From cc825aecf5ff8c2c7027f7424d7933cd80d6f3bb Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Fri, 9 Aug 2019 17:05:33 +0200 Subject: [PATCH 1/4] Restrict sampling rates parsed from bitstream to maximum of 96kHz. Bug: 131430997 Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: I2511a7cfcdf1bae57d17c02c93867ccc4f1ea693 --- libMpegTPDec/src/tpdec_asc.cpp | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/libMpegTPDec/src/tpdec_asc.cpp b/libMpegTPDec/src/tpdec_asc.cpp index 28bc22d..a86c2cb 100644 --- a/libMpegTPDec/src/tpdec_asc.cpp +++ b/libMpegTPDec/src/tpdec_asc.cpp @@ -1,7 +1,7 @@ /* ----------------------------------------------------------------------------- Software License for The Fraunhofer FDK AAC Codec Library for Android -© Copyright 1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten +© Copyright 1995 - 2019 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. All rights reserved. 1. INTRODUCTION @@ -1440,7 +1440,8 @@ static TRANSPORTDEC_ERROR EldSpecificConfig_Parse(CSAudioSpecificConfig *asc, UCHAR tmpDownscaleFreqIdx; esc->m_downscaledSamplingFrequency = getSampleRate(hBs, &tmpDownscaleFreqIdx, 4); - if (esc->m_downscaledSamplingFrequency == 0) { + if (esc->m_downscaledSamplingFrequency == 0 || + esc->m_downscaledSamplingFrequency > 96000) { return TRANSPORTDEC_PARSE_ERROR; } downscale_fill_nibble = FDKreadBits(hBs, 4); @@ -1948,6 +1949,9 @@ static TRANSPORTDEC_ERROR UsacConfig_Parse(CSAudioSpecificConfig *asc, INT nbits = (INT)FDKgetValidBits(hBs); usacSamplingFrequency = getSampleRate(hBs, &asc->m_samplingFrequencyIndex, 5); + if (usacSamplingFrequency == 0 || usacSamplingFrequency > 96000) { + return TRANSPORTDEC_PARSE_ERROR; + } asc->m_samplingFrequency = (UINT)usacSamplingFrequency; coreSbrFrameLengthIndex = FDKreadBits(hBs, 3); @@ -2027,7 +2031,8 @@ static TRANSPORTDEC_ERROR AudioSpecificConfig_ExtensionParse( self->m_extensionSamplingFrequency = getSampleRate( bs, &self->m_extensionSamplingFrequencyIndex, 4); - if ((INT)self->m_extensionSamplingFrequency <= 0) { + if (self->m_extensionSamplingFrequency == 0 || + self->m_extensionSamplingFrequency > 96000) { return TRANSPORTDEC_PARSE_ERROR; } } @@ -2153,6 +2158,10 @@ TRANSPORTDEC_ERROR AudioSpecificConfig_Parse( self->m_extensionSamplingFrequency = getSampleRate(bs, &self->m_extensionSamplingFrequencyIndex, 4); + if (self->m_extensionSamplingFrequency == 0 || + self->m_extensionSamplingFrequency > 96000) { + return TRANSPORTDEC_PARSE_ERROR; + } self->m_aot = getAOT(bs); switch (self->m_aot) { From dbfa1cd71bbc5c0af382f47c222a72739bc101de Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Fri, 9 Aug 2019 17:06:06 +0200 Subject: [PATCH 2/4] Fix assert in synchronization() for loas streams with multiple sub frames. Bug: 131430997 Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: Icb7d4b0b00a17367c8ec762b112fbb25268d9f67 --- libMpegTPDec/src/tpdec_lib.cpp | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/libMpegTPDec/src/tpdec_lib.cpp b/libMpegTPDec/src/tpdec_lib.cpp index 506aed3..ede64c9 100644 --- a/libMpegTPDec/src/tpdec_lib.cpp +++ b/libMpegTPDec/src/tpdec_lib.cpp @@ -1,7 +1,7 @@ /* ----------------------------------------------------------------------------- Software License for The Fraunhofer FDK AAC Codec Library for Android -© Copyright 1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten +© Copyright 1995 - 2019 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. All rights reserved. 1. INTRODUCTION @@ -663,10 +663,14 @@ TRANSPORTDEC_ERROR transportDec_FillData(const HANDLE_TRANSPORTDEC hTp, if (*pBytesValid == 0) { /* nothing to do */ return TRANSPORTDEC_OK; - } - - if (hTp->numberOfRawDataBlocks <= 0) { + } else { + const int bytesValid = *pBytesValid; FDKfeedBuffer(hBs, pBuffer, bufferSize, pBytesValid); + + if (hTp->numberOfRawDataBlocks > 0) { + hTp->globalFramePos += (bytesValid - *pBytesValid) * 8; + hTp->accessUnitAnchor[layer] = FDKgetValidBits(hBs); + } } } @@ -1151,6 +1155,11 @@ static TRANSPORTDEC_ERROR synchronization(HANDLE_TRANSPORTDEC hTp, &rawDataBlockLength, &fTraverseMoreFrames, &syncLayerFrameBits, &fConfigFound, &headerBits); + if (headerBits > bitsAvail) { + err = (headerBits < (INT)hBs->hBitBuf.bufBits) + ? TRANSPORTDEC_NOT_ENOUGH_BITS + : TRANSPORTDEC_SYNC_ERROR; + } if (TPDEC_IS_FATAL_ERROR(err)) { /* Rewind - TPDEC_SYNCSKIP, in order to look for a synch one bit ahead * next time. Ensure that the bit amount lands at a multiple of @@ -1181,8 +1190,6 @@ static TRANSPORTDEC_ERROR synchronization(HANDLE_TRANSPORTDEC hTp, } if (err == TRANSPORTDEC_NOT_ENOUGH_BITS) { - /* Enforce reading of new data */ - hTp->numberOfRawDataBlocks = 0; break; } @@ -1273,7 +1280,9 @@ static TRANSPORTDEC_ERROR synchronization(HANDLE_TRANSPORTDEC hTp, /* Rewind for retry because of not enough bits */ if (err == TRANSPORTDEC_NOT_ENOUGH_BITS) { FDKpushBack(hBs, headerBits); + hTp->numberOfRawDataBlocks = numRawDataBlocksPrevious; headerBits = 0; + rawDataBlockLength = rawDataBlockLengthPrevious; } else { /* reset hold off frame counter */ hTp->holdOffFrames = 0; From 128abf6b1ace9c790ba7f42d976d3035cbe347b6 Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Fri, 9 Aug 2019 17:06:37 +0200 Subject: [PATCH 3/4] Validate aacSampleRate after applying ELD downscale factor. Avoid division by zero. Bug: 131430997 Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: I3f7ece9451121d40fab2c97571c695c1ac62bd00 --- libAACdec/src/aacdecoder.cpp | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libAACdec/src/aacdecoder.cpp b/libAACdec/src/aacdecoder.cpp index 7617937..38ef4f8 100644 --- a/libAACdec/src/aacdecoder.cpp +++ b/libAACdec/src/aacdecoder.cpp @@ -1928,6 +1928,9 @@ CAacDecoder_Init(HANDLE_AACDECODER self, const CSAudioSpecificConfig *asc, self->samplingRateInfo[0].samplingRate / self->downscaleFactor; self->streamInfo.aacSamplesPerFrame = asc->m_samplesPerFrame / self->downscaleFactor; + if (self->streamInfo.aacSampleRate <= 0) { + return AAC_DEC_UNSUPPORTED_SAMPLINGRATE; + } } } From f26eb8af7c38047ad113072a6de38e069dc5cf3f Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Fri, 9 Aug 2019 17:06:59 +0200 Subject: [PATCH 4/4] Fix CpePersistentData memory leak. Bug: 131430997 Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: Iee5c93d61088bbda2328099ad20413adae3fa09b --- libAACdec/src/aacdecoder.cpp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libAACdec/src/aacdecoder.cpp b/libAACdec/src/aacdecoder.cpp index 38ef4f8..b15fc80 100644 --- a/libAACdec/src/aacdecoder.cpp +++ b/libAACdec/src/aacdecoder.cpp @@ -1303,7 +1303,8 @@ static void CAacDecoder_DeInit(HANDLE_AACDECODER self, const int subStreamIndex) { int ch; int aacChannelOffset = 0, aacChannels = (8); - int numElements = (((8)) + (8)), elementOffset = 0; + int numElements = (3 * ((8) * 2) + (((8) * 2)) / 2 + 4 * (1) + 1), + elementOffset = 0; if (self == NULL) return;