From e6bb25613016ecd64ccbcb354768b4794ffd6351 Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Mon, 20 Nov 2017 12:35:32 +0200 Subject: Reapply: Avoid reading out of bounds due to negative aaIccIndexMapped Fixes: 10325/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBFDK_AAC_fuzzer-5740113355603968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libSBRdec/src/psdec.cpp | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'libSBRdec/src') diff --git a/libSBRdec/src/psdec.cpp b/libSBRdec/src/psdec.cpp index 13a21bf..1f8bd25 100644 --- a/libSBRdec/src/psdec.cpp +++ b/libSBRdec/src/psdec.cpp @@ -329,7 +329,7 @@ void initSlotBasedRotation( FIXP_SGL invL; FIXP_DBL ScaleL, ScaleR; - FIXP_DBL Alpha, Beta; + FIXP_DBL Alpha, Beta, AlphasValue; FIXP_DBL h11r, h12r, h21r, h22r; const FIXP_DBL *PScaleFactors; @@ -363,12 +363,15 @@ void initSlotBasedRotation( ScaleL = PScaleFactors[noIidSteps - h_ps_d->specificTo.mpeg.pCoef ->aaIidIndexMapped[env][bin]]; + AlphasValue = 0; + if (h_ps_d->specificTo.mpeg.pCoef->aaIccIndexMapped[env][bin] >= 0) + AlphasValue = Alphas[h_ps_d->specificTo.mpeg.pCoef->aaIccIndexMapped[env][bin]]; Beta = fMult( - fMult(Alphas[h_ps_d->specificTo.mpeg.pCoef->aaIccIndexMapped[env][bin]], + fMult(AlphasValue, (ScaleR - ScaleL)), FIXP_SQRT05); Alpha = - Alphas[h_ps_d->specificTo.mpeg.pCoef->aaIccIndexMapped[env][bin]] >> 1; + AlphasValue >> 1; /* Alpha and Beta are now both scaled by 2 shifts right */ -- cgit v1.2.3 From 28fdc28ec436ceafb11ceb6a354e9916c5265981 Mon Sep 17 00:00:00 2001 
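Review bot: The new guard in front of `AlphasValue = Alphas[...]` rejects only a negative `aaIccIndexMapped[env][bin]`; nothing in this hunk bounds the index from above. The size of `Alphas` is declared outside the diff, so an over-large mapped index would still read past the table unless an earlier stage clamps it. If no such clamp exists, read the index once into a local and test both ends against the number of entries in `Alphas`. A short comment such as `/* invalid ICC index (corrupt bitstream): fall back to 0 */` would also record that the zero is a deliberate concealment value. initSlotBasedRotation() starts and ends outside the hunk.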
From: Martin Storsjo Date: Mon, 20 Nov 2017 12:35:32 +0200 Subject: Reapply: Avoid reading out of bounds due to too large aaIidIndexMapped Fixes: 10726/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBFDK_AAC_fuzzer-5167035365982208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libSBRdec/src/psdec.cpp | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) (limited to 'libSBRdec/src') diff --git a/libSBRdec/src/psdec.cpp b/libSBRdec/src/psdec.cpp index 1f8bd25..b31b310 100644 --- a/libSBRdec/src/psdec.cpp +++ b/libSBRdec/src/psdec.cpp @@ -325,7 +325,7 @@ void initSlotBasedRotation( int env, int usb) { INT group = 0; INT bin = 0; - INT noIidSteps; + INT noIidSteps, noFactors; FIXP_SGL invL; FIXP_DBL ScaleL, ScaleR; @@ -337,9 +337,11 @@ void initSlotBasedRotation( if (h_ps_d->bsData[h_ps_d->processSlot].mpeg.bFineIidQ) { PScaleFactors = ScaleFactorsFine; /* values are shiftet right by one */ noIidSteps = NO_IID_STEPS_FINE; + noFactors = NO_IID_LEVELS_FINE; } else { PScaleFactors = ScaleFactors; /* values are shiftet right by one */ noIidSteps = NO_IID_STEPS; + noFactors = NO_IID_LEVELS; } /* dequantize and decode */ 
@@ -358,10 +360,13 @@ void initSlotBasedRotation( /* ScaleR and ScaleL are scaled by 1 shift right */ - ScaleR = PScaleFactors[noIidSteps + h_ps_d->specificTo.mpeg.pCoef - ->aaIidIndexMapped[env][bin]]; - ScaleL = PScaleFactors[noIidSteps - h_ps_d->specificTo.mpeg.pCoef - ->aaIidIndexMapped[env][bin]]; + ScaleL = ScaleR = 0; + if (noIidSteps + h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin] >= 0 && noIidSteps + h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin] < noFactors) + ScaleR = PScaleFactors[noIidSteps + h_ps_d->specificTo.mpeg.pCoef + ->aaIidIndexMapped[env][bin]]; + if (noIidSteps - h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin] >= 0 && noIidSteps - h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin] < noFactors) + ScaleL = PScaleFactors[noIidSteps - h_ps_d->specificTo.mpeg.pCoef + ->aaIidIndexMapped[env][bin]]; AlphasValue = 0; if (h_ps_d->specificTo.mpeg.pCoef->aaIccIndexMapped[env][bin] >= 0) -- cgit v1.2.3 From 5e5701952535e22ad38d6735bbf4f1f92ce99ceb Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Mon, 10 Sep 2018 16:39:30 +0200 Subject: Prevent out of bounds accesses in lppTransposer() and lppTransposerHBE() Bug: 112160868 Test: see poc in bug Change-Id: I6a2161865d9cb9b51dc37c09d6e3a4a8e5d11f86 (cherry picked from commit 4dad829df00932b89858b9833cf5dcded8d97c37) --- Android.bp | 3 ++ libSBRdec/src/lpp_tran.cpp | 74 +++++++++++++++++++++++++++++----------------- 2 files changed, 50 insertions(+), 27 deletions(-) (limited to 'libSBRdec/src') diff --git a/Android.bp b/Android.bp index 50cc092..c89a95c 100644 --- a/Android.bp +++ b/Android.bp @@ -27,6 +27,9 @@ cc_library_static { misc_undefined:["unsigned-integer-overflow", "signed-integer-overflow"], cfi: true, }, + shared_libs: [ + "liblog", + ], export_include_dirs: [ "libAACdec/include", "libAACenc/include", diff --git a/libSBRdec/src/lpp_tran.cpp b/libSBRdec/src/lpp_tran.cpp index aa1fd5d..2ef07eb 100644 --- a/libSBRdec/src/lpp_tran.cpp 
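Review bot: Each of the two new range checks spells out `noIidSteps ± h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin]` twice in the condition and once more in the subscript, which makes the bound hard to audit and easy to let drift apart. Computing the two table indices once and testing those says the same thing in three short lines. The check is only as good as `noFactors`, so the assignments added in the hunk at -337 deserve a comment stating that `NO_IID_LEVELS` and `NO_IID_LEVELS_FINE` are the element counts of `ScaleFactors` and `ScaleFactorsFine`; their definitions are outside this diff. The enclosing loop and function start and end outside the hunk.

```cpp
/* ScaleR and ScaleL are scaled by 1 shift right */
const INT iidIdx = h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin];
const INT idxR = noIidSteps + iidIdx;
const INT idxL = noIidSteps - iidIdx;

/* out-of-range indices (corrupt bitstream) fall back to a zero factor */
ScaleL = ScaleR = 0;
if (idxR >= 0 && idxR < noFactors) ScaleR = PScaleFactors[idxR];
if (idxL >= 0 && idxL < noFactors) ScaleL = PScaleFactors[idxL];
// … unchanged: AlphasValue lookup, Beta and Alpha computation …
```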
+++ b/libSBRdec/src/lpp_tran.cpp @@ -118,6 +118,10 @@ amm-info@iis.fraunhofer.de \sa lppTransposer(), main_audio.cpp, sbr_scale.h, \ref documentationOverview */ +#ifdef __ANDROID__ +#include "log/log.h" +#endif + #include "lpp_tran.h" #include "sbr_ram.h" @@ -295,7 +299,6 @@ void lppTransposer( int ovLowBandShift; int lowBandShift; /* int ovHighBandShift;*/ - int targetStopBand; alphai[0] = FL2FXCONST_SGL(0.0f); alphai[1] = FL2FXCONST_SGL(0.0f); 
@@ -311,25 +314,34 @@ void lppTransposer( autoCorrLength = pSettings->nCols + pSettings->overlap; - /* Set upper subbands to zero: - This is required in case that the patches do not cover the complete - highband (because the last patch would be too short). Possible - optimization: Clearing bands up to usb would be sufficient here. */ - targetStopBand = patchParam[pSettings->noOfPatches - 1].targetStartBand + - patchParam[pSettings->noOfPatches - 1].numBandsInPatch; + if (pSettings->noOfPatches > 0) { + /* Set upper subbands to zero: + This is required in case that the patches do not cover the complete + highband (because the last patch would be too short). Possible + optimization: Clearing bands up to usb would be sufficient here. */ + int targetStopBand = + patchParam[pSettings->noOfPatches - 1].targetStartBand + + patchParam[pSettings->noOfPatches - 1].numBandsInPatch; - int memSize = ((64) - targetStopBand) * sizeof(FIXP_DBL); + int memSize = ((64) - targetStopBand) * sizeof(FIXP_DBL); - if (!useLP) { - for (i = startSample; i < stopSampleClear; i++) { - FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize); - FDKmemclear(&qmfBufferImag[i][targetStopBand], memSize); - } - } else { - for (i = startSample; i < stopSampleClear; i++) { - FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize); + if (!useLP) { + for (i = startSample; i < stopSampleClear; i++) { + FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize); + FDKmemclear(&qmfBufferImag[i][targetStopBand], memSize); + } + } else { + for (i = startSample; i < stopSampleClear; i++) { + FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize); + } } } +#ifdef __ANDROID__ + else { + // Safetynet logging + android_errorWriteLog(0x534e4554, "112160868"); + } +#endif /* init bwIndex for each patch */ FDKmemclear(bwIndex, sizeof(bwIndex)); 
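Review bot: `targetStopBand` is still used unchecked inside the new `if (pSettings->noOfPatches > 0)` block: `memSize = ((64) - targetStopBand) * sizeof(FIXP_DBL)` stops being a valid length when the last patch ends above band 64, and `&qmfBufferReal[i][targetStopBand]` is then already outside the row (assuming 64-band rows, as the `(64)` implies). Whether `patchParam` is validated before this point is not visible in the diff; if it is not, wrap the clearing loops in `if (targetStopBand >= 0 && targetStopBand < 64)`. The identical block in lppTransposerHBE() (hunk at -889) needs the same treatment. Both function bodies continue outside their hunks.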
@@ -874,7 +886,6 @@ void lppTransposerHBE( int ovLowBandShift; int lowBandShift; /* int ovHighBandShift;*/ - int targetStopBand; alphai[0] = FL2FXCONST_SGL(0.0f); alphai[1] = FL2FXCONST_SGL(0.0f); @@ -889,19 +900,28 @@ void lppTransposerHBE( autoCorrLength = pSettings->nCols + pSettings->overlap; - /* Set upper subbands to zero: - This is required in case that the patches do not cover the complete - highband (because the last patch would be too short). Possible - optimization: Clearing bands up to usb would be sufficient here. */ - targetStopBand = patchParam[pSettings->noOfPatches - 1].targetStartBand + - patchParam[pSettings->noOfPatches - 1].numBandsInPatch; + if (pSettings->noOfPatches > 0) { + /* Set upper subbands to zero: + This is required in case that the patches do not cover the complete + highband (because the last patch would be too short). Possible + optimization: Clearing bands up to usb would be sufficient here. */ + int targetStopBand = + patchParam[pSettings->noOfPatches - 1].targetStartBand + + patchParam[pSettings->noOfPatches - 1].numBandsInPatch; - int memSize = ((64) - targetStopBand) * sizeof(FIXP_DBL); + int memSize = ((64) - targetStopBand) * sizeof(FIXP_DBL); - for (i = startSample; i < stopSampleClear; i++) { - FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize); - FDKmemclear(&qmfBufferImag[i][targetStopBand], memSize); + for (i = startSample; i < stopSampleClear; i++) { + FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize); + FDKmemclear(&qmfBufferImag[i][targetStopBand], memSize); + } + } +#ifdef __ANDROID__ + else { + // Safetynet logging + android_errorWriteLog(0x534e4554, "112160868"); } +#endif /* Calc common low band scale factor -- cgit v1.2.3 From e93cd75ea41e0b374ffc519400a202714c819a59 Mon Sep 17 00:00:00 2001 
From: Fraunhofer IIS FDK Date: Wed, 15 Aug 2018 14:36:49 +0200 Subject: Limit too large scale_change exponent used in adjustTimeSlot Bug: 112892953 Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: I4fe66defb40a36612850582cb0f1da7fb07a8bed --- libSBRdec/src/env_calc.cpp | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) (limited to 'libSBRdec/src') diff --git a/libSBRdec/src/env_calc.cpp b/libSBRdec/src/env_calc.cpp index d7a8bb5..10c73ec 100644 --- a/libSBRdec/src/env_calc.cpp +++ b/libSBRdec/src/env_calc.cpp @@ -1561,13 +1561,14 @@ void calculateSbrEnvelope( adjustTimeSlotHQ_GainAndNoise( &analysBufferReal[j][lowSubband], &analysBufferImag[j][lowSubband], h_sbr_cal_env, pNrgs, - lowSubband, noSubbands, scale_change, smooth_ratio, noNoiseFlag, - filtBufferNoiseShift); + lowSubband, noSubbands, fMin(scale_change, DFRACT_BITS - 1), + smooth_ratio, noNoiseFlag, filtBufferNoiseShift); } else { adjustTimeSlotHQ(&analysBufferReal[j][lowSubband], &analysBufferImag[j][lowSubband], h_sbr_cal_env, - pNrgs, lowSubband, noSubbands, scale_change, - smooth_ratio, noNoiseFlag, filtBufferNoiseShift); + pNrgs, lowSubband, noSubbands, + fMin(scale_change, DFRACT_BITS - 1), smooth_ratio, + noNoiseFlag, filtBufferNoiseShift); } } else { FDK_ASSERT(!iTES_enable); /* not supported */ @@ -1575,13 +1576,14 @@ void calculateSbrEnvelope( /* FDKmemset(analysBufferReal[j], 0, 64 * sizeof(FIXP_DBL)); */ adjustTimeSlot_EldGrid(&analysBufferReal[j][lowSubband], pNrgs, &h_sbr_cal_env->harmIndex, lowSubband, - noSubbands, scale_change, noNoiseFlag, - &h_sbr_cal_env->phaseIndex, + noSubbands, + fMin(scale_change, DFRACT_BITS - 1), + noNoiseFlag, &h_sbr_cal_env->phaseIndex, EXP2SCALE(adj_e) - sbrScaleFactor->lb_scale); } else { adjustTimeSlotLC(&analysBufferReal[j][lowSubband], pNrgs, &h_sbr_cal_env->harmIndex, lowSubband, noSubbands, - scale_change, noNoiseFlag, + fMin(scale_change, DFRACT_BITS - 1), noNoiseFlag, &h_sbr_cal_env->phaseIndex); } } -- cgit v1.2.3 
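Review bot: `fMin(scale_change, DFRACT_BITS - 1)` caps only the upper end, so a negative `scale_change` is still passed through to `adjustTimeSlotHQ_GainAndNoise()`, `adjustTimeSlotHQ()`, `adjustTimeSlot_EldGrid()` and `adjustTimeSlotLC()`. How those functions treat a negative exponent is outside this diff and worth confirming. The same clamp is also written out four times across this hunk and the one at -1575; computing it once before the branches into a local of `scale_change`'s own type, initialised with `fMin(scale_change, DFRACT_BITS - 1)`, keeps the call sites in step. calculateSbrEnvelope() starts and ends outside both hunks.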
From 29b81acd78887b24c2995f89c7c34e1861afad69 Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Wed, 15 Aug 2018 14:40:03 +0200 Subject: Limit too large shift exponent in apply_inter_tes() Bug: 112892200 Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: I74e349ecb796343b475b825ac7d97497560a1e7a --- libSBRdec/src/env_calc.cpp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'libSBRdec/src') diff --git a/libSBRdec/src/env_calc.cpp b/libSBRdec/src/env_calc.cpp index d7a8bb5..da01bed 100644 --- a/libSBRdec/src/env_calc.cpp +++ b/libSBRdec/src/env_calc.cpp @@ -626,7 +626,8 @@ static void apply_inter_tes(FIXP_DBL **qmfReal, FIXP_DBL **qmfImag, total_power_low >>= diff; total_power_low_sf = new_summand_sf; } else if (new_summand_sf < total_power_low_sf) { - new_summand >>= total_power_low_sf - new_summand_sf; + new_summand >>= + fMin(DFRACT_BITS - 1, total_power_low_sf - new_summand_sf); } total_power_low += (new_summand >> preShift2); @@ -638,7 +639,8 @@ static void apply_inter_tes(FIXP_DBL **qmfReal, FIXP_DBL **qmfImag, fMin(DFRACT_BITS - 1, new_summand_sf - total_power_high_sf); total_power_high_sf = new_summand_sf; } else if (new_summand_sf < total_power_high_sf) { - new_summand >>= total_power_high_sf - new_summand_sf; + new_summand >>= + fMin(DFRACT_BITS - 1, total_power_high_sf - new_summand_sf); } total_power_high += (new_summand >> preShift2); -- cgit v1.2.3 From 804f41ac64168ea32bdf822aba930b1cfa4e1646 Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Fri, 19 Oct 2018 16:39:04 +0200 Subject: Add error path to generateFixFixOnly() Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: I1f1767403068a9eafd7b20edb96669b71b0110fc --- libSBRdec/src/env_extr.cpp | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) (limited to 'libSBRdec/src') diff --git a/libSBRdec/src/env_extr.cpp b/libSBRdec/src/env_extr.cpp index e6ae6dc..c72a7b6 100644 --- a/libSBRdec/src/env_extr.cpp 
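Review bot: The low-power branch still shifts by a value whose limit cannot be seen here: `total_power_low >>= diff;` in the context of the first hunk uses `diff`, which is computed outside the hunk, while the matching high-power branch visibly uses `fMin(DFRACT_BITS - 1, new_summand_sf - total_power_high_sf)`. Please confirm `diff` is limited the same way. A short comment on the two new lines, e.g. `/* limit shift count: shifting by >= DFRACT_BITS is undefined */`, would also record why the `fMin` is there. apply_inter_tes() continues outside both hunks.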
+++ b/libSBRdec/src/env_extr.cpp @@ -1145,10 +1145,10 @@ static int sbrGetEnvelope( \brief Generates frame info for FIXFIXonly frame class used for low delay version - \return nothing + \return zero for error, one for correct. ****************************************************************************/ -static void generateFixFixOnly(FRAME_INFO *hSbrFrameInfo, int tranPosInternal, - int numberTimeSlots, const UINT flags) { +static int generateFixFixOnly(FRAME_INFO *hSbrFrameInfo, int tranPosInternal, + int numberTimeSlots, const UINT flags) { int nEnv, i, tranIdx; const int *pTable; @@ -1159,12 +1159,11 @@ static void generateFixFixOnly(FRAME_INFO *hSbrFrameInfo, int tranPosInternal, case 15: pTable = FDK_sbrDecoder_envelopeTable_15[tranPosInternal]; break; - default: - FDK_ASSERT(0); - /* fall through */ case 16: pTable = FDK_sbrDecoder_envelopeTable_16[tranPosInternal]; break; + default: + return 0; } /* look number of envelopes in table */ @@ -1187,6 +1186,8 @@ static void generateFixFixOnly(FRAME_INFO *hSbrFrameInfo, int tranPosInternal, /* nEnv is always > 1, so nNoiseEnvelopes is always 2 (IEC 14496-3 4.6.19.3.2) */ hSbrFrameInfo->nNoiseEnvelopes = 2; + + return 1; } /*! @@ -1230,7 +1231,9 @@ static int extractLowDelayGrid( } /* calculate borders according to the transient position */ - generateFixFixOnly(pFrameInfo, temp, numberTimeSlots, flags); + if (!generateFixFixOnly(pFrameInfo, temp, numberTimeSlots, flags)) { + return 0; + } /* decode freq res: */ for (k = 0; k < pFrameInfo->nEnvelopes; k++) { -- cgit v1.2.3 From 0271d6a6f3111be142456bf185e834aa5bc10309 Mon Sep 17 00:00:00 2001 
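Review bot: `tranPosInternal` is used as the row index in `FDK_sbrDecoder_envelopeTable_15[tranPosInternal]` and `FDK_sbrDecoder_envelopeTable_16[tranPosInternal]` with no range check in generateFixFixOnly() itself, even though the function now has an error return it could use. The caller passes `temp` from extractLowDelayGrid(), and whatever validation `temp` gets there is outside this diff. Either document the precondition in the header comment, e.g. `\param tranPosInternal  transient position; must be a valid row of the selected envelope table`, or reject out-of-range values with `return 0` next to the new `default:` case. Both function bodies continue outside the hunks.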
From: Fraunhofer IIS FDK Date: Fri, 19 Oct 2018 16:41:01 +0200 Subject: Call QMF transposer initialization only with successful SBR processing Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: I8a8626a83e1bd87b2c14fad7c90174e4172c01b6 --- libSBRdec/src/hbe.cpp | 4 ++++ libSBRdec/src/sbr_dec.cpp | 2 +- libSBRdec/src/sbrdecoder.cpp | 7 ++++++- 3 files changed, 11 insertions(+), 2 deletions(-) (limited to 'libSBRdec/src') diff --git a/libSBRdec/src/hbe.cpp b/libSBRdec/src/hbe.cpp index 53b21c9..1141e9c 100644 --- a/libSBRdec/src/hbe.cpp +++ b/libSBRdec/src/hbe.cpp @@ -1056,6 +1056,10 @@ SBR_ERROR QmfTransposerReInit(HANDLE_HBE_TRANSPOSER hQmfTransposer, const FIXP_QTW* tmp_t_sin; hQmfTransposer->startBand = FreqBandTable[0][0]; + FDK_ASSERT((!hQmfTransposer->bSbr41 && hQmfTransposer->startBand <= 32) || + (hQmfTransposer->bSbr41 && + hQmfTransposer->startBand <= + 16)); /* is checked by resetFreqBandTables() */ hQmfTransposer->stopBand = FreqBandTable[0][NSfb[0]]; hQmfTransposer->synthSize = diff --git a/libSBRdec/src/sbr_dec.cpp b/libSBRdec/src/sbr_dec.cpp index 2e18e6c..30611e7 100644 --- a/libSBRdec/src/sbr_dec.cpp +++ b/libSBRdec/src/sbr_dec.cpp @@ -1248,7 +1248,7 @@ resetSbrDec(HANDLE_SBR_DEC hSbrDec, HANDLE_SBR_HEADER_DATA hHeaderData, hSbrDec->savedStates = 0; - if (flags & SBRDEC_USAC_HARMONICSBR) { + if ((flags & SBRDEC_USAC_HARMONICSBR) && applySbrProc) { sbrError = QmfTransposerReInit(hSbrDec->hHBE, hHeaderData->freqBandData.freqBandTable, hHeaderData->freqBandData.nSfb); diff --git a/libSBRdec/src/sbrdecoder.cpp b/libSBRdec/src/sbrdecoder.cpp index e2455da..f40639b 100644 --- a/libSBRdec/src/sbrdecoder.cpp +++ b/libSBRdec/src/sbrdecoder.cpp 
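Review bot: The new `FDK_ASSERT(...)` on `hQmfTransposer->startBand` in QmfTransposerReInit() is the only bound enforced at this point, and an assertion gives no protection in builds where `FDK_ASSERT` expands to nothing (its definition is outside this diff). Since the function already returns `SBR_ERROR`, a real check is cheap: `if (hQmfTransposer->startBand > (hQmfTransposer->bSbr41 ? 16 : 32)) return SBRDEC_UNSUPPORTED_CONFIG;`. The comment that resetFreqBandTables() is expected to guarantee the bound is still worth keeping beside it. The function body continues outside the hunk.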
@@ -1677,6 +1677,9 @@ static SBR_ERROR sbrDecoder_DecodeElement( /* reset */ if (hSbrHeader->status & SBRDEC_HDR_STAT_RESET) { int ch; + int applySbrProc = (hSbrHeader->syncState == SBR_ACTIVE || + (hSbrHeader->frameErrorFlag == 0 && + hSbrHeader->syncState == SBR_HEADER)); for (ch = 0; ch < numElementChannels; ch++) { SBR_ERROR errorStatusTmp = SBRDEC_OK; @@ -1688,7 +1691,9 @@ static SBR_ERROR sbrDecoder_DecodeElement( hSbrHeader->syncState = UPSAMPLING; } } - hSbrHeader->status &= ~SBRDEC_HDR_STAT_RESET; + if (applySbrProc) { + hSbrHeader->status &= ~SBRDEC_HDR_STAT_RESET; + } } /* decoding */ -- cgit v1.2.3 From 0cebd077b61cc0946ea4062bf816defdffaef72b Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Fri, 19 Oct 2018 16:41:27 +0200 Subject: Apply sbrDecoder_Parse() function for all explict SBR elements Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: I97471c4db309307a21100f1d5d88d3c4e24d2670 --- libAACdec/src/aacdecoder.cpp | 20 ++++++++++++-------- libSBRdec/src/sbrdecoder.cpp | 5 +++++ 2 files changed, 17 insertions(+), 8 deletions(-) (limited to 'libSBRdec/src') diff --git a/libAACdec/src/aacdecoder.cpp b/libAACdec/src/aacdecoder.cpp index c2ddc48..a529389 100644 --- a/libAACdec/src/aacdecoder.cpp +++ b/libAACdec/src/aacdecoder.cpp @@ -1111,12 +1111,13 @@ static AAC_DECODER_ERROR aacDecoder_ParseExplicitMpsAndSbr( /* get the remaining bits of this frame */ bitCnt = transportDec_GetAuBitsRemaining(self->hInput, 0); - if ((bitCnt > 0) && (self->flags[0] & AC_SBR_PRESENT) && + if ((self->flags[0] & AC_SBR_PRESENT) && (self->flags[0] & (AC_USAC | AC_RSVD50 | AC_ELD | AC_DRM))) { SBR_ERROR err = SBRDEC_OK; int chElIdx, numChElements = el_cnt[ID_SCE] + el_cnt[ID_CPE] + el_cnt[ID_LFE] + el_cnt[ID_USAC_SCE] + el_cnt[ID_USAC_CPE] + el_cnt[ID_USAC_LFE]; + INT bitCntTmp = bitCnt; if (self->flags[0] & AC_USAC) { chElIdx = numChElements - 1; 
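Review bot: `applySbrProc` in sbrDecoder_DecodeElement() is evaluated before the per-channel loop, but the loop's error path sets `hSbrHeader->syncState = UPSAMPLING`, so the later `if (applySbrProc)` (hunk at -1688) decides on the state before the reset rather than the state the header ends up in. If that is intended, say so with a comment above the new condition, e.g. `/* keep the reset pending until SBR processing is actually applied */`. Otherwise recompute the condition after the loop. The function continues outside both hunks.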
@@ -1126,6 +1127,7 @@ static AAC_DECODER_ERROR aacDecoder_ParseExplicitMpsAndSbr( for (; chElIdx < numChElements; chElIdx += 1) { MP4_ELEMENT_ID sbrType; + SBR_ERROR errTmp; if (self->flags[0] & (AC_USAC)) { FDK_ASSERT((self->elements[element_index] == ID_USAC_SCE) || (self->elements[element_index] == ID_USAC_CPE)); @@ -1135,19 +1137,21 @@ static AAC_DECODER_ERROR aacDecoder_ParseExplicitMpsAndSbr( : ID_SCE; } else sbrType = self->elements[chElIdx]; - err = sbrDecoder_Parse(self->hSbrDecoder, bs, self->pDrmBsBuffer, - self->drmBsBufferSize, &bitCnt, -1, - self->flags[0] & AC_SBRCRC, sbrType, chElIdx, - self->flags[0], self->elFlags); - if (err != SBRDEC_OK) { - break; + errTmp = sbrDecoder_Parse(self->hSbrDecoder, bs, self->pDrmBsBuffer, + self->drmBsBufferSize, &bitCnt, -1, + self->flags[0] & AC_SBRCRC, sbrType, chElIdx, + self->flags[0], self->elFlags); + if (errTmp != SBRDEC_OK) { + err = errTmp; + bitCntTmp = bitCnt; + bitCnt = 0; } } switch (err) { case SBRDEC_PARSE_ERROR: /* Can not go on parsing because we do not know the length of the SBR extension data. */ - FDKpushFor(bs, bitCnt); + FDKpushFor(bs, bitCntTmp); bitCnt = 0; break; case SBRDEC_OK: diff --git a/libSBRdec/src/sbrdecoder.cpp b/libSBRdec/src/sbrdecoder.cpp index f40639b..4bc6f69 100644 --- a/libSBRdec/src/sbrdecoder.cpp +++ b/libSBRdec/src/sbrdecoder.cpp @@ -1150,6 +1150,11 @@ SBR_ERROR sbrDecoder_Parse(HANDLE_SBRDECODER self, HANDLE_FDK_BITSTREAM hBs, int lastSlot, lastHdrSlot = 0, thisHdrSlot = 0; + if (*count <= 0) { + setFrameErrorFlag(self->pSbrElement[elementIndex], FRAME_ERROR); + return SBRDEC_OK; + } + /* SBR sanity checks */ if (self == NULL) { errorStatus = SBRDEC_NOT_INITIALIZED; -- cgit v1.2.3 From 5cb1030d72e37faa9216d7d7b30f1a7d4f851f79 Mon Sep 17 00:00:00 2001 
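Review bot: The rewritten error branch in the element loop of aacDecoder_ParseExplicitMpsAndSbr() needs a comment, because two things it relies on are not obvious from the code. Setting `bitCnt = 0` is what routes the remaining elements through the new `*count <= 0` early return in sbrDecoder_Parse() so that each gets its frame error flag, and `bitCntTmp` preserves the bit count for the later `FDKpushFor(bs, bitCntTmp)`. Something like `/* no payload left for the remaining elements; they are still parsed so each one is flagged as erroneous */` above `bitCnt = 0;` would do. `err` is now overwritten on every failure, and it only stays the first error because later calls return SBRDEC_OK via that early return, which ties this loop to the callee's behaviour.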
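Review bot: The new early return in sbrDecoder_Parse() dereferences `count`, `self` and `self->pSbrElement[elementIndex]` before the `/* SBR sanity checks */` block that tests `self == NULL` directly below it, so a NULL handle is dereferenced instead of yielding SBRDEC_NOT_INITIALIZED. Move the `if (*count <= 0) { ... }` block below the sanity checks. Whether `elementIndex` is range-checked there, whether `pSbrElement[elementIndex]` can be NULL, and whether setFrameErrorFlag() tolerates that are all outside this hunk and should be confirmed. The function continues outside the hunk.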
From: Fraunhofer IIS FDK Date: Fri, 19 Oct 2018 16:41:58 +0200 Subject: Reset all noisefloor levels in leanSbrConcealment() Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: I6d25e8c8844bdf8e15d1aab695cb5d19d6b232e2 --- libSBRdec/src/env_dec.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'libSBRdec/src') diff --git a/libSBRdec/src/env_dec.cpp b/libSBRdec/src/env_dec.cpp index 88c92cd..05accd1 100644 --- a/libSBRdec/src/env_dec.cpp +++ b/libSBRdec/src/env_dec.cpp @@ -435,8 +435,8 @@ static void leanSbrConcealment( /* Noisefloor levels are always cleared ... */ h_sbr_data->domain_vec_noise[0] = 1; - for (i = 0; i < hHeaderData->freqBandData.nNfb; i++) - h_sbr_data->sbrNoiseFloorLevel[i] = FL2FXCONST_SGL(0.0f); + FDKmemclear(h_sbr_data->sbrNoiseFloorLevel, + sizeof(h_sbr_data->sbrNoiseFloorLevel)); /* ... and so are the sines */ FDKmemclear(h_sbr_data->addHarmonics, -- cgit v1.2.3 From 82383e3212cb5ec84dd403a44ee4c01193961c8f Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Fri, 19 Oct 2018 16:42:30 +0200 Subject: Fix potential invalid memory access for concealment in decodeEnvelope() Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: I916a24c000ef792aa3d5befa02a6b6f673161844 --- libSBRdec/src/env_dec.cpp | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'libSBRdec/src') diff --git a/libSBRdec/src/env_dec.cpp b/libSBRdec/src/env_dec.cpp index 05accd1..95807c9 100644 --- a/libSBRdec/src/env_dec.cpp +++ b/libSBRdec/src/env_dec.cpp 
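Review bot: `sizeof(h_sbr_data->sbrNoiseFloorLevel)` clears the whole table only if `sbrNoiseFloorLevel` is an array member; its declaration is outside this diff, and with a pointer member the call would clear only pointer-sized bytes. The neighbouring `FDKmemclear(h_sbr_data->addHarmonics, ...)` suggests the array idiom is established here, so a one-line comment is enough, e.g. `/* clear the complete array, not only the first nNfb entries */`. leanSbrConcealment() continues outside the hunk.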
@@ -506,15 +506,20 @@ static void decodeEnvelope( */ for (i = 0; i < hHeaderData->freqBandData.nSfb[1]; i++) { /* Former Level-Channel will be used for both channels */ - if (h_prev_data->coupling == COUPLING_BAL) - h_prev_data->sfb_nrg_prev[i] = otherChannel->sfb_nrg_prev[i]; + if (h_prev_data->coupling == COUPLING_BAL) { + h_prev_data->sfb_nrg_prev[i] = + (otherChannel != NULL) ? otherChannel->sfb_nrg_prev[i] + : (FIXP_SGL)SBR_ENERGY_PAN_OFFSET; + } /* Former L/R will be combined as the new Level-Channel */ - else if (h_sbr_data->coupling == COUPLING_LEVEL) + else if (h_sbr_data->coupling == COUPLING_LEVEL && + otherChannel != NULL) { h_prev_data->sfb_nrg_prev[i] = (h_prev_data->sfb_nrg_prev[i] + otherChannel->sfb_nrg_prev[i]) >> 1; - else if (h_sbr_data->coupling == COUPLING_BAL) + } else if (h_sbr_data->coupling == COUPLING_BAL) { h_prev_data->sfb_nrg_prev[i] = (FIXP_SGL)SBR_ENERGY_PAN_OFFSET; + } } } } -- cgit v1.2.3 From 55d2c9582ad0698deb885440e0e5db48bdc1ed24 Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Fri, 19 Oct 2018 16:42:53 +0200 Subject: Extend PS concealment/error treatment Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: I19b87d33b1d0ed8b43b4ea57992f1c6df500d9f4 --- libSBRdec/src/psbitdec.cpp | 8 ++++++++ libSBRdec/src/psdec.h | 6 +++++- 2 files changed, 13 insertions(+), 1 deletion(-) (limited to 'libSBRdec/src') diff --git a/libSBRdec/src/psbitdec.cpp b/libSBRdec/src/psbitdec.cpp index f40a156..82bb65b 100644 --- a/libSBRdec/src/psbitdec.cpp +++ b/libSBRdec/src/psbitdec.cpp @@ -312,6 +312,7 @@ int DecodePs(struct PS_DEC *h_ps_d, /*!< PS handle */ if (pBsData->bEnableIid) { pBsData->bFineIidQ = h_ps_d->specificTo.mpeg.bPrevFrameFineIidQ; + pBsData->freqResIid = h_ps_d->specificTo.mpeg.prevFreqResIid; for (gr = 0; gr < NO_HI_RES_IID_BINS; gr++) { pBsData->aaIidIndex[pBsData->noEnv - 1][gr] = h_ps_d->specificTo.mpeg.aIidPrevFrameIndex[gr]; 
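Review bot: When `otherChannel` is NULL and `h_sbr_data->coupling == COUPLING_LEVEL`, the rewritten chain in decodeEnvelope() falls through every branch and leaves `h_prev_data->sfb_nrg_prev[i]` as it was, while the `COUPLING_BAL` case gets an explicit `SBR_ENERGY_PAN_OFFSET` fallback. That asymmetry is probably intended but is not stated; a comment on the `else if (... && otherChannel != NULL)` line, e.g. `/* without a second channel the previous level is kept unchanged */`, would make it reviewable. The NULL test is also loop-invariant and could be hoisted out of the `for`. The function continues outside the hunk.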
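Review bot: The concealment path in DecodePs() now copies `h_ps_d->specificTo.mpeg.prevFreqResIid` (and `prevFreqResIcc` in the hunk at -323) into `pBsData`, but the diff adds both fields to `struct PS_DEC` in psdec.h without showing where they are initialised. If the first frame after decoder creation or reset is concealed, the values restored are whatever the struct held at that point. Please confirm that the PS init/reset code zeroes the structure, or set the two fields there explicitly. DecodePs() continues outside the hunks.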
@@ -323,6 +324,7 @@ int DecodePs(struct PS_DEC *h_ps_d, /*!< PS handle */ } if (pBsData->bEnableIcc) { + pBsData->freqResIcc = h_ps_d->specificTo.mpeg.prevFreqResIcc; for (gr = 0; gr < NO_HI_RES_ICC_BINS; gr++) { pBsData->aaIccIndex[pBsData->noEnv - 1][gr] = h_ps_d->specificTo.mpeg.aIccPrevFrameIndex[gr]; @@ -337,6 +339,12 @@ int DecodePs(struct PS_DEC *h_ps_d, /*!< PS handle */ /* Update previous frame Iid quantization */ h_ps_d->specificTo.mpeg.bPrevFrameFineIidQ = pBsData->bFineIidQ; + /* Update previous frequency resolution for IID */ + h_ps_d->specificTo.mpeg.prevFreqResIid = pBsData->freqResIid; + + /* Update previous frequency resolution for ICC */ + h_ps_d->specificTo.mpeg.prevFreqResIcc = pBsData->freqResIcc; + /* Update previous frame index buffers */ for (gr = 0; gr < NO_HI_RES_IID_BINS; gr++) { h_ps_d->specificTo.mpeg.aIidPrevFrameIndex[gr] = diff --git a/libSBRdec/src/psdec.h b/libSBRdec/src/psdec.h index 6ae1473..029eac4 100644 --- a/libSBRdec/src/psdec.h +++ b/libSBRdec/src/psdec.h @@ -275,7 +275,11 @@ struct PS_DEC { SCHAR aIccPrevFrameIndex[NO_HI_RES_ICC_BINS]; /*!< The ICC index for previous frame */ UCHAR - bPrevFrameFineIidQ; /*!< The IID quantization of the previous frame */ + bPrevFrameFineIidQ; /*!< The IID quantization of the previous frame */ + UCHAR prevFreqResIid; /*!< Frequency resolution for IID of the previous + frame */ + UCHAR prevFreqResIcc; /*!< Frequency resolution for ICC of the previous + frame */ UCHAR lastUsb; /*!< uppermost WMF delay band of last frame */ FIXP_DBL pHybridAnaStatesLFdmx -- cgit v1.2.3