aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTreeHugger Robot <treehugger-gerrit@google.com>2021-05-06 20:54:51 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2021-05-06 20:54:51 +0000
commit97d79d70546905aa6d5c723ca2f83f7890afe26a (patch)
treed7a7a6e6074f207dd8e8ee86618dc82dcf90bbe0
parent480c182ae933b2d06daca925bb08e08d5d7df51a (diff)
parentf633fc085e852d6ead6ca0cc9dc256fe42995630 (diff)
downloadfdk-aac-97d79d70546905aa6d5c723ca2f83f7890afe26a.tar.gz
fdk-aac-97d79d70546905aa6d5c723ca2f83f7890afe26a.tar.bz2
fdk-aac-97d79d70546905aa6d5c723ca2f83f7890afe26a.zip
Merge "Avoid integer overflows in CLatmDemux_ReadAuChunkLengthInfo() and FDK_get32() to prevent endless loop." into sc-dev am: f633fc085e
Original change: https://googleplex-android-review.googlesource.com/c/platform/external/aac/+/14373121 Change-Id: I51b0c8c03fe7f1b6e14a802f7340e121d4186fe9
-rw-r--r--libMpegTPDec/src/tpdec_latm.cpp41
-rw-r--r--libMpegTPDec/src/tpdec_latm.h4
2 files changed, 22 insertions, 23 deletions
diff --git a/libMpegTPDec/src/tpdec_latm.cpp b/libMpegTPDec/src/tpdec_latm.cpp
index 3b71db8..c32be54 100644
--- a/libMpegTPDec/src/tpdec_latm.cpp
+++ b/libMpegTPDec/src/tpdec_latm.cpp
@@ -1,7 +1,7 @@
/* -----------------------------------------------------------------------------
Software License for The Fraunhofer FDK AAC Codec Library for Android
-© Copyright 1995 - 2019 Fraunhofer-Gesellschaft zur Förderung der angewandten
+© Copyright 1995 - 2021 Fraunhofer-Gesellschaft zur Förderung der angewandten
Forschung e.V. All rights reserved.
1. INTRODUCTION
@@ -591,6 +591,18 @@ bail:
return (ErrorStatus);
}
+static int CLatmDemux_ReadAuChunkLengthInfo(HANDLE_FDK_BITSTREAM bs) {
+ int len = 0, tmp = 255;
+ int validBytes = (int)FDKgetValidBits(bs) >> 3;
+
+ while (tmp == 255 && validBytes-- > 0) {
+ tmp = (int)FDKreadBits(bs, 8);
+ len += tmp;
+ }
+
+ return ((tmp == 255) ? -1 : (len << 3));
+}
+
TRANSPORTDEC_ERROR CLatmDemux_ReadPayloadLengthInfo(HANDLE_FDK_BITSTREAM bs,
CLatmDemux *pLatmDemux) {
TRANSPORTDEC_ERROR ErrorStatus = TRANSPORTDEC_OK;
@@ -602,11 +614,17 @@ TRANSPORTDEC_ERROR CLatmDemux_ReadPayloadLengthInfo(HANDLE_FDK_BITSTREAM bs,
FDK_ASSERT(pLatmDemux->m_numLayer[prog] <= LATM_MAX_LAYER);
for (UINT lay = 0; lay < pLatmDemux->m_numLayer[prog]; lay++) {
LATM_LAYER_INFO *p_linfo = &pLatmDemux->m_linfo[prog][lay];
+ int auChunkLengthInfo = 0;
switch (p_linfo->m_frameLengthType) {
case 0:
- p_linfo->m_frameLengthInBits = CLatmDemux_ReadAuChunkLengthInfo(bs);
- totalPayloadBits += p_linfo->m_frameLengthInBits;
+ auChunkLengthInfo = CLatmDemux_ReadAuChunkLengthInfo(bs);
+ if (auChunkLengthInfo >= 0) {
+ p_linfo->m_frameLengthInBits = (UINT)auChunkLengthInfo;
+ totalPayloadBits += p_linfo->m_frameLengthInBits;
+ } else {
+ return TRANSPORTDEC_PARSE_ERROR;
+ }
break;
case 3:
case 5:
@@ -627,23 +645,6 @@ TRANSPORTDEC_ERROR CLatmDemux_ReadPayloadLengthInfo(HANDLE_FDK_BITSTREAM bs,
return (ErrorStatus);
}
-int CLatmDemux_ReadAuChunkLengthInfo(HANDLE_FDK_BITSTREAM bs) {
- UCHAR endFlag;
- int len = 0;
-
- do {
- UCHAR tmp = (UCHAR)FDKreadBits(bs, 8);
- endFlag = (tmp < 255);
-
- len += tmp;
-
- } while (endFlag == 0);
-
- len <<= 3; /* convert from bytes to bits */
-
- return len;
-}
-
UINT CLatmDemux_GetFrameLengthInBits(CLatmDemux *pLatmDemux, const UINT prog,
const UINT layer) {
UINT nFrameLenBits = 0;
diff --git a/libMpegTPDec/src/tpdec_latm.h b/libMpegTPDec/src/tpdec_latm.h
index 6af553d..8b8c971 100644
--- a/libMpegTPDec/src/tpdec_latm.h
+++ b/libMpegTPDec/src/tpdec_latm.h
@@ -1,7 +1,7 @@
/* -----------------------------------------------------------------------------
Software License for The Fraunhofer FDK AAC Codec Library for Android
-© Copyright 1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten
+© Copyright 1995 - 2021 Fraunhofer-Gesellschaft zur Förderung der angewandten
Forschung e.V. All rights reserved.
1. INTRODUCTION
@@ -151,8 +151,6 @@ typedef struct {
AudioPreRoll */
} CLatmDemux;
-int CLatmDemux_ReadAuChunkLengthInfo(HANDLE_FDK_BITSTREAM bs);
-
TRANSPORTDEC_ERROR CLatmDemux_Read(HANDLE_FDK_BITSTREAM bs,
CLatmDemux *pLatmDemux, TRANSPORT_TYPE tt,
CSTpCallBacks *pTpDecCallbacks,