From 15292f7e9620caf9e8df26a62efc2a2891ea822e Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Fri, 8 Jun 2018 18:03:16 +0200 Subject: Prevent bit buffer counter overflow. While long-term test we discovered a bit counter overflow in the bit buffer. The bit buffer state was only used by HCR and RVLC tool and can easily be substituted with FDKgetValidBits() call. The following patch completely removes the bit counter and all its obsolete functions. Bug: 112662184 Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: Icee0519d26a2aa62367d2dece59cd3d60ffcade7 --- libAACdec/src/aacdec_hcr.cpp | 82 ++++++++++++++++++++-------------------- libAACdec/src/aacdec_hcr_bit.cpp | 7 ++-- libAACdec/src/aacdec_hcr_bit.h | 3 +- libAACdec/src/aacdec_hcr_types.h | 2 +- libAACdec/src/aacdec_hcrs.cpp | 42 ++++++++++---------- libAACdec/src/rvlc.cpp | 29 +++++++------- libAACdec/src/rvlc_info.h | 1 + libAACdec/src/rvlcbit.cpp | 6 +-- libAACdec/src/rvlcbit.h | 4 +- 9 files changed, 91 insertions(+), 85 deletions(-) (limited to 'libAACdec') diff --git a/libAACdec/src/aacdec_hcr.cpp b/libAACdec/src/aacdec_hcr.cpp index 84e05b0..6114756 100644 --- a/libAACdec/src/aacdec_hcr.cpp +++ b/libAACdec/src/aacdec_hcr.cpp 
@@ -134,17 +134,18 @@ static void DeriveNumberOfExtendedSortedSectionsInSets( USHORT *pNumExtendedSortedSectionsInSets, int numExtendedSortedSectionsInSetsIdx); -static INT DecodeEscapeSequence(HANDLE_FDK_BITSTREAM bs, INT quantSpecCoef, - INT *pLeftStartOfSegment, +static INT DecodeEscapeSequence(HANDLE_FDK_BITSTREAM bs, const INT bsAnchor, + INT quantSpecCoef, INT *pLeftStartOfSegment, SCHAR *pRemainingBitsInSegment, int *pNumDecodedBits); -static int DecodePCW_Sign(HANDLE_FDK_BITSTREAM bs, UINT codebookDim, - const SCHAR *pQuantVal, FIXP_DBL *pQuantSpecCoef, - int *quantSpecCoefIdx, INT *pLeftStartOfSegment, +static int DecodePCW_Sign(HANDLE_FDK_BITSTREAM bs, const INT bsAnchor, + UINT codebookDim, const SCHAR *pQuantVal, + FIXP_DBL *pQuantSpecCoef, int *quantSpecCoefIdx, + INT *pLeftStartOfSegment, SCHAR *pRemainingBitsInSegment, int *pNumDecodedBits); -static const SCHAR *DecodePCW_Body(HANDLE_FDK_BITSTREAM bs, +static const SCHAR *DecodePCW_Body(HANDLE_FDK_BITSTREAM bs, const INT bsAnchor, const UINT *pCurrentTree, const SCHAR *pQuantValBase, INT *pLeftStartOfSegment, @@ -291,7 +292,7 @@ UINT HcrInit(H_HCR_INFO pHcr, CAacDecoderChannelInfo *pAacDecoderChannelInfo, SPEC_LONG(pAacDecoderChannelInfo->pSpectralCoefficient); FDKsyncCache(bs); - pHcr->decInOut.bitstreamIndex = FDKgetBitCnt(bs); + pHcr->decInOut.bitstreamAnchor = (INT)FDKgetValidBits(bs); if (!IsLongBlock(&pAacDecoderChannelInfo->icsInfo)) /* short block */ { @@ -436,7 +437,7 @@ UINT HcrDecoder(H_HCR_INFO pHcr, CAacDecoderChannelInfo *pAacDecoderChannelInfo, int pTmp5; INT bitCntOffst; - INT saveBitCnt = FDKgetBitCnt(bs); /* save bitstream position */ + INT saveBitCnt = (INT)FDKgetValidBits(bs); /* save bitstream position */ HcrCalcNumCodeword(pHcr); 
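Review bot: `saveBitCnt` in HcrDecoder (hunk `@@ -436`) now stores the result of `FDKgetValidBits(bs)`, a valid-bit count rather than a running bit counter, so the name and the `/* save bitstream position */` comment no longer describe it. That is why the restore in the `@@ -487` hunk has its operands swapped to `(INT)FDKgetValidBits(bs) - saveBitCnt`; the same pattern appears in CRvlc_Decode in rvlc.cpp. Renaming it, e.g. `INT savedValidBits = (INT)FDKgetValidBits(bs); /* valid bits at entry */`, would stop a later reader from flipping the subtraction back. HcrDecoder's body continues outside the hunk.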
@@ -487,7 +488,7 @@ UINT HcrDecoder(H_HCR_INFO pHcr, CAacDecoderChannelInfo *pAacDecoderChannelInfo, pSamplingRateInfo); /* restore bitstream position */ - bitCntOffst = saveBitCnt - FDKgetBitCnt(bs); + bitCntOffst = (INT)FDKgetValidBits(bs) - saveBitCnt; if (bitCntOffst) { FDKpushBiDirectional(bs, bitCntOffst); } @@ -815,7 +816,6 @@ static void HcrPrepareSegmentationGrid(H_HCR_INFO pHcr) { INT *pLeftStartOfSegment = pHcr->segmentInfo.pLeftStartOfSegment; INT *pRightStartOfSegment = pHcr->segmentInfo.pRightStartOfSegment; SCHAR *pRemainingBitsInSegment = pHcr->segmentInfo.pRemainingBitsInSegment; - INT bitstreamIndex = pHcr->decInOut.bitstreamIndex; const UCHAR *pMaxCwLength = aMaxCwLen; for (i = numSortedSection; i != 0; i--) { @@ -825,7 +825,7 @@ static void HcrPrepareSegmentationGrid(H_HCR_INFO pHcr) { for (j = *pNumSortedCodewordInSection; j != 0; j--) { /* width allows a new segment */ - intermediateResult = bitstreamIndex + segmentStart; + intermediateResult = segmentStart; if ((segmentStart + segmentWidth) <= lengthOfReorderedSpectralData) { /* store segment start, segment length and increment the number of * segments */ @@ -841,12 +841,11 @@ static void HcrPrepareSegmentationGrid(H_HCR_INFO pHcr) { pLeftStartOfSegment--; pRightStartOfSegment--; pRemainingBitsInSegment--; - segmentStart = *pLeftStartOfSegment - bitstreamIndex; + segmentStart = *pLeftStartOfSegment; lastSegmentWidth = lengthOfReorderedSpectralData - segmentStart; *pRemainingBitsInSegment = lastSegmentWidth; - *pRightStartOfSegment = - bitstreamIndex + segmentStart + lastSegmentWidth - 1; + *pRightStartOfSegment = segmentStart + lastSegmentWidth - 1; endFlag = 1; break; } 
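Review bot: In HcrPrepareSegmentationGrid (hunk `@@ -825`), `intermediateResult = segmentStart;` is now only an alias. More importantly, the values written to the left/right segment-start tables have silently changed meaning from absolute bit counts to offsets from `decInOut.bitstreamAnchor`. A comment at the assignment, `/* segment starts are offsets relative to decInOut.bitstreamAnchor */`, would record the new contract for every reader of those tables. The uses of `intermediateResult` lie partly outside the hunk, so whether the variable can be dropped needs checking there.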
@@ -1071,9 +1070,9 @@ static void DecodePCWs(HANDLE_FDK_BITSTREAM bs, H_HCR_INFO pHcr) { numDecodedBits = 0; /* decode PCW_BODY */ - pQuantVal = - DecodePCW_Body(bs, pCurrentTree, pQuantValBase, pLeftStartOfSegment, - pRemainingBitsInSegment, &numDecodedBits); + pQuantVal = DecodePCW_Body( + bs, pHcr->decInOut.bitstreamAnchor, pCurrentTree, pQuantValBase, + pLeftStartOfSegment, pRemainingBitsInSegment, &numDecodedBits); /* result is written out here because NO sign bits follow the body */ for (i = dimension; i != 0; i--) { @@ -1115,14 +1114,14 @@ static void DecodePCWs(HANDLE_FDK_BITSTREAM bs, H_HCR_INFO pHcr) { int err; numDecodedBits = 0; - pQuantVal = - DecodePCW_Body(bs, pCurrentTree, pQuantValBase, pLeftStartOfSegment, - pRemainingBitsInSegment, &numDecodedBits); + pQuantVal = DecodePCW_Body( + bs, pHcr->decInOut.bitstreamAnchor, pCurrentTree, pQuantValBase, + pLeftStartOfSegment, pRemainingBitsInSegment, &numDecodedBits); err = DecodePCW_Sign( - bs, dimension, pQuantVal, pQuantizedSpectralCoefficients, - &quantizedSpectralCoefficientsIdx, pLeftStartOfSegment, - pRemainingBitsInSegment, &numDecodedBits); + bs, pHcr->decInOut.bitstreamAnchor, dimension, pQuantVal, + pQuantizedSpectralCoefficients, &quantizedSpectralCoefficientsIdx, + pLeftStartOfSegment, pRemainingBitsInSegment, &numDecodedBits); if (err != 0) { return; } 
@@ -1157,14 +1156,14 @@ static void DecodePCWs(HANDLE_FDK_BITSTREAM bs, H_HCR_INFO pHcr) { numDecodedBits = 0; /* decode PCW_BODY */ - pQuantVal = - DecodePCW_Body(bs, pCurrentTree, pQuantValBase, pLeftStartOfSegment, - pRemainingBitsInSegment, &numDecodedBits); + pQuantVal = DecodePCW_Body( + bs, pHcr->decInOut.bitstreamAnchor, pCurrentTree, pQuantValBase, + pLeftStartOfSegment, pRemainingBitsInSegment, &numDecodedBits); err = DecodePCW_Sign( - bs, dimension, pQuantVal, pQuantizedSpectralCoefficients, - &quantizedSpectralCoefficientsIdx, pLeftStartOfSegment, - pRemainingBitsInSegment, &numDecodedBits); + bs, pHcr->decInOut.bitstreamAnchor, dimension, pQuantVal, + pQuantizedSpectralCoefficients, &quantizedSpectralCoefficientsIdx, + pLeftStartOfSegment, pRemainingBitsInSegment, &numDecodedBits); if (err != 0) { return; } @@ -1177,7 +1176,7 @@ static void DecodePCWs(HANDLE_FDK_BITSTREAM bs, H_HCR_INFO pHcr) { (FIXP_DBL)ESCAPE_VALUE) { pQuantizedSpectralCoefficients[quantizedSpectralCoefficientsIdx] = (FIXP_DBL)DecodeEscapeSequence( - bs, + bs, pHcr->decInOut.bitstreamAnchor, pQuantizedSpectralCoefficients [quantizedSpectralCoefficientsIdx], pLeftStartOfSegment, pRemainingBitsInSegment, @@ -1193,7 +1192,7 @@ static void DecodePCWs(HANDLE_FDK_BITSTREAM bs, H_HCR_INFO pHcr) { (FIXP_DBL)ESCAPE_VALUE) { pQuantizedSpectralCoefficients[quantizedSpectralCoefficientsIdx] = (FIXP_DBL)DecodeEscapeSequence( - bs, + bs, pHcr->decInOut.bitstreamAnchor, pQuantizedSpectralCoefficients [quantizedSpectralCoefficientsIdx], pLeftStartOfSegment, pRemainingBitsInSegment, 
@@ -1331,7 +1330,7 @@ void CarryBitToBranchValue(UCHAR carryBit, UINT treeNode, UINT *branchValue, spectral coefficients -------------------------------------------------------------------------------------------- */ -static const SCHAR *DecodePCW_Body(HANDLE_FDK_BITSTREAM bs, +static const SCHAR *DecodePCW_Body(HANDLE_FDK_BITSTREAM bs, const INT bsAnchor, const UINT *pCurrentTree, const SCHAR *pQuantValBase, INT *pLeftStartOfSegment, @@ -1349,7 +1348,7 @@ static const SCHAR *DecodePCW_Body(HANDLE_FDK_BITSTREAM bs, /* decode whole PCW-codeword-body */ while (1) { - carryBit = HcrGetABitFromBitstream(bs, pLeftStartOfSegment, + carryBit = HcrGetABitFromBitstream(bs, bsAnchor, pLeftStartOfSegment, pLeftStartOfSegment, /* dummy */ FROM_LEFT_TO_RIGHT); *pRemainingBitsInSegment -= 1; @@ -1384,8 +1383,8 @@ value == 16, a escapeSequence is decoded in two steps: -------------------------------------------------------------------------------------------- */ -static INT DecodeEscapeSequence(HANDLE_FDK_BITSTREAM bs, INT quantSpecCoef, - INT *pLeftStartOfSegment, +static INT DecodeEscapeSequence(HANDLE_FDK_BITSTREAM bs, const INT bsAnchor, + INT quantSpecCoef, INT *pLeftStartOfSegment, SCHAR *pRemainingBitsInSegment, int *pNumDecodedBits) { UINT i; @@ -1396,7 +1395,7 @@ static INT DecodeEscapeSequence(HANDLE_FDK_BITSTREAM bs, INT quantSpecCoef, /* decode escape prefix */ while (1) { - carryBit = HcrGetABitFromBitstream(bs, pLeftStartOfSegment, + carryBit = HcrGetABitFromBitstream(bs, bsAnchor, pLeftStartOfSegment, pLeftStartOfSegment, /* dummy */ FROM_LEFT_TO_RIGHT); *pRemainingBitsInSegment -= 1; @@ -1412,7 +1411,7 @@ static INT DecodeEscapeSequence(HANDLE_FDK_BITSTREAM bs, INT quantSpecCoef, /* decode escape word */ for (i = escapeOnesCounter; i != 0; i--) { - carryBit = HcrGetABitFromBitstream(bs, pLeftStartOfSegment, + carryBit = HcrGetABitFromBitstream(bs, bsAnchor, pLeftStartOfSegment, pLeftStartOfSegment, /* dummy */ FROM_LEFT_TO_RIGHT); *pRemainingBitsInSegment -= 1; 
@@ -1441,9 +1440,10 @@ the last of eight function of HCR) line) -------------------------------------------------------------------------------------------- */ -static int DecodePCW_Sign(HANDLE_FDK_BITSTREAM bs, UINT codebookDim, - const SCHAR *pQuantVal, FIXP_DBL *pQuantSpecCoef, - int *quantSpecCoefIdx, INT *pLeftStartOfSegment, +static int DecodePCW_Sign(HANDLE_FDK_BITSTREAM bs, const INT bsAnchor, + UINT codebookDim, const SCHAR *pQuantVal, + FIXP_DBL *pQuantSpecCoef, int *quantSpecCoefIdx, + INT *pLeftStartOfSegment, SCHAR *pRemainingBitsInSegment, int *pNumDecodedBits) { UINT i; @@ -1453,7 +1453,7 @@ static int DecodePCW_Sign(HANDLE_FDK_BITSTREAM bs, UINT codebookDim, for (i = codebookDim; i != 0; i--) { quantSpecCoef = *pQuantVal++; if (quantSpecCoef != 0) { - carryBit = HcrGetABitFromBitstream(bs, pLeftStartOfSegment, + carryBit = HcrGetABitFromBitstream(bs, bsAnchor, pLeftStartOfSegment, pLeftStartOfSegment, /* dummy */ FROM_LEFT_TO_RIGHT); *pRemainingBitsInSegment -= 1; diff --git a/libAACdec/src/aacdec_hcr_bit.cpp b/libAACdec/src/aacdec_hcr_bit.cpp index a53ef16..0198659 100644 --- a/libAACdec/src/aacdec_hcr_bit.cpp +++ b/libAACdec/src/aacdec_hcr_bit.cpp @@ -132,13 +132,14 @@ read direction. It is called very often, therefore it makes sense to inline it return: - bit from bitstream -------------------------------------------------------------------------------------------- */ -UINT HcrGetABitFromBitstream(HANDLE_FDK_BITSTREAM bs, INT *pLeftStartOfSegment, +UINT HcrGetABitFromBitstream(HANDLE_FDK_BITSTREAM bs, const INT bsAnchor, + INT *pLeftStartOfSegment, INT *pRightStartOfSegment, UCHAR readDirection) { UINT bit; INT readBitOffset; if (readDirection == FROM_LEFT_TO_RIGHT) { - readBitOffset = *pLeftStartOfSegment - FDKgetBitCnt(bs); + readBitOffset = (INT)FDKgetValidBits(bs) - bsAnchor + *pLeftStartOfSegment; if (readBitOffset) { FDKpushBiDirectional(bs, readBitOffset); } 
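Review bot: In HcrGetABitFromBitstream (aacdec_hcr_bit.cpp, hunk `@@ -132`), `readBitOffset = (INT)FDKgetValidBits(bs) - bsAnchor + *pLeftStartOfSegment;` goes straight to `FDKpushBiDirectional` with no range check visible in the hunk, and the segment position is presumably derived from stream fields. The expression also relies on an unstated convention (a position equals `bsAnchor` minus the current valid-bit count) that the function's header comment does not mention for the new parameter. I would document it there, e.g. `bsAnchor: valid-bit count captured at the start of the HCR data; segment positions are offsets from it`, and state which caller guarantees the position stays inside the reordered spectral data. The same applies to the right-to-left branch in the `@@ -147` hunk and to rvlcReadBitFromBitstream in rvlcbit.cpp.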
@@ -147,7 +148,7 @@ UINT HcrGetABitFromBitstream(HANDLE_FDK_BITSTREAM bs, INT *pLeftStartOfSegment, *pLeftStartOfSegment += 1; } else { - readBitOffset = *pRightStartOfSegment - FDKgetBitCnt(bs); + readBitOffset = (INT)FDKgetValidBits(bs) - bsAnchor + *pRightStartOfSegment; if (readBitOffset) { FDKpushBiDirectional(bs, readBitOffset); } diff --git a/libAACdec/src/aacdec_hcr_bit.h b/libAACdec/src/aacdec_hcr_bit.h index 7a57c8c..77242ac 100644 --- a/libAACdec/src/aacdec_hcr_bit.h +++ b/libAACdec/src/aacdec_hcr_bit.h @@ -107,7 +107,8 @@ amm-info@iis.fraunhofer.de UCHAR ToggleReadDirection(UCHAR readDirection); -UINT HcrGetABitFromBitstream(HANDLE_FDK_BITSTREAM bs, INT *pLeftStartOfSegment, +UINT HcrGetABitFromBitstream(HANDLE_FDK_BITSTREAM bs, const INT bsAnchor, + INT *pLeftStartOfSegment, INT *pRightStartOfSegment, UCHAR readDirection); #endif /* AACDEC_HCR_BIT_H */ diff --git a/libAACdec/src/aacdec_hcr_types.h b/libAACdec/src/aacdec_hcr_types.h index d550bc2..1cc3cb0 100644 --- a/libAACdec/src/aacdec_hcr_types.h +++ b/libAACdec/src/aacdec_hcr_types.h @@ -350,7 +350,7 @@ typedef struct { SHORT lengthOfReorderedSpectralData; SHORT numSection; SHORT *pNumLineInSect; - INT bitstreamIndex; + INT bitstreamAnchor; SCHAR lengthOfLongestCodeword; UCHAR *pCodebook; } HCR_INPUT_OUTPUT; diff --git a/libAACdec/src/aacdec_hcrs.cpp b/libAACdec/src/aacdec_hcrs.cpp index e2b7cd8..1d5aa27 100644 --- a/libAACdec/src/aacdec_hcrs.cpp +++ b/libAACdec/src/aacdec_hcrs.cpp 
@@ -615,9 +615,9 @@ UINT Hcr_State_BODY_ONLY(HANDLE_FDK_BITSTREAM bs, void *ptr) { for (; pRemainingBitsInSegment[segmentOffset] > 0; pRemainingBitsInSegment[segmentOffset] -= 1) { - carryBit = HcrGetABitFromBitstream(bs, &pLeftStartOfSegment[segmentOffset], - &pRightStartOfSegment[segmentOffset], - readDirection); + carryBit = HcrGetABitFromBitstream( + bs, pHcr->decInOut.bitstreamAnchor, &pLeftStartOfSegment[segmentOffset], + &pRightStartOfSegment[segmentOffset], readDirection); CarryBitToBranchValue(carryBit, /* make a step in decoding tree */ treeNode, &branchValue, &branchNode); @@ -749,9 +749,9 @@ UINT Hcr_State_BODY_SIGN__BODY(HANDLE_FDK_BITSTREAM bs, void *ptr) { for (; pRemainingBitsInSegment[segmentOffset] > 0; pRemainingBitsInSegment[segmentOffset] -= 1) { - carryBit = HcrGetABitFromBitstream(bs, &pLeftStartOfSegment[segmentOffset], - &pRightStartOfSegment[segmentOffset], - readDirection); + carryBit = HcrGetABitFromBitstream( + bs, pHcr->decInOut.bitstreamAnchor, &pLeftStartOfSegment[segmentOffset], + &pRightStartOfSegment[segmentOffset], readDirection); CarryBitToBranchValue(carryBit, /* make a step in decoding tree */ treeNode, &branchValue, &branchNode); @@ -884,9 +884,9 @@ UINT Hcr_State_BODY_SIGN__SIGN(HANDLE_FDK_BITSTREAM bs, void *ptr) { /* loop for sign bit decoding */ for (; pRemainingBitsInSegment[segmentOffset] > 0; pRemainingBitsInSegment[segmentOffset] -= 1) { - carryBit = HcrGetABitFromBitstream(bs, &pLeftStartOfSegment[segmentOffset], - &pRightStartOfSegment[segmentOffset], - readDirection); + carryBit = HcrGetABitFromBitstream( + bs, pHcr->decInOut.bitstreamAnchor, &pLeftStartOfSegment[segmentOffset], + &pRightStartOfSegment[segmentOffset], readDirection); cntSign -= 1; /* decrement sign counter because one sign bit has been read */ 
@@ -997,9 +997,9 @@ UINT Hcr_State_BODY_SIGN_ESC__BODY(HANDLE_FDK_BITSTREAM bs, void *ptr) { for (; pRemainingBitsInSegment[segmentOffset] > 0; pRemainingBitsInSegment[segmentOffset] -= 1) { - carryBit = HcrGetABitFromBitstream(bs, &pLeftStartOfSegment[segmentOffset], - &pRightStartOfSegment[segmentOffset], - readDirection); + carryBit = HcrGetABitFromBitstream( + bs, pHcr->decInOut.bitstreamAnchor, &pLeftStartOfSegment[segmentOffset], + &pRightStartOfSegment[segmentOffset], readDirection); /* make a step in tree */ CarryBitToBranchValue(carryBit, treeNode, &branchValue, &branchNode); @@ -1159,9 +1159,9 @@ UINT Hcr_State_BODY_SIGN_ESC__SIGN(HANDLE_FDK_BITSTREAM bs, void *ptr) { /* loop for sign bit decoding */ for (; pRemainingBitsInSegment[segmentOffset] > 0; pRemainingBitsInSegment[segmentOffset] -= 1) { - carryBit = HcrGetABitFromBitstream(bs, &pLeftStartOfSegment[segmentOffset], - &pRightStartOfSegment[segmentOffset], - readDirection); + carryBit = HcrGetABitFromBitstream( + bs, pHcr->decInOut.bitstreamAnchor, &pLeftStartOfSegment[segmentOffset], + &pRightStartOfSegment[segmentOffset], readDirection); /* decrement sign counter because one sign bit has been read */ cntSign -= 1; @@ -1314,9 +1314,9 @@ UINT Hcr_State_BODY_SIGN_ESC__ESC_PREFIX(HANDLE_FDK_BITSTREAM bs, void *ptr) { /* decode escape prefix */ for (; pRemainingBitsInSegment[segmentOffset] > 0; pRemainingBitsInSegment[segmentOffset] -= 1) { - carryBit = HcrGetABitFromBitstream(bs, &pLeftStartOfSegment[segmentOffset], - &pRightStartOfSegment[segmentOffset], - readDirection); + carryBit = HcrGetABitFromBitstream( + bs, pHcr->decInOut.bitstreamAnchor, &pLeftStartOfSegment[segmentOffset], + &pRightStartOfSegment[segmentOffset], readDirection); /* count ones and store sum in escapePrefixUp */ if (carryBit == 1) { 
@@ -1435,9 +1435,9 @@ UINT Hcr_State_BODY_SIGN_ESC__ESC_WORD(HANDLE_FDK_BITSTREAM bs, void *ptr) { /* decode escape word */ for (; pRemainingBitsInSegment[segmentOffset] > 0; pRemainingBitsInSegment[segmentOffset] -= 1) { - carryBit = HcrGetABitFromBitstream(bs, &pLeftStartOfSegment[segmentOffset], - &pRightStartOfSegment[segmentOffset], - readDirection); + carryBit = HcrGetABitFromBitstream( + bs, pHcr->decInOut.bitstreamAnchor, &pLeftStartOfSegment[segmentOffset], + &pRightStartOfSegment[segmentOffset], readDirection); /* build escape word */ escapeWord <<= diff --git a/libAACdec/src/rvlc.cpp b/libAACdec/src/rvlc.cpp index 92f9f02..b7a9be1 100644 --- a/libAACdec/src/rvlc.cpp +++ b/libAACdec/src/rvlc.cpp @@ -168,13 +168,14 @@ static void rvlcInit(CErRvlcInfo *pRvlc, /* set base bitstream ptr to the RVL-coded part (start of RVLC data (ESC 2)) */ FDKsyncCache(bs); + pRvlc->bsAnchor = (INT)FDKgetValidBits(bs); - pRvlc->bitstreamIndexRvlFwd = FDKgetBitCnt( - bs); /* first bit within RVL coded block as start address for forward - decoding */ - pRvlc->bitstreamIndexRvlBwd = FDKgetBitCnt(bs) + pRvlc->length_of_rvlc_sf - - 1; /* last bit within RVL coded block as start - address for backward decoding */ + pRvlc->bitstreamIndexRvlFwd = + 0; /* first bit within RVL coded block as start address for forward + decoding */ + pRvlc->bitstreamIndexRvlBwd = + pRvlc->length_of_rvlc_sf - 1; /* last bit within RVL coded block as start + address for backward decoding */ /* skip RVLC-bitstream-part -- pointing now to escapes (if present) or to TNS * data (if present) */ @@ -183,7 +184,7 @@ static void rvlcInit(CErRvlcInfo *pRvlc, if (pRvlc->sf_escapes_present != 0) { /* locate internal bitstream ptr at escapes (which is the second part) */ FDKsyncCache(bs); - pRvlc->bitstreamIndexEsc = FDKgetBitCnt(bs); + pRvlc->bitstreamIndexEsc = pRvlc->bsAnchor - (INT)FDKgetValidBits(bs); /* skip escapeRVLC-bitstream-part -- pointing to TNS data (if present) to * make decoder continue */ 
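Review bot: In rvlcInit (rvlc.cpp, hunk `@@ -168`), `pRvlc->bitstreamIndexRvlBwd = pRvlc->length_of_rvlc_sf - 1;` yields -1 when `length_of_rvlc_sf` is 0, so the backward read would start one bit before `bsAnchor`. Whether the length is validated before this point is not visible here; if it is not, a guard ahead of the backward decode would be prudent. Also, `bitstreamIndexEsc` in the `@@ -183` hunk is computed as `pRvlc->bsAnchor - (INT)FDKgetValidBits(bs)`, the mirror image of the read helper's expression; a comment such as `/* offset of the escape part relative to bsAnchor */` would make the convention explicit. rvlcInit begins and ends outside these hunks.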
@@ -259,8 +260,9 @@ static SCHAR rvlcDecodeEscapeWord(CErRvlcInfo *pRvlc, HANDLE_FDK_BITSTREAM bs) { treeNode = *pEscTree; /* init at starting node */ for (i = MAX_LEN_RVLC_ESCAPE_WORD - 1; i >= 0; i--) { - carryBit = rvlcReadBitFromBitstream(bs, /* get next bit */ - pBitstreamIndexEsc, FWD); + carryBit = + rvlcReadBitFromBitstream(bs, /* get next bit */ + pRvlc->bsAnchor, pBitstreamIndexEsc, FWD); CarryBitToBranchValue(carryBit, /* huffman decoding, do a single step in huffman decoding tree */ @@ -370,8 +372,9 @@ SCHAR decodeRVLCodeword(HANDLE_FDK_BITSTREAM bs, CErRvlcInfo *pRvlc) { UINT treeNode = *pRvlCodeTree; for (i = MAX_LEN_RVLC_CODE_WORD - 1; i >= 0; i--) { - carryBit = rvlcReadBitFromBitstream(bs, /* get next bit */ - pBitstrIndxRvl, direction); + carryBit = + rvlcReadBitFromBitstream(bs, /* get next bit */ + pRvlc->bsAnchor, pBitstrIndxRvl, direction); CarryBitToBranchValue(carryBit, /* huffman decoding, do a single step in huffman decoding tree */ @@ -1140,7 +1143,7 @@ void CRvlc_Decode(CAacDecoderChannelInfo *pAacDecoderChannelInfo, rvlcInit(pRvlc, pAacDecoderChannelInfo, bs); /* save bitstream position */ - saveBitCnt = FDKgetBitCnt(bs); + saveBitCnt = (INT)FDKgetValidBits(bs); if (pRvlc->sf_escapes_present) rvlcDecodeEscapes( @@ -1155,7 +1158,7 @@ void CRvlc_Decode(CAacDecoderChannelInfo *pAacDecoderChannelInfo, pAacDecoderChannelInfo->data.aac.PnsData.PnsActive = pRvlc->noise_used; /* restore bitstream position */ - bitCntOffst = saveBitCnt - FDKgetBitCnt(bs); + bitCntOffst = (INT)FDKgetValidBits(bs) - saveBitCnt; if (bitCntOffst) { FDKpushBiDirectional(bs, bitCntOffst); } diff --git a/libAACdec/src/rvlc_info.h b/libAACdec/src/rvlc_info.h index fc9c19d..e7b3b99 100644 --- a/libAACdec/src/rvlc_info.h +++ b/libAACdec/src/rvlc_info.h 
@@ -164,6 +164,7 @@ typedef struct { UCHAR direction; /* bitstream indices */ + INT bsAnchor; /* hcr bit buffer reference index */ INT bitstreamIndexRvlFwd; /* base address of RVL-coded-scalefactor data (ESC 2) for forward decoding */ INT bitstreamIndexRvlBwd; /* base address of RVL-coded-scalefactor data (ESC diff --git a/libAACdec/src/rvlcbit.cpp b/libAACdec/src/rvlcbit.cpp index c06cf96..b0c4596 100644 --- a/libAACdec/src/rvlcbit.cpp +++ b/libAACdec/src/rvlcbit.cpp @@ -123,10 +123,10 @@ read direction. It is called very often, therefore it makes sense to inline it -------------------------------------------------------------------------------------------- */ -UCHAR rvlcReadBitFromBitstream(HANDLE_FDK_BITSTREAM bs, INT *pPosition, - UCHAR readDirection) { +UCHAR rvlcReadBitFromBitstream(HANDLE_FDK_BITSTREAM bs, const INT bsAnchor, + INT *pPosition, UCHAR readDirection) { UINT bit; - INT readBitOffset = *pPosition - FDKgetBitCnt(bs); + INT readBitOffset = (INT)FDKgetValidBits(bs) - bsAnchor + *pPosition; if (readBitOffset) { FDKpushBiDirectional(bs, readBitOffset); diff --git a/libAACdec/src/rvlcbit.h b/libAACdec/src/rvlcbit.h index 5c6a3f1..2578453 100644 --- a/libAACdec/src/rvlcbit.h +++ b/libAACdec/src/rvlcbit.h @@ -105,7 +105,7 @@ amm-info@iis.fraunhofer.de #include "rvlc.h" -UCHAR rvlcReadBitFromBitstream(HANDLE_FDK_BITSTREAM bs, INT *pPosition, - UCHAR readDirection); +UCHAR rvlcReadBitFromBitstream(HANDLE_FDK_BITSTREAM bs, const INT bsAnchor, + INT *pPosition, UCHAR readDirection); #endif /* RVLCBIT_H */ -- cgit v1.2.3 From 3347cfb91a7ecabf5800d72e936f04ce44752bf3 Mon Sep 17 00:00:00 2001 
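Review bot: The comment on the new field in rvlc_info.h, `/* hcr bit buffer reference index */`, names HCR, but this struct holds the RVLC state (`bitstreamIndexRvlFwd`, `bitstreamIndexRvlBwd`), and rvlcInit fills the field with a valid-bit count. Suggest `INT bsAnchor; /* valid bits at start of RVL-coded data; the indices below are offsets from it */` so the field's unit and its relation to the other indices are stated where they are declared.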
From: Fraunhofer IIS FDK Date: Wed, 15 Aug 2018 14:35:00 +0200 Subject: Break audio element loop in case element_count becomes too large. Bug: 112891564 Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: I35f02d23c0cfd620088291a52d9996a0d5a17199 --- libAACdec/src/aacdecoder.cpp | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) (limited to 'libAACdec') diff --git a/libAACdec/src/aacdecoder.cpp b/libAACdec/src/aacdecoder.cpp index b8b1327..362e0b6 100644 --- a/libAACdec/src/aacdecoder.cpp +++ b/libAACdec/src/aacdecoder.cpp @@ -2519,8 +2519,14 @@ LINKSPEC_CPP AAC_DECODER_ERROR CAacDecoder_DecodeFrame( if (!(self->flags[0] & (AC_USAC | AC_RSVD50 | AC_RSV603DA | AC_ELD | AC_SCALABLE | AC_ER))) type = (MP4_ELEMENT_ID)FDKreadBits(bs, 3); - else + else { + if (element_count >= (3 * ((8) * 2) + (((8) * 2)) / 2 + 4 * (1) + 1)) { + self->frameOK = 0; + ErrorStatus = AAC_DEC_PARSE_ERROR; + break; + } type = self->elements[element_count]; + } if ((self->flags[streamIndex] & (AC_USAC | AC_RSVD50) && element_count == 0) || @@ -2564,6 +2570,11 @@ LINKSPEC_CPP AAC_DECODER_ERROR CAacDecoder_DecodeFrame( case ID_USAC_SCE: case ID_USAC_CPE: case ID_USAC_LFE: + if (element_count >= (3 * ((8) * 2) + (((8) * 2)) / 2 + 4 * (1) + 1)) { + self->frameOK = 0; + ErrorStatus = AAC_DEC_PARSE_ERROR; + break; + } el_channels = CAacDecoder_GetELChannels( type, self->usacStereoConfigIndex[element_count]); 
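Review bot: The bound `(3 * ((8) * 2) + (((8) * 2)) / 2 + 4 * (1) + 1)` is written out three times: before `self->elements[element_count]` in hunk `@@ -2519`, under `ID_USAC_SCE`/`ID_USAC_CPE`/`ID_USAC_LFE` in the next hunk, and under `ID_EXT` in `@@ -2795`. The `ID_USAC_EXT` check, by contrast, uses the named `TP_USAC_MAX_ELEMENTS`. A bounds check that has to match an array's declared size drifts easily when it is a literal expression. If `elements` is a member array of that size, `element_count >= sizeof(self->elements) / sizeof(self->elements[0])` (or the macro this expression was expanded from) keeps the check tied to the declaration. The declarations are outside this diff, so the exact form needs confirming.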
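Review bot: In the `ID_USAC_SCE`/`ID_USAC_CPE`/`ID_USAC_LFE` case (hunk `@@ -2564`) the added `break` leaves only the `switch`, whereas the `break` in the `else` branch of the previous hunk apparently leaves the element loop itself. The loop therefore ends only if its condition, or code after the switch, tests `self->frameOK` or `ErrorStatus`; that is outside the hunk, and anything between the end of the switch and that test still runs with the out-of-range `element_count`. Please confirm, and consider a comment at the `break` such as `/* leaves the switch only; the loop terminates via frameOK */`. The same holds for the `ID_EXT` and `ID_USAC_EXT` checks in the following hunk.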
@@ -2795,12 +2806,24 @@ LINKSPEC_CPP AAC_DECODER_ERROR CAacDecoder_DecodeFrame( } break; case ID_EXT: + if (element_count >= (3 * ((8) * 2) + (((8) * 2)) / 2 + 4 * (1) + 1)) { + self->frameOK = 0; + ErrorStatus = AAC_DEC_PARSE_ERROR; + break; + } + ErrorStatus = aacDecoder_ParseExplicitMpsAndSbr( self, bs, previous_element, previous_element_index, element_count, el_cnt); break; case ID_USAC_EXT: { + if ((element_count - element_count_prev_streams) >= + TP_USAC_MAX_ELEMENTS) { + self->frameOK = 0; + ErrorStatus = AAC_DEC_PARSE_ERROR; + break; + } /* parse extension element payload q.v. rsv603daExtElement() ISO/IEC DIS 23008-3 Table 30 or UsacExElement() ISO/IEC FDIS 23003-3:2011(E) Table 21 -- cgit v1.2.3 From f44b50b83529604f1b22e77084f50d575262c4fc Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Wed, 15 Aug 2018 14:42:23 +0200 Subject: Prevent overflow in concealment clipping check Bug: 112890225 Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: Ie386e4b6fe5cdb38180f673edde8f84c36c7b522 --- libAACdec/src/conceal.cpp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'libAACdec') diff --git a/libAACdec/src/conceal.cpp b/libAACdec/src/conceal.cpp index a6064b6..569d672 100644 --- a/libAACdec/src/conceal.cpp +++ b/libAACdec/src/conceal.cpp @@ -2080,11 +2080,11 @@ static void CConcealment_TDNoise_Apply(CConcealmentInfo *const pConcealmentInfo, noiseVal = FX_DBL2FX_PCM(fMult(noiseValLong, TDNoiseAtt)); /* add filtered noise - check for clipping, before */ - if (pcmdata[ii] > (FIXP_PCM)MAXVAL_FIXP_PCM - noiseVal && - noiseVal > (FIXP_PCM)0) { + if (noiseVal > (FIXP_PCM)0 && + pcmdata[ii] > (FIXP_PCM)MAXVAL_FIXP_PCM - noiseVal) { noiseVal = noiseVal * (FIXP_PCM)-1; - } else if (pcmdata[ii] < (FIXP_PCM)MINVAL_FIXP_PCM - noiseVal && - noiseVal < (FIXP_PCM)0) { + } else if (noiseVal < (FIXP_PCM)0 && + pcmdata[ii] < (FIXP_PCM)MINVAL_FIXP_PCM - noiseVal) { noiseVal = noiseVal * (FIXP_PCM)-1; } -- cgit v1.2.3 
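Review bot: In CConcealment_TDNoise_Apply (conceal.cpp), the sign test now comes first so that `(FIXP_PCM)MAXVAL_FIXP_PCM - noiseVal` is evaluated only for positive `noiseVal` and the `MINVAL` form only for negative, but nothing in the code says the operand order is load-bearing. A comment such as `/* test the sign first: MAXVAL - noiseVal must not be evaluated for negative noiseVal */` would keep a later cleanup from reordering the condition. Separately, `noiseVal * (FIXP_PCM)-1` in the second branch cannot represent its result if `noiseVal` can equal `MINVAL_FIXP_PCM`; whether `FX_DBL2FX_PCM` can return that value is not visible in this hunk.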
From f2bc07da2ed70eb069f3faab1179c4c89792bf3d Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Wed, 15 Aug 2018 14:33:56 +0200 Subject: Unify audio element loop abort criterion in ER syntax Bug: 112891548 Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: Iea56cf804cfb9d396810124c718fc91bdff68392 --- libAACdec/src/aacdecoder.cpp | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) (limited to 'libAACdec') diff --git a/libAACdec/src/aacdecoder.cpp b/libAACdec/src/aacdecoder.cpp index b8b1327..272de9f 100644 --- a/libAACdec/src/aacdecoder.cpp +++ b/libAACdec/src/aacdecoder.cpp @@ -2055,17 +2055,12 @@ CAacDecoder_Init(HANDLE_AACDECODER self, const CSAudioSpecificConfig *asc, if (self->flags[streamIndex] & (AC_RSV603DA | AC_USAC)) { _numElements = (int)asc->m_sc.m_usacConfig.m_usacNumElements; } - if (self->flags[streamIndex] & (AC_ER | AC_LD | AC_ELD)) { - _numElements = (asc->m_channelConfiguration == 7) - ? 8 - : asc->m_channelConfiguration; - } for (int _el = 0; _el < _numElements; _el++) { int el_channels = 0; int el = elementOffset + _el; if (self->flags[streamIndex] & - (AC_ELD | AC_RSV603DA | AC_USAC | AC_RSVD50)) { + (AC_ER | AC_LD | AC_ELD | AC_RSV603DA | AC_USAC | AC_RSVD50)) { if (ch >= ascChannels) { break; } @@ -2115,7 +2110,9 @@ CAacDecoder_Init(HANDLE_AACDECODER self, const CSAudioSpecificConfig *asc, (SPECTRAL_PTR)&self->workBufferCore2[ch * 1024]; if (el_channels == 2) { - FDK_ASSERT(ch < (8) - 1); + if (ch >= (8) - 1) { + return AAC_DEC_UNSUPPORTED_CHANNELCONFIG; + } self->pAacDecoderChannelInfo[ch + 1]->pComData = self->pAacDecoderChannelInfo[ch]->pComData; self->pAacDecoderChannelInfo[ch + 1]->pComStaticData = -- cgit v1.2.3 From 25b209f229879a155759d791fe463b8abd283677 Mon Sep 17 00:00:00 2001 
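Review bot: Replacing `FDK_ASSERT(ch < (8) - 1)` with `return AAC_DEC_UNSUPPORTED_CHANNELCONFIG;` (hunk `@@ -2115`) exits CAacDecoder_Init from inside the element loop, after per-channel pointers such as the `workBufferCore2[ch * 1024]` assignment just above have already been set. If other failure paths in this function go through a cleanup label, this return bypasses it; the rest of the function is outside the hunk, so please confirm the caller discards the partially initialised decoder on this error. The guard also protects only the `ch + 1` accesses. The line above it relies on `ch` already being below 8, which is not shown for flag combinations outside the `ch >= ascChannels` check in the previous hunk.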
From: Fraunhofer IIS FDK Date: Fri, 8 Jun 2018 18:07:14 +0200 Subject: Always check whether given channel config is supported. Bug: 112660981 Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: I169161dd31bc624f2cab6be2b4c6518946ed32ba Merged-In: I169161dd31bc624f2cab6be2b4c6518946ed32ba --- libAACdec/src/aacdecoder.cpp | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) (limited to 'libAACdec') diff --git a/libAACdec/src/aacdecoder.cpp b/libAACdec/src/aacdecoder.cpp index 362e0b6..fab30de 100644 --- a/libAACdec/src/aacdecoder.cpp +++ b/libAACdec/src/aacdecoder.cpp @@ -1630,17 +1630,9 @@ CAacDecoder_Init(HANDLE_AACDECODER self, const CSAudioSpecificConfig *asc, aacChannelsOffset = 0; aacChannelsOffsetIdx = 0; elementOffset = 0; - if (configMode & AC_CM_ALLOC_MEM) { - if ((ascChannels <= 0) || - (asc->m_channelConfiguration > AACDEC_MAX_CH_CONF)) { - return AAC_DEC_UNSUPPORTED_CHANNELCONFIG; - } - if ((ascChannels + aacChannelsOffsetIdx) > ((8) * 2)) { - return AAC_DEC_UNSUPPORTED_CHANNELCONFIG; - } - if ((ascChannels + aacChannelsOffset) > (8)) { - return AAC_DEC_UNSUPPORTED_CHANNELCONFIG; - } + if ((ascChannels <= 0) || (ascChannels > (8)) || + (asc->m_channelConfiguration > AACDEC_MAX_CH_CONF)) { + return AAC_DEC_UNSUPPORTED_CHANNELCONFIG; } /* Set syntax flags */ -- cgit v1.2.3
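Review bot: The now-unconditional check bounds `ascChannels` on both sides but `asc->m_channelConfiguration` only from above (`> AACDEC_MAX_CH_CONF`). If that field has a signed type, a negative value would pass; its declaration is not part of this diff. If it is signed, adding `(asc->m_channelConfiguration < 0) ||` to the condition closes the gap. The literal `(8)` would also read better as the named channel limit it presumably expands from, so this check and the array sizes it protects cannot diverge.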