From 61381bd0f4bc012876ccf4b63eafddd2d60c35c9 Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Wed, 15 Aug 2018 14:35:00 +0200 Subject: Break audio element loop in case element_count becomes too large. Bug: 112891564 Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: I35f02d23c0cfd620088291a52d9996a0d5a17199 (cherry picked from commit 3347cfb91a7ecabf5800d72e936f04ce44752bf3) --- libAACdec/src/aacdecoder.cpp | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) (limited to 'libAACdec/src/aacdecoder.cpp') diff --git a/libAACdec/src/aacdecoder.cpp b/libAACdec/src/aacdecoder.cpp index b8b1327..362e0b6 100644 --- a/libAACdec/src/aacdecoder.cpp +++ b/libAACdec/src/aacdecoder.cpp @@ -2519,8 +2519,14 @@ LINKSPEC_CPP AAC_DECODER_ERROR CAacDecoder_DecodeFrame( if (!(self->flags[0] & (AC_USAC | AC_RSVD50 | AC_RSV603DA | AC_ELD | AC_SCALABLE | AC_ER))) type = (MP4_ELEMENT_ID)FDKreadBits(bs, 3); - else + else { + if (element_count >= (3 * ((8) * 2) + (((8) * 2)) / 2 + 4 * (1) + 1)) { + self->frameOK = 0; + ErrorStatus = AAC_DEC_PARSE_ERROR; + break; + } type = self->elements[element_count]; + } if ((self->flags[streamIndex] & (AC_USAC | AC_RSVD50) && element_count == 0) || @@ -2564,6 +2570,11 @@ LINKSPEC_CPP AAC_DECODER_ERROR CAacDecoder_DecodeFrame( case ID_USAC_SCE: case ID_USAC_CPE: case ID_USAC_LFE: + if (element_count >= (3 * ((8) * 2) + (((8) * 2)) / 2 + 4 * (1) + 1)) { + self->frameOK = 0; + ErrorStatus = AAC_DEC_PARSE_ERROR; + break; + } el_channels = CAacDecoder_GetELChannels( type, self->usacStereoConfigIndex[element_count]); @@ -2795,12 +2806,24 @@ LINKSPEC_CPP AAC_DECODER_ERROR CAacDecoder_DecodeFrame( } break; case ID_EXT: + if (element_count >= (3 * ((8) * 2) + (((8) * 2)) / 2 + 4 * (1) + 1)) { + self->frameOK = 0; + ErrorStatus = AAC_DEC_PARSE_ERROR; + break; + } + ErrorStatus = aacDecoder_ParseExplicitMpsAndSbr( self, bs, previous_element, previous_element_index, element_count, el_cnt); break; case ID_USAC_EXT: { + if ((element_count - element_count_prev_streams) >= + TP_USAC_MAX_ELEMENTS) { + self->frameOK = 0; + ErrorStatus = AAC_DEC_PARSE_ERROR; + break; + } /* parse extension element payload q.v. rsv603daExtElement() ISO/IEC DIS 23008-3 Table 30 or UsacExElement() ISO/IEC FDIS 23003-3:2011(E) Table 21 -- cgit v1.2.3 From ce97e7d55e1f69683b5bc8f19cc8da8c85bc2cd4 Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Fri, 8 Jun 2018 18:07:14 +0200 Subject: Always check whether given channel config is supported. Bug: 112660981 Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: I169161dd31bc624f2cab6be2b4c6518946ed32ba Merged-In: I169161dd31bc624f2cab6be2b4c6518946ed32ba (cherry picked from commit 25b209f229879a155759d791fe463b8abd283677) --- libAACdec/src/aacdecoder.cpp | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) (limited to 'libAACdec/src/aacdecoder.cpp') diff --git a/libAACdec/src/aacdecoder.cpp b/libAACdec/src/aacdecoder.cpp index 362e0b6..fab30de 100644 --- a/libAACdec/src/aacdecoder.cpp +++ b/libAACdec/src/aacdecoder.cpp @@ -1630,17 +1630,9 @@ CAacDecoder_Init(HANDLE_AACDECODER self, const CSAudioSpecificConfig *asc, aacChannelsOffset = 0; aacChannelsOffsetIdx = 0; elementOffset = 0; - if (configMode & AC_CM_ALLOC_MEM) { - if ((ascChannels <= 0) || - (asc->m_channelConfiguration > AACDEC_MAX_CH_CONF)) { - return AAC_DEC_UNSUPPORTED_CHANNELCONFIG; - } - if ((ascChannels + aacChannelsOffsetIdx) > ((8) * 2)) { - return AAC_DEC_UNSUPPORTED_CHANNELCONFIG; - } - if ((ascChannels + aacChannelsOffset) > (8)) { - return AAC_DEC_UNSUPPORTED_CHANNELCONFIG; - } + if ((ascChannels <= 0) || (ascChannels > (8)) || + (asc->m_channelConfiguration > AACDEC_MAX_CH_CONF)) { + return AAC_DEC_UNSUPPORTED_CHANNELCONFIG; } /* Set syntax flags */ -- cgit v1.2.3 From 0e5db9fee912d367a572b88f0d86f9a33006fa29 Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Wed, 15 Aug 2018 14:33:56 +0200 Subject: Unify audio element loop abort criterion in ER syntax Bug: 112891548 Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: Iea56cf804cfb9d396810124c718fc91bdff68392 (cherry picked from commit f2bc07da2ed70eb069f3faab1179c4c89792bf3d) --- libAACdec/src/aacdecoder.cpp | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) (limited to 'libAACdec/src/aacdecoder.cpp') diff --git a/libAACdec/src/aacdecoder.cpp b/libAACdec/src/aacdecoder.cpp index fab30de..24907ee 100644 --- a/libAACdec/src/aacdecoder.cpp +++ b/libAACdec/src/aacdecoder.cpp @@ -2047,17 +2047,12 @@ CAacDecoder_Init(HANDLE_AACDECODER self, const CSAudioSpecificConfig *asc, if (self->flags[streamIndex] & (AC_RSV603DA | AC_USAC)) { _numElements = (int)asc->m_sc.m_usacConfig.m_usacNumElements; } - if (self->flags[streamIndex] & (AC_ER | AC_LD | AC_ELD)) { - _numElements = (asc->m_channelConfiguration == 7) - ? 8 - : asc->m_channelConfiguration; - } for (int _el = 0; _el < _numElements; _el++) { int el_channels = 0; int el = elementOffset + _el; if (self->flags[streamIndex] & - (AC_ELD | AC_RSV603DA | AC_USAC | AC_RSVD50)) { + (AC_ER | AC_LD | AC_ELD | AC_RSV603DA | AC_USAC | AC_RSVD50)) { if (ch >= ascChannels) { break; } @@ -2107,7 +2102,9 @@ CAacDecoder_Init(HANDLE_AACDECODER self, const CSAudioSpecificConfig *asc, (SPECTRAL_PTR)&self->workBufferCore2[ch * 1024]; if (el_channels == 2) { - FDK_ASSERT(ch < (8) - 1); + if (ch >= (8) - 1) { + return AAC_DEC_UNSUPPORTED_CHANNELCONFIG; + } self->pAacDecoderChannelInfo[ch + 1]->pComData = self->pAacDecoderChannelInfo[ch]->pComData; self->pAacDecoderChannelInfo[ch + 1]->pComStaticData = -- cgit v1.2.3