authorFraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>2019-08-09 17:10:29 +0200
committerJean-Michel Trivi <jmtrivi@google.com>2019-10-14 15:19:19 -0700
commitda5b0dcb3c01197b3499e0b569babcb0f5a09bbe (patch)
treede347f8af20db2eabac232391c34ea8ee7eae36c
parent15965e3feb9025e1db65a7c9a7408b3970430cb8 (diff)
Restrict size of huffman escape sequence to prevent shift with too large exponent in DecodeEscapeSequence().
Bug: 131430997 Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: Ibcd182e313e9ef480e92619023bf424762b92e23
-rw-r--r--libAACdec/src/aacdec_hcr.cpp28
1 files changed, 19 insertions, 9 deletions
diff --git a/libAACdec/src/aacdec_hcr.cpp b/libAACdec/src/aacdec_hcr.cpp
index 6114756..a7e9cce 100644
--- a/libAACdec/src/aacdec_hcr.cpp
+++ b/libAACdec/src/aacdec_hcr.cpp
@@ -1,7 +1,7 @@
/* -----------------------------------------------------------------------------
Software License for The Fraunhofer FDK AAC Codec Library for Android
-© Copyright 1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten
+© Copyright 1995 - 2019 Fraunhofer-Gesellschaft zur Förderung der angewandten
Forschung e.V. All rights reserved.
1. INTRODUCTION
@@ -137,7 +137,7 @@ static void DeriveNumberOfExtendedSortedSectionsInSets(
static INT DecodeEscapeSequence(HANDLE_FDK_BITSTREAM bs, const INT bsAnchor,
INT quantSpecCoef, INT *pLeftStartOfSegment,
SCHAR *pRemainingBitsInSegment,
- int *pNumDecodedBits);
+ int *pNumDecodedBits, UINT *errorWord);
static int DecodePCW_Sign(HANDLE_FDK_BITSTREAM bs, const INT bsAnchor,
UINT codebookDim, const SCHAR *pQuantVal,
@@ -1179,8 +1179,8 @@ static void DecodePCWs(HANDLE_FDK_BITSTREAM bs, H_HCR_INFO pHcr) {
bs, pHcr->decInOut.bitstreamAnchor,
pQuantizedSpectralCoefficients
[quantizedSpectralCoefficientsIdx],
- pLeftStartOfSegment, pRemainingBitsInSegment,
- &numDecodedBits);
+ pLeftStartOfSegment, pRemainingBitsInSegment, &numDecodedBits,
+ &pHcr->decInOut.errorLog);
}
quantizedSpectralCoefficientsIdx++;
if (quantizedSpectralCoefficientsIdx >= 1024) {
@@ -1195,8 +1195,8 @@ static void DecodePCWs(HANDLE_FDK_BITSTREAM bs, H_HCR_INFO pHcr) {
bs, pHcr->decInOut.bitstreamAnchor,
pQuantizedSpectralCoefficients
[quantizedSpectralCoefficientsIdx],
- pLeftStartOfSegment, pRemainingBitsInSegment,
- &numDecodedBits);
+ pLeftStartOfSegment, pRemainingBitsInSegment, &numDecodedBits,
+ &pHcr->decInOut.errorLog);
}
quantizedSpectralCoefficientsIdx++;
if (quantizedSpectralCoefficientsIdx >= 1024) {
@@ -1386,7 +1386,7 @@ value == 16, a escapeSequence is decoded in two steps:
static INT DecodeEscapeSequence(HANDLE_FDK_BITSTREAM bs, const INT bsAnchor,
INT quantSpecCoef, INT *pLeftStartOfSegment,
SCHAR *pRemainingBitsInSegment,
- int *pNumDecodedBits) {
+ int *pNumDecodedBits, UINT *errorWord) {
UINT i;
INT sign;
UINT escapeOnesCounter = 0;
@@ -1400,6 +1400,9 @@ static INT DecodeEscapeSequence(HANDLE_FDK_BITSTREAM bs, const INT bsAnchor,
FROM_LEFT_TO_RIGHT);
*pRemainingBitsInSegment -= 1;
*pNumDecodedBits += 1;
+ if (*pRemainingBitsInSegment < 0) {
+ return Q_VALUE_INVALID;
+ }
if (carryBit != 0) {
escapeOnesCounter += 1;
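Review bot: The early `return Q_VALUE_INVALID;` added after the prefix-bit read leaves `*errorWord` untouched, even though this commit threads `errorWord` into the function and sets `TOO_MANY_PCW_BODY_SIGN_ESC_BITS_DECODED` on the other invalid path at the end. The overrun is therefore only reported if the caller separately notices that `*pRemainingBitsInSegment` went negative, and that code is not visible in this diff. Either set an error bit before returning, or document the contract on the check, for example `/* segment exhausted: caller must flag the overrun via *pRemainingBitsInSegment */`. The check also runs after the bit has been fetched and both counters updated, so one bit beyond the segment has already been consumed when the function bails out. The same applies to the identical check added in the escape-word loop in the next hunk (@@ -1416); the function body starts and ends outside both hunks.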
@@ -1416,6 +1419,9 @@ static INT DecodeEscapeSequence(HANDLE_FDK_BITSTREAM bs, const INT bsAnchor,
FROM_LEFT_TO_RIGHT);
*pRemainingBitsInSegment -= 1;
*pNumDecodedBits += 1;
+ if (*pRemainingBitsInSegment < 0) {
+ return Q_VALUE_INVALID;
+ }
escape_word <<= 1;
escape_word = escape_word | carryBit;
@@ -1423,8 +1429,12 @@ static INT DecodeEscapeSequence(HANDLE_FDK_BITSTREAM bs, const INT bsAnchor,
sign = (quantSpecCoef >= 0) ? 1 : -1;
- quantSpecCoef = sign * (((INT)1 << escapeOnesCounter) + escape_word);
-
+ if (escapeOnesCounter < 13) {
+ quantSpecCoef = sign * (((INT)1 << escapeOnesCounter) + escape_word);
+ } else {
+ *errorWord |= TOO_MANY_PCW_BODY_SIGN_ESC_BITS_DECODED;
+ quantSpecCoef = Q_VALUE_INVALID;
+ }
return quantSpecCoef;
}
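Review bot: The `escapeOnesCounter < 13` guard is evaluated only after the escape-word loop has already read `escapeOnesCounter` bits and applied `escape_word <<= 1` once per bit, so an over-long prefix is rejected late. If `escape_word` is a signed `INT` (its declaration is outside this hunk), those repeated shifts can overflow before the guard is reached. Testing the limit directly after the prefix loop would stop decoding before any further bits are shifted in, for example `if (escapeOnesCounter >= 13) { *errorWord |= TOO_MANY_PCW_BODY_SIGN_ESC_BITS_DECODED; return Q_VALUE_INVALID; }`. This assumes the caller abandons or conceals the frame once the error bit is set, so skipping the remaining reads is harmless. The literal 13 would also read better as a named constant with a one-line comment on where the limit comes from and how it relates to `Q_VALUE_INVALID`, and the function's header comment should mention the new `errorWord` parameter and the sentinel return value.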