From 9f9bffb7633f69d4578167d40ff310c62897d51c Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Thu, 9 Apr 2020 17:50:10 +0200 Subject: Prevent integer overflows in dualChannelFiltering() and eightChannelFiltering(). Bug: 176246647 Test: atest DecoderTestXheAac DecoderTestAacDrc Change-Id: Ic9217bbb3980807036ae6ae121e6ddb7cc1bce35 --- libFDK/src/FDK_hybrid.cpp | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) (limited to 'libFDK/src') diff --git a/libFDK/src/FDK_hybrid.cpp b/libFDK/src/FDK_hybrid.cpp index 08d32a8..d208abd 100644 --- a/libFDK/src/FDK_hybrid.cpp +++ b/libFDK/src/FDK_hybrid.cpp @@ -1,7 +1,7 @@ /* ----------------------------------------------------------------------------- Software License for The Fraunhofer FDK AAC Codec Library for Android -© Copyright 1995 - 2019 Fraunhofer-Gesellschaft zur Förderung der angewandten +© Copyright 1995 - 2020 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. All rights reserved. 1. INTRODUCTION @@ -539,11 +539,11 @@ static void dualChannelFiltering(const FIXP_DBL *const pQmfReal, i6 = pQmfImag[pReadIdx[6]] >> 2; FDK_ASSERT((invert == 0) || (invert == 1)); - mHybridReal[0 + invert] = (r6 + r1) << 1; - mHybridImag[0 + invert] = (i6 + i1) << 1; + mHybridReal[0 + invert] = SATURATE_LEFT_SHIFT((r6 + r1), 1, DFRACT_BITS); + mHybridImag[0 + invert] = SATURATE_LEFT_SHIFT((i6 + i1), 1, DFRACT_BITS); - mHybridReal[1 - invert] = (r6 - r1) << 1; - mHybridImag[1 - invert] = (i6 - i1) << 1; + mHybridReal[1 - invert] = SATURATE_LEFT_SHIFT((r6 - r1), 1, DFRACT_BITS); + mHybridImag[1 - invert] = SATURATE_LEFT_SHIFT((i6 - i1), 1, DFRACT_BITS); } static void fourChannelFiltering(const FIXP_DBL *const pQmfReal, @@ -766,15 +766,15 @@ static void eightChannelFiltering(const FIXP_DBL *const pQmfReal, mHybridReal[3] = pfft[FFT_IDX_R(1)] << sc; mHybridImag[3] = pfft[FFT_IDX_I(1)] << sc; - mHybridReal[4] = pfft[FFT_IDX_R(2)] << sc; - mHybridReal[4] += pfft[FFT_IDX_R(5)] << sc; - mHybridImag[4] = pfft[FFT_IDX_I(2)] << sc; - mHybridImag[4] += pfft[FFT_IDX_I(5)] << sc; + mHybridReal[4] = SATURATE_LEFT_SHIFT( + (pfft[FFT_IDX_R(2)] + pfft[FFT_IDX_R(5)]), sc, DFRACT_BITS); + mHybridImag[4] = SATURATE_LEFT_SHIFT( + (pfft[FFT_IDX_I(2)] + pfft[FFT_IDX_I(5)]), sc, DFRACT_BITS); - mHybridReal[5] = pfft[FFT_IDX_R(3)] << sc; - mHybridReal[5] += pfft[FFT_IDX_R(4)] << sc; - mHybridImag[5] = pfft[FFT_IDX_I(3)] << sc; - mHybridImag[5] += pfft[FFT_IDX_I(4)] << sc; + mHybridReal[5] = SATURATE_LEFT_SHIFT( + (pfft[FFT_IDX_R(3)] + pfft[FFT_IDX_R(4)]), sc, DFRACT_BITS); + mHybridImag[5] = SATURATE_LEFT_SHIFT( + (pfft[FFT_IDX_I(3)] + pfft[FFT_IDX_I(4)]), sc, DFRACT_BITS); } else { for (k = 0; k < 8; k++) { mHybridReal[k] = pfft[FFT_IDX_R(k)] << sc; -- cgit v1.2.3 From 2b281bb5a38685988e145b5b2fcbbcb6fb547bdc Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Thu, 9 Apr 2020 17:52:56 +0200 Subject: Avoid integer overflow in dct_II(). Bug: 176246647 Test: atest DecoderTestXheAac DecoderTestAacDrc Change-Id: I6c30c4dec3f85410c2748eb42d38f5eb72521ec5 --- libFDK/src/dct.cpp | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) (limited to 'libFDK/src') diff --git a/libFDK/src/dct.cpp b/libFDK/src/dct.cpp index bd26736..35507b5 100644 --- a/libFDK/src/dct.cpp +++ b/libFDK/src/dct.cpp @@ -1,7 +1,7 @@ /* ----------------------------------------------------------------------------- Software License for The Fraunhofer FDK AAC Codec Library for Android -© Copyright 1995 - 2019 Fraunhofer-Gesellschaft zur Förderung der angewandten +© Copyright 1995 - 2020 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. All rights reserved. 1. INTRODUCTION @@ -305,9 +305,8 @@ void dct_II( { for (i = 0; i < M; i++) { - tmp[i] = pDat[2 * i] >> 1; /* dit_fft expects 1 bit scaled input values */ - tmp[L - 1 - i] = - pDat[2 * i + 1] >> 1; /* dit_fft expects 1 bit scaled input values */ + tmp[i] = pDat[2 * i] >> 2; + tmp[L - 1 - i] = pDat[2 * i + 1] >> 2; } } @@ -337,15 +336,14 @@ void dct_II( a1 = ((pTmp_0[0] >> 1) + (pTmp_1[0] >> 1)); a2 = ((pTmp_0[1] >> 1) - (pTmp_1[1] >> 1)); - cplxMultDiv2(&accu3, &accu4, (a1 + accu2), -(accu1 + a2), - sin_twiddle[i * inc]); - pDat[L - i] = accu4; - pDat[i] = accu3; + cplxMult(&accu3, &accu4, (accu1 + a2), (a1 + accu2), sin_twiddle[i * inc]); + pDat[L - i] = -accu3; + pDat[i] = accu4; - cplxMultDiv2(&accu3, &accu4, (a1 - accu2), -(accu1 - a2), - sin_twiddle[(M - i) * inc]); - pDat[M + i] = accu4; - pDat[M - i] = accu3; + cplxMult(&accu3, &accu4, (accu1 - a2), (a1 - accu2), + sin_twiddle[(M - i) * inc]); + pDat[M + i] = -accu3; + pDat[M - i] = accu4; /* Create index helper variables for (4*i)*inc indexed equivalent values of * short tables. */ @@ -356,12 +354,12 @@ void dct_II( } } - cplxMultDiv2(&accu1, &accu2, tmp[M], tmp[M + 1], sin_twiddle[(M / 2) * inc]); + cplxMult(&accu1, &accu2, tmp[M], tmp[M + 1], sin_twiddle[(M / 2) * inc]); pDat[L - (M / 2)] = accu2; pDat[M / 2] = accu1; - pDat[0] = (tmp[0] >> 1) + (tmp[1] >> 1); - pDat[M] = fMult(((tmp[0] >> 1) - (tmp[1] >> 1)), + pDat[0] = tmp[0] + tmp[1]; + pDat[M] = fMult(tmp[0] - tmp[1], sin_twiddle[M * inc].v.re); /* cos((PI/(2*L))*M); */ *pDat_e += 2; -- cgit v1.2.3 From d8515f231fea359c20514dd3e36d104f1341b04d Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Fri, 8 May 2020 16:39:30 +0200 Subject: Use dynamic scaling depending on autocorr length to avoid signed integer overflow. Bug: 186706541 Test: atest android.media.cts.DecoderTestAacFormat android.media.cts.DecoderTestXheAac android.media.cts.DecoderTestAacDrc Change-Id: Ibc035ce2eafe4b0d98377d090adad77bbf5cbb5c --- libFDK/src/autocorr2nd.cpp | 43 +++++++++++++++++++++---------------------- 1 file changed, 21 insertions(+), 22 deletions(-) (limited to 'libFDK/src') diff --git a/libFDK/src/autocorr2nd.cpp b/libFDK/src/autocorr2nd.cpp index 718a555..8c5673c 100644 --- a/libFDK/src/autocorr2nd.cpp +++ b/libFDK/src/autocorr2nd.cpp @@ -1,7 +1,7 @@ /* ----------------------------------------------------------------------------- Software License for The Fraunhofer FDK AAC Codec Library for Android -© Copyright 1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten +© Copyright 1995 - 2020 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. All rights reserved. 1. INTRODUCTION @@ -102,11 +102,6 @@ amm-info@iis.fraunhofer.de #include "autocorr2nd.h" -/* If the accumulator does not provide enough overflow bits, - products have to be shifted down in the autocorrelation below. */ -#define SHIFT_FACTOR (5) -#define SHIFT >> (SHIFT_FACTOR) - /*! * * \brief Calculate second order autocorrelation using 2 accumulators @@ -126,45 +121,49 @@ INT autoCorr2nd_real( const FIXP_DBL *realBuf = reBuffer; + const int len_scale = fMax(DFRACT_BITS - fNormz((FIXP_DBL)(len / 2)), 1); /* r11r,r22r r01r,r12r r02r */ pReBuf = realBuf - 2; - accu5 = ((fMultDiv2(pReBuf[0], pReBuf[2]) + fMultDiv2(pReBuf[1], pReBuf[3])) - SHIFT); + accu5 = + ((fMultDiv2(pReBuf[0], pReBuf[2]) + fMultDiv2(pReBuf[1], pReBuf[3])) >> + len_scale); pReBuf++; /* len must be even */ - accu1 = fPow2Div2(pReBuf[0]) SHIFT; - accu3 = fMultDiv2(pReBuf[0], pReBuf[1]) SHIFT; + accu1 = fPow2Div2(pReBuf[0]) >> len_scale; + accu3 = fMultDiv2(pReBuf[0], pReBuf[1]) >> len_scale; pReBuf++; for (j = (len - 2) >> 1; j != 0; j--, pReBuf += 2) { - accu1 += ((fPow2Div2(pReBuf[0]) + fPow2Div2(pReBuf[1])) SHIFT); + accu1 += ((fPow2Div2(pReBuf[0]) + fPow2Div2(pReBuf[1])) >> len_scale); - accu3 += ((fMultDiv2(pReBuf[0], pReBuf[1]) + - fMultDiv2(pReBuf[1], pReBuf[2])) SHIFT); + accu3 += + ((fMultDiv2(pReBuf[0], pReBuf[1]) + fMultDiv2(pReBuf[1], pReBuf[2])) >> + len_scale); - accu5 += ((fMultDiv2(pReBuf[0], pReBuf[2]) + - fMultDiv2(pReBuf[1], pReBuf[3])) SHIFT); + accu5 += + ((fMultDiv2(pReBuf[0], pReBuf[2]) + fMultDiv2(pReBuf[1], pReBuf[3])) >> + len_scale); } - accu2 = (fPow2Div2(realBuf[-2]) SHIFT); + accu2 = (fPow2Div2(realBuf[-2]) >> len_scale); accu2 += accu1; - accu1 += (fPow2Div2(realBuf[len - 2]) SHIFT); + accu1 += (fPow2Div2(realBuf[len - 2]) >> len_scale); - accu4 = (fMultDiv2(realBuf[-1], realBuf[-2]) SHIFT); + accu4 = (fMultDiv2(realBuf[-1], realBuf[-2]) >> len_scale); accu4 += accu3; - accu3 += (fMultDiv2(realBuf[len - 1], realBuf[len - 2]) SHIFT); + accu3 += (fMultDiv2(realBuf[len - 1], realBuf[len - 2]) >> len_scale); mScale = CntLeadingZeros( (accu1 | accu2 | fAbs(accu3) | fAbs(accu4) | fAbs(accu5))) - 1; - autoCorrScaling = mScale - 1 - SHIFT_FACTOR; /* -1 because of fMultDiv2*/ + autoCorrScaling = mScale - 1 - len_scale; /* -1 because of fMultDiv2*/ /* Scale to common scale factor */ ac->r11r = accu1 << mScale; @@ -190,7 +189,7 @@ INT autoCorr2nd_cplx( const FIXP_DBL *imBuffer, /*!< Pointer to imag part of input samples */ const int len /*!< Number of input samples (should be smaller than 128) */ ) { - int j, autoCorrScaling, mScale, len_scale; + int j, autoCorrScaling, mScale; FIXP_DBL accu0, accu1, accu2, accu3, accu4, accu5, accu6, accu7, accu8; @@ -199,7 +198,7 @@ INT autoCorr2nd_cplx( const FIXP_DBL *realBuf = reBuffer; const FIXP_DBL *imagBuf = imBuffer; - (len > 64) ? (len_scale = 6) : (len_scale = 5); + const int len_scale = fMax(DFRACT_BITS - fNormz((FIXP_DBL)len), 1); /* r00r, r11r,r22r -- cgit v1.2.3 From a43c9f8822c3066efc91de366bb1b3c3bf88387a Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Fri, 17 Apr 2020 15:15:06 +0200 Subject: Prevent undefined values for CODING_SCHEME type in huff_decode(). Bug: 186706541 Test: atest android.media.cts.DecoderTestAacFormat android.media.cts.DecoderTestXheAac android.media.cts.DecoderTestAacDrc Change-Id: I82da4a5660289d1c96888d48c315f96a4a5c1c2a --- libFDK/include/nlc_dec.h | 5 +---- libFDK/src/nlc_dec.cpp | 28 +++++++++++++--------------- 2 files changed, 14 insertions(+), 19 deletions(-) (limited to 'libFDK/src') diff --git a/libFDK/include/nlc_dec.h b/libFDK/include/nlc_dec.h index cca97f1..aded569 100644 --- a/libFDK/include/nlc_dec.h +++ b/libFDK/include/nlc_dec.h @@ -1,7 +1,7 @@ /* ----------------------------------------------------------------------------- Software License for The Fraunhofer FDK AAC Codec Library for Android -© Copyright 1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten +© Copyright 1995 - 2020 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. All rights reserved. 1. INTRODUCTION @@ -159,9 +159,6 @@ typedef enum { #ifndef HUFFDEC_PARAMS #define HUFFDEC_PARMS -#define PAIR_SHIFT 4 -#define PAIR_MASK 0xf - #define MAX_ENTRIES 168 #define HANDLE_HUFF_NODE const SHORT(*)[MAX_ENTRIES][2] diff --git a/libFDK/src/nlc_dec.cpp b/libFDK/src/nlc_dec.cpp index 6e98ce0..3733d98 100644 --- a/libFDK/src/nlc_dec.cpp +++ b/libFDK/src/nlc_dec.cpp @@ -1,7 +1,7 @@ /* ----------------------------------------------------------------------------- Software License for The Fraunhofer FDK AAC Codec Library for Android -© Copyright 1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten +© Copyright 1995 - 2020 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. All rights reserved. 1. INTRODUCTION @@ -568,12 +568,12 @@ bail: static ERROR_t huff_decode(HANDLE_FDK_BITSTREAM strm, SCHAR* out_data_1, SCHAR* out_data_2, DATA_TYPE data_type, DIFF_TYPE diff_type_1, DIFF_TYPE diff_type_2, - int num_val, CODING_SCHEME* cdg_scheme, int ldMode) { + int num_val, PAIRING* pairing_scheme, int ldMode) { ERROR_t err = HUFFDEC_OK; + CODING_SCHEME coding_scheme = HUFF_1D; DIFF_TYPE diff_type; int i = 0; - ULONG data = 0; SCHAR pair_vec[28][2]; @@ -596,15 +596,13 @@ static ERROR_t huff_decode(HANDLE_FDK_BITSTREAM strm, SCHAR* out_data_1, int hufYY; /* Coding scheme */ - data = FDKreadBits(strm, 1); - *cdg_scheme = (CODING_SCHEME)(data << PAIR_SHIFT); + coding_scheme = (CODING_SCHEME)FDKreadBits(strm, 1); - if (*cdg_scheme >> PAIR_SHIFT == HUFF_2D) { + if (coding_scheme == HUFF_2D) { if ((out_data_1 != NULL) && (out_data_2 != NULL) && (ldMode == 0)) { - data = FDKreadBits(strm, 1); - *cdg_scheme = (CODING_SCHEME)(*cdg_scheme | data); + *pairing_scheme = (PAIRING)FDKreadBits(strm, 1); } else { - *cdg_scheme = (CODING_SCHEME)(*cdg_scheme | FREQ_PAIR); + *pairing_scheme = FREQ_PAIR; } } @@ -613,7 +611,7 @@ static ERROR_t huff_decode(HANDLE_FDK_BITSTREAM strm, SCHAR* out_data_1, hufYY2 = diff_type_2; } - switch (*cdg_scheme >> PAIR_SHIFT) { + switch (coding_scheme) { case HUFF_1D: p0_flag[0] = (diff_type_1 == DIFF_FREQ); p0_flag[1] = (diff_type_2 == DIFF_FREQ); @@ -634,7 +632,7 @@ static ERROR_t huff_decode(HANDLE_FDK_BITSTREAM strm, SCHAR* out_data_1, case HUFF_2D: - switch (*cdg_scheme & PAIR_MASK) { + switch (*pairing_scheme) { case FREQ_PAIR: if (out_data_1 != NULL) { @@ -843,7 +841,7 @@ ERROR_t EcDataPairDec(DECODER_TYPE DECODER, HANDLE_FDK_BITSTREAM strm, SCHAR* pDataVec[2] = {NULL, NULL}; DIFF_TYPE diff_type[2] = {DIFF_FREQ, DIFF_FREQ}; - CODING_SCHEME cdg_scheme = HUFF_1D; + PAIRING pairing = FREQ_PAIR; DIRECTION direction = BACKWARDS; switch (data_type) { @@ -959,7 +957,7 @@ ERROR_t EcDataPairDec(DECODER_TYPE DECODER, HANDLE_FDK_BITSTREAM strm, } /* Huffman decoding */ err = huff_decode(strm, pDataVec[0], pDataVec[1], data_type, diff_type[0], - diff_type[1], dataBands, &cdg_scheme, + diff_type[1], dataBands, &pairing, (DECODER == SAOC_DECODER)); if (err != HUFFDEC_OK) { return HUFFDEC_NOTOK; @@ -986,8 +984,8 @@ ERROR_t EcDataPairDec(DECODER_TYPE DECODER, HANDLE_FDK_BITSTREAM strm, } } - mixed_time_pair = (diff_type[0] != diff_type[1]) && - ((cdg_scheme & PAIR_MASK) == TIME_PAIR); + mixed_time_pair = + (diff_type[0] != diff_type[1]) && (pairing == TIME_PAIR); if (direction == BACKWARDS) { if (diff_type[0] == DIFF_FREQ) { -- cgit v1.2.3