From 9744e41c40598c6a0b74440f3b5be63f9f3708a5 Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Fri, 8 Jun 2018 18:03:16 +0200
Subject: Prevent bit buffer counter overflow.

During long-term testing we discovered a bit counter overflow in the bit buffer.
The bit buffer state was only used by HCR and RVLC tool and can easily be substituted with FDKgetValidBits() call.
The following patch completely removes the bit counter and all its obsolete functions.

Bug: 112662184
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc

Change-Id: Icee0519d26a2aa62367d2dece59cd3d60ffcade7
(cherry picked from commit 15292f7e9620caf9e8df26a62efc2a2891ea822e)
---
 libAACdec/src/aacdec_hcrs.cpp | 42 +++++++++++++++++++++---------------------
 1 file changed, 21 insertions(+), 21 deletions(-)

(limited to 'libAACdec/src/aacdec_hcrs.cpp')

diff --git a/libAACdec/src/aacdec_hcrs.cpp b/libAACdec/src/aacdec_hcrs.cpp
index e2b7cd8..1d5aa27 100644
--- a/libAACdec/src/aacdec_hcrs.cpp
+++ b/libAACdec/src/aacdec_hcrs.cpp
@@ -615,9 +615,9 @@ UINT Hcr_State_BODY_ONLY(HANDLE_FDK_BITSTREAM bs, void *ptr) {
 
   for (; pRemainingBitsInSegment[segmentOffset] > 0;
        pRemainingBitsInSegment[segmentOffset] -= 1) {
-    carryBit = HcrGetABitFromBitstream(bs, &pLeftStartOfSegment[segmentOffset],
-                                       &pRightStartOfSegment[segmentOffset],
-                                       readDirection);
+    carryBit = HcrGetABitFromBitstream(
+        bs, pHcr->decInOut.bitstreamAnchor, &pLeftStartOfSegment[segmentOffset],
+        &pRightStartOfSegment[segmentOffset], readDirection);
 
     CarryBitToBranchValue(carryBit, /* make a step in decoding tree */
                           treeNode, &branchValue, &branchNode);
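Review bot: The bounds protection this loop now depends on is not visible on this page — the hunk only threads `pHcr->decInOut.bitstreamAnchor` into HcrGetABitFromBitstream, and since the page is limited to aacdec_hcrs.cpp the callee's new definition (what it does with the anchor versus FDKgetValidBits()) is not shown, so protection against reading past the buffer on an over-long HCR segment cannot be confirmed from this diff alone. The loop keeps reading one bit per iteration as long as pRemainingBitsInSegment[segmentOffset] > 0, a count that is presumably derived from segment lengths parsed out of the bitstream, so the callee must clamp reads relative to the anchor rather than trust that counter. A short comment at the call site would record that assumption: `/* anchor lets the callee bound reads against the valid bits of bs instead of a separate bit counter */`. Hcr_State_BODY_ONLY starts and ends outside this hunk, and the anchor is presumably initialised before the state machine runs — worth confirming in the caller. The same call-site change appears in the six later hunks of this commit and this note applies to each of them.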
@@ -749,9 +749,9 @@ UINT Hcr_State_BODY_SIGN__BODY(HANDLE_FDK_BITSTREAM bs, void *ptr) {
 
   for (; pRemainingBitsInSegment[segmentOffset] > 0;
        pRemainingBitsInSegment[segmentOffset] -= 1) {
-    carryBit = HcrGetABitFromBitstream(bs, &pLeftStartOfSegment[segmentOffset],
-                                       &pRightStartOfSegment[segmentOffset],
-                                       readDirection);
+    carryBit = HcrGetABitFromBitstream(
+        bs, pHcr->decInOut.bitstreamAnchor, &pLeftStartOfSegment[segmentOffset],
+        &pRightStartOfSegment[segmentOffset], readDirection);
 
     CarryBitToBranchValue(carryBit, /* make a step in decoding tree */
                           treeNode, &branchValue, &branchNode);
@@ -884,9 +884,9 @@ UINT Hcr_State_BODY_SIGN__SIGN(HANDLE_FDK_BITSTREAM bs, void *ptr) {
   /* loop for sign bit decoding */
   for (; pRemainingBitsInSegment[segmentOffset] > 0;
        pRemainingBitsInSegment[segmentOffset] -= 1) {
-    carryBit = HcrGetABitFromBitstream(bs, &pLeftStartOfSegment[segmentOffset],
-                                       &pRightStartOfSegment[segmentOffset],
-                                       readDirection);
+    carryBit = HcrGetABitFromBitstream(
+        bs, pHcr->decInOut.bitstreamAnchor, &pLeftStartOfSegment[segmentOffset],
+        &pRightStartOfSegment[segmentOffset], readDirection);
     cntSign -=
         1; /* decrement sign counter because one sign bit has been read */
 
@@ -997,9 +997,9 @@ UINT Hcr_State_BODY_SIGN_ESC__BODY(HANDLE_FDK_BITSTREAM bs, void *ptr) {
 
   for (; pRemainingBitsInSegment[segmentOffset] > 0;
        pRemainingBitsInSegment[segmentOffset] -= 1) {
-    carryBit = HcrGetABitFromBitstream(bs, &pLeftStartOfSegment[segmentOffset],
-                                       &pRightStartOfSegment[segmentOffset],
-                                       readDirection);
+    carryBit = HcrGetABitFromBitstream(
+        bs, pHcr->decInOut.bitstreamAnchor, &pLeftStartOfSegment[segmentOffset],
+        &pRightStartOfSegment[segmentOffset], readDirection);
 
     /* make a step in tree */
     CarryBitToBranchValue(carryBit, treeNode, &branchValue, &branchNode);
@@ -1159,9 +1159,9 @@ UINT Hcr_State_BODY_SIGN_ESC__SIGN(HANDLE_FDK_BITSTREAM bs, void *ptr) {
   /* loop for sign bit decoding */
   for (; pRemainingBitsInSegment[segmentOffset] > 0;
        pRemainingBitsInSegment[segmentOffset] -= 1) {
-    carryBit = HcrGetABitFromBitstream(bs, &pLeftStartOfSegment[segmentOffset],
-                                       &pRightStartOfSegment[segmentOffset],
-                                       readDirection);
+    carryBit = HcrGetABitFromBitstream(
+        bs, pHcr->decInOut.bitstreamAnchor, &pLeftStartOfSegment[segmentOffset],
+        &pRightStartOfSegment[segmentOffset], readDirection);
 
     /* decrement sign counter because one sign bit has been read */
     cntSign -= 1;
@@ -1314,9 +1314,9 @@ UINT Hcr_State_BODY_SIGN_ESC__ESC_PREFIX(HANDLE_FDK_BITSTREAM bs, void *ptr) {
   /* decode escape prefix */
   for (; pRemainingBitsInSegment[segmentOffset] > 0;
        pRemainingBitsInSegment[segmentOffset] -= 1) {
-    carryBit = HcrGetABitFromBitstream(bs, &pLeftStartOfSegment[segmentOffset],
-                                       &pRightStartOfSegment[segmentOffset],
-                                       readDirection);
+    carryBit = HcrGetABitFromBitstream(
+        bs, pHcr->decInOut.bitstreamAnchor, &pLeftStartOfSegment[segmentOffset],
+        &pRightStartOfSegment[segmentOffset], readDirection);
 
     /* count ones and store sum in escapePrefixUp */
     if (carryBit == 1) {
@@ -1435,9 +1435,9 @@ UINT Hcr_State_BODY_SIGN_ESC__ESC_WORD(HANDLE_FDK_BITSTREAM bs, void *ptr) {
   /* decode escape word */
   for (; pRemainingBitsInSegment[segmentOffset] > 0;
        pRemainingBitsInSegment[segmentOffset] -= 1) {
-    carryBit = HcrGetABitFromBitstream(bs, &pLeftStartOfSegment[segmentOffset],
-                                       &pRightStartOfSegment[segmentOffset],
-                                       readDirection);
+    carryBit = HcrGetABitFromBitstream(
+        bs, pHcr->decInOut.bitstreamAnchor, &pLeftStartOfSegment[segmentOffset],
+        &pRightStartOfSegment[segmentOffset], readDirection);
 
     /* build escape word */
     escapeWord <<=
-- 


From 950d8efb1a0562d1402b6c3379db4e17d71c7578 Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Fri, 29 Jun 2018 16:34:55 +0200
Subject: Unsigned Integer Overflow in InitSegmentBitfield()

Bug: 112662995
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: Ida3b1d49dc35a03a3ff02f6e150cfb55e9e1da11
---
 libAACdec/src/aacdec_hcrs.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'libAACdec/src/aacdec_hcrs.cpp')

diff --git a/libAACdec/src/aacdec_hcrs.cpp b/libAACdec/src/aacdec_hcrs.cpp
index 1d5aa27..d2bc867 100644
--- a/libAACdec/src/aacdec_hcrs.cpp
+++ b/libAACdec/src/aacdec_hcrs.cpp
@@ -367,7 +367,10 @@ static UINT InitSegmentBitfield(UINT *pNumSegment,
   UINT tempWord;
   USHORT numValidSegment;
 
-  *pNumWordForBitfield = ((*pNumSegment - 1) >> THIRTYTWO_LOG_DIV_TWO_LOG) + 1;
+  *pNumWordForBitfield =
+      (*pNumSegment == 0)
+          ? 0
+          : ((*pNumSegment - 1) >> THIRTYTWO_LOG_DIV_TWO_LOG) + 1;
 
   /* loop over all words, which are completely used or only partial */
   /* bit in pSegmentBitfield is zero if segment is empty; bit in
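Review bot: The zero-segment guard removes the unsigned wrap of `*pNumSegment - 1` (with the shift being 5 as the macro name suggests, that wrap yielded a word count of 2^27 and would have driven the bitfield loop below far past its array), but the new expression still has no upper bound: nothing in this hunk checks *pNumSegment against the capacity of the bitfield the following loop writes, so the fix only covers the bottom of the range. If the caller already rejects segment counts above the decoder's maximum, a comment here should say so; otherwise a guard before the word-count computation is needed, rejecting *pNumSegment above whatever segment limit the file defines (not visible on this page). The intent of the ternary also deserves a comment, e.g. `/* ceil(numSegment / 32); 0 segments -> 0 words, avoiding the (0 - 1) unsigned wrap */`. InitSegmentBitfield starts and ends outside the hunk, and callers receiving pNumWordForBitfield == 0 should be confirmed to handle the empty case rather than indexing a zero-word bitfield.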
-- 