From 4a22282fe0cbf79555ea4535fa9723966509912a Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Thu, 20 Dec 2018 15:52:46 +0100 Subject: [PATCH 1/2] Add sanity check in SpatialDecParseSpecificConfig() Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: I0249f75839829fdbc96218425e59ad914f9dfeda --- libSACdec/src/sac_bitdec.cpp | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libSACdec/src/sac_bitdec.cpp b/libSACdec/src/sac_bitdec.cpp index 159cf84..da5b262 100644 --- a/libSACdec/src/sac_bitdec.cpp +++ b/libSACdec/src/sac_bitdec.cpp @@ -572,16 +572,18 @@ SACDEC_ERROR SpatialDecParseSpecificConfig( numHeaderBits = cfgStartPos - (INT)FDKgetValidBits(bitstream); bitsAvailable -= numHeaderBits; + if (bitsAvailable < 0) { + err = MPS_PARSE_ERROR; + goto bail; + } pSpatialSpecificConfig->sacExtCnt = 0; pSpatialSpecificConfig->bResidualCoding = 0; - if ((err == MPS_OK) && (bitsAvailable > 0)) { - err = SpatialDecParseExtensionConfig( - bitstream, pSpatialSpecificConfig, pSpatialSpecificConfig->nOttBoxes, - pSpatialSpecificConfig->nTttBoxes, - pSpatialSpecificConfig->nOutputChannels, bitsAvailable); - } + err = SpatialDecParseExtensionConfig( + bitstream, pSpatialSpecificConfig, pSpatialSpecificConfig->nOttBoxes, + pSpatialSpecificConfig->nTttBoxes, + pSpatialSpecificConfig->nOutputChannels, bitsAvailable); FDKbyteAlign( bitstream, From f440f28aa3cfa02d52abb89e7db24d16f6eb0172 Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Thu, 20 Dec 2018 15:52:46 +0100 Subject: [PATCH 2/2] Return SpatialDecDecodeFrame() parse error in case extended frame does not match the spatial frame Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: I7add6dff3b60ba0b36e5c83cee8031b37e970890 --- libSACdec/src/sac_bitdec.cpp | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libSACdec/src/sac_bitdec.cpp b/libSACdec/src/sac_bitdec.cpp index da5b262..1049c3d 100644 --- a/libSACdec/src/sac_bitdec.cpp +++ b/libSACdec/src/sac_bitdec.cpp @@ -1870,6 +1870,16 @@ SACDEC_ERROR SpatialDecDecodeFrame(spatialDec *self, SPATIAL_BS_FRAME *frame) { frame->numParameterSets = fixMin(MAX_PARAMETER_SETS, frame->numParameterSets + 1); frame->paramSlot[frame->numParameterSets - 1] = self->timeSlots - 1; + + for (int p = 0; p < frame->numParameterSets; p++) { + if (frame->paramSlot[p] > self->timeSlots - 1) { + frame->paramSlot[p] = self->timeSlots - 1; + err = MPS_PARSE_ERROR; + } + } + if (err != MPS_OK) { + goto bail; + } } bail: