From a4d1f0ad52e2cf6f168d2193216602f52033fc27 Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Wed, 23 May 2018 18:26:27 +0200 Subject: FDKv2 ubsan patches Bug: 80053205 Test: see bug for repro with FB "wow" atest DecoderTestAacDrc Fix signed integer overflows in CLpc_SynthesisLattice() Change-Id: Icbddfcc8c5fc73382ae5bf8c2a7703802c688e06 Fix signed integer overflows in imlt Change-Id: I687834fca2f1aab6210ed9862576b4f38fcdeb24 Fix overflow in addLowbandEnergies() Change-Id: Iaa9fdf9deb49c33ec6ca7ed3081c4ddaa920e9aa Concealment fix for audio frames containing acelp components Change-Id: Ibe5e83a6efa75a48f729984a161a76b826878f4e Fix out-of-bounds access in PS concealment Change-Id: I08809a03a40d1feaf00e41278db314d67e1efe88 Fix potential memory leak in setup of qmf domain Change-Id: Id9fc2448354dc7f1b439469128407305efa3def2 Reject channel config 13 Change-Id: Idf5236f6cd054df994e69c9c972c97f6768cf9e5 Fix unsigned integer overflow in configExtension() Change-Id: I8a1668810b85e6237c3892891444ff08f04b019b Fix unsigned integer overflow in CAacDecoder_DecodeFrame() Change-Id: I79678c571690178e6c37680f70a9b94dd3cbc439 Fix unsigned integer overflow in aacDecoder_UpdateBitStreamCounters() Change-Id: I3bff959da9f53fabb18cd0ae6c260e6256194526 Fix unsigned integer overflow in transportDec_readStream() Change-Id: I6a6f9f4acaa32fae0b5de9641f8787bbc7f8286b --- libFDK/src/mdct.cpp | 74 +++++++++++++++++++---------------------------------- 1 file changed, 27 insertions(+), 47 deletions(-) (limited to 'libFDK/src/mdct.cpp') diff --git a/libFDK/src/mdct.cpp b/libFDK/src/mdct.cpp index 6a6604c..d697cfb 100644 --- a/libFDK/src/mdct.cpp +++ b/libFDK/src/mdct.cpp @@ -541,11 +541,16 @@ INT imlt_block(H_MDCT hMdct, FIXP_DBL *output, FIXP_DBL *spectrum, */ /* and de-scale current spectrum signal (time domain, no yet windowed) */ if (gain != (FIXP_DBL)0) { - scaleValuesWithFactor(pSpec, gain, tl, scalefactor[w] + specShiftScale); - } else { - int loc_scale = scalefactor[w] + specShiftScale; + for (i = 0; i < tl; i++) { + pSpec[i] = fMult(pSpec[i], gain); + } + } + + { + int loc_scale = + fixmin_I(scalefactor[w] + specShiftScale, (INT)DFRACT_BITS - 1); DWORD_ALIGNED(pSpec); - scaleValues(pSpec, tl, loc_scale); + scaleValuesSaturate(pSpec, tl, loc_scale); } if (noOutSamples <= nrSamples) { @@ -614,59 +619,34 @@ INT imlt_block(H_MDCT hMdct, FIXP_DBL *output, FIXP_DBL *spectrum, if (!hMdct->pAsymOvlp) { for (i = 0; i < fl / 2; i++) { FIXP_DBL x0, x1; -#ifdef FUNCTION_cplxMult_nIm - /* This macro negates 4th parameter (*pOvl--) */ - /* and inverts the sign of result x1 */ - - /* This subroutine calculates the two output segments (C,D) from the - two availabe DCT IV data blocks, namely, (-D-Cr,A-Br) and - (-F-Er,C-Dr). "pOvl" is the pointer to the overlap block and points - to the end of the (-D-Cr) part of the overlap buffer (-D-Cr,A-Br). - It points to the end of the (-D-Cr) because it will read this part - in a flipped order. "pCurr" is the pointer to the current block - (-F-Er,C-Dr) and points to the beginning of the (C-Dr) block, - because this block will be read consequitively. "pWindow" is a - pointer to the used window coefficients. In pointer "x1" we get the - already computed from the function "Dr" segment. In pointer "x0" we - get the "C" segment. Since we have to output them sequentially the - "x0" pointer points to the beginnig of the output buffer (X,X), and - pointer "x1" points to the end of the output buffer (X,X). When we - get the output of the cplxMult_nIm function we write it sequentially - in the output buffer from the left to right ("x0"=>C) and right to - left ("x1"=>Dr) implementing flipping. At the end we get an output - in the form (C,D). */ - cplxMult_nIm(&x1, &x0, *pCurr++, *pOvl--, pWindow[i]); - *pOut0++ = IMDCT_SCALE_DBL(x0); - *pOut1-- = IMDCT_SCALE_DBL(x1); -#else - cplxMult(&x1, &x0, *pCurr++, -*pOvl--, pWindow[i]); - *pOut0 = IMDCT_SCALE_DBL(x0); - *pOut1 = IMDCT_SCALE_DBL(-x1); + cplxMultDiv2(&x1, &x0, *pCurr++, -*pOvl--, pWindow[i]); + *pOut0 = IMDCT_SCALE_DBL_LSH1(x0); + *pOut1 = IMDCT_SCALE_DBL_LSH1(-x1); pOut0++; pOut1--; -#endif /* #ifdef FUNCTION_cplxMult_nIm */ } } else { FIXP_DBL *pAsymOvl = hMdct->pAsymOvlp + fl / 2 - 1; for (i = 0; i < fl / 2; i++) { FIXP_DBL x0, x1; - x1 = -fMult(*pCurr, pWindow[i].v.re) + - fMult(*pAsymOvl, pWindow[i].v.im); - x0 = fMult(*pCurr, pWindow[i].v.im) - fMult(*pOvl, pWindow[i].v.re); + x1 = -fMultDiv2(*pCurr, pWindow[i].v.re) + + fMultDiv2(*pAsymOvl, pWindow[i].v.im); + x0 = fMultDiv2(*pCurr, pWindow[i].v.im) - + fMultDiv2(*pOvl, pWindow[i].v.re); pCurr++; pOvl--; pAsymOvl--; - *pOut0++ = IMDCT_SCALE_DBL(x0); - *pOut1-- = IMDCT_SCALE_DBL(x1); + *pOut0++ = IMDCT_SCALE_DBL_LSH1(x0); + *pOut1-- = IMDCT_SCALE_DBL_LSH1(x1); } hMdct->pAsymOvlp = NULL; } } else { /* prevAliasingSymmetry == 1 */ for (i = 0; i < fl / 2; i++) { FIXP_DBL x0, x1; - cplxMult(&x1, &x0, *pCurr++, -*pOvl--, pWindow[i]); - *pOut0 = IMDCT_SCALE_DBL(x0); - *pOut1 = IMDCT_SCALE_DBL(x1); + cplxMultDiv2(&x1, &x0, *pCurr++, -*pOvl--, pWindow[i]); + *pOut0 = IMDCT_SCALE_DBL_LSH1(x0); + *pOut1 = IMDCT_SCALE_DBL_LSH1(x1); pOut0++; pOut1--; } @@ -675,18 +655,18 @@ INT imlt_block(H_MDCT hMdct, FIXP_DBL *output, FIXP_DBL *spectrum, if (hMdct->prevAliasSymmetry == 0) { for (i = 0; i < fl / 2; i++) { FIXP_DBL x0, x1; - cplxMult(&x1, &x0, *pCurr++, *pOvl--, pWindow[i]); - *pOut0 = IMDCT_SCALE_DBL(x0); - *pOut1 = IMDCT_SCALE_DBL(-x1); + cplxMultDiv2(&x1, &x0, *pCurr++, *pOvl--, pWindow[i]); + *pOut0 = IMDCT_SCALE_DBL_LSH1(x0); + *pOut1 = IMDCT_SCALE_DBL_LSH1(-x1); pOut0++; pOut1--; } } else { /* prevAliasingSymmetry == 1 */ for (i = 0; i < fl / 2; i++) { FIXP_DBL x0, x1; - cplxMult(&x1, &x0, *pCurr++, *pOvl--, pWindow[i]); - *pOut0 = IMDCT_SCALE_DBL(x0); - *pOut1 = IMDCT_SCALE_DBL(x1); + cplxMultDiv2(&x1, &x0, *pCurr++, *pOvl--, pWindow[i]); + *pOut0 = IMDCT_SCALE_DBL_LSH1(x0); + *pOut1 = IMDCT_SCALE_DBL_LSH1(x1); pOut0++; pOut1--; } -- cgit v1.2.3