From a4d1f0ad52e2cf6f168d2193216602f52033fc27 Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Wed, 23 May 2018 18:26:27 +0200
Subject: FDKv2 ubsan patches

Bug: 80053205
Test: see bug for repro with FB "wow"
   atest DecoderTestAacDrc

Fix signed integer overflows in CLpc_SynthesisLattice()

Change-Id: Icbddfcc8c5fc73382ae5bf8c2a7703802c688e06

Fix signed integer overflows in imlt

Change-Id: I687834fca2f1aab6210ed9862576b4f38fcdeb24

Fix overflow in addLowbandEnergies()

Change-Id: Iaa9fdf9deb49c33ec6ca7ed3081c4ddaa920e9aa

Concealment fix for audio frames containing acelp components

Change-Id: Ibe5e83a6efa75a48f729984a161a76b826878f4e

Fix out-of-bounds access in PS concealment

Change-Id: I08809a03a40d1feaf00e41278db314d67e1efe88

Fix potential memory leak in setup of qmf domain

Change-Id: Id9fc2448354dc7f1b439469128407305efa3def2

Reject channel config 13

Change-Id: Idf5236f6cd054df994e69c9c972c97f6768cf9e5

Fix unsigned integer overflow in configExtension()

Change-Id: I8a1668810b85e6237c3892891444ff08f04b019b

Fix unsigned integer overflow in CAacDecoder_DecodeFrame()

Change-Id: I79678c571690178e6c37680f70a9b94dd3cbc439

Fix unsigned integer overflow in aacDecoder_UpdateBitStreamCounters()

Change-Id: I3bff959da9f53fabb18cd0ae6c260e6256194526

Fix unsigned integer overflow in transportDec_readStream()

Change-Id: I6a6f9f4acaa32fae0b5de9641f8787bbc7f8286b
---
 libFDK/src/FDK_qmf_domain.cpp | 97 +++++++++++++++++++++++++++++--------------
 1 file changed, 66 insertions(+), 31 deletions(-)

(limited to 'libFDK/src/FDK_qmf_domain.cpp')

diff --git a/libFDK/src/FDK_qmf_domain.cpp b/libFDK/src/FDK_qmf_domain.cpp
index 4b78931..043a372 100644
--- a/libFDK/src/FDK_qmf_domain.cpp
+++ b/libFDK/src/FDK_qmf_domain.cpp
@@ -274,17 +274,28 @@ static int FDK_QmfDomain_AllocatePersistentMemory(HANDLE_FDK_QMF_DOMAIN qd) {
     size = gc->nBandsAnalysis * 10;
     if (size > 0) {
       if (gc->nBandsAnalysis == QMF_DOMAIN_ANALYSIS_QMF_BANDS_16) {
-        if (NULL == (qd->QmfDomainIn[ch].pAnaQmfStates = GetAnaQmfStates16(ch)))
-          goto bail;
+        if (qd->QmfDomainIn[ch].pAnaQmfStates == NULL) {
+          if (NULL ==
+              (qd->QmfDomainIn[ch].pAnaQmfStates = GetAnaQmfStates16(ch)))
+            goto bail;
+        }
       } else if (gc->nBandsAnalysis == QMF_DOMAIN_ANALYSIS_QMF_BANDS_24) {
-        if (NULL == (qd->QmfDomainIn[ch].pAnaQmfStates = GetAnaQmfStates24(ch)))
-          goto bail;
+        if (qd->QmfDomainIn[ch].pAnaQmfStates == NULL) {
+          if (NULL ==
+              (qd->QmfDomainIn[ch].pAnaQmfStates = GetAnaQmfStates24(ch)))
+            goto bail;
+        }
       } else if (gc->nBandsAnalysis == QMF_DOMAIN_ANALYSIS_QMF_BANDS_32) {
-        if (NULL == (qd->QmfDomainIn[ch].pAnaQmfStates = GetAnaQmfStates32(ch)))
-          goto bail;
+        if (qd->QmfDomainIn[ch].pAnaQmfStates == NULL) {
+          if (NULL ==
+              (qd->QmfDomainIn[ch].pAnaQmfStates = GetAnaQmfStates32(ch)))
+            goto bail;
+        }
       } else {
-        if (NULL == (qd->QmfDomainIn[ch].pAnaQmfStates = GetAnaQmfStates(ch)))
-          goto bail;
+        if (qd->QmfDomainIn[ch].pAnaQmfStates == NULL) {
+          if (NULL == (qd->QmfDomainIn[ch].pAnaQmfStates = GetAnaQmfStates(ch)))
+            goto bail;
+        }
       }
     } else {
       qd->QmfDomainIn[ch].pAnaQmfStates = NULL;
@@ -293,20 +304,36 @@ static int FDK_QmfDomain_AllocatePersistentMemory(HANDLE_FDK_QMF_DOMAIN qd) {
     size = gc->nQmfOvTimeSlots + gc->nQmfTimeSlots;
     if (size > 0) {
       if (gc->nQmfTimeSlots == QMF_DOMAIN_TIMESLOTS_16) {
-        if (NULL == (qd->QmfDomainIn[ch].hQmfSlotsReal = GetQmfSlotsReal16(ch)))
-          goto bail;
-        if (NULL == (qd->QmfDomainIn[ch].hQmfSlotsImag = GetQmfSlotsImag16(ch)))
-          goto bail;
+        if (qd->QmfDomainIn[ch].hQmfSlotsReal == NULL) {
+          if (NULL ==
+              (qd->QmfDomainIn[ch].hQmfSlotsReal = GetQmfSlotsReal16(ch)))
+            goto bail;
+        }
+        if (qd->QmfDomainIn[ch].hQmfSlotsImag == NULL) {
+          if (NULL ==
+              (qd->QmfDomainIn[ch].hQmfSlotsImag = GetQmfSlotsImag16(ch)))
+            goto bail;
+        }
       } else if (gc->nQmfTimeSlots == QMF_DOMAIN_TIMESLOTS_32) {
-        if (NULL == (qd->QmfDomainIn[ch].hQmfSlotsReal = GetQmfSlotsReal32(ch)))
-          goto bail;
-        if (NULL == (qd->QmfDomainIn[ch].hQmfSlotsImag = GetQmfSlotsImag32(ch)))
-          goto bail;
+        if (qd->QmfDomainIn[ch].hQmfSlotsReal == NULL) {
+          if (NULL ==
+              (qd->QmfDomainIn[ch].hQmfSlotsReal = GetQmfSlotsReal32(ch)))
+            goto bail;
+        }
+        if (qd->QmfDomainIn[ch].hQmfSlotsImag == NULL) {
+          if (NULL ==
+              (qd->QmfDomainIn[ch].hQmfSlotsImag = GetQmfSlotsImag32(ch)))
+            goto bail;
+        }
       } else {
-        if (NULL == (qd->QmfDomainIn[ch].hQmfSlotsReal = GetQmfSlotsReal(ch)))
-          goto bail;
-        if (NULL == (qd->QmfDomainIn[ch].hQmfSlotsImag = GetQmfSlotsImag(ch)))
-          goto bail;
+        if (qd->QmfDomainIn[ch].hQmfSlotsReal == NULL) {
+          if (NULL == (qd->QmfDomainIn[ch].hQmfSlotsReal = GetQmfSlotsReal(ch)))
+            goto bail;
+        }
+        if (qd->QmfDomainIn[ch].hQmfSlotsImag == NULL) {
+          if (NULL == (qd->QmfDomainIn[ch].hQmfSlotsImag = GetQmfSlotsImag(ch)))
+            goto bail;
+        }
       }
     } else {
       qd->QmfDomainIn[ch].hQmfSlotsReal = NULL;
@@ -316,17 +343,23 @@ static int FDK_QmfDomain_AllocatePersistentMemory(HANDLE_FDK_QMF_DOMAIN qd) {
     size = gc->nQmfOvTimeSlots * gc->nQmfProcBands * CMPLX_MOD;
     if (size > 0) {
       if (gc->nQmfOvTimeSlots == QMF_DOMAIN_OV_TIMESLOTS_16) {
-        if (NULL ==
-            (qd->QmfDomainIn[ch].pOverlapBuffer = GetQmfOverlapBuffer16(ch)))
-          goto bail;
+        if (qd->QmfDomainIn[ch].pOverlapBuffer == NULL) {
+          if (NULL ==
+              (qd->QmfDomainIn[ch].pOverlapBuffer = GetQmfOverlapBuffer16(ch)))
+            goto bail;
+        }
       } else if (gc->nQmfOvTimeSlots == QMF_DOMAIN_OV_TIMESLOTS_32) {
-        if (NULL ==
-            (qd->QmfDomainIn[ch].pOverlapBuffer = GetQmfOverlapBuffer32(ch)))
-          goto bail;
+        if (qd->QmfDomainIn[ch].pOverlapBuffer == NULL) {
+          if (NULL ==
+              (qd->QmfDomainIn[ch].pOverlapBuffer = GetQmfOverlapBuffer32(ch)))
+            goto bail;
+        }
       } else {
-        if (NULL ==
-            (qd->QmfDomainIn[ch].pOverlapBuffer = GetQmfOverlapBuffer(ch)))
-          goto bail;
+        if (qd->QmfDomainIn[ch].pOverlapBuffer == NULL) {
+          if (NULL ==
+              (qd->QmfDomainIn[ch].pOverlapBuffer = GetQmfOverlapBuffer(ch)))
+            goto bail;
+        }
       }
     } else {
       qd->QmfDomainIn[ch].pOverlapBuffer = NULL;
@@ -336,8 +369,10 @@ static int FDK_QmfDomain_AllocatePersistentMemory(HANDLE_FDK_QMF_DOMAIN qd) {
   for (ch = 0; ch < gc->nOutputChannels; ch++) {
     int size = gc->nBandsSynthesis * 9;
     if (size > 0) {
-      if (NULL == (qd->QmfDomainOut[ch].pSynQmfStates = GetSynQmfStates(ch)))
-        goto bail;
+      if (qd->QmfDomainOut[ch].pSynQmfStates == NULL) {
+        if (NULL == (qd->QmfDomainOut[ch].pSynQmfStates = GetSynQmfStates(ch)))
+          goto bail;
+      }
     } else {
       qd->QmfDomainOut[ch].pSynQmfStates = NULL;
     }
-- 
cgit v1.2.3