From ecb2ad9a7b72b9fe96720c59289e5ccd9bf0f433 Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Thu, 3 Aug 2017 12:51:43 +0300 Subject: Check that all channel mapping entries used are valid If channel numbers are changed on the fly (in invalid bitstreams), we can end up with a channel mapping with fewer channels mapped than we actually try to output. Ideally, this condition should probably be checked somewhere closer to where it enters such a state, not when using the channel mapping though. Fixes: 2808/clusterfuzz-testcase-minimized-4694952892170240 Fixes: 2275/clusterfuzz-testcase-minimized-6205444085252096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libSBRdec/src/sbrdecoder.cpp | 3 +++ 1 file changed, 3 insertions(+) (limited to 'libSBRdec') diff --git a/libSBRdec/src/sbrdecoder.cpp b/libSBRdec/src/sbrdecoder.cpp index f9ded54..766d7e9 100644 --- a/libSBRdec/src/sbrdecoder.cpp +++ b/libSBRdec/src/sbrdecoder.cpp @@ -1444,6 +1444,9 @@ sbrDecoder_DecodeElement ( self->flags |= (applyPs) ? SBRDEC_PS_DECODED : 0; } + if (channelMapping[0] == 255 || channelMapping[1] == 255) + return SBRDEC_UNSUPPORTED_CONFIG; + /* Set strides for reading and writing */ if (interleaved) { strideIn = numInChannels; -- cgit v1.2.3 From 393a86c0dbffdf741e44b84e6a88eb1c2138073d Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Tue, 15 Aug 2017 14:57:37 +0300 Subject: Check that pSettings is initialized Fixes: 2872/clusterfuzz-testcminimized-4529959869612032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libSBRdec/src/sbrdecoder.cpp | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'libSBRdec') diff --git a/libSBRdec/src/sbrdecoder.cpp b/libSBRdec/src/sbrdecoder.cpp index 766d7e9..7d9468c 100644 --- a/libSBRdec/src/sbrdecoder.cpp +++ b/libSBRdec/src/sbrdecoder.cpp @@ -1446,6 +1446,10 @@ sbrDecoder_DecodeElement ( if (channelMapping[0] == 255 || channelMapping[1] == 255) return SBRDEC_UNSUPPORTED_CONFIG; + if (!pSbrChannel[0]->SbrDec.LppTrans.pSettings) + return SBRDEC_UNSUPPORTED_CONFIG; + if (stereo && !pSbrChannel[1]->SbrDec.LppTrans.pSettings) + return SBRDEC_UNSUPPORTED_CONFIG; /* Set strides for reading and writing */ if (interleaved) { -- cgit v1.2.3 From cf697df5ad1495f167181dec0976ee228bec6378 Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Fri, 20 Oct 2017 16:05:02 +0300 Subject: Avoid reading out of bounds due to negative aaIccIndexMapped Fixes: 3452/clusterfuzz-testcase-4898065225875456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libSBRdec/src/psdec.cpp | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'libSBRdec') diff --git a/libSBRdec/src/psdec.cpp b/libSBRdec/src/psdec.cpp index 965917a..88a79a4 100644 --- a/libSBRdec/src/psdec.cpp +++ b/libSBRdec/src/psdec.cpp @@ -944,7 +944,7 @@ void initSlotBasedRotation( HANDLE_PS_DEC h_ps_d, /*!< pointer to the module sta FIXP_SGL invL; FIXP_DBL ScaleL, ScaleR; - FIXP_DBL Alpha, Beta; + FIXP_DBL Alpha, Beta, AlphasValue; FIXP_DBL h11r, h12r, h21r, h22r; const FIXP_DBL *PScaleFactors; @@ -1015,8 +1015,11 @@ void initSlotBasedRotation( HANDLE_PS_DEC h_ps_d, /*!< pointer to the module sta ScaleR = PScaleFactors[noIidSteps + h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin]]; ScaleL = PScaleFactors[noIidSteps - h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin]]; - Beta = fMult (fMult( Alphas[h_ps_d->specificTo.mpeg.coef.aaIccIndexMapped[env][bin]], ( ScaleR - ScaleL )), FIXP_SQRT05); - Alpha = Alphas[h_ps_d->specificTo.mpeg.coef.aaIccIndexMapped[env][bin]]>>1; + AlphasValue = 0; + if (h_ps_d->specificTo.mpeg.coef.aaIccIndexMapped[env][bin] >= 0) + AlphasValue = Alphas[h_ps_d->specificTo.mpeg.coef.aaIccIndexMapped[env][bin]]; + Beta = fMult (fMult( AlphasValue, ( ScaleR - ScaleL )), FIXP_SQRT05); + Alpha = AlphasValue>>1; /* Alpha and Beta are now both scaled by 2 shifts right */ -- cgit v1.2.3 From 56c717e223a161b11f523de97dae51c5cccd6b52 Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Mon, 20 Nov 2017 12:35:32 +0200 Subject: Avoid reading out of bounds due to too large aaIidIndexMapped Fixes: 4151/clusterfuzz-testcase-4854089193095168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libSBRdec/src/psdec.cpp | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'libSBRdec') diff --git a/libSBRdec/src/psdec.cpp b/libSBRdec/src/psdec.cpp index 88a79a4..1729f90 100644 --- a/libSBRdec/src/psdec.cpp +++ b/libSBRdec/src/psdec.cpp @@ -938,7 +938,7 @@ void initSlotBasedRotation( HANDLE_PS_DEC h_ps_d, /*!< pointer to the module sta INT group = 0; INT bin = 0; - INT noIidSteps; + INT noIidSteps, noFactors; /* const UCHAR *pQuantizedIIDs;*/ @@ -984,6 +984,7 @@ void initSlotBasedRotation( HANDLE_PS_DEC h_ps_d, /*!< pointer to the module sta { PScaleFactors = ScaleFactorsFine; /* values are shiftet right by one */ noIidSteps = NO_IID_STEPS_FINE; + noFactors = NO_IID_LEVELS_FINE; /*pQuantizedIIDs = quantizedIIDsFine;*/ } @@ -991,6 +992,7 @@ void initSlotBasedRotation( HANDLE_PS_DEC h_ps_d, /*!< pointer to the module sta { PScaleFactors = ScaleFactors; /* values are shiftet right by one */ noIidSteps = NO_IID_STEPS; + noFactors = NO_IID_LEVELS; /*pQuantizedIIDs = quantizedIIDs;*/ } @@ -1012,8 +1014,11 @@ void initSlotBasedRotation( HANDLE_PS_DEC h_ps_d, /*!< pointer to the module sta /* ScaleR and ScaleL are scaled by 1 shift right */ - ScaleR = PScaleFactors[noIidSteps + h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin]]; - ScaleL = PScaleFactors[noIidSteps - h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin]]; + ScaleL = ScaleR = 0; + if (noIidSteps + h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin] >= 0 && noIidSteps + h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin] < noFactors) + ScaleR = PScaleFactors[noIidSteps + h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin]]; + if (noIidSteps - h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin] >= 0 && noIidSteps - h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin] < noFactors) + ScaleL = PScaleFactors[noIidSteps - h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin]]; AlphasValue = 0; if (h_ps_d->specificTo.mpeg.coef.aaIccIndexMapped[env][bin] >= 0) -- cgit v1.2.3 From 89aeea5f292306c429550e4c9fe55d865c903600 Mon Sep 17 00:00:00 2001 From: ezicomezigo Date: Wed, 20 Dec 2017 18:25:56 +0900 Subject: Fix SBR multichannel noise for 5.1 ch, the channel elements are as follows: SCE - CPE - CPE - LFE and the channel-mapping table for 5.1 ch is : { 2, 0, 1, 4, 5, 3,255,255}, /* 5.1ch */ For the last LFE channel, sbr decoder returns error, SBRDEC_UNSUPPORTED_CONFIG; --- libSBRdec/src/sbrdecoder.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'libSBRdec') diff --git a/libSBRdec/src/sbrdecoder.cpp b/libSBRdec/src/sbrdecoder.cpp index 7d9468c..a341746 100644 --- a/libSBRdec/src/sbrdecoder.cpp +++ b/libSBRdec/src/sbrdecoder.cpp @@ -1444,7 +1444,7 @@ sbrDecoder_DecodeElement ( self->flags |= (applyPs) ? SBRDEC_PS_DECODED : 0; } - if (channelMapping[0] == 255 || channelMapping[1] == 255) + if (channelMapping[0] == 255 || ((*numOutChannels == 2) && channelMapping[1] == 255)) return SBRDEC_UNSUPPORTED_CONFIG; if (!pSbrChannel[0]->SbrDec.LppTrans.pSettings) return SBRDEC_UNSUPPORTED_CONFIG; -- cgit v1.2.3