Commit graph

8 commits

Author SHA1 Message Date
Sushanth Patil
ed03681d52 Fix for heap buffer overflow in read_bits_buf
In ixheaacd_arith_decode(), ixheaacd_read_bidireciton()
was being called even when bitbuffer was exhausted which
in turn made cnt_bits and bit_pos more and more negative
which overflowed eventually and resulted in heap buffer
overlow. We also observed the variable "cumulative"
value to be zero even after reaching the end of bitbuffer
and this in turn lead to an infinte for loop
"for (lev = esc_nb = 0;;)" in ixheaacd_arth_decoding_level2()
as "cumulative" value would not be updated after reaching
end of bitbuffer.
As a fix , we return whenever "cumulative" value remains
zero even after bitbuffer is exhausted.

And this patch adds a check for (cnt_bits < 0) in
ixheaacd_bitbuffer.c and removes bitbuffer wrap around
in ixheaacd_read_bidirection().

Added cnt_bits > 25 check in ixheaacd_read_bits_buf() &
ixheaacd_show_bits_buf() as these functions cannot handle
read of more than 25 bits at a time.

Bug:123976878
Test: poc
Change-Id: I4ec729fddb859ddd0add0045532e20fbfffd2e5c
2019-05-02 12:02:08 -07:00
Ramesh Katuri
2c9929c4a3 Fix for heap-buffer-overflow in ixheaacd_aac_showbits_32
Better feedback from a bit reading routine, allowing separate offset
adjustments into buffer.

Bug:117610057
Test: vendor+poc
Change-Id: I3031cc50a727987512e2b8979fe14cbe23778245
2019-02-22 18:28:54 -08:00
Ramesh Katuri
5017b03aeb Fix for crash in ixheaacd_ga_hdr_dec
Bug:117049088
Test: vendor
Change-Id: I2b64b5c60eaf037ab2ff23c9edef2ddd7064fb8e
2019-01-11 10:26:12 -08:00
TreeHugger Robot
c1c9021f5c Merge "Fix for heap buffer overflow in ixheaacd_aac_read_2bytes" 2019-01-07 17:49:02 +00:00
Ramesh Katuri
e988b01822 Bit buffer error handling using setjmp and longjmp
Bug: 112552816
Bug: 116774502
Bug: 117531281
Bug: 118145923
Bug: 120124041
Test: vendor
Change-Id: Ib11c82a8cf728c8a0a841b5fc0452daa1a5b37be
2019-01-02 14:08:58 -08:00
Ramesh Katuri
cb9230e387 Fix for heap buffer overflow in ixheaacd_aac_read_2bytes
Bug:116474108
Test: vendor
Change-Id: I150ac7ffc3d0b447fe09f8b95e51882c7a63f8a1
2018-10-01 16:07:01 -07:00
Ramesh Katuri
b25f096d7b Fix for heap buffer overflow in huff code reorder
For this stream, input size is very high that causes
huffman decoding to access beyond bit-buffer pointer
end limit due to no OOB access check. As a fix,added
this check in the bit read functionality.

Bug:112611181
Bug:113508101
Test: poc before/after
Change-Id: I4b7cc9624a388e8a20c7d4b11998dfed9c90d3f6
2018-09-18 13:05:13 -07:00
Ray Essick
48f5fd9660 Import xHE-AAC decoder from Ittiam
Clean copy of version XHEAAC_V1_36 as delivered 2018/4/13
Sole change is to map cr/lf line termination to unix lf.

Added appropriate LICENSE, MODULE_LICENSE_APACHE2, and NOTICE files
as part of folding into internal master.

Bug: 77287124
Test: CTS audio/media
Change-Id: I3c8d124033f967b29d6e384cce5c843ee17a7bb1
2018-05-04 11:48:02 -07:00