wrapper/libxaac-mirror
1
0
Fork 0
mirror of https://github.com/ittiam-systems/libxaac.git synced 2026-06-01 18:00:11 +07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix for integer-overflow in ixheaacd_apply_m2

Browse source 
Significance:
============
This change addresses a corner case arithmetic operations involving addition and subtraction.

Bug: ossFuzz: 471525114
Test: poc in bug
This commit is contained in:
Shashank Pathmudi 2026-01-07 17:41:01 +05:30 committed by Divya B M
parent 5998374757
commit ad3739b5be
1 changed files with 18 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

36
decoder/ixheaacd_mps_apply_m2.c
View file

@ -147,13 +147,13 @@ VOID ixheaacd_apply_m2(ia_heaac_mps_state_struct *pstr_mps_state) {
for (qs = 0; qs < hybrid_bands; qs++) {
temp_1 = ixheaacd_mps_mult32_shr_15(*w_dry_real, *rout_kernel_ptr);
w_dry_real++;
*hyb_output_real_dry = *hyb_output_real_dry + temp_1;
*hyb_output_real_dry = ixheaac_add32_sat(*hyb_output_real_dry, temp_1);
hyb_output_real_dry++;
temp_1 = ixheaacd_mps_mult32_shr_15(*w_dry_imag, *rout_kernel_ptr);
w_dry_imag++;
rout_kernel_ptr++;
*hyb_output_imag_dry = *hyb_output_imag_dry + temp_1;
*hyb_output_imag_dry = ixheaac_add32_sat(*hyb_output_imag_dry, temp_1);
hyb_output_imag_dry++;
}
p_buffer_re += MAX_HYBRID_BANDS;
@ -194,13 +194,13 @@ VOID ixheaacd_apply_m2(ia_heaac_mps_state_struct *pstr_mps_state) {
for (qs = 0; qs < index; qs++) {
temp_1 = ixheaacd_mps_mult32_shr_15(*w_dry_real, *rout_kernel_ptr);
w_dry_real++;
*hyb_output_real_dry = *hyb_output_real_dry + temp_1;
*hyb_output_real_dry = ixheaac_add32_sat(*hyb_output_real_dry, temp_1);
hyb_output_real_dry++;
temp_1 = ixheaacd_mps_mult32_shr_15(*w_dry_imag, *rout_kernel_ptr);
w_dry_imag++;
rout_kernel_ptr++;
*hyb_output_imag_dry = *hyb_output_imag_dry + temp_1;
*hyb_output_imag_dry = ixheaac_add32_sat(*hyb_output_imag_dry, temp_1);
hyb_output_imag_dry++;
}
rout_kernel_ptr += hybrid_bands - index;
@ -257,26 +257,26 @@ VOID ixheaacd_apply_m2(ia_heaac_mps_state_struct *pstr_mps_state) {
for (qs = 0; qs < 2; qs++) {
temp_1 = ixheaacd_mps_mult32_shr_15(*w_dry_imag, *rout_kernel_ptr);
w_dry_imag++;
*hyb_output_real_dry = *hyb_output_real_dry + temp_1;
*hyb_output_real_dry = ixheaac_add32_sat(*hyb_output_real_dry, temp_1);
hyb_output_real_dry++;
temp_1 = ixheaacd_mps_mult32_shr_15(*w_dry_real, *rout_kernel_ptr);
w_dry_real++;
rout_kernel_ptr++;
*hyb_output_imag_dry = *hyb_output_imag_dry - temp_1;
*hyb_output_imag_dry = ixheaac_sub32_sat(*hyb_output_imag_dry, temp_1);
hyb_output_imag_dry++;
}
for (; qs < hybrid_bands; qs++) {
temp_1 = ixheaacd_mps_mult32_shr_15(*w_dry_imag, *rout_kernel_ptr);
w_dry_imag++;
*hyb_output_real_dry = *hyb_output_real_dry - temp_1;
*hyb_output_real_dry = ixheaac_sub32_sat(*hyb_output_real_dry, temp_1);
hyb_output_real_dry++;
temp_1 = ixheaacd_mps_mult32_shr_15(*w_dry_real, *rout_kernel_ptr);
w_dry_real++;
rout_kernel_ptr++;
*hyb_output_imag_dry = *hyb_output_imag_dry + temp_1;
*hyb_output_imag_dry = ixheaac_add32_sat(*hyb_output_imag_dry, temp_1);
hyb_output_imag_dry++;
}
p_buffer_re += MAX_HYBRID_BANDS;
@ -316,26 +316,26 @@ VOID ixheaacd_apply_m2(ia_heaac_mps_state_struct *pstr_mps_state) {
for (qs = 0; qs < 2; qs++) {
temp_1 = ixheaacd_mps_mult32_shr_15(*w_dry_imag, *rout_kernel_ptr);
w_dry_imag++;
*hyb_output_real_dry = *hyb_output_real_dry + temp_1;
*hyb_output_real_dry = ixheaac_add32_sat(*hyb_output_real_dry, temp_1);
hyb_output_real_dry++;
temp_1 = ixheaacd_mps_mult32_shr_15(*w_dry_real, *rout_kernel_ptr);
w_dry_real++;
rout_kernel_ptr++;
*hyb_output_imag_dry = *hyb_output_imag_dry - temp_1;
*hyb_output_imag_dry = ixheaac_sub32_sat(*hyb_output_imag_dry, temp_1);
hyb_output_imag_dry++;
}
for (; qs < index; qs++) {
temp_1 = ixheaacd_mps_mult32_shr_15(*w_dry_imag, *rout_kernel_ptr);
w_dry_imag++;
*hyb_output_real_dry = *hyb_output_real_dry - temp_1;
*hyb_output_real_dry = ixheaac_sub32_sat(*hyb_output_real_dry, temp_1);
hyb_output_real_dry++;
temp_1 = ixheaacd_mps_mult32_shr_15(*w_dry_real, *rout_kernel_ptr);
w_dry_real++;
rout_kernel_ptr++;
*hyb_output_imag_dry = *hyb_output_imag_dry + temp_1;
*hyb_output_imag_dry = ixheaac_add32_sat(*hyb_output_imag_dry, temp_1);
hyb_output_imag_dry++;
}
rout_kernel_ptr += hybrid_bands - index;
@ -400,13 +400,13 @@ VOID ixheaacd_apply_m2(ia_heaac_mps_state_struct *pstr_mps_state) {
for (qs = 0; qs < hybrid_bands; qs++) {
temp_1 = ixheaacd_mps_mult32_shr_15(*w_wet_real, *rout_kernel_ptr);
w_wet_real++;
*hyb_output_real_wet = *hyb_output_real_wet + temp_1;
*hyb_output_real_wet = ixheaac_add32_sat(*hyb_output_real_wet, temp_1);
hyb_output_real_wet++;
temp_1 = ixheaacd_mps_mult32_shr_15(*w_wet_imag, *rout_kernel_ptr);
w_wet_imag++;
rout_kernel_ptr++;
*hyb_output_imag_wet = *hyb_output_imag_wet + temp_1;
*hyb_output_imag_wet = ixheaac_add32_sat(*hyb_output_imag_wet, temp_1);
hyb_output_imag_wet++;
}
p_buffer_re += MAX_HYBRID_BANDS;
@ -456,26 +456,26 @@ VOID ixheaacd_apply_m2(ia_heaac_mps_state_struct *pstr_mps_state) {
for (qs = 0; qs < 2; qs++) {
temp_1 = ixheaacd_mps_mult32_shr_15(*w_wet_imag, *rout_kernel_ptr);
w_wet_imag++;
*hyb_output_real_wet = *hyb_output_real_wet + temp_1;
*hyb_output_real_wet = ixheaac_add32_sat(*hyb_output_real_wet, temp_1);
hyb_output_real_wet++;
temp_1 = ixheaacd_mps_mult32_shr_15(*w_wet_real, *rout_kernel_ptr);
w_wet_real++;
rout_kernel_ptr++;
*hyb_output_imag_wet = *hyb_output_imag_wet - temp_1;
*hyb_output_imag_wet = ixheaac_sub32_sat(*hyb_output_imag_wet, temp_1);
hyb_output_imag_wet++;
}
for (; qs < hybrid_bands; qs++) {
temp_1 = ixheaacd_mps_mult32_shr_15(*w_wet_imag, *rout_kernel_ptr);
w_wet_imag++;
*hyb_output_real_wet = *hyb_output_real_wet - temp_1;
*hyb_output_real_wet = ixheaac_sub32_sat(*hyb_output_real_wet, temp_1);
hyb_output_real_wet++;
temp_1 = ixheaacd_mps_mult32_shr_15(*w_wet_real, *rout_kernel_ptr);
w_wet_real++;
rout_kernel_ptr++;
*hyb_output_imag_wet = *hyb_output_imag_wet + temp_1;
*hyb_output_imag_wet = ixheaac_add32_sat(*hyb_output_imag_wet, temp_1);
hyb_output_imag_wet++;
}
p_buffer_re += MAX_HYBRID_BANDS;