aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>2018-05-09 13:32:45 +0200
committerJean-Michel Trivi <jmtrivi@google.com>2018-05-09 15:15:28 -0700
commit44ac411683e7cfbfdb1f58e02d54377d709c8dd4 (patch)
tree756d84f186478676d172f1afc3339c05c6b69709
parent9ab67882eca7454dc001e158bc1e6e2219d6650b (diff)
downloadfdk-aac-44ac411683e7cfbfdb1f58e02d54377d709c8dd4.tar.gz
fdk-aac-44ac411683e7cfbfdb1f58e02d54377d709c8dd4.tar.bz2
fdk-aac-44ac411683e7cfbfdb1f58e02d54377d709c8dd4.zip
FDK patches: fix overflows in decoder out-of-band config
Bug: 71430241 Bug: 79220129 Test: cts-tradefed run commandAndExit cts-dev -m CtsMediaTestCases -t android.media.cts.DecoderTestXheAac cts-tradefed run commandAndExit cts-dev -m CtsMediaTestCases -t android.media.cts.DecoderTestAacDrc Unsigned Integer Overflows in CDataStreamElement_Read() Change-Id: Ic2f5b3ae111bf984d4d0db664823798957b0a979 Unsigned Integer Overflow in CProgramConfig_ReadHeightExt() Change-Id: Iaebc458bb59504203e604a28ed6d5cecaa875c42 Unsigned Integer Overflow in transportDec_OutOfBandConfig() Change-Id: I24a4b32d736f28c55147f0e2ca06fe5537da19c2 Unsigned Integer Overflows in CDKcrcEndReg() & crcCalc() Change-Id: I6ebbe541a4d3b6bacbd5ace17264972951de7ca8 Unsigned Integer Overflows in ReadPsData() Change-Id: Id36576fe545236860a06f17971494ecd4484c494 Unsigned Integer Overflow in SpatialDecParseSpecificConfig() Change-Id: Ib468f129a951c69776b88468407f008ab4cfd2c7 Unsigned Integer Overflows in _readUniDrcConfigExtension() & _readLoudnessInfoSetExtension() Change-Id: Ibcf7c6a23af49239206ea9301c58adac36e3ceba
-rw-r--r--libAACdec/src/aacdecoder.cpp12
-rw-r--r--libDRCdec/src/drcDec_reader.cpp14
-rw-r--r--libFDK/include/FDK_crc.h4
-rw-r--r--libFDK/src/FDK_crc.cpp10
-rw-r--r--libMpegTPDec/src/tpdec_asc.cpp4
-rw-r--r--libMpegTPDec/src/tpdec_lib.cpp2
-rw-r--r--libSACdec/src/sac_bitdec.cpp4
-rw-r--r--libSBRdec/src/psbitdec.cpp4
8 files changed, 28 insertions, 26 deletions
diff --git a/libAACdec/src/aacdecoder.cpp b/libAACdec/src/aacdecoder.cpp
index 64adb56..3cbdffd 100644
--- a/libAACdec/src/aacdecoder.cpp
+++ b/libAACdec/src/aacdecoder.cpp
@@ -437,7 +437,8 @@ static AAC_DECODER_ERROR CDataStreamElement_Read(HANDLE_AACDECODER self,
UCHAR *elementInstanceTag,
UINT alignmentAnchor) {
AAC_DECODER_ERROR error = AAC_DEC_OK;
- UINT dataStart, dseBits;
+ UINT dseBits;
+ INT dataStart;
int dataByteAlignFlag, count;
FDK_ASSERT(self != NULL);
@@ -460,14 +461,14 @@ static AAC_DECODER_ERROR CDataStreamElement_Read(HANDLE_AACDECODER self,
FDKbyteAlign(bs, alignmentAnchor);
}
- dataStart = FDKgetValidBits(bs);
+ dataStart = (INT)FDKgetValidBits(bs);
error = CAacDecoder_AncDataParse(&self->ancData, bs, count);
transportDec_CrcEndReg(self->hInput, crcReg);
{
/* Move to the beginning of the data chunk */
- FDKpushBack(bs, dataStart - FDKgetValidBits(bs));
+ FDKpushBack(bs, dataStart - (INT)FDKgetValidBits(bs));
/* Read Anc data if available */
aacDecoder_drcMarkPayload(self->hDrcInfo, bs, DVB_DRC_ANC_DATA);
@@ -477,7 +478,7 @@ static AAC_DECODER_ERROR CDataStreamElement_Read(HANDLE_AACDECODER self,
PCMDMX_ERROR dmxErr = PCMDMX_OK;
/* Move to the beginning of the data chunk */
- FDKpushBack(bs, dataStart - FDKgetValidBits(bs));
+ FDKpushBack(bs, dataStart - (INT)FDKgetValidBits(bs));
/* Read DMX meta-data */
dmxErr = pcmDmx_Parse(self->hPcmUtils, bs, dseBits, 0 /* not mpeg2 */);
@@ -487,8 +488,7 @@ static AAC_DECODER_ERROR CDataStreamElement_Read(HANDLE_AACDECODER self,
}
/* Move to the very end of the element. */
- FDKpushBiDirectional(
- bs, (INT)FDKgetValidBits(bs) - (INT)dataStart + (INT)dseBits);
+ FDKpushBiDirectional(bs, (INT)FDKgetValidBits(bs) - dataStart + (INT)dseBits);
return error;
}
diff --git a/libDRCdec/src/drcDec_reader.cpp b/libDRCdec/src/drcDec_reader.cpp
index db5fab7..6fe7a04 100644
--- a/libDRCdec/src/drcDec_reader.cpp
+++ b/libDRCdec/src/drcDec_reader.cpp
@@ -1622,7 +1622,7 @@ static DRC_ERROR _readUniDrcConfigExtension(
HANDLE_FDK_BITSTREAM hBs, HANDLE_UNI_DRC_CONFIG hUniDrcConfig) {
DRC_ERROR err = DE_OK;
int k, bitSizeLen, extSizeBits, bitSize;
- UINT nBitsRemaining;
+ INT nBitsRemaining;
UNI_DRC_CONFIG_EXTENSION* pExt = &(hUniDrcConfig->uniDrcConfigExt);
k = 0;
@@ -1634,13 +1634,14 @@ static DRC_ERROR _readUniDrcConfigExtension(
bitSize = FDKreadBits(hBs, extSizeBits);
pExt->extBitSize[k] = bitSize + 1;
- nBitsRemaining = FDKgetValidBits(hBs);
+ nBitsRemaining = (INT)FDKgetValidBits(hBs);
switch (pExt->uniDrcConfigExtType[k]) {
case UNIDRCCONFEXT_V1:
err = _readDrcExtensionV1(hBs, hUniDrcConfig);
if (err) return err;
- if (nBitsRemaining != (pExt->extBitSize[k] + FDKgetValidBits(hBs)))
+ if (nBitsRemaining !=
+ ((INT)pExt->extBitSize[k] + (INT)FDKgetValidBits(hBs)))
return DE_NOT_OK;
break;
case UNIDRCCONFEXT_PARAM_DRC:
@@ -1940,7 +1941,7 @@ static DRC_ERROR _readLoudnessInfoSetExtension(
HANDLE_FDK_BITSTREAM hBs, HANDLE_LOUDNESS_INFO_SET hLoudnessInfoSet) {
DRC_ERROR err = DE_OK;
int k, bitSizeLen, extSizeBits, bitSize;
- UINT nBitsRemaining;
+ INT nBitsRemaining;
LOUDNESS_INFO_SET_EXTENSION* pExt = &(hLoudnessInfoSet->loudnessInfoSetExt);
k = 0;
@@ -1952,13 +1953,14 @@ static DRC_ERROR _readLoudnessInfoSetExtension(
bitSize = FDKreadBits(hBs, extSizeBits);
pExt->extBitSize[k] = bitSize + 1;
- nBitsRemaining = FDKgetValidBits(hBs);
+ nBitsRemaining = (INT)FDKgetValidBits(hBs);
switch (pExt->loudnessInfoSetExtType[k]) {
case UNIDRCLOUDEXT_EQ:
err = _readLoudnessInfoSetExtEq(hBs, hLoudnessInfoSet);
if (err) return err;
- if (nBitsRemaining != (pExt->extBitSize[k] + FDKgetValidBits(hBs)))
+ if (nBitsRemaining !=
+ ((INT)pExt->extBitSize[k] + (INT)FDKgetValidBits(hBs)))
return DE_NOT_OK;
break;
/* add future extensions here */
diff --git a/libFDK/include/FDK_crc.h b/libFDK/include/FDK_crc.h
index 17439ab..6c7040c 100644
--- a/libFDK/include/FDK_crc.h
+++ b/libFDK/include/FDK_crc.h
@@ -115,8 +115,8 @@ amm-info@iis.fraunhofer.de
typedef struct {
UCHAR isActive;
INT maxBits;
- UINT bitBufCntBits;
- UINT validBits;
+ INT bitBufCntBits;
+ INT validBits;
} CCrcRegData;
diff --git a/libFDK/src/FDK_crc.cpp b/libFDK/src/FDK_crc.cpp
index 39f87d3..e208338 100644
--- a/libFDK/src/FDK_crc.cpp
+++ b/libFDK/src/FDK_crc.cpp
@@ -281,7 +281,7 @@ INT FDKcrcStartReg(HANDLE_FDK_CRCINFO hCrcInfo, const HANDLE_FDK_BITSTREAM hBs,
FDK_ASSERT(hCrcInfo->crcRegData[reg].isActive == 0);
hCrcInfo->crcRegData[reg].isActive = 1;
hCrcInfo->crcRegData[reg].maxBits = mBits;
- hCrcInfo->crcRegData[reg].validBits = FDKgetValidBits(hBs);
+ hCrcInfo->crcRegData[reg].validBits = (INT)FDKgetValidBits(hBs);
hCrcInfo->crcRegData[reg].bitBufCntBits = 0;
hCrcInfo->regStart = (hCrcInfo->regStart + 1) % MAX_CRC_REGS;
@@ -296,10 +296,10 @@ INT FDKcrcEndReg(HANDLE_FDK_CRCINFO hCrcInfo, const HANDLE_FDK_BITSTREAM hBs,
if (hBs->ConfigCache == BS_WRITER) {
hCrcInfo->crcRegData[reg].bitBufCntBits =
- FDKgetValidBits(hBs) - hCrcInfo->crcRegData[reg].validBits;
+ (INT)FDKgetValidBits(hBs) - hCrcInfo->crcRegData[reg].validBits;
} else {
hCrcInfo->crcRegData[reg].bitBufCntBits =
- hCrcInfo->crcRegData[reg].validBits - FDKgetValidBits(hBs);
+ hCrcInfo->crcRegData[reg].validBits - (INT)FDKgetValidBits(hBs);
}
if (hCrcInfo->crcRegData[reg].maxBits == 0) {
@@ -432,7 +432,7 @@ static void crcCalc(HANDLE_FDK_CRCINFO hCrcInfo, HANDLE_FDK_BITSTREAM hBs,
if (hBs->ConfigCache == BS_READER) {
bsReader = *hBs;
FDKpushBiDirectional(&bsReader,
- -(INT)(rD->validBits - FDKgetValidBits(&bsReader)));
+ -(rD->validBits - (INT)FDKgetValidBits(&bsReader)));
} else {
FDKinitBitStream(&bsReader, hBs->hBitBuf.Buffer, hBs->hBitBuf.bufSize,
hBs->hBitBuf.ValidBits, BS_READER);
@@ -441,7 +441,7 @@ static void crcCalc(HANDLE_FDK_CRCINFO hCrcInfo, HANDLE_FDK_BITSTREAM hBs,
int bits, rBits;
rBits = (rD->maxBits >= 0) ? rD->maxBits : -rD->maxBits; /* ramaining bits */
- if ((rD->maxBits > 0) && (((INT)rD->bitBufCntBits >> 3 << 3) < rBits)) {
+ if ((rD->maxBits > 0) && ((rD->bitBufCntBits >> 3 << 3) < rBits)) {
bits = rD->bitBufCntBits;
} else {
bits = rBits;
diff --git a/libMpegTPDec/src/tpdec_asc.cpp b/libMpegTPDec/src/tpdec_asc.cpp
index 74beaa6..b7fd2a1 100644
--- a/libMpegTPDec/src/tpdec_asc.cpp
+++ b/libMpegTPDec/src/tpdec_asc.cpp
@@ -257,11 +257,11 @@ static int CProgramConfig_ReadHeightExt(CProgramConfig *pPce,
}
} else {
/* No valid extension data found -> restore the initial bitbuffer state */
- FDKpushBack(bs, startAnchor - FDKgetValidBits(bs));
+ FDKpushBack(bs, (INT)startAnchor - (INT)FDKgetValidBits(bs));
}
/* Always report the bytes read. */
- *bytesAvailable -= (startAnchor - FDKgetValidBits(bs)) >> 3;
+ *bytesAvailable -= ((INT)startAnchor - (INT)FDKgetValidBits(bs)) >> 3;
return (err);
}
diff --git a/libMpegTPDec/src/tpdec_lib.cpp b/libMpegTPDec/src/tpdec_lib.cpp
index 306bec0..5eeb7fc 100644
--- a/libMpegTPDec/src/tpdec_lib.cpp
+++ b/libMpegTPDec/src/tpdec_lib.cpp
@@ -283,7 +283,7 @@ TRANSPORTDEC_ERROR transportDec_OutOfBandConfig(HANDLE_TRANSPORTDEC hTp,
for (i = 0; i < 2; i++) {
if (i > 0) {
- FDKpushBack(hBs, length * 8 - FDKgetValidBits(hBs));
+ FDKpushBack(hBs, (INT)length * 8 - (INT)FDKgetValidBits(hBs));
configMode = AC_CM_ALLOC_MEM;
}
diff --git a/libSACdec/src/sac_bitdec.cpp b/libSACdec/src/sac_bitdec.cpp
index b2f3b7c..37e0cf2 100644
--- a/libSACdec/src/sac_bitdec.cpp
+++ b/libSACdec/src/sac_bitdec.cpp
@@ -566,7 +566,7 @@ SACDEC_ERROR SpatialDecParseSpecificConfig(
with respect to the beginning of the syntactic
element in which ByteAlign() occurs. */
- numHeaderBits = cfgStartPos - FDKgetValidBits(bitstream);
+ numHeaderBits = cfgStartPos - (INT)FDKgetValidBits(bitstream);
bitsAvailable -= numHeaderBits;
pSpatialSpecificConfig->sacExtCnt = 0;
@@ -594,7 +594,7 @@ bail:
bitbuffer is exactly at its end when leaving the function. */
FDKpushBiDirectional(
bitstream,
- (sacHeaderLen * 8) - (cfgStartPos - FDKgetValidBits(bitstream)));
+ (sacHeaderLen * 8) - (cfgStartPos - (INT)FDKgetValidBits(bitstream)));
}
return err;
diff --git a/libSBRdec/src/psbitdec.cpp b/libSBRdec/src/psbitdec.cpp
index b2ea2e9..1521178 100644
--- a/libSBRdec/src/psbitdec.cpp
+++ b/libSBRdec/src/psbitdec.cpp
@@ -496,7 +496,7 @@ unsigned int ReadPsData(
/* no useful PS data could be read from bitstream */
h_ps_d->bPsDataAvail[h_ps_d->bsReadSlot] = ppt_none;
/* discard all remaining bits */
- nBitsLeft -= startbits - FDKgetValidBits(hBitBuf);
+ nBitsLeft -= startbits - (INT)FDKgetValidBits(hBitBuf);
while (nBitsLeft > 0) {
int i = nBitsLeft;
if (i > 8) {
@@ -505,7 +505,7 @@ unsigned int ReadPsData(
FDKreadBits(hBitBuf, i);
nBitsLeft -= i;
}
- return (startbits - FDKgetValidBits(hBitBuf));
+ return (UINT)(startbits - (INT)FDKgetValidBits(hBitBuf));
}
if (pBsData->modeIid > 2) {