From 262c9f28ec50e2ebbd2cdd64bd82831d957cf420 Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK
Date: Wed, 13 Nov 2019 16:07:47 +0100
Subject: Avoid negative valid bits in adtsRead_DecodeHeader()
Avoid negative valid bits in adtsRead_DecodeHeader() and prevent unsigned integer overflow.
Bug: 146937602
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: I264ff99e0461352ae5c2b2031393b67a7fa44571
---
 libMpegTPDec/src/tpdec_adts.cpp | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'libMpegTPDec/src/tpdec_adts.cpp')
diff --git a/libMpegTPDec/src/tpdec_adts.cpp b/libMpegTPDec/src/tpdec_adts.cpp
index 1a4e3fd..63cc44f 100644
--- a/libMpegTPDec/src/tpdec_adts.cpp
+++ b/libMpegTPDec/src/tpdec_adts.cpp
@@ -1,7 +1,7 @@
 /* -----------------------------------------------------------------------------
 Software License for The Fraunhofer FDK AAC Codec Library for Android
-© Copyright 1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten
+© Copyright 1995 - 2020 Fraunhofer-Gesellschaft zur Förderung der angewandten
 Forschung e.V. All rights reserved.
 1. INTRODUCTION
@@ -322,7 +322,13 @@ TRANSPORTDEC_ERROR adtsRead_DecodeHeader(HANDLE_ADTS pAdts,
 CProgramConfig_Read(&pAsc->m_progrConfigElement, hBs, alignAnchor);
 adtsRead_CrcEndReg(pAdts, hBs, crcReg);
- pceBits = alignAnchor - FDKgetValidBits(hBs);
+ pceBits = (INT)alignAnchor - (INT)FDKgetValidBits(hBs);
+ adtsHeaderLength += pceBits;
+
+ if (pceBits > (INT)alignAnchor) {
+ goto bail;
+ }
+ /* store the number of PCE bits */
 bs.num_pce_bits = pceBits;
 } else {
-- cgit v1.2.3
From f04a8a855cf8ddb5996c8e191fd3fa15b3808657 Mon Sep 17 00:00:00 2001
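Review bot: The guard `if (pceBits > (INT)alignAnchor)` in adtsRead_DecodeHeader() does not say what it tests: it is true exactly when `(INT)FDKgetValidBits(hBs)` is negative, i.e. when parsing the PCE consumed more bits than were available. A comment such as `/* valid bits went negative: the PCE read ran past the buffered data */` above the `if` would make that explicit. Note also that `adtsHeaderLength += pceBits;` runs before the guard, so the oversized `pceBits` is already part of `adtsHeaderLength` when control reaches `bail`; the `bail` label is outside this hunk, so if it rewinds by `adtsHeaderLength` the comment should state that this ordering is intended. The check also relies on how the implementation converts unsigned values above INT_MAX in the two `(INT)` casts.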
From: Fraunhofer IIS FDK
Date: Wed, 13 Nov 2019 16:10:38 +0100
Subject: Do not allow channel configuration change within PCE for ADTS. Fixes assert.
Bug: 146938557
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: Icba99bd0eeba1f94298bdd08b85f1b0cb3cf241b
---
 libMpegTPDec/src/tpdec_adts.cpp | 38 ++++++++++++++++++++++++++++++++++++--
 libMpegTPDec/src/tpdec_lib.cpp | 5 +++++
 2 files changed, 41 insertions(+), 2 deletions(-)
(limited to 'libMpegTPDec/src/tpdec_adts.cpp')
diff --git a/libMpegTPDec/src/tpdec_adts.cpp b/libMpegTPDec/src/tpdec_adts.cpp
index 63cc44f..f936634 100644
--- a/libMpegTPDec/src/tpdec_adts.cpp
+++ b/libMpegTPDec/src/tpdec_adts.cpp
@@ -213,8 +213,8 @@ TRANSPORTDEC_ERROR adtsRead_DecodeHeader(HANDLE_ADTS pAdts,
 goto bail;
 }
+ FDKcrcReset(&pAdts->crcInfo);
 if (!bs.protection_absent) {
- FDKcrcReset(&pAdts->crcInfo);
 FDKpushBack(hBs, 56); /* complete fixed and variable header! */
 crcReg = FDKcrcStartReg(&pAdts->crcInfo, hBs, 0);
 FDKpushFor(hBs, 56);
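Review bot: The now-unconditional `FDKcrcReset(&pAdts->crcInfo);` has no comment, and the commit message does not mention it. It may be connected to the early returns added further down in adtsRead_DecodeHeader(), which leave between `adtsRead_CrcStartReg()` and `adtsRead_CrcEndReg()`, but that cannot be confirmed from this hunk. A one-line comment above the call stating why CRC state must be cleared even when `bs.protection_absent` is set would keep a later cleanup from moving the reset back inside the `if`.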
@@ -314,12 +314,46 @@ TRANSPORTDEC_ERROR adtsRead_DecodeHeader(HANDLE_ADTS pAdts,
 if (bs.channel_config == 0) {
 int pceBits = 0;
 UINT alignAnchor = FDKgetValidBits(hBs);
+ CProgramConfig tmpPce;
 if (FDKreadBits(hBs, 3) == ID_PCE) {
 /* Got luck! Parse the PCE */
 crcReg = adtsRead_CrcStartReg(pAdts, hBs, 0);
- CProgramConfig_Read(&pAsc->m_progrConfigElement, hBs, alignAnchor);
+ CProgramConfig_Init(&tmpPce);
+ CProgramConfig_Read(&tmpPce, hBs, alignAnchor);
+
+ if (CProgramConfig_IsValid(&tmpPce)) {
+ if (CProgramConfig_IsValid(&oldPce)) {
+ /* Compare the new and the old PCE (tags ignored) */
+ switch (CProgramConfig_Compare(&tmpPce, &oldPce)) {
+ case 0: /* Nothing to do because PCE matches the old one exactly. */
+ case 1: /* Channel configuration not changed. Just new metadata. */
+ FDKmemcpy(&pAsc->m_progrConfigElement, &tmpPce,
+ sizeof(CProgramConfig));
+ break;
+ case 2: /* The number of channels are identical but not the config
+ */
+ case -1: /* The channel configuration is completely different */
+ default:
+ FDKmemcpy(&pAsc->m_progrConfigElement, &oldPce,
+ sizeof(CProgramConfig));
+ FDKpushBack(hBs, adtsHeaderLength);
+ return TRANSPORTDEC_PARSE_ERROR;
+ }
+ } else {
+ FDKmemcpy(&pAsc->m_progrConfigElement, &tmpPce,
+ sizeof(CProgramConfig));
+ }
+ } else {
+ if (CProgramConfig_IsValid(&oldPce)) {
+ FDKmemcpy(&pAsc->m_progrConfigElement, &oldPce,
+ sizeof(CProgramConfig));
+ } else {
+ FDKpushBack(hBs, adtsHeaderLength);
+ return TRANSPORTDEC_PARSE_ERROR;
+ }
+ }
 adtsRead_CrcEndReg(pAdts, hBs, crcReg);
 pceBits = (INT)alignAnchor - (INT)FDKgetValidBits(hBs);
diff --git a/libMpegTPDec/src/tpdec_lib.cpp b/libMpegTPDec/src/tpdec_lib.cpp
index 7bebbaa..ca35184 100644
--- a/libMpegTPDec/src/tpdec_lib.cpp
+++ b/libMpegTPDec/src/tpdec_lib.cpp
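Review bot: Both new `return TRANSPORTDEC_PARSE_ERROR;` paths in adtsRead_DecodeHeader() exit between `adtsRead_CrcStartReg()` and the matching `adtsRead_CrcEndReg()`, and they call `FDKpushBack(hBs, adtsHeaderLength)` before the PCE bits have been counted (`adtsHeaderLength += pceBits;` only runs after this block), so the 3-bit element ID and the PCE payload stay consumed. If the rewind is meant to restore the position before the header, move `adtsRead_CrcEndReg(...)`, the `pceBits` computation and `adtsHeaderLength += pceBits;` ahead of the `CProgramConfig_IsValid(&tmpPce)` test; otherwise add a comment saying the partial rewind is intended. The same reordering would let the over-read check on `pceBits` run before `tmpPce` is copied into `pAsc->m_progrConfigElement`; as written, a PCE parsed past the end of the buffered data may be committed before that check reaches `bail`. `oldPce` is neither declared nor assigned in this patch, so its initialisation has to be checked in the code outside the hunk.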
@@ -929,6 +929,11 @@ static TRANSPORTDEC_ERROR transportDec_readHeader(
 }
 }
 }
+ /* if an error is detected terminate config parsing to avoid that an
+ * invalid config is accepted in the second pass */
+ if (err != TRANSPORTDEC_OK) {
+ break;
+ }
 }
 } else {
 /* Reset CRC because the next bits are the beginning of a
-- cgit v1.2.3
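Review bot: The added comment speaks of "the second pass", but nothing in the hunk says which loop the `break` leaves or what the two passes are; the enclosing loops of transportDec_readHeader() start outside the hunk. Extending the comment to name the loop being left, and to say what happens to `err` after it, would make the early exit checkable without reading the whole function. It is also worth confirming that every non-OK value of `err` that can reach this point is meant to stop config parsing, since the test does not distinguish between error codes.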