author | Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de> | 2018-05-09 13:32:45 +0200 |
---|---|---|
committer | Jean-Michel Trivi <jmtrivi@google.com> | 2018-05-09 15:15:28 -0700 |
commit | 44ac411683e7cfbfdb1f58e02d54377d709c8dd4 (patch) | |
tree | 756d84f186478676d172f1afc3339c05c6b69709 | |
parent | 9ab67882eca7454dc001e158bc1e6e2219d6650b (diff) | |
FDK patches: fix overflows in decoder out-of-band config
Bug: 71430241
Bug: 79220129
Test: cts-tradefed run commandAndExit cts-dev -m CtsMediaTestCases -t android.media.cts.DecoderTestXheAac
cts-tradefed run commandAndExit cts-dev -m CtsMediaTestCases -t android.media.cts.DecoderTestAacDrc
Unsigned Integer Overflows in CDataStreamElement_Read()
Change-Id: Ic2f5b3ae111bf984d4d0db664823798957b0a979
Unsigned Integer Overflow in CProgramConfig_ReadHeightExt()
Change-Id: Iaebc458bb59504203e604a28ed6d5cecaa875c42
Unsigned Integer Overflow in transportDec_OutOfBandConfig()
Change-Id: I24a4b32d736f28c55147f0e2ca06fe5537da19c2
Unsigned Integer Overflows in CDKcrcEndReg() & crcCalc()
Change-Id: I6ebbe541a4d3b6bacbd5ace17264972951de7ca8
Unsigned Integer Overflows in ReadPsData()
Change-Id: Id36576fe545236860a06f17971494ecd4484c494
Unsigned Integer Overflow in SpatialDecParseSpecificConfig()
Change-Id: Ib468f129a951c69776b88468407f008ab4cfd2c7
Unsigned Integer Overflows in _readUniDrcConfigExtension() & _readLoudnessInfoSetExtension()
Change-Id: Ibcf7c6a23af49239206ea9301c58adac36e3ceba
-rw-r--r-- | libAACdec/src/aacdecoder.cpp | 12 | ||||
-rw-r--r-- | libDRCdec/src/drcDec_reader.cpp | 14 | ||||
-rw-r--r-- | libFDK/include/FDK_crc.h | 4 | ||||
-rw-r--r-- | libFDK/src/FDK_crc.cpp | 10 | ||||
-rw-r--r-- | libMpegTPDec/src/tpdec_asc.cpp | 4 | ||||
-rw-r--r-- | libMpegTPDec/src/tpdec_lib.cpp | 2 | ||||
-rw-r--r-- | libSACdec/src/sac_bitdec.cpp | 4 | ||||
-rw-r--r-- | libSBRdec/src/psbitdec.cpp | 4 |
8 files changed, 28 insertions, 26 deletions
diff --git a/libAACdec/src/aacdecoder.cpp b/libAACdec/src/aacdecoder.cpp index 64adb56..3cbdffd 100644 --- a/libAACdec/src/aacdecoder.cpp +++ b/libAACdec/src/aacdecoder.cpp @@ -437,7 +437,8 @@ static AAC_DECODER_ERROR CDataStreamElement_Read(HANDLE_AACDECODER self, UCHAR *elementInstanceTag, UINT alignmentAnchor) { AAC_DECODER_ERROR error = AAC_DEC_OK; - UINT dataStart, dseBits; + UINT dseBits; + INT dataStart; int dataByteAlignFlag, count; FDK_ASSERT(self != NULL); @@ -460,14 +461,14 @@ static AAC_DECODER_ERROR CDataStreamElement_Read(HANDLE_AACDECODER self, FDKbyteAlign(bs, alignmentAnchor); } - dataStart = FDKgetValidBits(bs); + dataStart = (INT)FDKgetValidBits(bs); error = CAacDecoder_AncDataParse(&self->ancData, bs, count); transportDec_CrcEndReg(self->hInput, crcReg); { /* Move to the beginning of the data chunk */ - FDKpushBack(bs, dataStart - FDKgetValidBits(bs)); + FDKpushBack(bs, dataStart - (INT)FDKgetValidBits(bs)); /* Read Anc data if available */ aacDecoder_drcMarkPayload(self->hDrcInfo, bs, DVB_DRC_ANC_DATA); @@ -477,7 +478,7 @@ static AAC_DECODER_ERROR CDataStreamElement_Read(HANDLE_AACDECODER self, PCMDMX_ERROR dmxErr = PCMDMX_OK; /* Move to the beginning of the data chunk */ - FDKpushBack(bs, dataStart - FDKgetValidBits(bs)); + FDKpushBack(bs, dataStart - (INT)FDKgetValidBits(bs)); /* Read DMX meta-data */ dmxErr = pcmDmx_Parse(self->hPcmUtils, bs, dseBits, 0 /* not mpeg2 */); @@ -487,8 +488,7 @@ static AAC_DECODER_ERROR CDataStreamElement_Read(HANDLE_AACDECODER self, } /* Move to the very end of the element. */ - FDKpushBiDirectional( - bs, (INT)FDKgetValidBits(bs) - (INT)dataStart + (INT)dseBits); + FDKpushBiDirectional(bs, (INT)FDKgetValidBits(bs) - dataStart + (INT)dseBits); return error; } diff --git a/libDRCdec/src/drcDec_reader.cpp b/libDRCdec/src/drcDec_reader.cpp index db5fab7..6fe7a04 100644 --- a/libDRCdec/src/drcDec_reader.cpp +++ b/libDRCdec/src/drcDec_reader.cpp 
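Review bot: In CDataStreamElement_Read the two `FDKpushBack(bs, dataStart - (INT)FDKgetValidBits(bs))` calls now compute a signed difference, but nothing visible in the hunks checks that it is non-negative before it is used as a push-back count. If FDKpushBack takes an unsigned bit count (its declaration is not shown here), a negative result would be converted back to a very large value, which is the wrap these casts were meant to remove. Consider `FDK_ASSERT(dataStart >= (INT)FDKgetValidBits(bs));` ahead of each call, or the signed form the function's last statement already uses, `FDKpushBiDirectional(bs, (INT)FDKgetValidBits(bs) - dataStart);`. The same pattern appears in the FDKpushBack calls in CProgramConfig_ReadHeightExt and transportDec_OutOfBandConfig.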
@@ -1622,7 +1622,7 @@ static DRC_ERROR _readUniDrcConfigExtension( HANDLE_FDK_BITSTREAM hBs, HANDLE_UNI_DRC_CONFIG hUniDrcConfig) { DRC_ERROR err = DE_OK; int k, bitSizeLen, extSizeBits, bitSize; - UINT nBitsRemaining; + INT nBitsRemaining; UNI_DRC_CONFIG_EXTENSION* pExt = &(hUniDrcConfig->uniDrcConfigExt); k = 0; @@ -1634,13 +1634,14 @@ static DRC_ERROR _readUniDrcConfigExtension( bitSize = FDKreadBits(hBs, extSizeBits); pExt->extBitSize[k] = bitSize + 1; - nBitsRemaining = FDKgetValidBits(hBs); + nBitsRemaining = (INT)FDKgetValidBits(hBs); switch (pExt->uniDrcConfigExtType[k]) { case UNIDRCCONFEXT_V1: err = _readDrcExtensionV1(hBs, hUniDrcConfig); if (err) return err; - if (nBitsRemaining != (pExt->extBitSize[k] + FDKgetValidBits(hBs))) + if (nBitsRemaining != + ((INT)pExt->extBitSize[k] + (INT)FDKgetValidBits(hBs))) return DE_NOT_OK; break; case UNIDRCCONFEXT_PARAM_DRC: @@ -1940,7 +1941,7 @@ static DRC_ERROR _readLoudnessInfoSetExtension( HANDLE_FDK_BITSTREAM hBs, HANDLE_LOUDNESS_INFO_SET hLoudnessInfoSet) { DRC_ERROR err = DE_OK; int k, bitSizeLen, extSizeBits, bitSize; - UINT nBitsRemaining; + INT nBitsRemaining; LOUDNESS_INFO_SET_EXTENSION* pExt = &(hLoudnessInfoSet->loudnessInfoSetExt); k = 0; @@ -1952,13 +1953,14 @@ static DRC_ERROR _readLoudnessInfoSetExtension( bitSize = FDKreadBits(hBs, extSizeBits); pExt->extBitSize[k] = bitSize + 1; - nBitsRemaining = FDKgetValidBits(hBs); + nBitsRemaining = (INT)FDKgetValidBits(hBs); switch (pExt->loudnessInfoSetExtType[k]) { case UNIDRCLOUDEXT_EQ: err = _readLoudnessInfoSetExtEq(hBs, hLoudnessInfoSet); if (err) return err; - if (nBitsRemaining != (pExt->extBitSize[k] + FDKgetValidBits(hBs))) + if (nBitsRemaining != + ((INT)pExt->extBitSize[k] + (INT)FDKgetValidBits(hBs))) return DE_NOT_OK; break; /* add future extensions here */ diff --git a/libFDK/include/FDK_crc.h b/libFDK/include/FDK_crc.h index 17439ab..6c7040c 100644 --- a/libFDK/include/FDK_crc.h +++ b/libFDK/include/FDK_crc.h 
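Review bot: In _readUniDrcConfigExtension the declared size `pExt->extBitSize[k]` comes straight from the bitstream (`bitSize + 1`) and is compared with the remaining bits only after `_readDrcExtensionV1` has already parsed the payload. A check placed right after `nBitsRemaining` is set, `if ((INT)pExt->extBitSize[k] > nBitsRemaining) return DE_NOT_OK;`, would reject an extension that claims more data than the buffer holds before any of it is parsed. _readLoudnessInfoSetExtension has the same structure around `_readLoudnessInfoSetExtEq`. Both switch statements continue outside the hunks, so the other extension types may need the same treatment.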
@@ -115,8 +115,8 @@ amm-info@iis.fraunhofer.de typedef struct { UCHAR isActive; INT maxBits; - UINT bitBufCntBits; - UINT validBits; + INT bitBufCntBits; + INT validBits; } CCrcRegData; diff --git a/libFDK/src/FDK_crc.cpp b/libFDK/src/FDK_crc.cpp index 39f87d3..e208338 100644 --- a/libFDK/src/FDK_crc.cpp +++ b/libFDK/src/FDK_crc.cpp @@ -281,7 +281,7 @@ INT FDKcrcStartReg(HANDLE_FDK_CRCINFO hCrcInfo, const HANDLE_FDK_BITSTREAM hBs, FDK_ASSERT(hCrcInfo->crcRegData[reg].isActive == 0); hCrcInfo->crcRegData[reg].isActive = 1; hCrcInfo->crcRegData[reg].maxBits = mBits; - hCrcInfo->crcRegData[reg].validBits = FDKgetValidBits(hBs); + hCrcInfo->crcRegData[reg].validBits = (INT)FDKgetValidBits(hBs); hCrcInfo->crcRegData[reg].bitBufCntBits = 0; hCrcInfo->regStart = (hCrcInfo->regStart + 1) % MAX_CRC_REGS; @@ -296,10 +296,10 @@ INT FDKcrcEndReg(HANDLE_FDK_CRCINFO hCrcInfo, const HANDLE_FDK_BITSTREAM hBs, if (hBs->ConfigCache == BS_WRITER) { hCrcInfo->crcRegData[reg].bitBufCntBits = - FDKgetValidBits(hBs) - hCrcInfo->crcRegData[reg].validBits; + (INT)FDKgetValidBits(hBs) - hCrcInfo->crcRegData[reg].validBits; } else { hCrcInfo->crcRegData[reg].bitBufCntBits = - hCrcInfo->crcRegData[reg].validBits - FDKgetValidBits(hBs); + hCrcInfo->crcRegData[reg].validBits - (INT)FDKgetValidBits(hBs); } if (hCrcInfo->crcRegData[reg].maxBits == 0) { @@ -432,7 +432,7 @@ static void crcCalc(HANDLE_FDK_CRCINFO hCrcInfo, HANDLE_FDK_BITSTREAM hBs, if (hBs->ConfigCache == BS_READER) { bsReader = *hBs; FDKpushBiDirectional(&bsReader, - -(INT)(rD->validBits - FDKgetValidBits(&bsReader))); + -(rD->validBits - (INT)FDKgetValidBits(&bsReader))); } else { FDKinitBitStream(&bsReader, hBs->hBitBuf.Buffer, hBs->hBitBuf.bufSize, hBs->hBitBuf.ValidBits, BS_READER); 
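Review bot: FDKcrcEndReg now stores a signed difference in `bitBufCntBits`, and neither branch checks that the result is non-negative. crcCalc (the `@@ -441` hunk of FDK_crc.cpp) then evaluates `rD->bitBufCntBits >> 3 << 3` and may take `bits = rD->bitBufCntBits`; a negative value makes the left shift undefined in C++ before C++20 and passes a negative bit count to the code that follows, which lies outside the hunk. An `FDK_ASSERT(hCrcInfo->crcRegData[reg].bitBufCntBits >= 0);` after the if/else would document the invariant, and `rD->bitBufCntBits & ~7` would avoid shifting a signed value.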
@@ -441,7 +441,7 @@ static void crcCalc(HANDLE_FDK_CRCINFO hCrcInfo, HANDLE_FDK_BITSTREAM hBs, int bits, rBits; rBits = (rD->maxBits >= 0) ? rD->maxBits : -rD->maxBits; /* ramaining bits */ - if ((rD->maxBits > 0) && (((INT)rD->bitBufCntBits >> 3 << 3) < rBits)) { + if ((rD->maxBits > 0) && ((rD->bitBufCntBits >> 3 << 3) < rBits)) { bits = rD->bitBufCntBits; } else { bits = rBits; diff --git a/libMpegTPDec/src/tpdec_asc.cpp b/libMpegTPDec/src/tpdec_asc.cpp index 74beaa6..b7fd2a1 100644 --- a/libMpegTPDec/src/tpdec_asc.cpp +++ b/libMpegTPDec/src/tpdec_asc.cpp @@ -257,11 +257,11 @@ static int CProgramConfig_ReadHeightExt(CProgramConfig *pPce, } } else { /* No valid extension data found -> restore the initial bitbuffer state */ - FDKpushBack(bs, startAnchor - FDKgetValidBits(bs)); + FDKpushBack(bs, (INT)startAnchor - (INT)FDKgetValidBits(bs)); } /* Always report the bytes read. */ - *bytesAvailable -= (startAnchor - FDKgetValidBits(bs)) >> 3; + *bytesAvailable -= ((INT)startAnchor - (INT)FDKgetValidBits(bs)) >> 3; return (err); } diff --git a/libMpegTPDec/src/tpdec_lib.cpp b/libMpegTPDec/src/tpdec_lib.cpp index 306bec0..5eeb7fc 100644 --- a/libMpegTPDec/src/tpdec_lib.cpp +++ b/libMpegTPDec/src/tpdec_lib.cpp @@ -283,7 +283,7 @@ TRANSPORTDEC_ERROR transportDec_OutOfBandConfig(HANDLE_TRANSPORTDEC hTp, for (i = 0; i < 2; i++) { if (i > 0) { - FDKpushBack(hBs, length * 8 - FDKgetValidBits(hBs)); + FDKpushBack(hBs, (INT)length * 8 - (INT)FDKgetValidBits(hBs)); configMode = AC_CM_ALLOC_MEM; } diff --git a/libSACdec/src/sac_bitdec.cpp b/libSACdec/src/sac_bitdec.cpp index b2f3b7c..37e0cf2 100644 --- a/libSACdec/src/sac_bitdec.cpp +++ b/libSACdec/src/sac_bitdec.cpp 
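Review bot: CProgramConfig_ReadHeightExt casts `startAnchor` to INT at both uses, while CDataStreamElement_Read and the two DRC readers in this commit change the variable's declared type instead. Declaring `startAnchor` as INT (its declaration is outside the hunk) would remove both casts and keep the files consistent. The `>> 3` in `*bytesAvailable -= ... >> 3` now operates on a signed value, so a short comment such as `/* difference is >= 0: bits consumed since startAnchor */` would record the assumption the shift depends on.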
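Review bot: In transportDec_OutOfBandConfig, `(INT)length * 8` turns a wrapping unsigned multiplication into a signed one, which is undefined behaviour once `length` exceeds INT_MAX / 8. `length` describes the out-of-band config, and no upper bound on it is visible in the hunk; the parameter list and the earlier part of the body are outside it. A guard ahead of the loop, `if (length > (UINT)INT_MAX / 8) return /* transport error code, not visible here */;`, would make the cast safe. `sacHeaderLen * 8` in SpatialDecParseSpecificConfig deserves the same look if that value is caller-supplied.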
@@ -566,7 +566,7 @@ SACDEC_ERROR SpatialDecParseSpecificConfig( with respect to the beginning of the syntactic element in which ByteAlign() occurs. */ - numHeaderBits = cfgStartPos - FDKgetValidBits(bitstream); + numHeaderBits = cfgStartPos - (INT)FDKgetValidBits(bitstream); bitsAvailable -= numHeaderBits; pSpatialSpecificConfig->sacExtCnt = 0; @@ -594,7 +594,7 @@ bail: bitbuffer is exactly at its end when leaving the function. */ FDKpushBiDirectional( bitstream, - (sacHeaderLen * 8) - (cfgStartPos - FDKgetValidBits(bitstream))); + (sacHeaderLen * 8) - (cfgStartPos - (INT)FDKgetValidBits(bitstream))); } return err; diff --git a/libSBRdec/src/psbitdec.cpp b/libSBRdec/src/psbitdec.cpp index b2ea2e9..1521178 100644 --- a/libSBRdec/src/psbitdec.cpp +++ b/libSBRdec/src/psbitdec.cpp @@ -496,7 +496,7 @@ unsigned int ReadPsData( /* no useful PS data could be read from bitstream */ h_ps_d->bPsDataAvail[h_ps_d->bsReadSlot] = ppt_none; /* discard all remaining bits */ - nBitsLeft -= startbits - FDKgetValidBits(hBitBuf); + nBitsLeft -= startbits - (INT)FDKgetValidBits(hBitBuf); while (nBitsLeft > 0) { int i = nBitsLeft; if (i > 8) { @@ -505,7 +505,7 @@ unsigned int ReadPsData( FDKreadBits(hBitBuf, i); nBitsLeft -= i; } - return (startbits - FDKgetValidBits(hBitBuf)); + return (UINT)(startbits - (INT)FDKgetValidBits(hBitBuf)); } if (pBsData->modeIid > 2) { |
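Review bot: The new `return (UINT)(startbits - (INT)FDKgetValidBits(hBitBuf));` in ReadPsData converts a signed difference back to unsigned, so a negative result would be reported to the caller as a huge number of bits read. The hunk does not show a check that `startbits` is at least the current valid-bit count at that point. Holding the value in a local, `INT consumed = startbits - (INT)FDKgetValidBits(hBitBuf);`, and adding `FDK_ASSERT(consumed >= 0);` before `return (UINT)consumed;` would make the assumption explicit. The function begins and continues outside the hunk.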