authorFraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>2018-09-10 16:39:30 +0200
committerandroid-build-team Robot <android-build-team-robot@google.com>2018-10-20 00:17:02 +0000
commit5e5701952535e22ad38d6735bbf4f1f92ce99ceb (patch)
tree5cf8e51e0b896f3da4e70112dce18516917d4a7a
parent0e5db9fee912d367a572b88f0d86f9a33006fa29 (diff)
Prevent out of bounds accesses in lppTransposer() and lppTransposerHBE()
Bug: 112160868 Test: see poc in bug Change-Id: I6a2161865d9cb9b51dc37c09d6e3a4a8e5d11f86 (cherry picked from commit 4dad829df00932b89858b9833cf5dcded8d97c37)
-rw-r--r--Android.bp3
-rw-r--r--libSBRdec/src/lpp_tran.cpp74
2 files changed, 50 insertions, 27 deletions
diff --git a/Android.bp b/Android.bp
index 50cc092..c89a95c 100644
--- a/Android.bp
+++ b/Android.bp
@@ -27,6 +27,9 @@ cc_library_static {
misc_undefined:["unsigned-integer-overflow", "signed-integer-overflow"],
cfi: true,
},
+ shared_libs: [
+ "liblog",
+ ],
export_include_dirs: [
"libAACdec/include",
"libAACenc/include",
diff --git a/libSBRdec/src/lpp_tran.cpp b/libSBRdec/src/lpp_tran.cpp
index aa1fd5d..2ef07eb 100644
--- a/libSBRdec/src/lpp_tran.cpp
+++ b/libSBRdec/src/lpp_tran.cpp
@@ -118,6 +118,10 @@ amm-info@iis.fraunhofer.de
\sa lppTransposer(), main_audio.cpp, sbr_scale.h, \ref documentationOverview
*/
+#ifdef __ANDROID__
+#include "log/log.h"
+#endif
+
#include "lpp_tran.h"
#include "sbr_ram.h"
@@ -295,7 +299,6 @@ void lppTransposer(
int ovLowBandShift;
int lowBandShift;
/* int ovHighBandShift;*/
- int targetStopBand;
alphai[0] = FL2FXCONST_SGL(0.0f);
alphai[1] = FL2FXCONST_SGL(0.0f);
@@ -311,25 +314,34 @@ void lppTransposer(
autoCorrLength = pSettings->nCols + pSettings->overlap;
- /* Set upper subbands to zero:
- This is required in case that the patches do not cover the complete
- highband (because the last patch would be too short). Possible
- optimization: Clearing bands up to usb would be sufficient here. */
- targetStopBand = patchParam[pSettings->noOfPatches - 1].targetStartBand +
- patchParam[pSettings->noOfPatches - 1].numBandsInPatch;
+ if (pSettings->noOfPatches > 0) {
+ /* Set upper subbands to zero:
+ This is required in case that the patches do not cover the complete
+ highband (because the last patch would be too short). Possible
+ optimization: Clearing bands up to usb would be sufficient here. */
+ int targetStopBand =
+ patchParam[pSettings->noOfPatches - 1].targetStartBand +
+ patchParam[pSettings->noOfPatches - 1].numBandsInPatch;
- int memSize = ((64) - targetStopBand) * sizeof(FIXP_DBL);
+ int memSize = ((64) - targetStopBand) * sizeof(FIXP_DBL);
- if (!useLP) {
- for (i = startSample; i < stopSampleClear; i++) {
- FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize);
- FDKmemclear(&qmfBufferImag[i][targetStopBand], memSize);
- }
- } else {
- for (i = startSample; i < stopSampleClear; i++) {
- FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize);
+ if (!useLP) {
+ for (i = startSample; i < stopSampleClear; i++) {
+ FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize);
+ FDKmemclear(&qmfBufferImag[i][targetStopBand], memSize);
+ }
+ } else {
+ for (i = startSample; i < stopSampleClear; i++) {
+ FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize);
+ }
}
}
+#ifdef __ANDROID__
+ else {
+ // Safetynet logging
+ android_errorWriteLog(0x534e4554, "112160868");
+ }
+#endif
/* init bwIndex for each patch */
FDKmemclear(bwIndex, sizeof(bwIndex));
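Review bot: The added `noOfPatches > 0` guard in lppTransposer() only stops the `patchParam[-1]` read; `targetStopBand` is still used unchecked. If the last patch's `targetStartBand + numBandsInPatch` is above 64 or negative, `memSize` no longer describes the rest of the row and `&qmfBufferReal[i][targetStopBand]` already points outside it when FDKmemclear() is called. Whether patchParam is validated before this point is not visible in the hunk, so I would bound the value locally, e.g. by wrapping the clear loops in `if (targetStopBand >= 0 && targetStopBand < (64)) { ... }`. The same applies to the identical block added in the lppTransposerHBE() hunk, and neither hunk checks `noOfPatches` against the capacity of `patchParam`. Both function bodies start and end outside the hunks.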
@@ -874,7 +886,6 @@ void lppTransposerHBE(
int ovLowBandShift;
int lowBandShift;
/* int ovHighBandShift;*/
- int targetStopBand;
alphai[0] = FL2FXCONST_SGL(0.0f);
alphai[1] = FL2FXCONST_SGL(0.0f);
@@ -889,19 +900,28 @@ void lppTransposerHBE(
autoCorrLength = pSettings->nCols + pSettings->overlap;
- /* Set upper subbands to zero:
- This is required in case that the patches do not cover the complete
- highband (because the last patch would be too short). Possible
- optimization: Clearing bands up to usb would be sufficient here. */
- targetStopBand = patchParam[pSettings->noOfPatches - 1].targetStartBand +
- patchParam[pSettings->noOfPatches - 1].numBandsInPatch;
+ if (pSettings->noOfPatches > 0) {
+ /* Set upper subbands to zero:
+ This is required in case that the patches do not cover the complete
+ highband (because the last patch would be too short). Possible
+ optimization: Clearing bands up to usb would be sufficient here. */
+ int targetStopBand =
+ patchParam[pSettings->noOfPatches - 1].targetStartBand +
+ patchParam[pSettings->noOfPatches - 1].numBandsInPatch;
- int memSize = ((64) - targetStopBand) * sizeof(FIXP_DBL);
+ int memSize = ((64) - targetStopBand) * sizeof(FIXP_DBL);
- for (i = startSample; i < stopSampleClear; i++) {
- FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize);
- FDKmemclear(&qmfBufferImag[i][targetStopBand], memSize);
+ for (i = startSample; i < stopSampleClear; i++) {
+ FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize);
+ FDKmemclear(&qmfBufferImag[i][targetStopBand], memSize);
+ }
+ }
+#ifdef __ANDROID__
+ else {
+ // Safetynet logging
+ android_errorWriteLog(0x534e4554, "112160868");
}
+#endif
/*
Calc common low band scale factor