From a4d1f0ad52e2cf6f168d2193216602f52033fc27 Mon Sep 17 00:00:00 2001
From: Fraunhofer IIS FDK
Date: Wed, 23 May 2018 18:26:27 +0200
Subject: FDKv2 ubsan patches
Bug: 80053205
Test: see bug for repro with FB "wow" atest DecoderTestAacDrc
Fix signed integer overflows in CLpc_SynthesisLattice()
Change-Id: Icbddfcc8c5fc73382ae5bf8c2a7703802c688e06
Fix signed integer overflows in imlt
Change-Id: I687834fca2f1aab6210ed9862576b4f38fcdeb24
Fix overflow in addLowbandEnergies()
Change-Id: Iaa9fdf9deb49c33ec6ca7ed3081c4ddaa920e9aa
Concealment fix for audio frames containing acelp components
Change-Id: Ibe5e83a6efa75a48f729984a161a76b826878f4e
Fix out-of-bounds access in PS concealment
Change-Id: I08809a03a40d1feaf00e41278db314d67e1efe88
Fix potential memory leak in setup of qmf domain
Change-Id: Id9fc2448354dc7f1b439469128407305efa3def2
Reject channel config 13
Change-Id: Idf5236f6cd054df994e69c9c972c97f6768cf9e5
Fix unsigned integer overflow in configExtension()
Change-Id: I8a1668810b85e6237c3892891444ff08f04b019b
Fix unsigned integer overflow in CAacDecoder_DecodeFrame()
Change-Id: I79678c571690178e6c37680f70a9b94dd3cbc439
Fix unsigned integer overflow in aacDecoder_UpdateBitStreamCounters()
Change-Id: I3bff959da9f53fabb18cd0ae6c260e6256194526
Fix unsigned integer overflow in transportDec_readStream()
Change-Id: I6a6f9f4acaa32fae0b5de9641f8787bbc7f8286b
---
 libSBRenc/src/tran_det.cpp | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
(limited to 'libSBRenc/src')
diff --git a/libSBRenc/src/tran_det.cpp b/libSBRenc/src/tran_det.cpp
index b6f1b9f..3b6765a 100644
--- a/libSBRenc/src/tran_det.cpp
+++ b/libSBRenc/src/tran_det.cpp
@@ -269,23 +269,33 @@ static FIXP_DBL addLowbandEnergies(FIXP_DBL **Energies, int *scaleEnergies,
 FIXP_DBL accu1 = FL2FXCONST_DBL(0.0f);
 FIXP_DBL accu2 = FL2FXCONST_DBL(0.0f);
 int tran_offdiv2 = tran_off >> nrgSzShift;
+ const int sc1 =
+ DFRACT_BITS -
+ fNormz((FIXP_DBL)fMax(
+ 1, (freqBandTable[0] * (YBufferWriteOffset - tran_offdiv2) - 1)));
+ const int sc2 =
+ DFRACT_BITS -
+ fNormz((FIXP_DBL)fMax(
+ 1, (freqBandTable[0] *
+ (tran_offdiv2 + (slots >> nrgSzShift) - YBufferWriteOffset) -
+ 1)));
 int ts, k;
 /* Sum up lowband energy from one frame at offset tran_off */
 /* freqBandTable[LORES] has MAX_FREQ_COEFFS/2 +1 coeefs max. */
 for (ts = tran_offdiv2; ts < YBufferWriteOffset; ts++) {
 for (k = 0; k < freqBandTable[0]; k++) {
- accu1 += Energies[ts][k] >> 6;
+ accu1 += Energies[ts][k] >> sc1;
 }
 }
 for (; ts < tran_offdiv2 + (slots >> nrgSzShift); ts++) {
 for (k = 0; k < freqBandTable[0]; k++) {
- accu2 += Energies[ts][k] >> 9;
+ accu2 += Energies[ts][k] >> sc2;
 }
 }
- nrgTotal_m = fAddNorm(accu1, 1 - scaleEnergies[0], accu2,
- 4 - scaleEnergies[1], &nrgTotal_e);
+ nrgTotal_m = fAddNorm(accu1, (sc1 - 5) - scaleEnergies[0], accu2,
+ (sc2 - 5) - scaleEnergies[1], &nrgTotal_e);
 nrgTotal_m = scaleValueSaturate(nrgTotal_m, nrgTotal_e);
 return (nrgTotal_m);
-- cgit v1.2.3
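Review bot: The derivation of `sc1`/`sc2` and the `- 5` in `(sc1 - 5) - scaleEnergies[0]` and `(sc2 - 5) - scaleEnergies[1]` carry no comment, although together they are the whole overflow argument of this fix. Assuming `fNormz` returns the number of leading zero bits and `FIXP_DBL` is 32 bits wide, each shift is the bit length of (number of summed terms - 1), which keeps the accumulator in range, and `fMax(1, …)` keeps the shift at 1 when a loop range is empty or negative; when `tran_offdiv2` exceeds `YBufferWriteOffset` the term count behind `sc2` over-estimates the second loop, which costs precision but not safety. I would add above `sc1` a comment such as `/* headroom: bit length of (summed terms - 1), so accu1/accu2 cannot overflow */` and beside the `fAddNorm` call `/* -5 preserves the exponents of the former fixed shifts (6 -> 1, 9 -> 4) */`. The function's signature and opening lines are outside the hunk, so the types of `slots` and `nrgSzShift` cannot be checked here.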