From 39e13c1acbca94f562f9776e1555ced50dd0dfcd Mon Sep 17 00:00:00 2001
From: Martin Storsjo <martin@martin.st>
Date: Wed, 7 Jun 2017 15:29:59 +0300
Subject: Fix "Stack-buffer-overflow in FDKmemset"

This probably doesn't fix the root cause, but at least fixes
the issues found in this particular fuzzed sample.

Fixes: 1973/clusterfuzz-testcase-minimized-6319232084082688

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
---
 libFDK/src/qmf.cpp | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'libFDK/src/qmf.cpp')

diff --git a/libFDK/src/qmf.cpp b/libFDK/src/qmf.cpp
index 54526dd..13e6ff2 100644
--- a/libFDK/src/qmf.cpp
+++ b/libFDK/src/qmf.cpp
@@ -791,6 +791,10 @@ qmfInverseModulationHQ( HANDLE_QMF_FILTER_BANK synQmf,  /*!< Handle of Qmf Synth
     scaleValues(&tImag[0+synQmf->lsb], &qmfImag[0+synQmf->lsb], synQmf->usb-synQmf->lsb, scaleFactorHighBand);
   }
 
+  if (synQmf->usb >= synQmf->no_channels) {
+    return;
+  }
+
   FDKmemclear(&tReal[synQmf->usb], (synQmf->no_channels-synQmf->usb)*sizeof(FIXP_QMF));
   FDKmemclear(&tImag[synQmf->usb], (synQmf->no_channels-synQmf->usb)*sizeof(FIXP_QMF));
 
-- 
cgit v1.2.3


From a9c8cb2cf64004a8d4089aef953734c6e98f7c52 Mon Sep 17 00:00:00 2001
From: Martin Storsjo <martin@martin.st>
Date: Thu, 22 Jun 2017 11:52:08 +0300
Subject: Revert "Fix "Stack-buffer-overflow in FDKmemset""

This reverts commit 39e13c1acbca94f562f9776e1555ced50dd0dfcd.

This turned out to break HE-AACv2 encoding. Will look for a better
fix for the issue found by the fuzzed sample.

This fixes issue #69.
---
 libFDK/src/qmf.cpp | 4 ----
 1 file changed, 4 deletions(-)

(limited to 'libFDK/src/qmf.cpp')

diff --git a/libFDK/src/qmf.cpp b/libFDK/src/qmf.cpp
index 13e6ff2..54526dd 100644
--- a/libFDK/src/qmf.cpp
+++ b/libFDK/src/qmf.cpp
@@ -791,10 +791,6 @@ qmfInverseModulationHQ( HANDLE_QMF_FILTER_BANK synQmf,  /*!< Handle of Qmf Synth
     scaleValues(&tImag[0+synQmf->lsb], &qmfImag[0+synQmf->lsb], synQmf->usb-synQmf->lsb, scaleFactorHighBand);
   }
 
-  if (synQmf->usb >= synQmf->no_channels) {
-    return;
-  }
-
   FDKmemclear(&tReal[synQmf->usb], (synQmf->no_channels-synQmf->usb)*sizeof(FIXP_QMF));
   FDKmemclear(&tImag[synQmf->usb], (synQmf->no_channels-synQmf->usb)*sizeof(FIXP_QMF));
 
-- 
cgit v1.2.3


From af5863a78efdfccd003dd6bea68c4a2cd2ad9f37 Mon Sep 17 00:00:00 2001
From: Martin Storsjo <martin@martin.st>
Date: Wed, 7 Jun 2017 15:29:59 +0300
Subject: Re-fix "Stack-buffer-overflow in FDKmemset"

This probably doesn't fix the root cause, but at least fixes
the issues found in this particular fuzzed sample.

Compared to the previous fix in 39e13c1acbca94f562f9776e1555ced50dd0dfcd,
this doesn't break HE-AACv2 encoding, by allowing the case with
usb==no_channels.

Fixes: 1973/clusterfuzz-testcase-minimized-6319232084082688

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
---
 libFDK/src/qmf.cpp | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'libFDK/src/qmf.cpp')

diff --git a/libFDK/src/qmf.cpp b/libFDK/src/qmf.cpp
index 54526dd..595fe94 100644
--- a/libFDK/src/qmf.cpp
+++ b/libFDK/src/qmf.cpp
@@ -791,6 +791,10 @@ qmfInverseModulationHQ( HANDLE_QMF_FILTER_BANK synQmf,  /*!< Handle of Qmf Synth
     scaleValues(&tImag[0+synQmf->lsb], &qmfImag[0+synQmf->lsb], synQmf->usb-synQmf->lsb, scaleFactorHighBand);
   }
 
+  if (synQmf->usb > synQmf->no_channels) {
+    return;
+  }
+
   FDKmemclear(&tReal[synQmf->usb], (synQmf->no_channels-synQmf->usb)*sizeof(FIXP_QMF));
   FDKmemclear(&tImag[synQmf->usb], (synQmf->no_channels-synQmf->usb)*sizeof(FIXP_QMF));
 
-- 
cgit v1.2.3