From b5dfe8f92dd94e91f8391a9dc3d1fa7b0415ece2 Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK
Date: Mon, 6 Jul 2020 16:37:38 +0200
Subject: Fix heap buffer overflow in sbrDecoder_AssignQmfChannels2SbrChannels().

In the bug the SBR decoder has already set up 9 channels and tries to allocate one more channel. The assignment of the QMF channels to SBR channels fails since the QMF domain manages only 8+1 channels instead of 10 channels as reqeusted by SBR. Here we have added a check in sbrDecoder_InitElement() which will return with a parse error in case additional SBR channels would exceed the maximum number of SBR channels. This solves the potential heap buffer overflow.

Bug: 158762825
Test: atest DecoderTestAacDrc DecoderTestAacFormat DecoderTestXheAac
Change-Id: I0150ac6d5a47ffce883010f531928656eebc619e
---
 libSBRdec/src/sbrdecoder.cpp | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
(limited to 'libSBRdec/src/sbrdecoder.cpp')

diff --git a/libSBRdec/src/sbrdecoder.cpp b/libSBRdec/src/sbrdecoder.cpp
index b51461d..b101a4a 100644
--- a/libSBRdec/src/sbrdecoder.cpp
+++ b/libSBRdec/src/sbrdecoder.cpp
@@ -1,7 +1,7 @@
 /* -----------------------------------------------------------------------------
 Software License for The Fraunhofer FDK AAC Codec Library for Android
 
-© Copyright 1995 - 2019 Fraunhofer-Gesellschaft zur Förderung der angewandten
+© Copyright 1995 - 2020 Fraunhofer-Gesellschaft zur Förderung der angewandten
 Forschung e.V. All rights reserved.
 
 1. INTRODUCTION
@@ -617,10 +617,6 @@ SBR_ERROR sbrDecoder_InitElement(
 self->numSbrChannels -= self->pSbrElement[elementIndex]->nChannels;
 }
 
- /* Save element ID for sanity checks and to have a fallback for concealment.
- */
- self->pSbrElement[elementIndex]->elementID = elementID;
-
 /* Determine amount of channels for this element */
 switch (elementID) {
 case ID_NONE:
@@ -653,12 +649,16 @@ SBR_ERROR sbrDecoder_InitElement(
 }
 
 /* Sanity check to avoid memory leaks */
- if (elChannels < self->pSbrElement[elementIndex]->nChannels) {
+ if (elChannels < self->pSbrElement[elementIndex]->nChannels ||
+ (self->numSbrChannels + elChannels) > (8) + (1)) {
 self->numSbrChannels += self->pSbrElement[elementIndex]->nChannels;
 sbrError = SBRDEC_PARSE_ERROR;
 goto bail;
 }
 
+ /* Save element ID for sanity checks and to have a fallback for concealment.
+ */
+ self->pSbrElement[elementIndex]->elementID = elementID;
 self->pSbrElement[elementIndex]->nChannels = elChannels;
 
 for (ch = 0; ch < elChannels; ch++) {
--
cgit v1.2.3

From a1edc32174933c375f84f202dddadd5dfb862060 Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK
Date: Tue, 16 Mar 2021 14:43:32 +0100
Subject: Sbr syncstate may only be set to upsampling if the sbr decoder was sucessfully initialized.

Bug: 186777497
Test: atest android.media.cts.DecoderTestAacFormat android.media.cts.DecoderTestXheAac android.media.cts.DecoderTestAacDrc
Change-Id: I92f7c559af961ec063bfea74353f11092dcda653
---
 libSBRdec/src/sbrdecoder.cpp | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
(limited to 'libSBRdec/src/sbrdecoder.cpp')

diff --git a/libSBRdec/src/sbrdecoder.cpp b/libSBRdec/src/sbrdecoder.cpp
index b101a4a..7718695 100644
--- a/libSBRdec/src/sbrdecoder.cpp
+++ b/libSBRdec/src/sbrdecoder.cpp
@@ -1,7 +1,7 @@
 /* -----------------------------------------------------------------------------
 Software License for The Fraunhofer FDK AAC Codec Library for Android
 
-© Copyright 1995 - 2020 Fraunhofer-Gesellschaft zur Förderung der angewandten
+© Copyright 1995 - 2021 Fraunhofer-Gesellschaft zur Förderung der angewandten
 Forschung e.V. All rights reserved.
 
 1. INTRODUCTION
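Review bot: The new bound `(self->numSbrChannels + elChannels) > (8) + (1)` is, per the commit message, what keeps the later QMF-to-SBR channel assignment inside its buffer (the QMF domain holds 8+1 channels), yet it is an unnamed literal that must stay equal to whatever the QMF domain is sized with; if the two ever diverge the overflow could come back without any compile-time or review-time signal. A named constant shared with the QMF domain, or at least a comment such as `/* must match the QMF domain's channel capacity (8 + 1) */` on the new line, would make the coupling visible. The arithmetic itself reads correctly: the previous hunk of this function shows `self->numSbrChannels -= self->pSbrElement[elementIndex]->nChannels;` before this point, so the sum counts only the other elements plus the new request, and the error branch adds the old count back before `goto bail`. sbrDecoder_InitElement continues outside the hunk.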
@@ -961,8 +961,10 @@ SBR_ERROR sbrDecoder_SetParam(HANDLE_SBRDECODER self, const SBRDEC_PARAM param,
 
 /* Set sync state UPSAMPLING for the corresponding slot. This switches off bitstream parsing until a new header arrives. */
- hSbrHeader->syncState = UPSAMPLING;
- hSbrHeader->status |= SBRDEC_HDR_STAT_UPDATE;
+ if (hSbrHeader->syncState != SBR_NOT_INITIALIZED) {
+ hSbrHeader->syncState = UPSAMPLING;
+ hSbrHeader->status |= SBRDEC_HDR_STAT_UPDATE;
+ }
 }
 }
 } break;
@@ -1371,7 +1373,9 @@ SBR_ERROR sbrDecoder_Parse(HANDLE_SBRDECODER self, HANDLE_FDK_BITSTREAM hBs,
 }
 if (headerStatus == HEADER_ERROR) {
 /* Corrupt SBR info data, do not decode and switch to UPSAMPLING */
- hSbrHeader->syncState = UPSAMPLING;
+ hSbrHeader->syncState = hSbrHeader->syncState > UPSAMPLING
+ ? UPSAMPLING
+ : hSbrHeader->syncState;
 fDoDecodeSbrData = 0;
 sbrHeaderPresent = 0;
 }
@@ -1610,7 +1614,9 @@ static SBR_ERROR sbrDecoder_DecodeElement(
 /* No valid SBR payload available, hence switch to upsampling (in all
 * headers) */
 for (hdrIdx = 0; hdrIdx < ((1) + 1); hdrIdx += 1) {
- self->sbrHeader[elementIndex][hdrIdx].syncState = UPSAMPLING;
+ if (self->sbrHeader[elementIndex][hdrIdx].syncState > UPSAMPLING) {
+ self->sbrHeader[elementIndex][hdrIdx].syncState = UPSAMPLING;
+ }
 }
 } else {
 /* Move frame pointer to the next slot which is up to be decoded/applied
--
cgit v1.2.3
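Review bot: The three hunks of this commit encode one rule — a header is only dropped to UPSAMPLING once it has been initialized — in two different shapes: the guard at 961 tests `!= SBR_NOT_INITIALIZED`, while the ternary at 1373 and the loop at 1614 test `> UPSAMPLING`, which presumably relies on SBR_NOT_INITIALIZED ordering below UPSAMPLING in the sync-state enum (not visible here). The ternary at 1373 would read more like its sibling at 1614 as `if (hSbrHeader->syncState > UPSAMPLING) {` / `  hSbrHeader->syncState = UPSAMPLING;` / `}`. At 961 the `!=` form is not interchangeable with `>`, because a header already in UPSAMPLING still gets `SBRDEC_HDR_STAT_UPDATE` raised; a one-line comment there stating that this is intended would stop a later reader from "harmonising" it. The enclosing `case` at 961 and the functions at 1373 and 1614 all begin outside their hunks.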
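Review bot: The comment above the changed line at 1373, `/* Corrupt SBR info data, do not decode and switch to UPSAMPLING */`, no longer matches the code, which now leaves a header whose state is below UPSAMPLING (presumably still uninitialized) untouched; the same applies to `hence switch to upsampling (in all headers)` at 1614. Suggest `/* Corrupt SBR info data, do not decode; fall back to UPSAMPLING unless this header was never initialized */` at 1373 and `(in all initialized headers)` at 1614. sbrDecoder_Parse and sbrDecoder_DecodeElement both continue outside their hunks.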