From a4d1f0ad52e2cf6f168d2193216602f52033fc27 Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Wed, 23 May 2018 18:26:27 +0200 Subject: FDKv2 ubsan patches Bug: 80053205 Test: see bug for repro with FB "wow" atest DecoderTestAacDrc Fix signed integer overflows in CLpc_SynthesisLattice() Change-Id: Icbddfcc8c5fc73382ae5bf8c2a7703802c688e06 Fix signed integer overflows in imlt Change-Id: I687834fca2f1aab6210ed9862576b4f38fcdeb24 Fix overflow in addLowbandEnergies() Change-Id: Iaa9fdf9deb49c33ec6ca7ed3081c4ddaa920e9aa Concealment fix for audio frames containing acelp components Change-Id: Ibe5e83a6efa75a48f729984a161a76b826878f4e Fix out-of-bounds access in PS concealment Change-Id: I08809a03a40d1feaf00e41278db314d67e1efe88 Fix potential memory leak in setup of qmf domain Change-Id: Id9fc2448354dc7f1b439469128407305efa3def2 Reject channel config 13 Change-Id: Idf5236f6cd054df994e69c9c972c97f6768cf9e5 Fix unsigned integer overflow in configExtension() Change-Id: I8a1668810b85e6237c3892891444ff08f04b019b Fix unsigned integer overflow in CAacDecoder_DecodeFrame() Change-Id: I79678c571690178e6c37680f70a9b94dd3cbc439 Fix unsigned integer overflow in aacDecoder_UpdateBitStreamCounters() Change-Id: I3bff959da9f53fabb18cd0ae6c260e6256194526 Fix unsigned integer overflow in transportDec_readStream() Change-Id: I6a6f9f4acaa32fae0b5de9641f8787bbc7f8286b --- libAACdec/src/usacdec_acelp.cpp | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'libAACdec/src/usacdec_acelp.cpp') diff --git a/libAACdec/src/usacdec_acelp.cpp b/libAACdec/src/usacdec_acelp.cpp index ec4437f..af1f488 100644 --- a/libAACdec/src/usacdec_acelp.cpp +++ b/libAACdec/src/usacdec_acelp.cpp @@ -1116,7 +1116,8 @@ void CLpd_AcelpPrepareInternalMem(const FIXP_DBL *synth, UCHAR last_lpd_mode, const FIXP_LPC *A_new, const INT A_new_exp, const FIXP_LPC *A_old, const INT A_old_exp, CAcelpStaticMem *acelp_mem, - INT coreCoderFrameLength, UCHAR lpd_mode) { + INT coreCoderFrameLength, INT clearOldExc, + UCHAR lpd_mode) { int l_div = coreCoderFrameLength / NB_DIV; /* length of one ACELP/TCX20 frame */ int l_div_partial; @@ -1154,6 +1155,13 @@ void CLpd_AcelpPrepareInternalMem(const FIXP_DBL *synth, UCHAR last_lpd_mode, &syn[PIT_MAX_MAX + L_INTERPOL - M_LP_FILTER_ORDER], M_LP_FILTER_ORDER * sizeof(FIXP_DBL)); + if (clearOldExc) { + FDKmemclear(old_exc_mem, (PIT_MAX_MAX + L_INTERPOL) * sizeof(FIXP_DBL)); + C_ALLOC_SCRATCH_END(synth_buf, FIXP_DBL, + PIT_MAX_MAX + L_INTERPOL + M_LP_FILTER_ORDER); + return; + } + /* update past [PIT_MAX_MAX+L_INTERPOL] samples of exc memory */ if (last_lpd_mode == 1) { /* last frame was TCX20 */ if (last_last_lpd_mode == 0) { /* ACELP -> TCX20 -> ACELP transition */ @@ -1170,7 +1178,6 @@ void CLpd_AcelpPrepareInternalMem(const FIXP_DBL *synth, UCHAR last_lpd_mode, int exc_A_new_length = (coreCoderFrameLength / 2 > PIT_MAX_MAX + L_INTERPOL) ? PIT_MAX_MAX + L_INTERPOL : coreCoderFrameLength / 2; - int exc_A_old_length = PIT_MAX_MAX + L_INTERPOL - exc_A_new_length; E_UTIL_residu(A_old, A_old_exp, syn, old_exc_mem, exc_A_old_length); E_UTIL_residu(A_new, A_new_exp, &syn[exc_A_old_length], -- cgit v1.2.3