From cc825aecf5ff8c2c7027f7424d7933cd80d6f3bb Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Fri, 9 Aug 2019 17:05:33 +0200
Subject: Restrict sampling rates parsed from bitstream to maximum of 96kHz.

Bug: 131430997
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: I2511a7cfcdf1bae57d17c02c93867ccc4f1ea693
---
 libMpegTPDec/src/tpdec_asc.cpp | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

(limited to 'libMpegTPDec/src')

diff --git a/libMpegTPDec/src/tpdec_asc.cpp b/libMpegTPDec/src/tpdec_asc.cpp
index 28bc22d..a86c2cb 100644
--- a/libMpegTPDec/src/tpdec_asc.cpp
+++ b/libMpegTPDec/src/tpdec_asc.cpp
@@ -1,7 +1,7 @@
 /* -----------------------------------------------------------------------------
 Software License for The Fraunhofer FDK AAC Codec Library for Android
 
-© Copyright  1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten
+© Copyright  1995 - 2019 Fraunhofer-Gesellschaft zur Förderung der angewandten
 Forschung e.V. All rights reserved.
 
  1.    INTRODUCTION
@@ -1440,7 +1440,8 @@ static TRANSPORTDEC_ERROR EldSpecificConfig_Parse(CSAudioSpecificConfig *asc,
         UCHAR tmpDownscaleFreqIdx;
         esc->m_downscaledSamplingFrequency =
             getSampleRate(hBs, &tmpDownscaleFreqIdx, 4);
-        if (esc->m_downscaledSamplingFrequency == 0) {
+        if (esc->m_downscaledSamplingFrequency == 0 ||
+            esc->m_downscaledSamplingFrequency > 96000) {
           return TRANSPORTDEC_PARSE_ERROR;
         }
         downscale_fill_nibble = FDKreadBits(hBs, 4);
@@ -1948,6 +1949,9 @@ static TRANSPORTDEC_ERROR UsacConfig_Parse(CSAudioSpecificConfig *asc,
   INT nbits = (INT)FDKgetValidBits(hBs);
 
   usacSamplingFrequency = getSampleRate(hBs, &asc->m_samplingFrequencyIndex, 5);
+  if (usacSamplingFrequency == 0 || usacSamplingFrequency > 96000) {
+    return TRANSPORTDEC_PARSE_ERROR;
+  }
   asc->m_samplingFrequency = (UINT)usacSamplingFrequency;
 
   coreSbrFrameLengthIndex = FDKreadBits(hBs, 3);
@@ -2027,7 +2031,8 @@ static TRANSPORTDEC_ERROR AudioSpecificConfig_ExtensionParse(
               self->m_extensionSamplingFrequency = getSampleRate(
                   bs, &self->m_extensionSamplingFrequencyIndex, 4);
 
-              if ((INT)self->m_extensionSamplingFrequency <= 0) {
+              if (self->m_extensionSamplingFrequency == 0 ||
+                  self->m_extensionSamplingFrequency > 96000) {
                 return TRANSPORTDEC_PARSE_ERROR;
               }
             }
@@ -2153,6 +2158,10 @@ TRANSPORTDEC_ERROR AudioSpecificConfig_Parse(
 
       self->m_extensionSamplingFrequency =
           getSampleRate(bs, &self->m_extensionSamplingFrequencyIndex, 4);
+      if (self->m_extensionSamplingFrequency == 0 ||
+          self->m_extensionSamplingFrequency > 96000) {
+        return TRANSPORTDEC_PARSE_ERROR;
+      }
       self->m_aot = getAOT(bs);
 
       switch (self->m_aot) {
-- 
cgit v1.2.3


From dbfa1cd71bbc5c0af382f47c222a72739bc101de Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Fri, 9 Aug 2019 17:06:06 +0200
Subject: Fix assert in synchronization() for loas streams with multiple sub
 frames.

Bug: 131430997
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: Icb7d4b0b00a17367c8ec762b112fbb25268d9f67
---
 libMpegTPDec/src/tpdec_lib.cpp | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

(limited to 'libMpegTPDec/src')

diff --git a/libMpegTPDec/src/tpdec_lib.cpp b/libMpegTPDec/src/tpdec_lib.cpp
index 506aed3..ede64c9 100644
--- a/libMpegTPDec/src/tpdec_lib.cpp
+++ b/libMpegTPDec/src/tpdec_lib.cpp
@@ -1,7 +1,7 @@
 /* -----------------------------------------------------------------------------
 Software License for The Fraunhofer FDK AAC Codec Library for Android
 
-© Copyright  1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten
+© Copyright  1995 - 2019 Fraunhofer-Gesellschaft zur Förderung der angewandten
 Forschung e.V. All rights reserved.
 
  1.    INTRODUCTION
@@ -663,10 +663,14 @@ TRANSPORTDEC_ERROR transportDec_FillData(const HANDLE_TRANSPORTDEC hTp,
     if (*pBytesValid == 0) {
       /* nothing to do */
       return TRANSPORTDEC_OK;
-    }
-
-    if (hTp->numberOfRawDataBlocks <= 0) {
+    } else {
+      const int bytesValid = *pBytesValid;
       FDKfeedBuffer(hBs, pBuffer, bufferSize, pBytesValid);
+
+      if (hTp->numberOfRawDataBlocks > 0) {
+        hTp->globalFramePos += (bytesValid - *pBytesValid) * 8;
+        hTp->accessUnitAnchor[layer] = FDKgetValidBits(hBs);
+      }
     }
   }
 
@@ -1151,6 +1155,11 @@ static TRANSPORTDEC_ERROR synchronization(HANDLE_TRANSPORTDEC hTp,
                                     &rawDataBlockLength, &fTraverseMoreFrames,
                                     &syncLayerFrameBits, &fConfigFound,
                                     &headerBits);
+      if (headerBits > bitsAvail) {
+        err = (headerBits < (INT)hBs->hBitBuf.bufBits)
+                  ? TRANSPORTDEC_NOT_ENOUGH_BITS
+                  : TRANSPORTDEC_SYNC_ERROR;
+      }
       if (TPDEC_IS_FATAL_ERROR(err)) {
         /* Rewind - TPDEC_SYNCSKIP, in order to look for a synch one bit ahead
          * next time. Ensure that the bit amount lands at a multiple of
@@ -1181,8 +1190,6 @@ static TRANSPORTDEC_ERROR synchronization(HANDLE_TRANSPORTDEC hTp,
     }
 
     if (err == TRANSPORTDEC_NOT_ENOUGH_BITS) {
-      /* Enforce reading of new data */
-      hTp->numberOfRawDataBlocks = 0;
       break;
     }
 
@@ -1273,7 +1280,9 @@ static TRANSPORTDEC_ERROR synchronization(HANDLE_TRANSPORTDEC hTp,
   /* Rewind for retry because of not enough bits */
   if (err == TRANSPORTDEC_NOT_ENOUGH_BITS) {
     FDKpushBack(hBs, headerBits);
+    hTp->numberOfRawDataBlocks = numRawDataBlocksPrevious;
     headerBits = 0;
+    rawDataBlockLength = rawDataBlockLengthPrevious;
   } else {
     /* reset hold off frame counter */
     hTp->holdOffFrames = 0;
-- 
cgit v1.2.3


From 572f59359a5e71f59a09e2dbc75aa45e7eaaa360 Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Fri, 9 Aug 2019 17:07:39 +0200
Subject: Reject unsupported channel configuration / audio object type
 combinations.

Bug: 131430997
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: I84bd355df0f690636c109695d8df64fa7bdcf63c
---
 libMpegTPDec/src/tpdec_asc.cpp | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

(limited to 'libMpegTPDec/src')

diff --git a/libMpegTPDec/src/tpdec_asc.cpp b/libMpegTPDec/src/tpdec_asc.cpp
index a86c2cb..ad13378 100644
--- a/libMpegTPDec/src/tpdec_asc.cpp
+++ b/libMpegTPDec/src/tpdec_asc.cpp
@@ -2144,6 +2144,24 @@ TRANSPORTDEC_ERROR AudioSpecificConfig_Parse(
 
     self->m_channelConfiguration = FDKreadBits(bs, 4);
 
+    /* MPEG-04 standard ISO/IEC 14496-3: channelConfiguration == 0 is reserved
+       in er_raw_data_block (table 4.19) and er_raw_data_block_eld (table 4.75)
+       MPEG-04 conformance ISO/IEC 14496-4: channelConfiguration == 0 is not
+       permitted for AOT_ER_AAC_LC, AOT_ER_AAC_LTP, AOT_ER_AAC_LD,
+       AOT_ER_AAC_SCAL (chapter 6.6.4.1.2.1.1) */
+    if ((self->m_channelConfiguration == 0) &&
+        ((self->m_aot == AOT_ER_AAC_LC) || (self->m_aot == AOT_ER_AAC_LTP) ||
+         (self->m_aot == AOT_ER_AAC_LD) || (self->m_aot == AOT_ER_AAC_SCAL) ||
+         (self->m_aot == AOT_ER_AAC_ELD))) {
+      return TRANSPORTDEC_UNSUPPORTED_FORMAT;
+    }
+    /* MPEG-04 conformance ISO/IEC 14496-4: channelConfiguration > 2 is not
+     * permitted for AOT_AAC_SCAL and AOT_ER_AAC_SCAL (chapter 6.6.4.1.2.1.1) */
+    if ((self->m_channelConfiguration > 2) &&
+        ((self->m_aot == AOT_AAC_SCAL) || (self->m_aot == AOT_ER_AAC_SCAL))) {
+      return TRANSPORTDEC_UNSUPPORTED_FORMAT;
+    }
+
     /* SBR extension ( explicit non-backwards compatible mode ) */
     self->m_sbrPresentFlag = 0;
     self->m_psPresentFlag = 0;
-- 
cgit v1.2.3


From f0e1e3f8c7f835a0faf259ef21a51b55e2cec1f3 Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Fri, 20 Sep 2019 13:55:57 +0200
Subject: Validate correct ascLen in CLatmDemux_ReadStreamMuxConfig() to
 overcome integer overflow in FDK_get32().

Bug: 131430997
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: I87b53661df7a435ddf3572a0ff8b6ef84972db60
---
 libMpegTPDec/src/tpdec_latm.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'libMpegTPDec/src')

diff --git a/libMpegTPDec/src/tpdec_latm.cpp b/libMpegTPDec/src/tpdec_latm.cpp
index 2edf055..3b71db8 100644
--- a/libMpegTPDec/src/tpdec_latm.cpp
+++ b/libMpegTPDec/src/tpdec_latm.cpp
@@ -1,7 +1,7 @@
 /* -----------------------------------------------------------------------------
 Software License for The Fraunhofer FDK AAC Codec Library for Android
 
-© Copyright  1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten
+© Copyright  1995 - 2019 Fraunhofer-Gesellschaft zur Förderung der angewandten
 Forschung e.V. All rights reserved.
 
  1.    INTRODUCTION
@@ -367,10 +367,10 @@ TRANSPORTDEC_ERROR CLatmDemux_ReadStreamMuxConfig(
           }
           if (pLatmDemux->m_AudioMuxVersion == 1) {
             FDK_BITSTREAM tmpBs;
-            UINT ascLen = 0;
+            INT ascLen = 0;
             ascLen = CLatmDemux_GetValue(bs);
             /* The ascLen could be wrong, so check if validBits<=bufBits*/
-            if (ascLen > FDKgetValidBits(bs)) {
+            if (ascLen < 0 || ascLen > (INT)FDKgetValidBits(bs)) {
               ErrorStatus = TRANSPORTDEC_PARSE_ERROR;
               goto bail;
             }
-- 
cgit v1.2.3


From 24171ed080e447c3ed01643833ba711dcae91293 Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Tue, 29 Oct 2019 13:06:56 +0100
Subject: Add loop abort criterion to prevent timeout in
 EldSpecificConfig_Parse().

Bug: 145668344
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: Iea6457e8545438c7ad4d05a682ffa656ec35ead9
---
 libMpegTPDec/src/tpdec_asc.cpp | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

(limited to 'libMpegTPDec/src')

diff --git a/libMpegTPDec/src/tpdec_asc.cpp b/libMpegTPDec/src/tpdec_asc.cpp
index ad13378..82f840e 100644
--- a/libMpegTPDec/src/tpdec_asc.cpp
+++ b/libMpegTPDec/src/tpdec_asc.cpp
@@ -1325,9 +1325,9 @@ static TRANSPORTDEC_ERROR EldSpecificConfig_Parse(CSAudioSpecificConfig *asc,
                                                   CSTpCallBacks *cb) {
   TRANSPORTDEC_ERROR ErrorStatus = TRANSPORTDEC_OK;
   CSEldSpecificConfig *esc = &asc->m_sc.m_eldSpecificConfig;
-  ASC_ELD_EXT_TYPE eldExtType;
+  UINT eldExtType;
   int eldExtLen, len, cnt, ldSbrLen = 0, eldExtLenSum, numSbrHeader = 0,
-                           sbrIndex;
+                           sbrIndex, eldExtCnt = 0;
 
   unsigned char downscale_fill_nibble;
 
@@ -1394,9 +1394,8 @@ static TRANSPORTDEC_ERROR EldSpecificConfig_Parse(CSAudioSpecificConfig *asc,
   eldExtLenSum = FDKgetValidBits(hBs);
   esc->m_downscaledSamplingFrequency = asc->m_samplingFrequency;
   /* parse ExtTypeConfigData */
-  while (
-      ((eldExtType = (ASC_ELD_EXT_TYPE)FDKreadBits(hBs, 4)) != ELDEXT_TERM) &&
-      ((INT)FDKgetValidBits(hBs) >= 0)) {
+  while (((eldExtType = FDKreadBits(hBs, 4)) != ELDEXT_TERM) &&
+         ((INT)FDKgetValidBits(hBs) >= 0) && (eldExtCnt++ < 15)) {
     eldExtLen = len = FDKreadBits(hBs, 4);
     if (len == 0xf) {
       len = FDKreadBits(hBs, 8);
@@ -1455,6 +1454,9 @@ static TRANSPORTDEC_ERROR EldSpecificConfig_Parse(CSAudioSpecificConfig *asc,
         break;
     }
   }
+  if (eldExtType != ELDEXT_TERM) {
+    return TRANSPORTDEC_PARSE_ERROR;
+  }
 
   if ((INT)FDKgetValidBits(hBs) < 0) {
     return TRANSPORTDEC_PARSE_ERROR;
-- 
cgit v1.2.3


From 8caa63f329c26fcf8dda71ed0a928a7c39c0f839 Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Wed, 13 Nov 2019 16:07:13 +0100
Subject: Avoid unsigned integer overflow in transportDec_InBandConfig() and
 transportDec_ReadAccessUnit().

Bug: 146937857
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: If2320f3a1ddf6a36c07338100481801a996e455d
---
 libMpegTPDec/src/tpdec_lib.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'libMpegTPDec/src')

diff --git a/libMpegTPDec/src/tpdec_lib.cpp b/libMpegTPDec/src/tpdec_lib.cpp
index ede64c9..617f9a1 100644
--- a/libMpegTPDec/src/tpdec_lib.cpp
+++ b/libMpegTPDec/src/tpdec_lib.cpp
@@ -482,7 +482,8 @@ TRANSPORTDEC_ERROR transportDec_InBandConfig(HANDLE_TRANSPORTDEC hTp,
 
         for (int i = 0; i < 2; i++) {
           if (i > 0) {
-            FDKpushBack(hBs, newConfigLength * 8 - FDKgetValidBits(hBs));
+            FDKpushBack(hBs,
+                        (INT)newConfigLength * 8 - (INT)FDKgetValidBits(hBs));
             configMode = AC_CM_ALLOC_MEM;
           }
           /* config transport decoder */
@@ -1469,7 +1470,7 @@ TRANSPORTDEC_ERROR transportDec_ReadAccessUnit(const HANDLE_TRANSPORTDEC hTp,
 
         for (i = 0; i < 2; i++) {
           if (i > 0) {
-            FDKpushBack(hBs, bsStart - FDKgetValidBits(hBs));
+            FDKpushBack(hBs, bsStart - (INT)FDKgetValidBits(hBs));
             configMode = AC_CM_ALLOC_MEM;
           }
 
-- 
cgit v1.2.3


From 8fee7605df2d8759a63faa3d0b1aac7d95dfc1af Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Wed, 13 Nov 2019 16:07:33 +0100
Subject: Prevent undefined syncLayerFrameBits in synchronization().

Bug: 146937540
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: Idaaa11d95c13220a9f96e6d73d4813492a740954
---
 libMpegTPDec/src/tpdec_lib.cpp | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'libMpegTPDec/src')

diff --git a/libMpegTPDec/src/tpdec_lib.cpp b/libMpegTPDec/src/tpdec_lib.cpp
index 617f9a1..7bebbaa 100644
--- a/libMpegTPDec/src/tpdec_lib.cpp
+++ b/libMpegTPDec/src/tpdec_lib.cpp
@@ -981,6 +981,9 @@ static TRANSPORTDEC_ERROR transportDec_readHeader(
               CLatmDemux_GetNrOfSubFrames(&hTp->parser.latm);
           if (hTp->transportFmt == TT_MP4_LOAS) {
             syncLayerFrameBits -= startPos - (INT)FDKgetValidBits(hBs) - (13);
+            if (syncLayerFrameBits <= 0) {
+              err = TRANSPORTDEC_SYNC_ERROR;
+            }
           }
         }
       } else {
@@ -1271,8 +1274,9 @@ static TRANSPORTDEC_ERROR synchronization(HANDLE_TRANSPORTDEC hTp,
   if (!(hTp->flags & (TPDEC_LOST_FRAMES_PENDING | TPDEC_IGNORE_BUFFERFULLNESS |
                       TPDEC_SYNCOK)) &&
       err == TRANSPORTDEC_OK) {
-    err = additionalHoldOffNeeded(hTp, transportDec_GetBufferFullness(hTp),
-                                  FDKgetValidBits(hBs) - syncLayerFrameBits);
+    err =
+        additionalHoldOffNeeded(hTp, transportDec_GetBufferFullness(hTp),
+                                (INT)FDKgetValidBits(hBs) - syncLayerFrameBits);
     if (err == TRANSPORTDEC_NOT_ENOUGH_BITS) {
       hTp->holdOffFrames++;
     }
-- 
cgit v1.2.3


From 262c9f28ec50e2ebbd2cdd64bd82831d957cf420 Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Wed, 13 Nov 2019 16:07:47 +0100
Subject: Avoid negative valid bits in adtsRead_DecodeHeader()

Avoid negative valid bits in adtsRead_DecodeHeader()
and prevent unsigned integer overflow.

Bug: 146937602
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: I264ff99e0461352ae5c2b2031393b67a7fa44571
---
 libMpegTPDec/src/tpdec_adts.cpp | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'libMpegTPDec/src')

diff --git a/libMpegTPDec/src/tpdec_adts.cpp b/libMpegTPDec/src/tpdec_adts.cpp
index 1a4e3fd..63cc44f 100644
--- a/libMpegTPDec/src/tpdec_adts.cpp
+++ b/libMpegTPDec/src/tpdec_adts.cpp
@@ -1,7 +1,7 @@
 /* -----------------------------------------------------------------------------
 Software License for The Fraunhofer FDK AAC Codec Library for Android
 
-© Copyright  1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten
+© Copyright  1995 - 2020 Fraunhofer-Gesellschaft zur Förderung der angewandten
 Forschung e.V. All rights reserved.
 
  1.    INTRODUCTION
@@ -322,7 +322,13 @@ TRANSPORTDEC_ERROR adtsRead_DecodeHeader(HANDLE_ADTS pAdts,
       CProgramConfig_Read(&pAsc->m_progrConfigElement, hBs, alignAnchor);
 
       adtsRead_CrcEndReg(pAdts, hBs, crcReg);
-      pceBits = alignAnchor - FDKgetValidBits(hBs);
+      pceBits = (INT)alignAnchor - (INT)FDKgetValidBits(hBs);
+      adtsHeaderLength += pceBits;
+
+      if (pceBits > (INT)alignAnchor) {
+        goto bail;
+      }
+
       /* store the number of PCE bits */
       bs.num_pce_bits = pceBits;
     } else {
-- 
cgit v1.2.3


From f04a8a855cf8ddb5996c8e191fd3fa15b3808657 Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
Date: Wed, 13 Nov 2019 16:10:38 +0100
Subject: Do not allow channel configuration change within PCE for ADTS. Fixes
 assert.

Bug: 146938557
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc

Change-Id: Icba99bd0eeba1f94298bdd08b85f1b0cb3cf241b
---
 libMpegTPDec/src/tpdec_adts.cpp | 38 ++++++++++++++++++++++++++++++++++++--
 libMpegTPDec/src/tpdec_lib.cpp  |  5 +++++
 2 files changed, 41 insertions(+), 2 deletions(-)

(limited to 'libMpegTPDec/src')

diff --git a/libMpegTPDec/src/tpdec_adts.cpp b/libMpegTPDec/src/tpdec_adts.cpp
index 63cc44f..f936634 100644
--- a/libMpegTPDec/src/tpdec_adts.cpp
+++ b/libMpegTPDec/src/tpdec_adts.cpp
@@ -213,8 +213,8 @@ TRANSPORTDEC_ERROR adtsRead_DecodeHeader(HANDLE_ADTS pAdts,
     goto bail;
   }
 
+  FDKcrcReset(&pAdts->crcInfo);
   if (!bs.protection_absent) {
-    FDKcrcReset(&pAdts->crcInfo);
     FDKpushBack(hBs, 56); /* complete fixed and variable header! */
     crcReg = FDKcrcStartReg(&pAdts->crcInfo, hBs, 0);
     FDKpushFor(hBs, 56);
@@ -314,12 +314,46 @@ TRANSPORTDEC_ERROR adtsRead_DecodeHeader(HANDLE_ADTS pAdts,
   if (bs.channel_config == 0) {
     int pceBits = 0;
     UINT alignAnchor = FDKgetValidBits(hBs);
+    CProgramConfig tmpPce;
 
     if (FDKreadBits(hBs, 3) == ID_PCE) {
       /* Got luck! Parse the PCE */
       crcReg = adtsRead_CrcStartReg(pAdts, hBs, 0);
 
-      CProgramConfig_Read(&pAsc->m_progrConfigElement, hBs, alignAnchor);
+      CProgramConfig_Init(&tmpPce);
+      CProgramConfig_Read(&tmpPce, hBs, alignAnchor);
+
+      if (CProgramConfig_IsValid(&tmpPce)) {
+        if (CProgramConfig_IsValid(&oldPce)) {
+          /* Compare the new and the old PCE (tags ignored) */
+          switch (CProgramConfig_Compare(&tmpPce, &oldPce)) {
+            case 0: /* Nothing to do because PCE matches the old one exactly. */
+            case 1: /* Channel configuration not changed. Just new metadata. */
+              FDKmemcpy(&pAsc->m_progrConfigElement, &tmpPce,
+                        sizeof(CProgramConfig));
+              break;
+            case 2:  /* The number of channels are identical but not the config
+                      */
+            case -1: /* The channel configuration is completely different */
+            default:
+              FDKmemcpy(&pAsc->m_progrConfigElement, &oldPce,
+                        sizeof(CProgramConfig));
+              FDKpushBack(hBs, adtsHeaderLength);
+              return TRANSPORTDEC_PARSE_ERROR;
+          }
+        } else {
+          FDKmemcpy(&pAsc->m_progrConfigElement, &tmpPce,
+                    sizeof(CProgramConfig));
+        }
+      } else {
+        if (CProgramConfig_IsValid(&oldPce)) {
+          FDKmemcpy(&pAsc->m_progrConfigElement, &oldPce,
+                    sizeof(CProgramConfig));
+        } else {
+          FDKpushBack(hBs, adtsHeaderLength);
+          return TRANSPORTDEC_PARSE_ERROR;
+        }
+      }
 
       adtsRead_CrcEndReg(pAdts, hBs, crcReg);
       pceBits = (INT)alignAnchor - (INT)FDKgetValidBits(hBs);
diff --git a/libMpegTPDec/src/tpdec_lib.cpp b/libMpegTPDec/src/tpdec_lib.cpp
index 7bebbaa..ca35184 100644
--- a/libMpegTPDec/src/tpdec_lib.cpp
+++ b/libMpegTPDec/src/tpdec_lib.cpp
@@ -929,6 +929,11 @@ static TRANSPORTDEC_ERROR transportDec_readHeader(
               }
             }
           }
+          /* if an error is detected terminate config parsing to avoid that an
+           * invalid config is accepted in the second pass */
+          if (err != TRANSPORTDEC_OK) {
+            break;
+          }
         }
       } else {
         /* Reset CRC because the next bits are the beginning of a
-- 
cgit v1.2.3


From 7f7bbce892d9e8ed45e4ee2ee7dcefc1cd87a763 Mon Sep 17 00:00:00 2001
From: Anuj Joshi <anuj.joshi@ittiam.com>
Date: Fri, 27 Mar 2020 10:43:08 +0530
Subject: Stop using __DATE__/__TIME__ on all builds

Test: mmma external/libaac
Bug: 151595970

Change-Id: Icd937cad3e4e2f70a5486cca424544eb410be26f
---
 Android.bp                       | 1 +
 libAACdec/src/aacdecoder_lib.cpp | 2 +-
 libAACenc/src/aacenc_lib.cpp     | 2 +-
 libDRCdec/src/FDK_drcDecLib.cpp  | 2 +-
 libFDK/src/FDK_core.cpp          | 2 +-
 libMpegTPDec/src/tpdec_lib.cpp   | 2 +-
 libMpegTPEnc/src/tpenc_lib.cpp   | 2 +-
 libPCMutils/src/version.h        | 2 +-
 libSACdec/src/sac_dec_lib.cpp    | 2 +-
 libSACenc/src/sacenc_lib.cpp     | 2 +-
 libSBRdec/src/sbrdecoder.cpp     | 2 +-
 libSBRenc/src/sbr_encoder.cpp    | 2 +-
 12 files changed, 12 insertions(+), 11 deletions(-)

(limited to 'libMpegTPDec/src')

diff --git a/Android.bp b/Android.bp
index 80a0347..4d52b71 100644
--- a/Android.bp
+++ b/Android.bp
@@ -23,6 +23,7 @@ cc_library_static {
         "-Wuninitialized",
         "-Wno-self-assign",
         "-Wno-implicit-fallthrough",
+        "-DSUPPRESS_BUILD_DATE_INFO",
     ],
     sanitize: {
         misc_undefined:[
diff --git a/libAACdec/src/aacdecoder_lib.cpp b/libAACdec/src/aacdecoder_lib.cpp
index 86ec899..3a1fc48 100644
--- a/libAACdec/src/aacdecoder_lib.cpp
+++ b/libAACdec/src/aacdecoder_lib.cpp
@@ -122,7 +122,7 @@ amm-info@iis.fraunhofer.de
 #define AACDECODER_LIB_VL1 1
 #define AACDECODER_LIB_VL2 2
 #define AACDECODER_LIB_TITLE "AAC Decoder Lib"
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
 #define AACDECODER_LIB_BUILD_DATE ""
 #define AACDECODER_LIB_BUILD_TIME ""
 #else
diff --git a/libAACenc/src/aacenc_lib.cpp b/libAACenc/src/aacenc_lib.cpp
index 0f0094f..a152c0d 100644
--- a/libAACenc/src/aacenc_lib.cpp
+++ b/libAACenc/src/aacenc_lib.cpp
@@ -112,7 +112,7 @@ amm-info@iis.fraunhofer.de
 #define AACENCODER_LIB_VL1 0
 #define AACENCODER_LIB_VL2 0
 #define AACENCODER_LIB_TITLE "AAC Encoder"
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
 #define AACENCODER_LIB_BUILD_DATE ""
 #define AACENCODER_LIB_BUILD_TIME ""
 #else
diff --git a/libDRCdec/src/FDK_drcDecLib.cpp b/libDRCdec/src/FDK_drcDecLib.cpp
index 4f8ebc7..98a73ca 100644
--- a/libDRCdec/src/FDK_drcDecLib.cpp
+++ b/libDRCdec/src/FDK_drcDecLib.cpp
@@ -112,7 +112,7 @@ amm-info@iis.fraunhofer.de
 #define DRCDEC_LIB_VL1 1
 #define DRCDEC_LIB_VL2 0
 #define DRCDEC_LIB_TITLE "MPEG-D DRC Decoder Lib"
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
 #define DRCDEC_LIB_BUILD_DATE ""
 #define DRCDEC_LIB_BUILD_TIME ""
 #else
diff --git a/libFDK/src/FDK_core.cpp b/libFDK/src/FDK_core.cpp
index 75ea8a2..52f8915 100644
--- a/libFDK/src/FDK_core.cpp
+++ b/libFDK/src/FDK_core.cpp
@@ -107,7 +107,7 @@ amm-info@iis.fraunhofer.de
 #define FDK_TOOLS_LIB_VL1 0
 #define FDK_TOOLS_LIB_VL2 0
 #define FDK_TOOLS_LIB_TITLE "FDK Tools"
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
 #define FDK_TOOLS_LIB_BUILD_DATE ""
 #define FDK_TOOLS_LIB_BUILD_TIME ""
 #else
diff --git a/libMpegTPDec/src/tpdec_lib.cpp b/libMpegTPDec/src/tpdec_lib.cpp
index 506aed3..0b8ff24 100644
--- a/libMpegTPDec/src/tpdec_lib.cpp
+++ b/libMpegTPDec/src/tpdec_lib.cpp
@@ -1750,7 +1750,7 @@ TRANSPORTDEC_ERROR transportDec_GetLibInfo(LIB_INFO *info) {
   info += i;
 
   info->module_id = FDK_TPDEC;
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
   info->build_date = "";
   info->build_time = "";
 #else
diff --git a/libMpegTPEnc/src/tpenc_lib.cpp b/libMpegTPEnc/src/tpenc_lib.cpp
index 14ea5fe..77c19b5 100644
--- a/libMpegTPEnc/src/tpenc_lib.cpp
+++ b/libMpegTPEnc/src/tpenc_lib.cpp
@@ -647,7 +647,7 @@ TRANSPORTENC_ERROR transportEnc_GetLibInfo(LIB_INFO *info) {
   info->module_id = FDK_TPENC;
   info->version = LIB_VERSION(TP_LIB_VL0, TP_LIB_VL1, TP_LIB_VL2);
   LIB_VERSION_STRING(info);
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
   info->build_date = "";
   info->build_time = "";
 #else
diff --git a/libPCMutils/src/version.h b/libPCMutils/src/version.h
index fa31af1..8e537ee 100644
--- a/libPCMutils/src/version.h
+++ b/libPCMutils/src/version.h
@@ -108,7 +108,7 @@ amm-info@iis.fraunhofer.de
 #define PCMUTIL_LIB_VL1 0
 #define PCMUTIL_LIB_VL2 0
 #define PCMUTIL_LIB_TITLE "PCM Utility Lib"
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
 #define PCMUTIL_LIB_BUILD_DATE ""
 #define PCMUTIL_LIB_BUILD_TIME ""
 #else
diff --git a/libSACdec/src/sac_dec_lib.cpp b/libSACdec/src/sac_dec_lib.cpp
index bf6dedf..a07e1c9 100644
--- a/libSACdec/src/sac_dec_lib.cpp
+++ b/libSACdec/src/sac_dec_lib.cpp
@@ -1800,7 +1800,7 @@ int mpegSurroundDecoder_GetLibInfo(LIB_INFO *info) {
   info += i;
 
   info->module_id = FDK_MPSDEC;
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
   info->build_date = "";
   info->build_time = "";
 #else
diff --git a/libSACenc/src/sacenc_lib.cpp b/libSACenc/src/sacenc_lib.cpp
index d6a1658..fcfe39b 100644
--- a/libSACenc/src/sacenc_lib.cpp
+++ b/libSACenc/src/sacenc_lib.cpp
@@ -130,7 +130,7 @@ Description of file contents
 #define SACENC_LIB_VL1 0
 #define SACENC_LIB_VL2 0
 #define SACENC_LIB_TITLE "MPEG Surround Encoder"
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
 #define SACENC_LIB_BUILD_DATE ""
 #define SACENC_LIB_BUILD_TIME ""
 #else
diff --git a/libSBRdec/src/sbrdecoder.cpp b/libSBRdec/src/sbrdecoder.cpp
index c827ced..89a2338 100644
--- a/libSBRdec/src/sbrdecoder.cpp
+++ b/libSBRdec/src/sbrdecoder.cpp
@@ -160,7 +160,7 @@ amm-info@iis.fraunhofer.de
 #define SBRDECODER_LIB_VL1 0
 #define SBRDECODER_LIB_VL2 0
 #define SBRDECODER_LIB_TITLE "SBR Decoder"
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
 #define SBRDECODER_LIB_BUILD_DATE ""
 #define SBRDECODER_LIB_BUILD_TIME ""
 #else
diff --git a/libSBRenc/src/sbr_encoder.cpp b/libSBRenc/src/sbr_encoder.cpp
index df9e996..c1e083f 100644
--- a/libSBRenc/src/sbr_encoder.cpp
+++ b/libSBRenc/src/sbr_encoder.cpp
@@ -2560,7 +2560,7 @@ INT sbrEncoder_GetLibInfo(LIB_INFO *info) {
   info->version =
       LIB_VERSION(SBRENCODER_LIB_VL0, SBRENCODER_LIB_VL1, SBRENCODER_LIB_VL2);
   LIB_VERSION_STRING(info);
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
   info->build_date = "";
   info->build_time = "";
 #else
-- 
cgit v1.2.3


From 60a11ea3efcf939f2432e739817b610e671e202f Mon Sep 17 00:00:00 2001
From: Martin Storsjo <martin@martin.st>
Date: Tue, 17 Nov 2020 12:53:48 +0200
Subject: Revert "Don't use an enum for a value read directly from the
 bitstream"

This reverts commit 8439b745f65bce3fd55ffc9f9edcc04f5f447c55.

This local fix doesn't seem to be needed any more after the latest
upstream update.
---
 libMpegTPDec/src/tpdec_asc.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'libMpegTPDec/src')

diff --git a/libMpegTPDec/src/tpdec_asc.cpp b/libMpegTPDec/src/tpdec_asc.cpp
index 56de494..156f325 100644
--- a/libMpegTPDec/src/tpdec_asc.cpp
+++ b/libMpegTPDec/src/tpdec_asc.cpp
@@ -1549,7 +1549,8 @@ static TRANSPORTDEC_ERROR extElementConfig(CSUsacExtElementConfig *extElement,
                                            const AUDIO_OBJECT_TYPE aot) {
   TRANSPORTDEC_ERROR ErrorStatus = TRANSPORTDEC_OK;
 
-  int usacExtElementType = escapedValue(hBs, 4, 8, 16);
+  USAC_EXT_ELEMENT_TYPE usacExtElementType =
+      (USAC_EXT_ELEMENT_TYPE)escapedValue(hBs, 4, 8, 16);
 
   /* recurve extension elements which are invalid for USAC */
   if (aot == AOT_USAC) {
@@ -1566,7 +1567,7 @@ static TRANSPORTDEC_ERROR extElementConfig(CSUsacExtElementConfig *extElement,
     }
   }
 
-  extElement->usacExtElementType = (USAC_EXT_ELEMENT_TYPE) usacExtElementType;
+  extElement->usacExtElementType = usacExtElementType;
   int usacExtElementConfigLength = escapedValue(hBs, 4, 8, 16);
   extElement->usacExtElementConfigLength = (USHORT)usacExtElementConfigLength;
   INT bsAnchor;
-- 
cgit v1.2.3


From d9a9f3b79301fea59ce3c3ee1bc36f43f47224f2 Mon Sep 17 00:00:00 2001
From: Martin Storsjo <martin@martin.st>
Date: Tue, 17 Nov 2020 12:54:26 +0200
Subject: Revert "Don't use an enum for a value read directly from the
 bitstream"

This reverts commit e7d8591ff208803eee35dc289e89a0d69b707585.

This local fix doesn't seem to be needed any more after the latest
upstream update.
---
 libMpegTPDec/src/tpdec_asc.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'libMpegTPDec/src')

diff --git a/libMpegTPDec/src/tpdec_asc.cpp b/libMpegTPDec/src/tpdec_asc.cpp
index 156f325..82f840e 100644
--- a/libMpegTPDec/src/tpdec_asc.cpp
+++ b/libMpegTPDec/src/tpdec_asc.cpp
@@ -1631,14 +1631,14 @@ static TRANSPORTDEC_ERROR configExtension(CSUsacConfig *usc,
   TRANSPORTDEC_ERROR ErrorStatus = TRANSPORTDEC_OK;
 
   int numConfigExtensions;
-  int usacConfigExtType;
+  CONFIG_EXT_ID usacConfigExtType;
   int usacConfigExtLength;
 
   numConfigExtensions = (int)escapedValue(hBs, 2, 4, 8) + 1;
   for (int confExtIdx = 0; confExtIdx < numConfigExtensions; confExtIdx++) {
     INT nbits;
     int loudnessInfoSetConfigExtensionPosition = FDKgetValidBits(hBs);
-    usacConfigExtType = escapedValue(hBs, 4, 8, 16);
+    usacConfigExtType = (CONFIG_EXT_ID)escapedValue(hBs, 4, 8, 16);
     usacConfigExtLength = (int)escapedValue(hBs, 4, 8, 16);
 
     /* Start bit position of config extension */
-- 
cgit v1.2.3


From d75500444a76f6aef8a8ff35620118de84cce65f Mon Sep 17 00:00:00 2001
From: Martin Storsjo <martin@martin.st>
Date: Thu, 14 Jan 2021 15:36:03 +0200
Subject: Don't use enums for values read directly from the bitstream

The enums don't cover all possible values read from the bitstream.

This fixes undefined behaviour sanitizer errors.

Fixes: 27647/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBFDK_AAC_fuzzer-5654559200116736
Fixes: 28193/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBFDK_AAC_fuzzer-4901213455515648

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
---
 libMpegTPDec/src/tpdec_asc.cpp | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

(limited to 'libMpegTPDec/src')

diff --git a/libMpegTPDec/src/tpdec_asc.cpp b/libMpegTPDec/src/tpdec_asc.cpp
index 82f840e..bb4094b 100644
--- a/libMpegTPDec/src/tpdec_asc.cpp
+++ b/libMpegTPDec/src/tpdec_asc.cpp
@@ -1549,8 +1549,7 @@ static TRANSPORTDEC_ERROR extElementConfig(CSUsacExtElementConfig *extElement,
                                            const AUDIO_OBJECT_TYPE aot) {
   TRANSPORTDEC_ERROR ErrorStatus = TRANSPORTDEC_OK;
 
-  USAC_EXT_ELEMENT_TYPE usacExtElementType =
-      (USAC_EXT_ELEMENT_TYPE)escapedValue(hBs, 4, 8, 16);
+  int usacExtElementType = escapedValue(hBs, 4, 8, 16);
 
   /* recurve extension elements which are invalid for USAC */
   if (aot == AOT_USAC) {
@@ -1567,7 +1566,7 @@ static TRANSPORTDEC_ERROR extElementConfig(CSUsacExtElementConfig *extElement,
     }
   }
 
-  extElement->usacExtElementType = usacExtElementType;
+  extElement->usacExtElementType = (USAC_EXT_ELEMENT_TYPE)usacExtElementType;
   int usacExtElementConfigLength = escapedValue(hBs, 4, 8, 16);
   extElement->usacExtElementConfigLength = (USHORT)usacExtElementConfigLength;
   INT bsAnchor;
@@ -1631,14 +1630,14 @@ static TRANSPORTDEC_ERROR configExtension(CSUsacConfig *usc,
   TRANSPORTDEC_ERROR ErrorStatus = TRANSPORTDEC_OK;
 
   int numConfigExtensions;
-  CONFIG_EXT_ID usacConfigExtType;
+  int usacConfigExtType;
   int usacConfigExtLength;
 
   numConfigExtensions = (int)escapedValue(hBs, 2, 4, 8) + 1;
   for (int confExtIdx = 0; confExtIdx < numConfigExtensions; confExtIdx++) {
     INT nbits;
     int loudnessInfoSetConfigExtensionPosition = FDKgetValidBits(hBs);
-    usacConfigExtType = (CONFIG_EXT_ID)escapedValue(hBs, 4, 8, 16);
+    usacConfigExtType = escapedValue(hBs, 4, 8, 16);
     usacConfigExtLength = (int)escapedValue(hBs, 4, 8, 16);
 
     /* Start bit position of config extension */
-- 
cgit v1.2.3