diff options
author | TreeHugger Robot <treehugger-gerrit@google.com> | 2021-05-06 20:55:56 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2021-05-06 20:55:56 +0000 |
commit | ad6ba7f548b009da6a5265845804ca37b3955c00 (patch) | |
tree | d7a7a6e6074f207dd8e8ee86618dc82dcf90bbe0 | |
parent | 47ee0b94ab44add7dfeb004b74714038e98d4d31 (diff) | |
parent | f633fc085e852d6ead6ca0cc9dc256fe42995630 (diff) | |
download | fdk-aac-ad6ba7f548b009da6a5265845804ca37b3955c00.tar.gz fdk-aac-ad6ba7f548b009da6a5265845804ca37b3955c00.tar.bz2 fdk-aac-ad6ba7f548b009da6a5265845804ca37b3955c00.zip |
Merge "Avoid integer overflows in CLatmDemux_ReadAuChunkLengthInfo() and FDK_get32() to prevent endless loop." into sc-dev am: f633fc085e
Original change: https://googleplex-android-review.googlesource.com/c/platform/external/aac/+/14373121
Change-Id: Ica864c2a1ea78200a44882b593fe5b5bbb014f5f
-rw-r--r-- | libMpegTPDec/src/tpdec_latm.cpp | 41 | ||||
-rw-r--r-- | libMpegTPDec/src/tpdec_latm.h | 4 |
2 files changed, 22 insertions, 23 deletions
diff --git a/libMpegTPDec/src/tpdec_latm.cpp b/libMpegTPDec/src/tpdec_latm.cpp index 3b71db8..c32be54 100644 --- a/libMpegTPDec/src/tpdec_latm.cpp +++ b/libMpegTPDec/src/tpdec_latm.cpp @@ -1,7 +1,7 @@ /* ----------------------------------------------------------------------------- Software License for The Fraunhofer FDK AAC Codec Library for Android -© Copyright 1995 - 2019 Fraunhofer-Gesellschaft zur Förderung der angewandten +© Copyright 1995 - 2021 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. All rights reserved. 1. INTRODUCTION @@ -591,6 +591,18 @@ bail: return (ErrorStatus); } +static int CLatmDemux_ReadAuChunkLengthInfo(HANDLE_FDK_BITSTREAM bs) { + int len = 0, tmp = 255; + int validBytes = (int)FDKgetValidBits(bs) >> 3; + + while (tmp == 255 && validBytes-- > 0) { + tmp = (int)FDKreadBits(bs, 8); + len += tmp; + } + + return ((tmp == 255) ? -1 : (len << 3)); +} + TRANSPORTDEC_ERROR CLatmDemux_ReadPayloadLengthInfo(HANDLE_FDK_BITSTREAM bs, CLatmDemux *pLatmDemux) { TRANSPORTDEC_ERROR ErrorStatus = TRANSPORTDEC_OK; @@ -602,11 +614,17 @@ TRANSPORTDEC_ERROR CLatmDemux_ReadPayloadLengthInfo(HANDLE_FDK_BITSTREAM bs, FDK_ASSERT(pLatmDemux->m_numLayer[prog] <= LATM_MAX_LAYER); for (UINT lay = 0; lay < pLatmDemux->m_numLayer[prog]; lay++) { LATM_LAYER_INFO *p_linfo = &pLatmDemux->m_linfo[prog][lay]; + int auChunkLengthInfo = 0; switch (p_linfo->m_frameLengthType) { case 0: - p_linfo->m_frameLengthInBits = CLatmDemux_ReadAuChunkLengthInfo(bs); - totalPayloadBits += p_linfo->m_frameLengthInBits; + auChunkLengthInfo = CLatmDemux_ReadAuChunkLengthInfo(bs); + if (auChunkLengthInfo >= 0) { + p_linfo->m_frameLengthInBits = (UINT)auChunkLengthInfo; + totalPayloadBits += p_linfo->m_frameLengthInBits; + } else { + return TRANSPORTDEC_PARSE_ERROR; + } break; case 3: case 5: @@ -627,23 +645,6 @@ TRANSPORTDEC_ERROR CLatmDemux_ReadPayloadLengthInfo(HANDLE_FDK_BITSTREAM bs, return (ErrorStatus); } -int CLatmDemux_ReadAuChunkLengthInfo(HANDLE_FDK_BITSTREAM bs) { - UCHAR endFlag; - int len = 0; - - do { - UCHAR tmp = (UCHAR)FDKreadBits(bs, 8); - endFlag = (tmp < 255); - - len += tmp; - - } while (endFlag == 0); - - len <<= 3; /* convert from bytes to bits */ - - return len; -} - UINT CLatmDemux_GetFrameLengthInBits(CLatmDemux *pLatmDemux, const UINT prog, const UINT layer) { UINT nFrameLenBits = 0; diff --git a/libMpegTPDec/src/tpdec_latm.h b/libMpegTPDec/src/tpdec_latm.h index 6af553d..8b8c971 100644 --- a/libMpegTPDec/src/tpdec_latm.h +++ b/libMpegTPDec/src/tpdec_latm.h @@ -1,7 +1,7 @@ /* ----------------------------------------------------------------------------- Software License for The Fraunhofer FDK AAC Codec Library for Android -© Copyright 1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten +© Copyright 1995 - 2021 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. All rights reserved. 1. INTRODUCTION @@ -151,8 +151,6 @@ typedef struct { AudioPreRoll */ } CLatmDemux; -int CLatmDemux_ReadAuChunkLengthInfo(HANDLE_FDK_BITSTREAM bs); - TRANSPORTDEC_ERROR CLatmDemux_Read(HANDLE_FDK_BITSTREAM bs, CLatmDemux *pLatmDemux, TRANSPORT_TYPE tt, CSTpCallBacks *pTpDecCallbacks, |