From 9744e41c40598c6a0b74440f3b5be63f9f3708a5 Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Fri, 8 Jun 2018 18:03:16 +0200
Subject: Prevent bit buffer counter overflow.

While long-term test we discovered a bit counter overflow in the bit buffer.
The bit buffer state was only used by HCR and RVLC tool and can easily be substituted with FDKgetValidBits() call.
The following patch completely removes the bit counter and all its obsolete functions.

Bug: 112662184
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc

Change-Id: Icee0519d26a2aa62367d2dece59cd3d60ffcade7
(cherry picked from commit 15292f7e9620caf9e8df26a62efc2a2891ea822e)
---
 libAACdec/src/rvlc.cpp | 29 ++++++++++++++++-------------
 1 file changed, 16 insertions(+), 13 deletions(-)

(limited to 'libAACdec/src/rvlc.cpp')

diff --git a/libAACdec/src/rvlc.cpp b/libAACdec/src/rvlc.cpp
index 92f9f02..b7a9be1 100644
--- a/libAACdec/src/rvlc.cpp
+++ b/libAACdec/src/rvlc.cpp
@@ -168,13 +168,14 @@ static void rvlcInit(CErRvlcInfo *pRvlc,
   /* set base bitstream ptr to the RVL-coded part (start of RVLC data (ESC 2))
    */
   FDKsyncCache(bs);
+  pRvlc->bsAnchor = (INT)FDKgetValidBits(bs);
 
-  pRvlc->bitstreamIndexRvlFwd = FDKgetBitCnt(
-      bs); /* first bit within RVL coded block as start address for  forward
-              decoding */
-  pRvlc->bitstreamIndexRvlBwd = FDKgetBitCnt(bs) + pRvlc->length_of_rvlc_sf -
-                                1; /* last bit within RVL coded block as start
-                                      address for backward decoding */
+  pRvlc->bitstreamIndexRvlFwd =
+      0; /* first bit within RVL coded block as start address for  forward
+            decoding */
+  pRvlc->bitstreamIndexRvlBwd =
+      pRvlc->length_of_rvlc_sf - 1; /* last bit within RVL coded block as start
+                                       address for backward decoding */
 
   /* skip RVLC-bitstream-part -- pointing now to escapes (if present) or to TNS
    * data (if present) */
@@ -183,7 +184,7 @@ static void rvlcInit(CErRvlcInfo *pRvlc,
   if (pRvlc->sf_escapes_present != 0) {
     /* locate internal bitstream ptr at escapes (which is the second part) */
     FDKsyncCache(bs);
-    pRvlc->bitstreamIndexEsc = FDKgetBitCnt(bs);
+    pRvlc->bitstreamIndexEsc = pRvlc->bsAnchor - (INT)FDKgetValidBits(bs);
 
     /* skip escapeRVLC-bitstream-part -- pointing to TNS data (if present)   to
      * make decoder continue */
@@ -259,8 +260,9 @@ static SCHAR rvlcDecodeEscapeWord(CErRvlcInfo *pRvlc, HANDLE_FDK_BITSTREAM bs) {
   treeNode = *pEscTree; /* init at starting node */
 
   for (i = MAX_LEN_RVLC_ESCAPE_WORD - 1; i >= 0; i--) {
-    carryBit = rvlcReadBitFromBitstream(bs, /* get next bit */
-                                        pBitstreamIndexEsc, FWD);
+    carryBit =
+        rvlcReadBitFromBitstream(bs, /* get next bit */
+                                 pRvlc->bsAnchor, pBitstreamIndexEsc, FWD);
 
     CarryBitToBranchValue(carryBit, /* huffman decoding, do a single step in
                                        huffman decoding tree */
@@ -370,8 +372,9 @@ SCHAR decodeRVLCodeword(HANDLE_FDK_BITSTREAM bs, CErRvlcInfo *pRvlc) {
   UINT treeNode = *pRvlCodeTree;
 
   for (i = MAX_LEN_RVLC_CODE_WORD - 1; i >= 0; i--) {
-    carryBit = rvlcReadBitFromBitstream(bs, /* get next bit */
-                                        pBitstrIndxRvl, direction);
+    carryBit =
+        rvlcReadBitFromBitstream(bs, /* get next bit */
+                                 pRvlc->bsAnchor, pBitstrIndxRvl, direction);
 
     CarryBitToBranchValue(carryBit, /* huffman decoding, do a single step in
                                        huffman decoding tree */
@@ -1140,7 +1143,7 @@ void CRvlc_Decode(CAacDecoderChannelInfo *pAacDecoderChannelInfo,
   rvlcInit(pRvlc, pAacDecoderChannelInfo, bs);
 
   /* save bitstream position */
-  saveBitCnt = FDKgetBitCnt(bs);
+  saveBitCnt = (INT)FDKgetValidBits(bs);
 
   if (pRvlc->sf_escapes_present)
     rvlcDecodeEscapes(
@@ -1155,7 +1158,7 @@ void CRvlc_Decode(CAacDecoderChannelInfo *pAacDecoderChannelInfo,
   pAacDecoderChannelInfo->data.aac.PnsData.PnsActive = pRvlc->noise_used;
 
   /* restore bitstream position */
-  bitCntOffst = saveBitCnt - FDKgetBitCnt(bs);
+  bitCntOffst = (INT)FDKgetValidBits(bs) - saveBitCnt;
   if (bitCntOffst) {
     FDKpushBiDirectional(bs, bitCntOffst);
   }
-- 
cgit v1.2.3