From 96ed25264928777573294d1549db6f6aaa700c43 Mon Sep 17 00:00:00 2001
From: Chih-Hung Hsieh <chh@google.com>
Date: Tue, 4 Sep 2018 14:05:05 -0700
Subject: Suppress -Wimplicit-fallthrough.

-Wimplicit-fallthrough will be enabled globally.

Test: build with global -Wimplicit-fallthrough.
Change-Id: I13b4402d9df23a888bdc80be4ce39cd5cd4cff7f
---
 Android.bp | 1 +
 1 file changed, 1 insertion(+)

(limited to 'Android.bp')

diff --git a/Android.bp b/Android.bp
index 50cc092..b322d07 100644
--- a/Android.bp
+++ b/Android.bp
@@ -22,6 +22,7 @@ cc_library_static {
         "-Wno-#warnings",
         "-Wuninitialized",
         "-Wno-self-assign",
+        "-Wno-implicit-fallthrough",
     ],
     sanitize: {
         misc_undefined:["unsigned-integer-overflow", "signed-integer-overflow"],
-- 
cgit v1.2.3


From 5e5701952535e22ad38d6735bbf4f1f92ce99ceb Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Mon, 10 Sep 2018 16:39:30 +0200
Subject: Prevent out of bounds accesses in lppTransposer() and
 lppTransposerHBE()

Bug: 112160868
Test: see poc in bug
Change-Id: I6a2161865d9cb9b51dc37c09d6e3a4a8e5d11f86
(cherry picked from commit 4dad829df00932b89858b9833cf5dcded8d97c37)
---
 Android.bp                 |  3 ++
 libSBRdec/src/lpp_tran.cpp | 74 +++++++++++++++++++++++++++++-----------------
 2 files changed, 50 insertions(+), 27 deletions(-)

(limited to 'Android.bp')

diff --git a/Android.bp b/Android.bp
index 50cc092..c89a95c 100644
--- a/Android.bp
+++ b/Android.bp
@@ -27,6 +27,9 @@ cc_library_static {
         misc_undefined:["unsigned-integer-overflow", "signed-integer-overflow"],
         cfi: true,
     },
+    shared_libs: [
+        "liblog",
+    ],
     export_include_dirs: [
         "libAACdec/include",
         "libAACenc/include",
diff --git a/libSBRdec/src/lpp_tran.cpp b/libSBRdec/src/lpp_tran.cpp
index aa1fd5d..2ef07eb 100644
--- a/libSBRdec/src/lpp_tran.cpp
+++ b/libSBRdec/src/lpp_tran.cpp
@@ -118,6 +118,10 @@ amm-info@iis.fraunhofer.de
   \sa lppTransposer(), main_audio.cpp, sbr_scale.h, \ref documentationOverview
 */
 
+#ifdef __ANDROID__
+#include "log/log.h"
+#endif
+
 #include "lpp_tran.h"
 
 #include "sbr_ram.h"
@@ -295,7 +299,6 @@ void lppTransposer(
   int ovLowBandShift;
   int lowBandShift;
   /*  int ovHighBandShift;*/
-  int targetStopBand;
 
   alphai[0] = FL2FXCONST_SGL(0.0f);
   alphai[1] = FL2FXCONST_SGL(0.0f);
@@ -311,25 +314,34 @@ void lppTransposer(
 
   autoCorrLength = pSettings->nCols + pSettings->overlap;
 
-  /* Set upper subbands to zero:
-     This is required in case that the patches do not cover the complete
-     highband (because the last patch would be too short). Possible
-     optimization: Clearing bands up to usb would be sufficient here. */
-  targetStopBand = patchParam[pSettings->noOfPatches - 1].targetStartBand +
-                   patchParam[pSettings->noOfPatches - 1].numBandsInPatch;
+  if (pSettings->noOfPatches > 0) {
+    /* Set upper subbands to zero:
+       This is required in case that the patches do not cover the complete
+       highband (because the last patch would be too short). Possible
+       optimization: Clearing bands up to usb would be sufficient here. */
+    int targetStopBand =
+        patchParam[pSettings->noOfPatches - 1].targetStartBand +
+        patchParam[pSettings->noOfPatches - 1].numBandsInPatch;
 
-  int memSize = ((64) - targetStopBand) * sizeof(FIXP_DBL);
+    int memSize = ((64) - targetStopBand) * sizeof(FIXP_DBL);
 
-  if (!useLP) {
-    for (i = startSample; i < stopSampleClear; i++) {
-      FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize);
-      FDKmemclear(&qmfBufferImag[i][targetStopBand], memSize);
-    }
-  } else {
-    for (i = startSample; i < stopSampleClear; i++) {
-      FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize);
+    if (!useLP) {
+      for (i = startSample; i < stopSampleClear; i++) {
+        FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize);
+        FDKmemclear(&qmfBufferImag[i][targetStopBand], memSize);
+      }
+    } else {
+      for (i = startSample; i < stopSampleClear; i++) {
+        FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize);
+      }
     }
   }
+#ifdef __ANDROID__
+  else {
+    // Safetynet logging
+    android_errorWriteLog(0x534e4554, "112160868");
+  }
+#endif
 
   /* init bwIndex for each patch */
   FDKmemclear(bwIndex, sizeof(bwIndex));
@@ -874,7 +886,6 @@ void lppTransposerHBE(
   int ovLowBandShift;
   int lowBandShift;
   /*  int ovHighBandShift;*/
-  int targetStopBand;
 
   alphai[0] = FL2FXCONST_SGL(0.0f);
   alphai[1] = FL2FXCONST_SGL(0.0f);
@@ -889,19 +900,28 @@ void lppTransposerHBE(
 
   autoCorrLength = pSettings->nCols + pSettings->overlap;
 
-  /* Set upper subbands to zero:
-     This is required in case that the patches do not cover the complete
-     highband (because the last patch would be too short). Possible
-     optimization: Clearing bands up to usb would be sufficient here. */
-  targetStopBand = patchParam[pSettings->noOfPatches - 1].targetStartBand +
-                   patchParam[pSettings->noOfPatches - 1].numBandsInPatch;
+  if (pSettings->noOfPatches > 0) {
+    /* Set upper subbands to zero:
+       This is required in case that the patches do not cover the complete
+       highband (because the last patch would be too short). Possible
+       optimization: Clearing bands up to usb would be sufficient here. */
+    int targetStopBand =
+        patchParam[pSettings->noOfPatches - 1].targetStartBand +
+        patchParam[pSettings->noOfPatches - 1].numBandsInPatch;
 
-  int memSize = ((64) - targetStopBand) * sizeof(FIXP_DBL);
+    int memSize = ((64) - targetStopBand) * sizeof(FIXP_DBL);
 
-  for (i = startSample; i < stopSampleClear; i++) {
-    FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize);
-    FDKmemclear(&qmfBufferImag[i][targetStopBand], memSize);
+    for (i = startSample; i < stopSampleClear; i++) {
+      FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize);
+      FDKmemclear(&qmfBufferImag[i][targetStopBand], memSize);
+    }
+  }
+#ifdef __ANDROID__
+  else {
+    // Safetynet logging
+    android_errorWriteLog(0x534e4554, "112160868");
   }
+#endif
 
   /*
   Calc common low band scale factor
-- 
cgit v1.2.3


From 26a9da724f4f6f14f3a863a56434b9e6ac360afa Mon Sep 17 00:00:00 2001
From: Ivan Lozano <ivanlozano@google.com>
Date: Tue, 11 Dec 2018 09:14:39 -0800
Subject: Enable bounds sanitization in libaac.

Enables the UBSan bounds sanitizer in libaac. This adds bounds checks
around array accesses when the array size is known at compile time.

Bug: 117221610
Test: make -j
Test: Device boots.
Change-Id: Ib820c7ec6ef6bcbf98d8526ed213c90ab29169c2
---
 Android.bp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'Android.bp')

diff --git a/Android.bp b/Android.bp
index b322d07..73957f6 100644
--- a/Android.bp
+++ b/Android.bp
@@ -25,7 +25,11 @@ cc_library_static {
         "-Wno-implicit-fallthrough",
     ],
     sanitize: {
-        misc_undefined:["unsigned-integer-overflow", "signed-integer-overflow"],
+        misc_undefined:[
+           "unsigned-integer-overflow",
+           "signed-integer-overflow",
+           "bounds",
+        ],
         cfi: true,
     },
     export_include_dirs: [
-- 
cgit v1.2.3