From 44ac411683e7cfbfdb1f58e02d54377d709c8dd4 Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Wed, 9 May 2018 13:32:45 +0200 Subject: FDK patches: fix overflows in decoder out-of-band config Bug: 71430241 Bug: 79220129 Test: cts-tradefed run commandAndExit cts-dev -m CtsMediaTestCases -t android.media.cts.DecoderTestXheAac cts-tradefed run commandAndExit cts-dev -m CtsMediaTestCases -t android.media.cts.DecoderTestAacDrc Unsigned Integer Overflows in CDataStreamElement_Read() Change-Id: Ic2f5b3ae111bf984d4d0db664823798957b0a979 Unsigned Integer Overflow in CProgramConfig_ReadHeightExt() Change-Id: Iaebc458bb59504203e604a28ed6d5cecaa875c42 Unsigned Integer Overflow in transportDec_OutOfBandConfig() Change-Id: I24a4b32d736f28c55147f0e2ca06fe5537da19c2 Unsigned Integer Overflows in CDKcrcEndReg() & crcCalc() Change-Id: I6ebbe541a4d3b6bacbd5ace17264972951de7ca8 Unsigned Integer Overflows in ReadPsData() Change-Id: Id36576fe545236860a06f17971494ecd4484c494 Unsigned Integer Overflow in SpatialDecParseSpecificConfig() Change-Id: Ib468f129a951c69776b88468407f008ab4cfd2c7 Unsigned Integer Overflows in _readUniDrcConfigExtension() & _readLoudnessInfoSetExtension() Change-Id: Ibcf7c6a23af49239206ea9301c58adac36e3ceba --- libDRCdec/src/drcDec_reader.cpp | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'libDRCdec') diff --git a/libDRCdec/src/drcDec_reader.cpp b/libDRCdec/src/drcDec_reader.cpp index db5fab7..6fe7a04 100644 --- a/libDRCdec/src/drcDec_reader.cpp +++ b/libDRCdec/src/drcDec_reader.cpp @@ -1622,7 +1622,7 @@ static DRC_ERROR _readUniDrcConfigExtension( HANDLE_FDK_BITSTREAM hBs, HANDLE_UNI_DRC_CONFIG hUniDrcConfig) { DRC_ERROR err = DE_OK; int k, bitSizeLen, extSizeBits, bitSize; - UINT nBitsRemaining; + INT nBitsRemaining; UNI_DRC_CONFIG_EXTENSION* pExt = &(hUniDrcConfig->uniDrcConfigExt); k = 0; @@ -1634,13 +1634,14 @@ static DRC_ERROR _readUniDrcConfigExtension( bitSize = FDKreadBits(hBs, extSizeBits); pExt->extBitSize[k] = bitSize + 1; - nBitsRemaining = FDKgetValidBits(hBs); + nBitsRemaining = (INT)FDKgetValidBits(hBs); switch (pExt->uniDrcConfigExtType[k]) { case UNIDRCCONFEXT_V1: err = _readDrcExtensionV1(hBs, hUniDrcConfig); if (err) return err; - if (nBitsRemaining != (pExt->extBitSize[k] + FDKgetValidBits(hBs))) + if (nBitsRemaining != + ((INT)pExt->extBitSize[k] + (INT)FDKgetValidBits(hBs))) return DE_NOT_OK; break; case UNIDRCCONFEXT_PARAM_DRC: @@ -1940,7 +1941,7 @@ static DRC_ERROR _readLoudnessInfoSetExtension( HANDLE_FDK_BITSTREAM hBs, HANDLE_LOUDNESS_INFO_SET hLoudnessInfoSet) { DRC_ERROR err = DE_OK; int k, bitSizeLen, extSizeBits, bitSize; - UINT nBitsRemaining; + INT nBitsRemaining; LOUDNESS_INFO_SET_EXTENSION* pExt = &(hLoudnessInfoSet->loudnessInfoSetExt); k = 0; @@ -1952,13 +1953,14 @@ static DRC_ERROR _readLoudnessInfoSetExtension( bitSize = FDKreadBits(hBs, extSizeBits); pExt->extBitSize[k] = bitSize + 1; - nBitsRemaining = FDKgetValidBits(hBs); + nBitsRemaining = (INT)FDKgetValidBits(hBs); switch (pExt->loudnessInfoSetExtType[k]) { case UNIDRCLOUDEXT_EQ: err = _readLoudnessInfoSetExtEq(hBs, hLoudnessInfoSet); if (err) return err; - if (nBitsRemaining != (pExt->extBitSize[k] + FDKgetValidBits(hBs))) + if (nBitsRemaining != + ((INT)pExt->extBitSize[k] + (INT)FDKgetValidBits(hBs))) return DE_NOT_OK; break; /* add future extensions here */ -- cgit v1.2.3