE_FDK_BITSTREAM hBs,
      }
      if (headerStatus == HEADER_ERROR) {
        /* Corrupt SBR info data, do not decode and switch to UPSAMPLING */
-        hSbrHeader->syncState = UPSAMPLING;
+        hSbrHeader->syncState = hSbrHeader->syncState > UPSAMPLING
+                                    ? UPSAMPLING
+                                    : hSbrHeader->syncState;
        fDoDecodeSbrData = 0;
        sbrHeaderPresent = 0;
      }
@ -1610,7 +1614,9 @@ static SBR_ERROR sbrDecoder_DecodeElement(
      /* No valid SBR payload available, hence switch to upsampling (in all
       * headers) */
      for (hdrIdx = 0; hdrIdx < ((1) + 1); hdrIdx += 1) {
-        self->sbrHeader[elementIndex][hdrIdx].syncState = UPSAMPLING;
+        if (self->sbrHeader[elementIndex][hdrIdx].syncState > UPSAMPLING) {
+          self->sbrHeader[elementIndex][hdrIdx].syncState = UPSAMPLING;
+        }
      }
    } else {
      /* Move frame pointer to the next slot which is up to be decoded/applied