From dbfa1cd71bbc5c0af382f47c222a72739bc101de Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Fri, 9 Aug 2019 17:06:06 +0200
Subject: Fix assert in synchronization() for loas streams with multiple sub
 frames.

Bug: 131430997
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: Icb7d4b0b00a17367c8ec762b112fbb25268d9f67
---
 libMpegTPDec/src/tpdec_lib.cpp | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

(limited to 'libMpegTPDec/src/tpdec_lib.cpp')

diff --git a/libMpegTPDec/src/tpdec_lib.cpp b/libMpegTPDec/src/tpdec_lib.cpp
index 506aed3..ede64c9 100644
--- a/libMpegTPDec/src/tpdec_lib.cpp
+++ b/libMpegTPDec/src/tpdec_lib.cpp
@@ -1,7 +1,7 @@
 /* -----------------------------------------------------------------------------
 Software License for The Fraunhofer FDK AAC Codec Library for Android
 
-© Copyright  1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten
+© Copyright  1995 - 2019 Fraunhofer-Gesellschaft zur Förderung der angewandten
 Forschung e.V. All rights reserved.
 
  1.    INTRODUCTION
@@ -663,10 +663,14 @@ TRANSPORTDEC_ERROR transportDec_FillData(const HANDLE_TRANSPORTDEC hTp,
     if (*pBytesValid == 0) {
       /* nothing to do */
       return TRANSPORTDEC_OK;
-    }
-
-    if (hTp->numberOfRawDataBlocks <= 0) {
+    } else {
+      const int bytesValid = *pBytesValid;
       FDKfeedBuffer(hBs, pBuffer, bufferSize, pBytesValid);
+
+      if (hTp->numberOfRawDataBlocks > 0) {
+        hTp->globalFramePos += (bytesValid - *pBytesValid) * 8;
+        hTp->accessUnitAnchor[layer] = FDKgetValidBits(hBs);
+      }
     }
   }
 
@@ -1151,6 +1155,11 @@ static TRANSPORTDEC_ERROR synchronization(HANDLE_TRANSPORTDEC hTp,
                                     &rawDataBlockLength, &fTraverseMoreFrames,
                                     &syncLayerFrameBits, &fConfigFound,
                                     &headerBits);
+      if (headerBits > bitsAvail) {
+        err = (headerBits < (INT)hBs->hBitBuf.bufBits)
+                  ? TRANSPORTDEC_NOT_ENOUGH_BITS
+                  : TRANSPORTDEC_SYNC_ERROR;
+      }
       if (TPDEC_IS_FATAL_ERROR(err)) {
         /* Rewind - TPDEC_SYNCSKIP, in order to look for a synch one bit ahead
          * next time. Ensure that the bit amount lands at a multiple of
@@ -1181,8 +1190,6 @@ static TRANSPORTDEC_ERROR synchronization(HANDLE_TRANSPORTDEC hTp,
     }
 
     if (err == TRANSPORTDEC_NOT_ENOUGH_BITS) {
-      /* Enforce reading of new data */
-      hTp->numberOfRawDataBlocks = 0;
       break;
     }
 
@@ -1273,7 +1280,9 @@ static TRANSPORTDEC_ERROR synchronization(HANDLE_TRANSPORTDEC hTp,
   /* Rewind for retry because of not enough bits */
   if (err == TRANSPORTDEC_NOT_ENOUGH_BITS) {
     FDKpushBack(hBs, headerBits);
+    hTp->numberOfRawDataBlocks = numRawDataBlocksPrevious;
     headerBits = 0;
+    rawDataBlockLength = rawDataBlockLengthPrevious;
   } else {
     /* reset hold off frame counter */
     hTp->holdOffFrames = 0;
-- 
cgit v1.2.3


From 8caa63f329c26fcf8dda71ed0a928a7c39c0f839 Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Wed, 13 Nov 2019 16:07:13 +0100
Subject: Avoid unsigned integer overflow in transportDec_InBandConfig() and
 transportDec_ReadAccessUnit().

Bug: 146937857
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: If2320f3a1ddf6a36c07338100481801a996e455d
---
 libMpegTPDec/src/tpdec_lib.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'libMpegTPDec/src/tpdec_lib.cpp')

diff --git a/libMpegTPDec/src/tpdec_lib.cpp b/libMpegTPDec/src/tpdec_lib.cpp
index ede64c9..617f9a1 100644
--- a/libMpegTPDec/src/tpdec_lib.cpp
+++ b/libMpegTPDec/src/tpdec_lib.cpp
@@ -482,7 +482,8 @@ TRANSPORTDEC_ERROR transportDec_InBandConfig(HANDLE_TRANSPORTDEC hTp,
 
         for (int i = 0; i < 2; i++) {
           if (i > 0) {
-            FDKpushBack(hBs, newConfigLength * 8 - FDKgetValidBits(hBs));
+            FDKpushBack(hBs,
+                        (INT)newConfigLength * 8 - (INT)FDKgetValidBits(hBs));
             configMode = AC_CM_ALLOC_MEM;
           }
           /* config transport decoder */
@@ -1469,7 +1470,7 @@ TRANSPORTDEC_ERROR transportDec_ReadAccessUnit(const HANDLE_TRANSPORTDEC hTp,
 
         for (i = 0; i < 2; i++) {
           if (i > 0) {
-            FDKpushBack(hBs, bsStart - FDKgetValidBits(hBs));
+            FDKpushBack(hBs, bsStart - (INT)FDKgetValidBits(hBs));
             configMode = AC_CM_ALLOC_MEM;
           }
 
-- 
cgit v1.2.3


From 8fee7605df2d8759a63faa3d0b1aac7d95dfc1af Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Wed, 13 Nov 2019 16:07:33 +0100
Subject: Prevent undefined syncLayerFrameBits in synchronization().

Bug: 146937540
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: Idaaa11d95c13220a9f96e6d73d4813492a740954
---
 libMpegTPDec/src/tpdec_lib.cpp | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'libMpegTPDec/src/tpdec_lib.cpp')

diff --git a/libMpegTPDec/src/tpdec_lib.cpp b/libMpegTPDec/src/tpdec_lib.cpp
index 617f9a1..7bebbaa 100644
--- a/libMpegTPDec/src/tpdec_lib.cpp
+++ b/libMpegTPDec/src/tpdec_lib.cpp
@@ -981,6 +981,9 @@ static TRANSPORTDEC_ERROR transportDec_readHeader(
               CLatmDemux_GetNrOfSubFrames(&hTp->parser.latm);
           if (hTp->transportFmt == TT_MP4_LOAS) {
             syncLayerFrameBits -= startPos - (INT)FDKgetValidBits(hBs) - (13);
+            if (syncLayerFrameBits <= 0) {
+              err = TRANSPORTDEC_SYNC_ERROR;
+            }
           }
         }
       } else {
@@ -1271,8 +1274,9 @@ static TRANSPORTDEC_ERROR synchronization(HANDLE_TRANSPORTDEC hTp,
   if (!(hTp->flags & (TPDEC_LOST_FRAMES_PENDING | TPDEC_IGNORE_BUFFERFULLNESS |
                       TPDEC_SYNCOK)) &&
       err == TRANSPORTDEC_OK) {
-    err = additionalHoldOffNeeded(hTp, transportDec_GetBufferFullness(hTp),
-                                  FDKgetValidBits(hBs) - syncLayerFrameBits);
+    err =
+        additionalHoldOffNeeded(hTp, transportDec_GetBufferFullness(hTp),
+                                (INT)FDKgetValidBits(hBs) - syncLayerFrameBits);
     if (err == TRANSPORTDEC_NOT_ENOUGH_BITS) {
       hTp->holdOffFrames++;
     }
-- 
cgit v1.2.3


From f04a8a855cf8ddb5996c8e191fd3fa15b3808657 Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Wed, 13 Nov 2019 16:10:38 +0100
Subject: Do not allow channel configuration change within PCE for ADTS. Fixes
 assert.

Bug: 146938557
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc

Change-Id: Icba99bd0eeba1f94298bdd08b85f1b0cb3cf241b
---
 libMpegTPDec/src/tpdec_adts.cpp | 38 ++++++++++++++++++++++++++++++++++++--
 libMpegTPDec/src/tpdec_lib.cpp  |  5 +++++
 2 files changed, 41 insertions(+), 2 deletions(-)

(limited to 'libMpegTPDec/src/tpdec_lib.cpp')

diff --git a/libMpegTPDec/src/tpdec_adts.cpp b/libMpegTPDec/src/tpdec_adts.cpp
index 63cc44f..f936634 100644
--- a/libMpegTPDec/src/tpdec_adts.cpp
+++ b/libMpegTPDec/src/tpdec_adts.cpp
@@ -213,8 +213,8 @@ TRANSPORTDEC_ERROR adtsRead_DecodeHeader(HANDLE_ADTS pAdts,
     goto bail;
   }
 
+  FDKcrcReset(&pAdts->crcInfo);
   if (!bs.protection_absent) {
-    FDKcrcReset(&pAdts->crcInfo);
     FDKpushBack(hBs, 56); /* complete fixed and variable header! */
     crcReg = FDKcrcStartReg(&pAdts->crcInfo, hBs, 0);
     FDKpushFor(hBs, 56);
@@ -314,12 +314,46 @@ TRANSPORTDEC_ERROR adtsRead_DecodeHeader(HANDLE_ADTS pAdts,
   if (bs.channel_config == 0) {
     int pceBits = 0;
     UINT alignAnchor = FDKgetValidBits(hBs);
+    CProgramConfig tmpPce;
 
     if (FDKreadBits(hBs, 3) == ID_PCE) {
       /* Got luck! Parse the PCE */
       crcReg = adtsRead_CrcStartReg(pAdts, hBs, 0);
 
-      CProgramConfig_Read(&pAsc->m_progrConfigElement, hBs, alignAnchor);
+      CProgramConfig_Init(&tmpPce);
+      CProgramConfig_Read(&tmpPce, hBs, alignAnchor);
+
+      if (CProgramConfig_IsValid(&tmpPce)) {
+        if (CProgramConfig_IsValid(&oldPce)) {
+          /* Compare the new and the old PCE (tags ignored) */
+          switch (CProgramConfig_Compare(&tmpPce, &oldPce)) {
+            case 0: /* Nothing to do because PCE matches the old one exactly. */
+            case 1: /* Channel configuration not changed. Just new metadata. */
+              FDKmemcpy(&pAsc->m_progrConfigElement, &tmpPce,
+                        sizeof(CProgramConfig));
+              break;
+            case 2:  /* The number of channels are identical but not the config
+                      */
+            case -1: /* The channel configuration is completely different */
+            default:
+              FDKmemcpy(&pAsc->m_progrConfigElement, &oldPce,
+                        sizeof(CProgramConfig));
+              FDKpushBack(hBs, adtsHeaderLength);
+              return TRANSPORTDEC_PARSE_ERROR;
+          }
+        } else {
+          FDKmemcpy(&pAsc->m_progrConfigElement, &tmpPce,
+                    sizeof(CProgramConfig));
+        }
+      } else {
+        if (CProgramConfig_IsValid(&oldPce)) {
+          FDKmemcpy(&pAsc->m_progrConfigElement, &oldPce,
+                    sizeof(CProgramConfig));
+        } else {
+          FDKpushBack(hBs, adtsHeaderLength);
+          return TRANSPORTDEC_PARSE_ERROR;
+        }
+      }
 
       adtsRead_CrcEndReg(pAdts, hBs, crcReg);
       pceBits = (INT)alignAnchor - (INT)FDKgetValidBits(hBs);
diff --git a/libMpegTPDec/src/tpdec_lib.cpp b/libMpegTPDec/src/tpdec_lib.cpp
index 7bebbaa..ca35184 100644
--- a/libMpegTPDec/src/tpdec_lib.cpp
+++ b/libMpegTPDec/src/tpdec_lib.cpp
@@ -929,6 +929,11 @@ static TRANSPORTDEC_ERROR transportDec_readHeader(
               }
             }
           }
+          /* if an error is detected terminate config parsing to avoid that an
+           * invalid config is accepted in the second pass */
+          if (err != TRANSPORTDEC_OK) {
+            break;
+          }
         }
       } else {
         /* Reset CRC because the next bits are the beginning of a
-- 
cgit v1.2.3