From 2491a0748426913802d1240d907cb77c9ccb0091 Mon Sep 17 00:00:00 2001 From: Ramesh Katuri Date: Thu, 23 Aug 2018 12:24:35 +0530 Subject: [PATCH 01/35] Fix for out of bound write memory access in xheaac The maximum number of channels supported for usac profile in libxaac decoder is two only.Input streams of the below reported issues contain multi channel,because of multi channel the write offset is incremented by greater 2, which causes out of bound memory access while writing. Bug:112858010 Bug:112859113 Test: re-run POC Change-Id: Ide57cb8ee39d77d0f386298e899683d460a3c18b --- decoder/ixheaacd_cnst.h | 1 + decoder/ixheaacd_process.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/decoder/ixheaacd_cnst.h b/decoder/ixheaacd_cnst.h index b96422b..cee0a58 100644 --- a/decoder/ixheaacd_cnst.h +++ b/decoder/ixheaacd_cnst.h @@ -108,6 +108,7 @@ #define MAX_SHORT_WINDOWS 8 #define MAX_NUM_CHANNELS 6 +#define MAX_NUM_CHANNELS_USAC_LVL2 2 #define SFB_NUM_MAX ((NSFB_SHORT + 1) * MAX_SHORT_IN_LONG_BLOCK) diff --git a/decoder/ixheaacd_process.c b/decoder/ixheaacd_process.c index b87b61a..2347834 100644 --- a/decoder/ixheaacd_process.c +++ b/decoder/ixheaacd_process.c @@ -316,7 +316,7 @@ WORD32 ixheaacd_usac_process(ia_dec_data_struct *pstr_dec_data, nr_core_coder_channels = 1; core_data_extracting: - if (ch_offset >= MAX_NUM_CHANNELS) return -1; + if (ch_offset >= MAX_NUM_CHANNELS_USAC_LVL2) return -1; err = ixheaacd_core_coder_data(ele_id, pstr_usac_data, elem_idx, &ch_offset, it_bit_buff, nr_core_coder_channels); From 28a1411d7235c5ed0a8289f0e276a31ec669ae70 Mon Sep 17 00:00:00 2001 
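Review bot: The guard `if (ch_offset >= MAX_NUM_CHANNELS_USAC_LVL2) return -1;` only tests the starting offset, while the ixheaacd_core_coder_data() call right after it receives nr_core_coder_channels and, presumably, writes that many channels from ch_offset onward; with ch_offset == 1 and a two-channel element the write still reaches index 2. The context line `nr_core_coder_channels = 1;` shows the count is element-dependent, so the bound should cover the whole write: `if (ch_offset + nr_core_coder_channels > MAX_NUM_CHANNELS_USAC_LVL2) return -1;`. Returning a bare -1 here also hides the cause; a named error code, as the later patches in this series use, would be easier to act on. ixheaacd_usac_process continues outside the hunk.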
From: Ramesh Katuri Date: Thu, 23 Aug 2018 11:25:24 +0530 Subject: [PATCH 02/35] DO NOT MERGE Fix for stack-buffer-overflow in mps module While parsing the input stream in mps_pre_matrix function, there was an error.This error was not handled properly, because of which further values which are read from bit stream are getting wrong values. We use these value in iteration in ixheaacd_mps_getstridemap() which is causing stack-buffer-overflow Bug:112857941 Test: poc+ASAN Change-Id: I9549b06e0e4e362f517869aef75d579e3e4140a6 --- decoder/ixheaacd_mps_dec.c | 6 +++-- decoder/ixheaacd_mps_dec.h | 6 ++--- decoder/ixheaacd_mps_pre_mix.c | 45 +++++++++++++++++++++------------- 3 files changed, 35 insertions(+), 22 deletions(-) diff --git a/decoder/ixheaacd_mps_dec.c b/decoder/ixheaacd_mps_dec.c index 890ce15..3075c1b 100644 --- a/decoder/ixheaacd_mps_dec.c +++ b/decoder/ixheaacd_mps_dec.c @@ -308,11 +308,13 @@ WORD32 ixheaacd_mps_apply(ia_mps_dec_state_struct* self, ixheaacd_mps_pre_matrix_mix_matrix_smoothing(self); - ixheaacd_mps_apply_pre_matrix(self); + err = ixheaacd_mps_apply_pre_matrix(self); + if (err < 0) return err; ixheaacd_mps_create_w(self); - ixheaacd_mps_apply_mix_matrix(self); + err = ixheaacd_mps_apply_mix_matrix(self); + if (err < 0) return err; if (self->config->bs_temp_shape_config == 2) { ixheaacd_mps_time_env_shaping(self); diff --git a/decoder/ixheaacd_mps_dec.h b/decoder/ixheaacd_mps_dec.h index 3a13d65..9aaa64f 100644 --- a/decoder/ixheaacd_mps_dec.h +++ b/decoder/ixheaacd_mps_dec.h 
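Review bot: The new checks `if (err < 0) return err;` in ixheaacd_mps_apply rely on `err` already being declared and on the callees signalling failure only with negative values; the function head and the declaration of err are outside the hunk, so confirm both. ixheaacd_mps_upmix_interp in this same patch returns -1, so the test works today, but other parts of the decoder return positive codes (UNEXPECTED_ERROR, IA_ENHAACPLUS_DEC_INIT_FATAL_STREAM_CHAN_GT_MAX elsewhere in this series), and `if (err) return err;` would not silently drop such a code if one is ever propagated through these calls. The body of ixheaacd_mps_apply continues outside the hunk.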
@@ -339,8 +339,8 @@ typedef struct ia_mps_dec_state_struct { VOID ixheaacd_mps_init_pre_and_post_matrix(ia_mps_dec_state_struct *self); VOID ixheaacd_pre_and_mix_matrix_calculation(ia_mps_dec_state_struct *self); -VOID ixheaacd_mps_apply_pre_matrix(ia_mps_dec_state_struct *self); -VOID ixheaacd_mps_apply_mix_matrix(ia_mps_dec_state_struct *self); +WORD32 ixheaacd_mps_apply_pre_matrix(ia_mps_dec_state_struct *self); +WORD32 ixheaacd_mps_apply_mix_matrix(ia_mps_dec_state_struct *self); VOID ixheaacd_mps_config(ia_mps_dec_state_struct *self, WORD32 frame_len, WORD32 residual_coding, @@ -371,7 +371,7 @@ VOID ixheaacd_mps_par2umx_pred(ia_mps_dec_state_struct *self, WORD32 *h_real, WORD32 param_set_idx, WORD32 res_bands); -VOID ixheaacd_mps_upmix_interp( +WORD32 ixheaacd_mps_upmix_interp( WORD32 m_matrix[MAX_PARAMETER_SETS_MPS][MAX_PARAMETER_BANDS][MAX_M_OUTPUT] [MAX_M_INPUT], WORD32 r_matrix[MAX_TIME_SLOTS][MAX_PARAMETER_BANDS][MAX_M_OUTPUT] diff --git a/decoder/ixheaacd_mps_pre_mix.c b/decoder/ixheaacd_mps_pre_mix.c index 3c31a0b..5ea8910 100644 --- a/decoder/ixheaacd_mps_pre_mix.c +++ b/decoder/ixheaacd_mps_pre_mix.c @@ -348,15 +348,17 @@ VOID ixheaacd_mps_par2umx_pred(ia_mps_dec_state_struct *self, } } -VOID ixheaacd_mps_apply_pre_matrix(ia_mps_dec_state_struct *self) { +WORD32 ixheaacd_mps_apply_pre_matrix(ia_mps_dec_state_struct *self) { WORD32 ts, qs, row, col = 0; - - ixheaacd_mps_upmix_interp( + WORD32 err = 0; + err = ixheaacd_mps_upmix_interp( self->m1_param_re, self->r_out_re_scratch_m1, self->m1_param_re_prev, (self->dir_sig_count + self->decor_sig_count), 1, self); - ixheaacd_mps_upmix_interp( + if (err < 0) return err; + err = ixheaacd_mps_upmix_interp( self->m1_param_im, self->r_out_im_scratch_m1, self->m1_param_im_prev, (self->dir_sig_count + self->decor_sig_count), 1, self); + if (err < 0) return err; ixheaacd_fix_to_float_int( (WORD32 *)(self->r_out_re_scratch_m1), (FLOAT32 *)(self->r_out_re_in_m1), 
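Review bot: `WORD32 err = 0;` in ixheaacd_mps_apply_pre_matrix is immediately overwritten by `err = ixheaacd_mps_upmix_interp(`, so the initialiser is dead; declaring `WORD32 err = ixheaacd_mps_upmix_interp(` at the first call reads more directly and leaves no value that is never observed. The same pattern appears in the ixheaacd_mps_apply_mix_matrix hunk (@@ -417). The header hunk (@@ -339) changes the return type of both functions without saying what the value means; a comment on the prototypes such as `/* returns 0 on success, -1 when a parameter-slot span exceeds MAX_TIME_SLOTS */` would record the contract the callers now test. Both functions continue outside their hunks.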
@@ -417,19 +419,22 @@ VOID ixheaacd_mps_apply_pre_matrix(ia_mps_dec_state_struct *self) { } } } + return 0; } -VOID ixheaacd_mps_apply_mix_matrix(ia_mps_dec_state_struct *self) { +WORD32 ixheaacd_mps_apply_mix_matrix(ia_mps_dec_state_struct *self) { WORD32 ts, qs, row, col; WORD32 complex_m2 = ((self->config->bs_phase_coding != 0)); WORD32 phase_interpolation = (self->config->bs_phase_coding == 1); - - ixheaacd_mps_upmix_interp( + WORD32 err = 0; + err = ixheaacd_mps_upmix_interp( self->m2_decor_re, self->r_diff_out_re_fix_in_m2, self->m2_decor_re_prev, self->out_ch_count, (self->dir_sig_count + self->decor_sig_count), self); - ixheaacd_mps_upmix_interp( + if (err < 0) return err; + err = ixheaacd_mps_upmix_interp( self->m2_resid_re, self->r_out_re_fix_in_m2, self->m2_resid_re_prev, self->out_ch_count, (self->dir_sig_count + self->decor_sig_count), self); + if (err < 0) return err; ixheaacd_fix_to_float_int( (WORD32 *)self->r_out_re_fix_in_m2, (FLOAT32 *)self->r_out_re_in_m2, MAX_TIME_SLOTS * MAX_PARAMETER_BANDS * MAX_M_OUTPUT * MAX_M_INPUT, 
@@ -441,14 +446,16 @@ VOID ixheaacd_mps_apply_mix_matrix(ia_mps_dec_state_struct *self) { 268435456); if (complex_m2 && !phase_interpolation) { - ixheaacd_mps_upmix_interp(self->m2_decor_im, self->r_diff_out_im_fix_in_m2, - self->m2_decor_im_prev, self->out_ch_count, - (self->dir_sig_count + self->decor_sig_count), - self); - ixheaacd_mps_upmix_interp(self->m2_resid_im, self->r_out_im_fix_in_m2, - self->m2_resid_im_prev, self->out_ch_count, - (self->dir_sig_count + self->decor_sig_count), - self); + err = ixheaacd_mps_upmix_interp( + self->m2_decor_im, self->r_diff_out_im_fix_in_m2, + self->m2_decor_im_prev, self->out_ch_count, + (self->dir_sig_count + self->decor_sig_count), self); + if (err < 0) return err; + err = ixheaacd_mps_upmix_interp( + self->m2_resid_im, self->r_out_im_fix_in_m2, self->m2_resid_im_prev, + self->out_ch_count, (self->dir_sig_count + self->decor_sig_count), + self); + if (err < 0) return err; ixheaacd_fix_to_float_int( (WORD32 *)self->r_diff_out_im_fix_in_m2, (FLOAT32 *)self->r_out_diff_im_in_m2, @@ -569,6 +576,7 @@ VOID ixheaacd_mps_apply_mix_matrix(ia_mps_dec_state_struct *self) { } } } + return 0; } static PLATFORM_INLINE WORD32 ixheaacd_mult32_shl2(WORD32 a, WORD32 b) { @@ -581,7 +589,7 @@ static PLATFORM_INLINE WORD32 ixheaacd_mult32_shl2(WORD32 a, WORD32 b) { return (result); } -VOID ixheaacd_mps_upmix_interp( +WORD32 ixheaacd_mps_upmix_interp( WORD32 m_matrix[MAX_PARAMETER_SETS_MPS][MAX_PARAMETER_BANDS][MAX_M_OUTPUT] [MAX_M_INPUT], WORD32 r_matrix[MAX_TIME_SLOTS][MAX_PARAMETER_BANDS][MAX_M_OUTPUT] @@ -595,6 +603,7 @@ VOID ixheaacd_mps_upmix_interp( for (col = 0; col < num_cols; col++) { ps = 0; ts = 0; + if (MAX_TIME_SLOTS < (self->param_slot_diff[0])) return -1; for (i = 1; i <= (WORD32)self->param_slot_diff[0]; i++) { WORD32 alpha = i * self->inv_param_slot_diff_Q30[ps]; WORD32 one_minus_alpha = 1073741824 - alpha; 
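Review bot: The new check `if (MAX_TIME_SLOTS < (self->param_slot_diff[0])) return -1;` in ixheaacd_mps_upmix_interp sits inside the `for (col ...)` loop although it depends on no loop variable, so it is re-evaluated on every column; hoist it above the loops so the function rejects the frame before any interpolation work is done. The second check in the @@ -606 hunk, `if (MAX_TIME_SLOTS < (ts + self->param_slot_diff[ps])) return -1;`, is per parameter set but could likewise be computed once by summing param_slot_diff over num_parameter_sets before the loops. The cast `(WORD32)self->param_slot_diff[0]` on the loop bound suggests param_slot_diff is not a WORD32; if it is unsigned the comparison is still safe because MAX_TIME_SLOTS is non-negative, but a comment saying so would spare the next reader the check. The function head and the loops enclosing this hunk are outside it.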
@@ -606,6 +615,7 @@ VOID ixheaacd_mps_upmix_interp( } for (ps = 1; ps < self->num_parameter_sets; ps++) { + if (MAX_TIME_SLOTS < (ts + self->param_slot_diff[ps])) return -1; for (i = 1; i <= (WORD32)self->param_slot_diff[ps]; i++) { WORD32 alpha = i * self->inv_param_slot_diff_Q30[ps]; WORD32 one_minus_alpha = 1073741824 - alpha; @@ -619,6 +629,7 @@ VOID ixheaacd_mps_upmix_interp( } } } + return 0; } static FLOAT32 ixheaacd_mps_angle_interpolation(FLOAT32 angle1, FLOAT32 angle2, From 4878ef09c7db2b2d96505c285b5ca96920b8f312 Mon Sep 17 00:00:00 2001 From: Ramesh Katuri Date: Thu, 30 Aug 2018 14:58:47 +0530 Subject: [PATCH 03/35] Fix for heap buffer overflow in xaac decoder init Number of elements allowed in usac profile are 16. Erroneous input stream in this use case has 63336 elements.We have an error check for this max number of elements while parsing the decoder configuration.This returned error code was not handled properly. Maximum 16 config elements can be used while codec creation,because of number of elements values is coming as 63336, during creation time OOB read is happening. Bug:112766520 Bug:112857468 Bug:112913145 Bug:112918261 Test: re-ran poc Change-Id: If9413546371f72a6896f5c7e7d22a314e484cf76 --- decoder/ixheaacd_headerdecode.c | 2 +- decoder/ixheaacd_init_config.c | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/decoder/ixheaacd_headerdecode.c b/decoder/ixheaacd_headerdecode.c index f68ce5f..c28833e 100644 --- a/decoder/ixheaacd_headerdecode.c +++ b/decoder/ixheaacd_headerdecode.c @@ -606,7 +606,7 @@ WORD32 ixheaacd_ga_hdr_dec(ia_aac_dec_state_struct *aac_state_struct, err = ixheaacd_config(it_bit_buff, &(pstr_audio_specific_config->str_usac_config), &(pstr_audio_specific_config->channel_configuration)); - if (err != 0) return -1; + if (err != 0) return err; if (pstr_audio_specific_config->audio_object_type == AOT_USAC) { pstr_audio_specific_config->sbr_present_flag = 1; 
diff --git a/decoder/ixheaacd_init_config.c b/decoder/ixheaacd_init_config.c index 0fe2fa7..d7650fc 100644 --- a/decoder/ixheaacd_init_config.c +++ b/decoder/ixheaacd_init_config.c @@ -63,6 +63,8 @@ #include "ixheaacd_struct.h" #include "ixheaacd_constants.h" +#include "ixheaacd_error_codes.h" + UWORD32 ixheaacd_sbr_ratio(UWORD32 core_sbr_framelength_idx) { UWORD32 sbr_ratio_index = 0x0FF; @@ -517,7 +519,7 @@ WORD32 ixheaacd_config(ia_bit_buf_struct *it_bit_buff, (UWORD32 *)(&(pstr_usac_conf->num_out_channels)), 5, 8, 16); if (BS_MAX_NUM_OUT_CHANNELS < pstr_usac_conf->num_out_channels) { - return -1; + return IA_ENHAACPLUS_DEC_INIT_FATAL_STREAM_CHAN_GT_MAX; } for (i = 0; i < pstr_usac_conf->num_out_channels; i++) pstr_usac_conf->output_channel_pos[i] = From b5597cea85fa41525c99ac68017d94226a2c897f Mon Sep 17 00:00:00 2001 From: Ramesh Katuri Date: Thu, 23 Aug 2018 16:04:03 +0530 Subject: [PATCH 04/35] Fix for NPD in case of single coupling channel element. Reason for crash: For the below reported issues input stream has only one coupling channel element. As per the specification coupling channel element should be associated with at least one main channel element. We have different output buffers for main channel and coupling channel. In this error case the coupling channel output buffer is not getting updated because there is no main channel, so main decode is called with output buffer pointing to NULL. This is the reason for all the issues listed below. Bug:112551721 Bug:112704700 Bug:112706520 Bug:112710190 Bug:112712274 Bug:112717301 Test: re-run poc Change-Id: Ife593ca4ae21f05555b6a89092ff76b974e28a67 --- decoder/ixheaacd_api.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/decoder/ixheaacd_api.c b/decoder/ixheaacd_api.c index afc4510..d77627f 100644 --- a/decoder/ixheaacd_api.c +++ b/decoder/ixheaacd_api.c 
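Review bot: The commit message describes an unchecked element count (63336 elements against a limit of 16), but the @@ -517 hunk only changes the return value of the num_out_channels test against BS_MAX_NUM_OUT_CHANNELS; if the element-count check elsewhere in ixheaacd_config still returns a bare -1, it should likewise return a named code from ixheaacd_error_codes.h so that the caller's `if (err != 0) return err;` (ixheaacd_headerdecode.c hunk) surfaces a meaningful error. A one-line comment above the new return, e.g. `/* more output channels than the decoder allocates for; fatal, propagated by ixheaacd_ga_hdr_dec */`, would tie the code to the allocation it protects. ixheaacd_config continues outside the hunk.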
@@ -2424,7 +2424,11 @@ IA_ERRORCODE ixheaacd_dec_execute( (WORD8 *)p_state_enhaacplus_dec->aac_scratch_mem_v + (8 * 1024) + pers_used; } - actual_out_buffer = p_state_enhaacplus_dec->coup_ch_output; + if (p_obj_exhaacplus_dec->aac_config.element_type[1] < 3 && + p_obj_exhaacplus_dec->aac_config.element_type[1] > 0 && + p_obj_exhaacplus_dec->aac_config.ui_max_channels > 2) { + actual_out_buffer = p_state_enhaacplus_dec->coup_ch_output; + } ch_fac = 1; slot_ele = 0; } From 61a09f1063237a23127874bf27d5a72f1d03d3fe Mon Sep 17 00:00:00 2001 From: Ramesh Katuri Date: Thu, 30 Aug 2018 18:53:58 +0530 Subject: [PATCH 05/35] Fix for global buffer overflow in scale factor processing Number of envelopes is equal to 2^n, where n obtained by reading 2 bits from bit stream,so maximum value for number of envelopes is 8. Time slot array table is accessed using number of envelopes. The Minimum and Maximum values are 0 and 6,based on these values the table is modified. Bug:112765917 Test: re-run poc Change-Id: I42a44fc2376536d5119a8290a14726c9c5badd19 --- decoder/ixheaacd_env_extr.c | 8 +------- decoder/ixheaacd_sbr_const.h | 2 +- 2 files changed, 2 insertions(+), 8 deletions(-) diff --git a/decoder/ixheaacd_env_extr.c b/decoder/ixheaacd_env_extr.c index 67f3499..4224d9f 100644 --- a/decoder/ixheaacd_env_extr.c +++ b/decoder/ixheaacd_env_extr.c @@ -1328,8 +1328,7 @@ int ixheaacd_extract_frame_info_ld( WORD16 time_border[MAX_ENVELOPES + 1]; WORD16 time_border_noise[2 + 1]; WORD16 f[MAX_ENVELOPES + 1]; - int rel_bord_lead[3]; - int rel_bord_trail[3] = {0}; + int rel_bord_lead[7] ={0}; ia_frame_info_struct *v_frame_info = &h_frame_data->str_frame_info_details; 
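Review bot: The new condition `element_type[1] < 3 && element_type[1] > 0 && ui_max_channels > 2` encodes the element types that may own coup_ch_output as bare integers and a fixed index of 1, and nothing in the hunk says which types 1 and 2 are, so a reader cannot tell whether the range is intended or off by one. Either use the element identifiers the decoder already has (the ixheaacd_aacdecoder.c hunks in this series compare `ele_type` against ID_FIL) or add a comment such as `/* element 1 is one of the two element types that pair with a coupling channel, and the stream has more than two channels */`, confirmed against the element enumeration. When the condition is false actual_out_buffer keeps its earlier value, which is what the fix relies on; confirm that value is always a valid main-channel buffer at this point, since the function head is outside the hunk.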
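Review bot: `int rel_bord_lead[7] ={0};` hard-codes the same bound that the ixheaacd_sbr_const.h hunk spells out again as `ixheaacd_ld_env_table_time_slot[7]`, while the neighbouring declarations size their arrays from MAX_ENVELOPES; if MAX_ENVELOPES is 8 as the commit message implies, `int rel_bord_lead[MAX_ENVELOPES] = {0};` (or one shared macro used in both files) keeps the two in step and fixes the spacing. With the trailing-border loop removed in the @@ -1382 hunk, abs_bord_trail may now be unused in that switch case; check for a compiler warning. ixheaacd_extract_frame_info_ld continues outside both hunks.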
@@ -1382,11 +1381,6 @@ int ixheaacd_extract_frame_info_ld( time_border[env] = abs_bord_lead; for (k = 0; k <= env - 1; k++) time_border[env] += rel_bord_lead[k]; } - for (env = num_rel_lead + 1; env < bs_num_env; env++) { - time_border[env] = abs_bord_trail; - for (k = 0; k <= bs_num_env - env - 1; k++) - time_border[env] -= rel_bord_trail[k]; - } break; case LD_TRAN: diff --git a/decoder/ixheaacd_sbr_const.h b/decoder/ixheaacd_sbr_const.h index 10b0959..c75fa0c 100644 --- a/decoder/ixheaacd_sbr_const.h +++ b/decoder/ixheaacd_sbr_const.h @@ -223,7 +223,7 @@ static const int ixheaacd_ld_env_table_480[15][4] = { {2, 12, -1, 1}, {2, 13, -1, 1}, {2, 14, -1, 1}, }; -static const int ixheaacd_ld_env_table_time_slot[4] = {8, 5, 0, 0}; +static const int ixheaacd_ld_env_table_time_slot[7] = {8, 5, 0, 0, 0, 0, 0}; #define SBR_CLA_BITS 2 #define SBR_ABS_BITS 2 From b0768b05646cbdb34d0c62ab9657d43ed148eb4b Mon Sep 17 00:00:00 2001 From: Ramesh Katuri Date: Fri, 31 Aug 2018 16:35:41 +0530 Subject: [PATCH 06/35] Fix for crc related issues Maximum crc registers allowed is 7. Crc registers are accessed and updated inside the function ixheaacd_adts_crc_start_reg(). Check has been added before the function call so that if the register value is less than 7 then only the function gets called. Bug:112551726 Bug:112551874 Bug:112609715 Bug:112713720 Bug:112715795 Bug:113261928 Test: poc Change-Id: I3935546b8fb3dc5c82bee16639df771349e6d2b6 (cherry picked from commit 55c1da8c375fb236f669a20c17ac9faf8e14fb07) --- decoder/ixheaacd_aacdecoder.c | 9 ++++++--- decoder/ixheaacd_channel.c | 3 ++- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/decoder/ixheaacd_aacdecoder.c b/decoder/ixheaacd_aacdecoder.c index 8af03ee..d47c244 100644 --- a/decoder/ixheaacd_aacdecoder.c +++ b/decoder/ixheaacd_aacdecoder.c 
@@ -347,7 +347,8 @@ WORD32 ixheaacd_aacdec_decodeframe( prev_data_ele_present = 1; - if (ptr_adts_crc_info->crc_active == 1) { + if (ptr_adts_crc_info->crc_active == 1 && + ptr_adts_crc_info->no_reg < 7) { crc_reg = ixheaacd_adts_crc_start_reg( ptr_adts_crc_info, it_bit_buff, CRC_ADTS_RAW_DATA_BLK_LEN); } @@ -485,7 +486,8 @@ WORD32 ixheaacd_aacdec_decodeframe( { WORD32 flag = 1; - if ((ele_type != ID_FIL) && (ptr_adts_crc_info->crc_active == 1)) { + if ((ele_type != ID_FIL) && (ptr_adts_crc_info->crc_active == 1) && + (ptr_adts_crc_info->no_reg < 7)) { crc_reg = ixheaacd_adts_crc_start_reg(ptr_adts_crc_info, it_bit_buff, 0); } @@ -586,7 +588,8 @@ WORD32 ixheaacd_aacdec_decodeframe( prev_data_ele_present = 1; - if (ptr_adts_crc_info->crc_active == 1) { + if ((ptr_adts_crc_info->crc_active == 1) && + (ptr_adts_crc_info->no_reg < 7)) { crc_reg = ixheaacd_adts_crc_start_reg( ptr_adts_crc_info, it_bit_buff, CRC_ADTS_RAW_DATA_BLK_LEN); } diff --git a/decoder/ixheaacd_channel.c b/decoder/ixheaacd_channel.c index efe1cf7..83803de 100644 --- a/decoder/ixheaacd_channel.c +++ b/decoder/ixheaacd_channel.c @@ -460,7 +460,8 @@ WORD16 ixheaacd_individual_ch_stream( ia_ics_info_struct *ptr_ics_info = &ptr_aac_dec_ch_info->str_ics_info; if (ch == 1) { - if (it_bit_buff->pstr_adts_crc_info->crc_active == 1) { + if (it_bit_buff->pstr_adts_crc_info->crc_active == 1 && + (it_bit_buff->pstr_adts_crc_info->no_reg < 7)) { crc_reg = ixheaacd_adts_crc_start_reg(it_bit_buff->pstr_adts_crc_info, it_bit_buff, CRC_ADTS_RAW_IIND_ICS); From 90b76d9431668877a2831c659f25e4b96a450031 Mon Sep 17 00:00:00 2001 From: Ramesh Katuri Date: Thu, 27 Sep 2018 17:07:15 +0530 Subject: [PATCH 07/35] Fix for OOB write in gain set param's parsing Check extracted size against array sizing before proceeding. Bug: 116715937 Test: poc Change-Id: Ic26b85683342fa5f508b66f4ad71badb06540f17 --- decoder/drc_src/impd_drc_static_payload.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
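Review bot: The literal 7 in `ptr_adts_crc_info->no_reg < 7` is repeated at four call sites (three in ixheaacd_aacdecoder.c, one in ixheaacd_channel.c) and nothing names it as the size of the CRC register table; a single macro defined next to the struct, with a comment `/* number of CRC registers the ADTS CRC state can hold */`, used in every test, or better a check inside ixheaacd_adts_crc_start_reg() itself so that any future caller is covered, would be safer than a guard per caller. When the guard is false crc_reg is left with its previous value; if it is later passed to the matching end-of-region call, confirm that value is one the end call treats as "no region", otherwise the skipped start is paired with a stale register. The enclosing functions continue outside the hunks.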
diff --git a/decoder/drc_src/impd_drc_static_payload.c b/decoder/drc_src/impd_drc_static_payload.c index 3f73f09..1bf677c 100644 --- a/decoder/drc_src/impd_drc_static_payload.c +++ b/decoder/drc_src/impd_drc_static_payload.c @@ -548,6 +548,10 @@ static WORD32 impd_parametic_drc_parse_coeff( str_drc_coeff_param_drc->reset_parametric_drc = (temp >> 6) & 1; str_drc_coeff_param_drc->parametric_drc_gain_set_count = temp & 0x3f; + if (str_drc_coeff_param_drc->parametric_drc_gain_set_count > + SEQUENCE_COUNT_MAX) + return (UNEXPECTED_ERROR); + for (i = 0; i < str_drc_coeff_param_drc->parametric_drc_gain_set_count; i++) { err = impd_parametric_drc_parse_gain_set_params( it_bit_buff, drc_config, @@ -2376,4 +2380,4 @@ impd_parse_loudness_info(ia_bit_buf_struct* it_bit_buff, WORD32 version, } return (0); -} \ No newline at end of file +} From d735e2e329ee61aeed9519f743bce45b20051f81 Mon Sep 17 00:00:00 2001 From: Ramesh Katuri Date: Thu, 27 Sep 2018 16:56:09 +0530 Subject: [PATCH 08/35] Fix for OOB write in parametric drc instruction parsing Bug: 116715245 Test: vendor Change-Id: I24c7ce7cd8c928d53a9914d116de4c6b408cfb09 --- decoder/drc_src/impd_drc_static_payload.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/decoder/drc_src/impd_drc_static_payload.c b/decoder/drc_src/impd_drc_static_payload.c index 1bf677c..fc0a9c9 100644 --- a/decoder/drc_src/impd_drc_static_payload.c +++ b/decoder/drc_src/impd_drc_static_payload.c @@ -914,6 +914,10 @@ impd_parse_drc_config_ext(ia_bit_buf_struct* it_bit_buff, str_drc_config_ext->parametric_drc_instructions_count = impd_read_bits_buf(it_bit_buff, 4); if (it_bit_buff->error) return it_bit_buff->error; + if (str_drc_config_ext->parametric_drc_instructions_count > + PARAM_DRC_INSTRUCTIONS_COUNT_MAX) + return (UNEXPECTED_ERROR); + for (i = 0; i < str_drc_config_ext->parametric_drc_instructions_count; i++) { err = impd_parse_parametric_drc_instructions( From df1030d8b9b3f9dd71a29fdfc6c23fffdaf3cdbc Mon Sep 17 00:00:00 2001 
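Review bot: The new bound `parametric_drc_gain_set_count > SEQUENCE_COUNT_MAX` protects the loop that follows, but the array it guards is not in the hunk and the macro name does not say it is sized for gain sets; confirm that the storage written by impd_parametric_drc_parse_gain_set_params is declared with SEQUENCE_COUNT_MAX entries, and prefer whatever macro that declaration uses. A short comment on the check, e.g. `/* 6-bit count; gain-set array holds SEQUENCE_COUNT_MAX entries */`, records why this is the right limit. impd_parametic_drc_parse_coeff continues outside the hunk.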
From: Ramesh Katuri Date: Thu, 27 Sep 2018 16:44:15 +0530 Subject: [PATCH 09/35] Fix of OOB write in drc downmix instruction count parsing Check bounds of parsed value. Bug: 116619387 Test: vendor Change-Id: Iada4937f7d99744594a1d457ae1bddefe961ba4f --- decoder/drc_src/impd_drc_static_payload.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/decoder/drc_src/impd_drc_static_payload.c b/decoder/drc_src/impd_drc_static_payload.c index 1bf677c..ea9e885 100644 --- a/decoder/drc_src/impd_drc_static_payload.c +++ b/decoder/drc_src/impd_drc_static_payload.c @@ -1124,6 +1124,9 @@ impd_parse_drc_config(ia_bit_buf_struct* it_bit_buff, if (it_bit_buff->error) return it_bit_buff->error; drc_config->dwnmix_instructions_count = (temp >> 1) & 0x7f; + if (drc_config->dwnmix_instructions_count > DOWNMIX_INSTRUCTION_COUNT_MAX) + return (UNEXPECTED_ERROR); + drc_config->drc_description_basic_present = temp & 1; if (drc_config->drc_description_basic_present == 1) { From 599ca4428a8a357f0b47116a710f474c5ec51356 Mon Sep 17 00:00:00 2001 From: Ramesh Katuri Date: Thu, 27 Sep 2018 16:23:14 +0530 Subject: [PATCH 10/35] Fix for OOB write in split drc characteristic parsing added bounds check on values parsed from input stream. Bug: 116619337 Test: vendor Change-Id: Ia938ce45cb0503c1ddcbeaa5d036c0f57521a38f --- decoder/drc_src/impd_drc_static_payload.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/decoder/drc_src/impd_drc_static_payload.c b/decoder/drc_src/impd_drc_static_payload.c index 1bf677c..d62db45 100644 --- a/decoder/drc_src/impd_drc_static_payload.c +++ b/decoder/drc_src/impd_drc_static_payload.c 
@@ -1696,6 +1696,11 @@ impd_drc_parse_coeff( str_p_loc_drc_coefficients_uni_drc->characteristic_left_count = impd_read_bits_buf(it_bit_buff, 4); if (it_bit_buff->error) return it_bit_buff->error; + + if (str_p_loc_drc_coefficients_uni_drc->characteristic_left_count > + SPLIT_CHARACTERISTIC_COUNT_MAX) + return (UNEXPECTED_ERROR); + for (i = 1; i <= str_p_loc_drc_coefficients_uni_drc->characteristic_left_count; i++) { @@ -1713,6 +1718,10 @@ impd_drc_parse_coeff( str_p_loc_drc_coefficients_uni_drc->characteristic_right_count = impd_read_bits_buf(it_bit_buff, 4); if (it_bit_buff->error) return it_bit_buff->error; + + if (str_p_loc_drc_coefficients_uni_drc->characteristic_right_count > + SPLIT_CHARACTERISTIC_COUNT_MAX) + return (UNEXPECTED_ERROR); for (i = 1; i <= str_p_loc_drc_coefficients_uni_drc->characteristic_right_count; i++) { From cd74db5553ba8c967309aa63830fdfed73236a83 Mon Sep 17 00:00:00 2001 From: Ramesh Katuri Date: Fri, 21 Sep 2018 17:58:03 +0530 Subject: [PATCH 11/35] Fix for OOB loudness eq instruction parsing Bounds checking on value parsed from input stream. Bug: 116020594 Test: vendor Change-Id: I915f36ca27b982c8f1b11a533969e40fbff3b765 --- decoder/drc_src/impd_drc_dynamic_payload.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/decoder/drc_src/impd_drc_dynamic_payload.c b/decoder/drc_src/impd_drc_dynamic_payload.c index 70fa829..6e6d6a4 100644 --- a/decoder/drc_src/impd_drc_dynamic_payload.c +++ b/decoder/drc_src/impd_drc_dynamic_payload.c @@ -1276,7 +1276,8 @@ WORD32 impd_parse_loud_eq_instructions( if (additional_eq_set_id_present) { additional_eq_set_id_cnt = impd_read_bits_buf(it_bit_buff, 6); if (it_bit_buff->error) return it_bit_buff->error; - + if (additional_eq_set_id_cnt >= EQ_SET_ID_COUNT_MAX) + return UNEXPECTED_ERROR; for (i = 0; i < additional_eq_set_id_cnt; i++) { loud_eq_instructions->eq_set_id[i + 1] = impd_read_bits_buf(it_bit_buff, 6); From 69a69acbc99226338f7c7cabce08bde9b2742bd7 Mon Sep 17 00:00:00 2001 
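Review bot: Both new checks in impd_drc_parse_coeff use `> SPLIT_CHARACTERISTIC_COUNT_MAX`, but the loops they protect run `for (i = 1; i <= ...count; i++)`, so a count equal to the maximum indexes element SPLIT_CHARACTERISTIC_COUNT_MAX; unless the characteristic arrays are declared with SPLIT_CHARACTERISTIC_COUNT_MAX + 1 entries (their declaration is outside the hunk), the tests should be `if (str_p_loc_drc_coefficients_uni_drc->characteristic_left_count >= SPLIT_CHARACTERISTIC_COUNT_MAX)` and likewise for characteristic_right_count. The loud-eq hunk in the next patch already uses `>=` for its one-past-zero `eq_set_id[i + 1]` write, so the two should agree. impd_drc_parse_coeff continues outside the hunks.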
From: Ramesh Katuri Date: Thu, 27 Sep 2018 15:46:40 +0530 Subject: [PATCH 12/35] Fix for OOB write in filter block parsing in drc Bug: 116467350 Bug: 116469592 Test: vendor Change-Id: I2f7bff1cec3d0d60e9d43217290392bf4e23d207 --- decoder/drc_src/impd_drc_dynamic_payload.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/decoder/drc_src/impd_drc_dynamic_payload.c b/decoder/drc_src/impd_drc_dynamic_payload.c index 70fa829..e8284e9 100644 --- a/decoder/drc_src/impd_drc_dynamic_payload.c +++ b/decoder/drc_src/impd_drc_dynamic_payload.c @@ -625,7 +625,8 @@ WORD32 impd_parse_filt_block(ia_bit_buf_struct* it_bit_buff, for (j = 0; j < block_count; j++) { str_filter_block->filter_element_count = impd_read_bits_buf(it_bit_buff, 6); if (it_bit_buff->error) return it_bit_buff->error; - + if (str_filter_block->filter_element_count > FILTER_ELEMENT_COUNT_MAX) + return UNEXPECTED_ERROR; str_filter_element = &str_filter_block->str_filter_element[0]; for (k = 0; k < str_filter_block->filter_element_count; k++) { temp = impd_read_bits_buf(it_bit_buff, 7); @@ -923,6 +924,10 @@ WORD32 impd_parse_eq_coefficients(ia_bit_buf_struct* it_bit_buff, str_eq_coeff->unique_filter_block_count = impd_read_bits_buf(it_bit_buff, 6); if (it_bit_buff->error) return it_bit_buff->error; + if (str_eq_coeff->unique_filter_block_count > FILTER_BLOCK_COUNT_MAX) { + return (UNEXPECTED_ERROR); + } + err = impd_parse_filt_block(it_bit_buff, &(str_eq_coeff->str_filter_block[0]), str_eq_coeff->unique_filter_block_count); if (err) return (err); From c90eeb6e6181e80e753692690176cf5ee2dbb38e Mon Sep 17 00:00:00 2001 From: Ramesh Katuri Date: Thu, 20 Sep 2018 19:12:27 +0530 Subject: [PATCH 13/35] Fix for heap buffer over flow in drc bit stream parsing Bound values that we parse from the input stream. Bug: 115375616 Test: vendor Change-Id: I357d8e19e377fbe5156e5a639ed9ab99cbfeed52 --- decoder/drc_src/impd_drc_dynamic_payload.c | 6 ++++++ 1 file changed, 6 insertions(+) 
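Review bot: The two new checks in this patch return the same code in two styles, `return UNEXPECTED_ERROR;` without braces in impd_parse_filt_block and `return (UNEXPECTED_ERROR);` inside braces in impd_parse_eq_coefficients; pick one form (the surrounding code already uses `if (err) return (err);`) so the bounds checks read as one pattern. In impd_parse_filt_block the outer `for (j = 0; j < block_count; j++)` still trusts block_count from the caller; the @@ -923 hunk now bounds unique_filter_block_count before passing it, which is the right place, but a comment on the parameter noting that callers must pre-check it against FILTER_BLOCK_COUNT_MAX would document that contract. Both functions continue outside the hunks.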
diff --git a/decoder/drc_src/impd_drc_dynamic_payload.c b/decoder/drc_src/impd_drc_dynamic_payload.c index 70fa829..e3846ff 100644 --- a/decoder/drc_src/impd_drc_dynamic_payload.c +++ b/decoder/drc_src/impd_drc_dynamic_payload.c @@ -587,6 +587,10 @@ WORD32 impd_parse_drc_ext_v1(ia_bit_buf_struct* it_bit_buff, if (str_drc_config_ext->loud_eq_instructions_flag == 1) { str_drc_config_ext->loud_eq_instructions_count = impd_read_bits_buf(it_bit_buff, 4); + if (str_drc_config_ext->loud_eq_instructions_count > + LOUD_EQ_INSTRUCTIONS_COUNT_MAX) + return UNEXPECTED_ERROR; + if (it_bit_buff->error) return it_bit_buff->error; for (i = 0; i < str_drc_config_ext->loud_eq_instructions_count; i++) { err = impd_parse_loud_eq_instructions( @@ -605,6 +609,8 @@ WORD32 impd_parse_drc_ext_v1(ia_bit_buf_struct* it_bit_buff, if (err) return (err); str_drc_config_ext->eq_instructions_count = impd_read_bits_buf(it_bit_buff, 4); + if (str_drc_config_ext->eq_instructions_count > EQ_INSTRUCTIONS_COUNT_MAX) + return UNEXPECTED_ERROR; if (it_bit_buff->error) return it_bit_buff->error; for (i = 0; i < str_drc_config_ext->eq_instructions_count; i++) { err = impd_parse_eq_instructions( From 17825d4a751010965140e3f2c9d478a223d5441f Mon Sep 17 00:00:00 2001 From: Ramesh Katuri Date: Fri, 21 Sep 2018 11:48:54 +0530 Subject: [PATCH 14/35] Fix for OOB write in parsing drc ext Validate drc coefficient counts as we parse them from the stream. Bug: 116224432 Test: vendor Change-Id: I5a78521b8acfcdc7af96b91e5687d4f02ce49e54 --- decoder/drc_src/impd_drc_dynamic_payload.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/decoder/drc_src/impd_drc_dynamic_payload.c b/decoder/drc_src/impd_drc_dynamic_payload.c index 70fa829..5fcf04f 100644 --- a/decoder/drc_src/impd_drc_dynamic_payload.c +++ b/decoder/drc_src/impd_drc_dynamic_payload.c 
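Review bot: In both hunks the new bound is evaluated before `if (it_bit_buff->error) return it_bit_buff->error;`, so when the read of loud_eq_instructions_count or eq_instructions_count itself failed the function reports UNEXPECTED_ERROR for a value that was never validly read instead of the bit-buffer error; move each bound check below the error check, as the parametric_drc_instructions_count hunk earlier in this series does. The same ordering appears in the next patch's drc_coefficients_uni_drc_v1_count check, where the sum with drc_coefficients_drc_count is compared before the read is known to have succeeded. impd_parse_drc_ext_v1 continues outside the hunks.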
@@ -558,6 +558,10 @@ WORD32 impd_parse_drc_ext_v1(ia_bit_buf_struct* it_bit_buff, if (it_bit_buff->error) return it_bit_buff->error; if (drc_coeffs_and_instructions_uni_drc_v1_flag == 1) { drc_coefficients_uni_drc_v1_count = impd_read_bits_buf(it_bit_buff, 3); + if ((drc_coefficients_uni_drc_v1_count + + drc_config->drc_coefficients_drc_count) > DRC_COEFF_COUNT_MAX) { + return (UNEXPECTED_ERROR); + } if (it_bit_buff->error) return it_bit_buff->error; for (i = 0; i < drc_coefficients_uni_drc_v1_count; i++) { err = impd_drc_parse_coeff( From 988f5bd17c64c2efcb6e0a36c633065488ca2b79 Mon Sep 17 00:00:00 2001 From: Ramesh Katuri Date: Tue, 18 Sep 2018 12:04:31 +0530 Subject: [PATCH 15/35] Fix for crash due to un-initailized variables in drc module Nested loop used wrong subscript in inner loop, leading to bad iteration count and haphazard clearing of data structure. Bug: 113885537 Test: vendor Change-Id: Ia9cb53205f4e91ee99268202114fc2001eae2de3 --- decoder/drc_src/impd_drc_gain_decoder.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/decoder/drc_src/impd_drc_gain_decoder.c b/decoder/drc_src/impd_drc_gain_decoder.c index 43ae7b2..4b48f54 100644 --- a/decoder/drc_src/impd_drc_gain_decoder.c +++ b/decoder/drc_src/impd_drc_gain_decoder.c 
@@ -148,25 +148,25 @@ IA_ERRORCODE impd_init_drc_decode_post_config( p_drc_gain_dec_structs->drc_gain_buffers.pstr_gain_buf[k] .buf_interpolation_count = drc_instruction_str->gain_element_count; for (i = 0; - i < p_drc_gain_dec_structs->drc_gain_buffers.pstr_gain_buf[i] + i < p_drc_gain_dec_structs->drc_gain_buffers.pstr_gain_buf[k] .buf_interpolation_count; i++) { - p_drc_gain_dec_structs->drc_gain_buffers.pstr_gain_buf[i] + p_drc_gain_dec_structs->drc_gain_buffers.pstr_gain_buf[k] .buf_interpolation[i] .str_node.time = 0; - p_drc_gain_dec_structs->drc_gain_buffers.pstr_gain_buf[i] + p_drc_gain_dec_structs->drc_gain_buffers.pstr_gain_buf[k] .buf_interpolation[i] .prev_node.time = -1; - p_drc_gain_dec_structs->drc_gain_buffers.pstr_gain_buf[i] + p_drc_gain_dec_structs->drc_gain_buffers.pstr_gain_buf[k] .buf_interpolation[i] .str_node.loc_db_gain = 0.0f; - p_drc_gain_dec_structs->drc_gain_buffers.pstr_gain_buf[i] + p_drc_gain_dec_structs->drc_gain_buffers.pstr_gain_buf[k] .buf_interpolation[i] .str_node.slope = 0.0f; for (j = 0; j < 2 * AUDIO_CODEC_FRAME_SIZE_MAX + MAX_SIGNAL_DELAY; j++) { - p_drc_gain_dec_structs->drc_gain_buffers.pstr_gain_buf[i] + p_drc_gain_dec_structs->drc_gain_buffers.pstr_gain_buf[k] .buf_interpolation[i] .lpcm_gains[j] = 1.f; } From 6952af9a09bd3c814727b8b5d246915144dbabed Mon Sep 17 00:00:00 2001 
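Review bot: The fix replaces `i` with `k` in five subscripts, and the expression `p_drc_gain_dec_structs->drc_gain_buffers.pstr_gain_buf[k].buf_interpolation[i]` is now repeated five times inside the loop; taking one local pointer to that element at the top of the `for (i ...)` body and writing the fields through it would have made the original i/k mix-up visible and leaves a single subscript to get right. A one-line comment above the loop saying that every interpolation node of gain buffer k is reset to its defaults (time 0, prev time -1, unity lpcm gains) would also help. impd_init_drc_decode_post_config and the loop that binds k are outside the hunk.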
From: Ramesh Katuri Date: Wed, 5 Sep 2018 11:13:51 +0530 Subject: [PATCH 16/35] Fix for heap buffer overflow in tns block In tns, filtering is applied on spectral data.Based on filter direction filtering is applied either from start of spectral data or from end of spectral data. In this error case filter order is coming more than spectral length,because of which filter input(spectrum) is accessed more than what is allocated. Bug:112609715 Bug:112610994 Bug:113108416 Bug:113164693 Bug:113261927 Bug:113262855 Test: vendor Change-Id: I8b5faf53bdf3e145f442fe2a029b0fffc5189a94 --- decoder/ixheaacd_pns_js_thumb.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/decoder/ixheaacd_pns_js_thumb.c b/decoder/ixheaacd_pns_js_thumb.c index 15db806..534ec5b 100644 --- a/decoder/ixheaacd_pns_js_thumb.c +++ b/decoder/ixheaacd_pns_js_thumb.c @@ -354,11 +354,12 @@ VOID ixheaacd_aac_tns_process( scale_spec = (*ixheaacd_calc_max_spectral_line)(ptr_tmp, size); } - if (filter->direction != -1) { - position = start; - } else { + if (filter->direction == -1) { position = stop - 1; if (((win << 7) + position) < filter->order) continue; + } else { + position = start; + if ((((win << 7) + position) + filter->order) > MAX_BINS_LONG) continue; } if ((num_ch <= 2) && From e5f65556cc592d9faa6a225223cf7697b2880b7b Mon Sep 17 00:00:00 2001 From: Ray Essick Date: Tue, 16 Oct 2018 11:23:07 -0700 Subject: [PATCH 17/35] Mark xaac codec experimental Bug: 117786798 Test: presence in source tree Change-Id: I89475f9b8b09b22d6924ae8e97275206c2d85be8 --- README.experimental | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 README.experimental diff --git a/README.experimental b/README.experimental new file mode 100644 index 0000000..27fd798 --- /dev/null +++ b/README.experimental 
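Review bot: The new forward-direction guard `if ((((win << 7) + position) + filter->order) > MAX_BINS_LONG) continue;` allows the sum to equal MAX_BINS_LONG; whether that is one too many depends on whether the filter reads up to index position + order or position + order - 1, which is outside the hunk, so confirm the bound or use `>=` if the last read is at position + order. Both branches silently `continue`, dropping TNS for that window; since the commit message attributes the overflow to a filter order larger than the spectrum, rejecting the order where it is parsed and reporting an error would catch the malformed stream earlier than skipping it here. The `win << 7` shift is an unexplained constant in both guards; a comment such as `/* bins per short window (confirm against the window length) */` would make the arithmetic readable. ixheaacd_aac_tns_process continues outside the hunk.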
@@ -0,0 +1,5 @@ +This xaac codec (external/xaac) is experimental; it is not yet intended +to be used on production devices. + +This codec should not be configured into any production Android Pie +(Android 9) device that will be shipped. From c26e43d759f7d5db03ebc530cc69ff809faa7be2 Mon Sep 17 00:00:00 2001 From: Ramesh Katuri Date: Thu, 20 Sep 2018 19:02:29 +0530 Subject: [PATCH 18/35] Fix for stack overflow in eq selection in drc module Bug:114735603 Test: vendor Change-Id: I83be3dfe1111caa1acd244b0a9ba2a8944c92981 --- decoder/drc_src/impd_drc_common.h | 2 ++ decoder/drc_src/impd_drc_selection_process.c | 1 + 2 files changed, 3 insertions(+) diff --git a/decoder/drc_src/impd_drc_common.h b/decoder/drc_src/impd_drc_common.h index dd0e621..62f54c3 100644 --- a/decoder/drc_src/impd_drc_common.h +++ b/decoder/drc_src/impd_drc_common.h @@ -86,6 +86,8 @@ extern "C" { #define SELECTION_CANDIDATE_COUNT_MAX 32 +#define MAX_NUM_COMPRESSION_EQ (16) + #define PROC_COMPLETE 1 #define UNEXPECTED_ERROR 2 #define PARAM_ERROR 3 diff --git a/decoder/drc_src/impd_drc_selection_process.c b/decoder/drc_src/impd_drc_selection_process.c index b5b1b7f..53f76b0 100644 --- a/decoder/drc_src/impd_drc_selection_process.c +++ b/decoder/drc_src/impd_drc_selection_process.c @@ -640,6 +640,7 @@ WORD32 impd_find_eq_set_no_compression(ia_drc_config* pstr_drc_config, for (c = 0; c < str_eq_instructions->drc_set_id_count; c++) { if ((str_eq_instructions->drc_set_id[c] == ID_FOR_ANY_DRC) || (str_eq_instructions->drc_set_id[c] == 0)) { + if (k >= MAX_NUM_COMPRESSION_EQ) return UNEXPECTED_ERROR; num_compression_eq_id[k] = str_eq_instructions->eq_set_id; k++; } From 0c81453dd378baf33d333f79e60f158d2425b286 Mon Sep 17 00:00:00 2001 
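Review bot: The new guard `if (k >= MAX_NUM_COMPRESSION_EQ) return UNEXPECTED_ERROR;` relies on `num_compression_eq_id` actually having `MAX_NUM_COMPRESSION_EQ` elements, but this commit adds only the macro and the check; the array declaration is untouched. If `num_compression_eq_id` is declared with a literal size, change it to `[MAX_NUM_COMPRESSION_EQ]` so the bound and the storage cannot drift apart. Patch 24 later reuses the same macro for `eq_set_id`, `loudness` and `loudness_normalization_gain_db` in `impd_init_loudness_control`, which makes that coupling more important to pin down.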
From: Ramesh Katuri Date: Fri, 21 Sep 2018 19:13:36 +0530 Subject: [PATCH 19/35] Fix for stack over flow write in drc set pre selection Bug:114745929 Test: vendor Change-Id: I3bbb434d61ce1784db60c47fe7154a9931f97820 --- decoder/drc_src/impd_drc_common.h | 2 ++ .../drc_src/impd_drc_selection_process_drcset_selection.c | 6 +++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/decoder/drc_src/impd_drc_common.h b/decoder/drc_src/impd_drc_common.h index dd0e621..bbc42ce 100644 --- a/decoder/drc_src/impd_drc_common.h +++ b/decoder/drc_src/impd_drc_common.h @@ -149,6 +149,8 @@ extern "C" { #define PARAM_DRC_TYPE_LIM_ATTACK_DEFAULT 5 #define PARAM_DRC_TYPE_LIM_RELEASE_DEFAULT 50 +#define MAX_LOUDNESS_INFO_COUNT (16) + #define UNIDRCCONFEXT_V1 0x2 #define UNIDRCLOUDEXT_EQ 0x1 #define UNIDRCINTERFACEEXT_EQ 0x1 diff --git a/decoder/drc_src/impd_drc_selection_process_drcset_selection.c b/decoder/drc_src/impd_drc_selection_process_drcset_selection.c index 7ca8aec..370d169 100644 --- a/decoder/drc_src/impd_drc_selection_process_drcset_selection.c +++ b/decoder/drc_src/impd_drc_selection_process_drcset_selection.c @@ -775,6 +775,9 @@ WORD32 impd_drc_set_preselection( loudness_normalization_gain_db, loudness); if (err) return (err); + if (loudness_info_count > MAX_LOUDNESS_INFO_COUNT) + return UNEXPECTED_ERROR; + err = impd_signal_peak_level_info( pstr_drc_config, pstr_loudness_info, str_drc_instruction_str, requested_dwnmix_id[d], @@ -787,6 +790,7 @@ WORD32 impd_drc_set_preselection( for (l = 0; l < loudness_info_count; l++) { WORD32 match_found_flag = 0; WORD32 p; + if (k >= SELECTION_CANDIDATE_COUNT_MAX) return UNEXPECTED_ERROR; selection_candidate_info[k].loudness_norm_db_gain_adjusted = loudness_normalization_gain_db[l]; @@ -873,7 +877,6 @@ WORD32 impd_drc_set_preselection( !str_drc_instruction_str ->drc_set_target_loudness_present)) { k++; - } else { } } } 
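Review bot: The check `if (loudness_info_count > MAX_LOUDNESS_INFO_COUNT) return UNEXPECTED_ERROR;` runs after `impd_init_loudness_control` has already returned, so if that call is what fills `loudness` and `loudness_normalization_gain_db` (as its arguments suggest) any overrun has happened before the guard sees the count; the bound has to be enforced by the producer, which patch 24 (`@@ -717` in impd_drc_loudness_control.c) does with a different macro, `MAX_NUM_COMPRESSION_EQ`. Using two equal-valued macros for the same arrays is fragile; pick one and reference it in both places. The two `if (k >= SELECTION_CANDIDATE_COUNT_MAX) return UNEXPECTED_ERROR;` guards in this hunk and in the `@@ -913` hunk are correct but identical; a comment `/* selection_candidate_info has SELECTION_CANDIDATE_COUNT_MAX slots */` at the first would explain the constant.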
@@ -913,6 +916,7 @@ WORD32 impd_drc_set_preselection( signal_peak_level[p] + loudness_normalization_gain_db[l] - pstr_drc_sel_proc_params_struct->output_peak_level_max); adjustment = min(adjustment, max(0.0f, loudness_deviation_max)); + if (k >= SELECTION_CANDIDATE_COUNT_MAX) return UNEXPECTED_ERROR; selection_candidate_info[k].loudness_norm_db_gain_adjusted = loudness_normalization_gain_db[l] - adjustment; From c14b25793cfdbecaedb36c34e24b60ee2f85069c Mon Sep 17 00:00:00 2001 From: Ramesh Katuri Date: Fri, 21 Sep 2018 18:56:04 +0530 Subject: [PATCH 20/35] Fix for stack overflow in impd parse equalizer coefficients Bug:115907334 Test: vendor Change-Id: I031ba8064d24bec2db3ea68beea713387ea19762 --- decoder/drc_src/impd_drc_common.h | 2 +- decoder/drc_src/impd_drc_dynamic_payload.c | 17 +++++++++-------- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/decoder/drc_src/impd_drc_common.h b/decoder/drc_src/impd_drc_common.h index dd0e621..33634b7 100644 --- a/decoder/drc_src/impd_drc_common.h +++ b/decoder/drc_src/impd_drc_common.h @@ -69,7 +69,7 @@ extern "C" { #define UNIQUE_SUBBAND_GAIN_COUNT_MAX 16 #define FILTER_BLOCK_COUNT_MAX 16 #define FILTER_ELEMENT_COUNT_MAX 16 -#define UNIQUE_SUBBAND_GAINS_COUNT_MAX 8 + #define EQ_CHANNEL_GROUP_COUNT_MAX 4 #define EQ_FILTER_BLOCK_COUNT_MAX 4 #define LOUD_EQ_INSTRUCTIONS_COUNT_MAX 8 diff --git a/decoder/drc_src/impd_drc_dynamic_payload.c b/decoder/drc_src/impd_drc_dynamic_payload.c index 68583b2..d868e90 100644 --- a/decoder/drc_src/impd_drc_dynamic_payload.c +++ b/decoder/drc_src/impd_drc_dynamic_payload.c @@ -28,7 +28,6 @@ #include "impd_drc_parser.h" #include "impd_drc_filter_bank.h" #include "impd_drc_rom.h" - WORD32 impd_parse_loud_eq_instructions( ia_bit_buf_struct* it_bit_buff, ia_loud_eq_instructions_struct* loud_eq_instructions); 
@@ -918,7 +917,7 @@ WORD32 impd_parse_eq_coefficients(ia_bit_buf_struct* it_bit_buff, ia_eq_coeff_struct* str_eq_coeff) { WORD32 err = 0; WORD32 eq_gain_cnt, mu, nu, temp; - WORD32 subband_gain_len_tbl[7] = {0, 32, 39, 64, 71, 128, 135}; + static const WORD32 subband_gain_len_tbl[7] = {0, 32, 39, 64, 71, 128, 135}; str_eq_coeff->eq_delay_max_present = impd_read_bits_buf(it_bit_buff, 1); if (it_bit_buff->error) return it_bit_buff->error; @@ -961,15 +960,17 @@ WORD32 impd_parse_eq_coefficients(ia_bit_buf_struct* it_bit_buff, str_eq_coeff->eq_subband_gain_representation = (temp >> 4) & 0x01; str_eq_coeff->eq_subband_gain_format = temp & 0x0F; - - if (str_eq_coeff->eq_subband_gain_format == GAINFORMAT_UNIFORM) { + if ((str_eq_coeff->eq_subband_gain_format > 0) && + (str_eq_coeff->eq_subband_gain_format < GAINFORMAT_UNIFORM)) { + str_eq_coeff->eq_subband_gain_count = + subband_gain_len_tbl[str_eq_coeff->eq_subband_gain_format]; + } else { + /* Gain format 0 or any value between 7 to 15 is considered as default + * case */ eq_gain_cnt = impd_read_bits_buf(it_bit_buff, 8); if (it_bit_buff->error) return it_bit_buff->error; str_eq_coeff->eq_subband_gain_count = eq_gain_cnt + 1; - - } else - str_eq_coeff->eq_subband_gain_count = - subband_gain_len_tbl[str_eq_coeff->eq_subband_gain_format]; + } if (str_eq_coeff->eq_subband_gain_representation == 1) { err = impd_parse_eq_subband_gain_spline( From 06296604c8e980d6cfca12135e2bd74bd1c286f0 Mon Sep 17 00:00:00 2001 From: Ramesh Katuri Date: Wed, 3 Oct 2018 18:46:36 +0530 Subject: [PATCH 21/35] Fix for OOB write in loudness info set ext Bug:117099943 Bug: 117100484 Test: Vendor Change-Id: Id657372bde3b0218108c3d8aa7f9f898cde5b583 --- decoder/drc_src/impd_drc_bitbuffer.c | 22 +++++++++++++++++++++- decoder/drc_src/impd_drc_bitbuffer.h | 1 + decoder/drc_src/impd_drc_dynamic_payload.c | 14 +++++--------- decoder/drc_src/impd_drc_static_payload.c | 1 + 4 files changed, 28 insertions(+), 10 deletions(-) 
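Review bot: In the `else` branch `str_eq_coeff->eq_subband_gain_count = eq_gain_cnt + 1;` can now reach 256 from an 8-bit read with no bound against the destination gain array in this hunk; patch 25 in this series adds that check, but it belongs with this restructuring since this branch is where untrusted counts enter. The table branch relies on `GAINFORMAT_UNIFORM` equalling the length of the 7-entry `subband_gain_len_tbl`, which only the comment implies; a `_Static_assert` on the table size or a comment `/* subband_gain_len_tbl is indexed 1..GAINFORMAT_UNIFORM-1 */` would make that dependency explicit. The comment text would read better as `/* Gain format 0, or any value from 7 through 15, is treated as the default case */`.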
diff --git a/decoder/drc_src/impd_drc_bitbuffer.c b/decoder/drc_src/impd_drc_bitbuffer.c index de1f86d..3750f11 100644 --- a/decoder/drc_src/impd_drc_bitbuffer.c +++ b/decoder/drc_src/impd_drc_bitbuffer.c @@ -34,7 +34,6 @@ WORD32 impd_read_bits_buf(ia_bit_buf_struct* it_bit_buff, WORD no_of_bits) { UWORD32 ret_val; UWORD8* ptr_read_next = it_bit_buff->ptr_read_next; WORD bit_pos = it_bit_buff->bit_pos; - it_bit_buff->error = 0; if (it_bit_buff->cnt_bits <= 0) { it_bit_buff->error = 1; @@ -68,6 +67,26 @@ WORD32 impd_read_bits_buf(ia_bit_buf_struct* it_bit_buff, WORD no_of_bits) { return ret_val; } +WORD32 impd_skip_bits_buf(ia_bit_buf_struct* it_bit_buff, WORD no_of_bits) { + UWORD8* ptr_read_next = it_bit_buff->ptr_read_next; + WORD bit_pos = it_bit_buff->bit_pos; + + if (it_bit_buff->cnt_bits < no_of_bits) { + it_bit_buff->error = 1; + return -1; + } + + it_bit_buff->cnt_bits -= no_of_bits; + + bit_pos -= no_of_bits; + while (bit_pos < 0) { + bit_pos += 8; + ptr_read_next++; + } + it_bit_buff->ptr_read_next = ptr_read_next; + it_bit_buff->bit_pos = (WORD16)bit_pos; + return no_of_bits; +} ia_bit_buf_struct* impd_create_bit_buf(ia_bit_buf_struct* it_bit_buff, UWORD8* ptr_bit_buf_base, WORD32 bit_buf_size) { @@ -79,6 +98,7 @@ ia_bit_buf_struct* impd_create_bit_buf(ia_bit_buf_struct* it_bit_buff, it_bit_buff->cnt_bits = 0; it_bit_buff->size = bit_buf_size << 3; + it_bit_buff->error = 0; return it_bit_buff; } diff --git a/decoder/drc_src/impd_drc_bitbuffer.h b/decoder/drc_src/impd_drc_bitbuffer.h index f42e24a..9e29825 100644 --- a/decoder/drc_src/impd_drc_bitbuffer.h +++ b/decoder/drc_src/impd_drc_bitbuffer.h @@ -44,4 +44,5 @@ ia_bit_buf_struct *impd_create_init_bit_buf(ia_bit_buf_struct *it_bit_buff, WORD32 impd_read_bits_buf(ia_bit_buf_struct *it_bit_buff, WORD no_of_bits); +WORD32 impd_skip_bits_buf(ia_bit_buf_struct *it_bit_buff, WORD no_of_bits); #endif 
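Review bot: Dropping `it_bit_buff->error = 0;` from `impd_read_bits_buf` makes the error flag sticky until `impd_create_bit_buf` resets it, which is the right fail-fast behaviour, but `impd_create_init_bit_buf`, declared just above the new prototype in the header, is not touched here and should reset `error` too if it does not go through `impd_create_bit_buf` (not visible in the hunk). In `impd_skip_bits_buf` a negative `no_of_bits` passes `cnt_bits < no_of_bits`, inflates `cnt_bits` and leaves `bit_pos` above 7 without advancing the pointer; today's only caller passes `bit_size + 1 >= 1`, but a guard `if (no_of_bits < 0) { it_bit_buff->error = 1; return -1; }` would make the helper safe on its own. A comment on the prototype stating that it returns the skipped count or -1 and sets `error` would document the contract the callers in impd_drc_dynamic_payload.c rely on.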
diff --git a/decoder/drc_src/impd_drc_dynamic_payload.c b/decoder/drc_src/impd_drc_dynamic_payload.c index 68583b2..4797154 100644 --- a/decoder/drc_src/impd_drc_dynamic_payload.c +++ b/decoder/drc_src/impd_drc_dynamic_payload.c @@ -343,7 +343,7 @@ WORD32 impd_drc_uni_gain_read(ia_bit_buf_struct* it_bit_buff, WORD32 impd_parse_uni_drc_gain_ext( ia_bit_buf_struct* it_bit_buff, ia_uni_drc_gain_ext_struct* uni_drc_gain_ext) { - WORD32 i, k; + WORD32 k; WORD32 bit_size_len, ext_size_bits, bit_size, other_bit; k = 0; @@ -351,6 +351,7 @@ WORD32 impd_parse_uni_drc_gain_ext( impd_read_bits_buf(it_bit_buff, 4); if (it_bit_buff->error) return it_bit_buff->error; while (uni_drc_gain_ext->uni_drc_gain_ext_type[k] != UNIDRCGAINEXT_TERM) { + if (k >= (EXT_COUNT_MAX - 1)) return UNEXPECTED_ERROR; bit_size_len = impd_read_bits_buf(it_bit_buff, 3); if (it_bit_buff->error) return it_bit_buff->error; ext_size_bits = bit_size_len + 4; @@ -359,14 +360,9 @@ WORD32 impd_parse_uni_drc_gain_ext( if (it_bit_buff->error) return it_bit_buff->error; uni_drc_gain_ext->ext_bit_size[k] = bit_size + 1; - switch (uni_drc_gain_ext->uni_drc_gain_ext_type[k]) { - default: - for (i = 0; i < uni_drc_gain_ext->ext_bit_size[k]; i++) { - other_bit = impd_read_bits_buf(it_bit_buff, 1); - if (it_bit_buff->error) return it_bit_buff->error; - } - break; - } + other_bit = + impd_skip_bits_buf(it_bit_buff, uni_drc_gain_ext->ext_bit_size[k]); + if (it_bit_buff->error) return it_bit_buff->error; k++; uni_drc_gain_ext->uni_drc_gain_ext_type[k] = impd_read_bits_buf(it_bit_buff, 4); diff --git a/decoder/drc_src/impd_drc_static_payload.c b/decoder/drc_src/impd_drc_static_payload.c index de4ceec..286e714 100644 --- a/decoder/drc_src/impd_drc_static_payload.c +++ b/decoder/drc_src/impd_drc_static_payload.c 
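Review bot: `other_bit = impd_skip_bits_buf(it_bit_buff, uni_drc_gain_ext->ext_bit_size[k]);` stores a value that nothing in the hunk reads, so `other_bit` is now a dead store unless it is used further down the function; either drop the variable and call `impd_skip_bits_buf(...)` for its side effect, or check its `-1` return alongside `it_bit_buff->error`. The top-of-loop guard `if (k >= (EXT_COUNT_MAX - 1)) return UNEXPECTED_ERROR;` is correct for the trailing `uni_drc_gain_ext_type[k]` write after `k++`, and a comment `/* index k+1 is written below, so stop one short of EXT_COUNT_MAX */` would save the next reader the arithmetic.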
@@ -1590,6 +1590,7 @@ impd_parse_loudness_info_set_ext( bit_size = impd_read_bits_buf(it_bit_buff, ext_size_bits); if (it_bit_buff->error) return it_bit_buff->error; + if (k >= (EXT_COUNT_MAX - 1)) return UNEXPECTED_ERROR; loudness_info_set->str_loudness_info_set_ext.ext_bit_size[k] = bit_size + 1; switch (loudness_info_set->str_loudness_info_set_ext From 7e8303bbaa4e53933330bc01dfd93a60242564b1 Mon Sep 17 00:00:00 2001 From: Ramesh Katuri Date: Fri, 21 Sep 2018 17:45:08 +0530 Subject: [PATCH 22/35] Fix for OOB in parsing loud equalizer instruction in drc Bug:116117112 Test: vendor Change-Id: I9d69d07dc36e8874d1784b4cf1f1a0a4fc99cee7 --- decoder/drc_src/impd_drc_dynamic_payload.c | 8 ++++++ decoder/drc_src/impd_drc_static_payload.c | 2 ++ decoder/drc_src/impd_drc_struct.h | 33 +++++++++++++--------- 3 files changed, 30 insertions(+), 13 deletions(-) diff --git a/decoder/drc_src/impd_drc_dynamic_payload.c b/decoder/drc_src/impd_drc_dynamic_payload.c index 68583b2..cf7b93b 100644 --- a/decoder/drc_src/impd_drc_dynamic_payload.c +++ b/decoder/drc_src/impd_drc_dynamic_payload.c @@ -1307,12 +1307,20 @@ WORD32 impd_parse_loud_eq_instructions( temp = impd_read_bits_buf(it_bit_buff, 8); if (it_bit_buff->error) return it_bit_buff->error; + /* Parsed but unused */ loud_eq_instructions->loudness_after_drc = (temp >> 7) & 0x01; + /* Parsed but unused */ loud_eq_instructions->loudness_after_eq = (temp >> 6) & 0x01; + /* Parsed but unused */ loud_eq_instructions->loud_eq_gain_sequence_count = temp & 0x3F; + if (loud_eq_instructions->loud_eq_gain_sequence_count > + LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX) + return UNEXPECTED_ERROR; + + /* Section under for loop, Parsed but unused */ for (i = 0; i < loud_eq_instructions->loud_eq_gain_sequence_count; i++) { temp = impd_read_bits_buf(it_bit_buff, 7); if (it_bit_buff->error) return it_bit_buff->error; diff --git a/decoder/drc_src/impd_drc_static_payload.c b/decoder/drc_src/impd_drc_static_payload.c index de4ceec..675ce8b 100644 
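Review bot: The guard `if (k >= (EXT_COUNT_MAX - 1)) return UNEXPECTED_ERROR;` is placed mid-iteration, after the `bit_size` reads, whereas the equivalent guards in `impd_parse_uni_drc_gain_ext` and `impd_parse_drc_config_ext` sit at the top of their `while` loops; moving it to the loop head keeps the three ext parsers uniform and rejects the frame before any bits are consumed. The loop head and the function's closing lie outside the hunk, so the exact insertion point cannot be checked from here.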
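Review bot: The three `/* Parsed but unused */` comments placed line by line, and the same annotation repeated on every member in the impd_drc_struct.h hunk (`@@ -456`) and in the `impd_parse_loudness_info` hunk (`@@ -2382`), clutter the code and leave declarations wrapped mid-name where clang-format split them; a single comment over the group, `/* Loudness-EQ fields below are parsed for bit-stream conformance but not used by the decoder */`, carries the same information. The new bound `if (loud_eq_instructions->loud_eq_gain_sequence_count > LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX) return UNEXPECTED_ERROR;` is correct since the 6-bit field can reach 63; noting that range next to the check would justify it.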
--- a/decoder/drc_src/impd_drc_static_payload.c +++ b/decoder/drc_src/impd_drc_static_payload.c @@ -2382,7 +2382,9 @@ impd_parse_loudness_info(ia_bit_buf_struct* it_bit_buff, WORD32 version, temp = impd_read_bits_buf(it_bit_buff, 6); if (it_bit_buff->error) return it_bit_buff->error; + /* Parsed but unused */ loudness_info->true_peak_level_measurement_system = (temp >> 2) & 0xf; + /* Parsed but unused */ loudness_info->true_peak_level_reliability = temp & 3; } diff --git a/decoder/drc_src/impd_drc_struct.h b/decoder/drc_src/impd_drc_struct.h index a608da9..0ee8fd8 100644 --- a/decoder/drc_src/impd_drc_struct.h +++ b/decoder/drc_src/impd_drc_struct.h @@ -441,8 +441,8 @@ typedef struct { FLOAT32 sample_peak_level; WORD32 true_peak_level_present; FLOAT32 true_peak_level; - WORD32 true_peak_level_measurement_system; - WORD32 true_peak_level_reliability; + WORD32 true_peak_level_measurement_system; /* Parsed but unused */ + WORD32 true_peak_level_reliability; /* Parsed but unused */ WORD32 measurement_count; ia_loudness_measure_struct loudness_measure[MEASUREMENT_COUNT_MAX]; } ia_loudness_info_struct; 
@@ -456,17 +456,24 @@ typedef struct { WORD32 drc_set_id[DRC_SET_ID_COUNT_MAX]; WORD32 eq_set_id_count; WORD32 eq_set_id[EQ_SET_ID_COUNT_MAX]; - WORD32 loudness_after_drc; - WORD32 loudness_after_eq; - WORD32 loud_eq_gain_sequence_count; - WORD32 gain_seq_idx[LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX]; - WORD32 drc_characteristic_format_is_cicp[LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX]; - WORD32 drc_characteristic[LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX]; - WORD32 drc_characteristic_left_index[LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX]; - WORD32 drc_characteristic_right_index[LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX]; - WORD32 frequency_range_index[LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX]; - FLOAT32 loud_eq_scaling[LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX]; - FLOAT32 loud_eq_offset[LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX]; + WORD32 loudness_after_drc; /* Parsed but unused */ + WORD32 loudness_after_eq; /* Parsed but unused */ + WORD32 loud_eq_gain_sequence_count; /* Parsed but unused */ + WORD32 gain_seq_idx[LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX]; /* Parsed but unused */ + WORD32 drc_characteristic_format_is_cicp + [LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX]; /* Parsed but unused */ + WORD32 drc_characteristic[LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX]; /* Parsed but + unused */ + WORD32 drc_characteristic_left_index + [LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX]; /* Parsed but unused */ + WORD32 drc_characteristic_right_index + [LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX]; /* Parsed but unused */ + WORD32 frequency_range_index[LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX]; /* Parsed but + unused */ + FLOAT32 + loud_eq_scaling[LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX]; /* Parsed but unused */ + FLOAT32 + loud_eq_offset[LOUD_EQ_GAIN_SEQUENCE_COUNT_MAX]; /* Parsed but unused */ } ia_loud_eq_instructions_struct; typedef struct { From 8e1635aaeab6751802da1a4b756c9f80dee2668e Mon Sep 17 00:00:00 2001 
From: Ramesh Katuri Date: Wed, 3 Oct 2018 18:52:05 +0530 Subject: [PATCH 23/35] Fix for OOB in parse drc config extension Bug:117100617 Test: vendor Change-Id: I0e6bcbdfb21f40b9687b2d36366112bc67cee88a --- decoder/drc_src/impd_drc_static_payload.c | 1 + 1 file changed, 1 insertion(+) diff --git a/decoder/drc_src/impd_drc_static_payload.c b/decoder/drc_src/impd_drc_static_payload.c index de4ceec..250dd29 100644 --- a/decoder/drc_src/impd_drc_static_payload.c +++ b/decoder/drc_src/impd_drc_static_payload.c @@ -896,6 +896,7 @@ impd_parse_drc_config_ext(ia_bit_buf_struct* it_bit_buff, impd_read_bits_buf(it_bit_buff, 4); if (it_bit_buff->error) return it_bit_buff->error; while (str_drc_config_ext->drc_config_ext_type[k] != UNIDRCCONFEXT_TERM) { + if (k >= (EXT_COUNT_MAX - 1)) return UNEXPECTED_ERROR; bit_size_len = impd_read_bits_buf(it_bit_buff, 4); if (it_bit_buff->error) return it_bit_buff->error; ext_size_bits = bit_size_len + 4; From 851d0d122afe3664e417750e50c96c0b97c99220 Mon Sep 17 00:00:00 2001 From: Ramesh Katuri Date: Mon, 24 Sep 2018 15:58:55 +0530 Subject: [PATCH 24/35] Fix for stack buffer overflow in drc loudness control Bug:114749542 Test: vendor Change-Id: I3b394faf8e6659724ee361fb94ec7d89f60eaf5e --- decoder/drc_src/impd_drc_loudness_control.c | 4 +++- decoder/drc_src/impd_drc_selection_process_drcset_selection.c | 3 ++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/decoder/drc_src/impd_drc_loudness_control.c b/decoder/drc_src/impd_drc_loudness_control.c index ec8fcf1..687fc6f 100644 --- a/decoder/drc_src/impd_drc_loudness_control.c +++ b/decoder/drc_src/impd_drc_loudness_control.c @@ -28,7 +28,6 @@ #include "impd_drc_selection_process.h" #include "impd_drc_filter_bank.h" #include "impd_drc_rom.h" - WORD32 impd_signal_peak_level_info( ia_drc_config* pstr_drc_config, ia_drc_loudness_info_set_struct* pstr_loudness_info, 
@@ -717,8 +716,11 @@ WORD32 impd_init_loudness_control( loudness_normalization_gain_db[k] = 0.0f; } } + if (k >= MAX_NUM_COMPRESSION_EQ) return UNEXPECTED_ERROR; eq_set_id[k] = 0; + loudness[k] = UNDEFINED_LOUDNESS_VALUE; + loudness_normalization_gain_db[k] = 0.0f; k++; diff --git a/decoder/drc_src/impd_drc_selection_process_drcset_selection.c b/decoder/drc_src/impd_drc_selection_process_drcset_selection.c index 370d169..f05eceb 100644 --- a/decoder/drc_src/impd_drc_selection_process_drcset_selection.c +++ b/decoder/drc_src/impd_drc_selection_process_drcset_selection.c @@ -1414,10 +1414,11 @@ WORD32 impd_select_drc_set(ia_drc_sel_pro_struct* pstr_drc_uni_sel_proc, } while (!selection_candidate_count) { - impd_drc_set_preselection( + err = impd_drc_set_preselection( pstr_drc_sel_proc_params_struct, pstr_drc_config, pstr_loudness_info, restrict_to_drc_with_album_loudness, pstr_drc_uni_sel_proc, &selection_candidate_count, selection_candidate_info); + if (err) return err; if (selection_candidate_count == 0) { if (restrict_to_drc_with_album_loudness == 1) { From 6bd9129c03def91deffc3013672854625f475d79 Mon Sep 17 00:00:00 2001 From: Ramesh Katuri Date: Fri, 21 Sep 2018 18:12:29 +0530 Subject: [PATCH 25/35] Fix for OOB write in parsing eq sub band gain vector in drc bounds checking on subband information. Bug:115908308 Test: vendor Change-Id: I8cb2684c7f02b287065ef8b0b1a11c7dcf88e6d1 --- decoder/drc_src/impd_drc_dynamic_payload.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/decoder/drc_src/impd_drc_dynamic_payload.c b/decoder/drc_src/impd_drc_dynamic_payload.c index 645d080..2ffbb22 100644 --- a/decoder/drc_src/impd_drc_dynamic_payload.c +++ b/decoder/drc_src/impd_drc_dynamic_payload.c 
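Review bot: `if (k >= MAX_NUM_COMPRESSION_EQ) return UNEXPECTED_ERROR;` bounds writes to `eq_set_id`, `loudness` and `loudness_normalization_gain_db` by a macro named for compression-EQ ids, while the caller in `impd_drc_set_preselection` (patch 19) bounds the same `loudness_info_count` by `MAX_LOUDNESS_INFO_COUNT`; both are 16 today, but nothing enforces that they stay equal. Use one macro for these arrays, or add `/* must match MAX_LOUDNESS_INFO_COUNT used by the caller */` beside the guard. The loop immediately above the guard also writes `loudness_normalization_gain_db[k]`; if `k` advances inside it, that loop needs the same check, which the hunk does not show. In the `impd_select_drc_set` hunk, `err = impd_drc_set_preselection(...); if (err) return err;` is the right fix, provided `err` is declared in that function (outside the hunk).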
@@ -968,8 +968,13 @@ WORD32 impd_parse_eq_coefficients(ia_bit_buf_struct* it_bit_buff, /* Gain format 0 or any value between 7 to 15 is considered as default * case */ eq_gain_cnt = impd_read_bits_buf(it_bit_buff, 8); + if (it_bit_buff->error) return it_bit_buff->error; str_eq_coeff->eq_subband_gain_count = eq_gain_cnt + 1; + + if (str_eq_coeff->eq_subband_gain_count > EQ_SUBBAND_GAIN_COUNT_MAX) + return UNEXPECTED_ERROR; + } if (str_eq_coeff->eq_subband_gain_representation == 1) { From 0ccd0efbd026a5f0972a37d0f416b736870c3c2c Mon Sep 17 00:00:00 2001 From: Ramesh Katuri Date: Fri, 22 Jun 2018 16:49:14 +0530 Subject: [PATCH 26/35] Fix for Segmentation fault in ixheaacd_mps_apply_pre_matrix Bug: 110649314 Test: run poc Change-Id: I40f74385499064c0e982608181d98e9e577df84c --- decoder/ixheaacd_create.c | 11 +++++++---- decoder/ixheaacd_mps_dec.c | 10 ++++++---- decoder/ixheaacd_mps_interface.h | 6 +++--- 3 files changed, 16 insertions(+), 11 deletions(-) diff --git a/decoder/ixheaacd_create.c b/decoder/ixheaacd_create.c index 9091a95..9f72de1 100644 --- a/decoder/ixheaacd_create.c +++ b/decoder/ixheaacd_create.c @@ -324,8 +324,11 @@ WORD32 ixheaacd_decode_init( .str_usac_element_config[ele_id] .str_usac_mps212_config); - ixheaacd_mps_create(&aac_dec_handle->mps_dec_handle, bs_frame_length, - bs_residual_coding, ptr_usac_mps212_config); + if (ixheaacd_mps_create(&aac_dec_handle->mps_dec_handle, + bs_frame_length, bs_residual_coding, + ptr_usac_mps212_config)) { + return -1; + } } break; } @@ -425,7 +428,7 @@ WORD32 ixheaacd_dec_data_init(VOID *handle, err_code = ixheaacd_decode_init(handle, pstr_frame_data->str_layer.sample_rate_layer, usac_data, pstr_stream_config); - if (err_code == -1) return -1; + if (err_code != 0) return err_code; for (i_ch = 0; i_ch < MAX_NUM_CHANNELS; i_ch++) { if (usac_data->tw_mdct[0] == 1) { 
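Review bot: The new bound `if (str_eq_coeff->eq_subband_gain_count > EQ_SUBBAND_GAIN_COUNT_MAX) return UNEXPECTED_ERROR;` only covers the `else` branch; the table branch above it (outside this hunk) assigns values up to 135 from `subband_gain_len_tbl`, which is safe only if `EQ_SUBBAND_GAIN_COUNT_MAX` is at least 135. Moving the check after the closing `}` of the `if/else` protects both paths with one line and removes the dependency on the table contents.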
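Review bot: `if (ixheaacd_mps_create(...)) { return -1; }` discards the error code that `ixheaacd_mps_create` now returns, while the `@@ -425` hunk and the `@@ -556` hunk in this same commit switch neighbouring call sites to propagate `err_code` verbatim. Capture and return it, `err_code = ixheaacd_mps_create(...); if (err_code != 0) return err_code;`, so the caller sees the error the MPS layer reported, assuming `err_code` is in scope at that point (declared outside the hunk).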
@@ -556,7 +559,7 @@ WORD32 ixheaacd_decode_create(ia_exhaacplus_dec_api_struct *handle, handle->aac_config.ui_sbr_mode = 0; } - if (err == -1) return -1; + if (err != 0) return err; break; diff --git a/decoder/ixheaacd_mps_dec.c b/decoder/ixheaacd_mps_dec.c index 3075c1b..0e5cb7d 100644 --- a/decoder/ixheaacd_mps_dec.c +++ b/decoder/ixheaacd_mps_dec.c @@ -79,9 +79,9 @@ extern ia_huff_cld_nodes_struct ixheaacd_huff_cld_nodes; extern ia_huff_icc_nodes_struct ixheaacd_huff_icc_nodes; extern ia_huff_res_nodes_struct ixheaacd_huff_reshape_nodes; -VOID ixheaacd_mps_create(ia_mps_dec_state_struct* self, WORD32 bs_frame_len, - WORD32 residual_coding, - ia_usac_dec_mps_config_struct* mps212_config) { +WORD32 ixheaacd_mps_create(ia_mps_dec_state_struct* self, WORD32 bs_frame_len, + WORD32 residual_coding, + ia_usac_dec_mps_config_struct* mps212_config) { WORD32 num_ch; WORD32 err_code = 0; @@ -109,6 +109,8 @@ VOID ixheaacd_mps_create(ia_mps_dec_state_struct* self, WORD32 bs_frame_len, err_code = ixheaacd_mps_header_decode(self); + if (err_code != 0) return err_code; + if ((self->residual_coding) && (self->res_bands > 0)) self->res_ch_count++; ixheaacd_mps_env_init(self); @@ -147,7 +149,7 @@ VOID ixheaacd_mps_create(ia_mps_dec_state_struct* self, WORD32 bs_frame_len, memset(self->opd_smooth.smooth_r_phase, 0, MAX_PARAMETER_BANDS * sizeof(WORD32)); - return; + return 0; } static FLOAT32 ixheaacd_tsd_mul_re[] = { diff --git a/decoder/ixheaacd_mps_interface.h b/decoder/ixheaacd_mps_interface.h index 7587773..a488aef 100644 --- a/decoder/ixheaacd_mps_interface.h +++ b/decoder/ixheaacd_mps_interface.h 
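Review bot: `if (err_code != 0) return err_code;` after `ixheaacd_mps_header_decode` leaves `ixheaacd_mps_create` before the smoothing-state memsets near `@@ -147`, so the `ia_mps_dec_state_struct` is partially initialised on failure; the callers in ixheaacd_create.c abort, but the contract should be recorded above the definition, e.g. `/* Returns 0 on success; on a non-zero header-decode error the state is partially initialised and must not be used */`. The function spans all three hunks, with most of its body outside the view.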
@@ -20,9 +20,9 @@ #ifndef IXHEAACD_MPS_INTERFACE_H #define IXHEAACD_MPS_INTERFACE_H -VOID ixheaacd_mps_create(ia_mps_dec_state_struct* self, WORD32 bs_frame_len, - WORD32 residual_coding, - ia_usac_dec_mps_config_struct* usac_mps_config); +WORD32 ixheaacd_mps_create(ia_mps_dec_state_struct* self, WORD32 bs_frame_len, + WORD32 residual_coding, + ia_usac_dec_mps_config_struct* usac_mps_config); VOID ixheaacd_mps_frame_parsing(ia_mps_dec_state_struct* self, WORD32 independency_flag, From 40c1157b52adfd71abc5db618252f381b95a2b72 Mon Sep 17 00:00:00 2001 From: Ramesh Katuri Date: Fri, 22 Jun 2018 11:15:18 +0530 Subject: [PATCH 27/35] Fix for sanitizer multiplication overflow error Bug: 110596152 Test: re-run POC Change-Id: I24b01b4ab13987abd028f013262f732cd06e81f8 --- decoder/ixheaacd_arith_dec.c | 3 +++ decoder/ixheaacd_avq_dec.c | 7 ++++--- decoder/ixheaacd_ext_ch_ele.c | 10 ++++++---- 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/decoder/ixheaacd_arith_dec.c b/decoder/ixheaacd_arith_dec.c index af9f4c0..fa18f61 100644 --- a/decoder/ixheaacd_arith_dec.c +++ b/decoder/ixheaacd_arith_dec.c @@ -1950,6 +1950,9 @@ static VOID ixheaacd_esc_iquant(WORD32 *q, WORD32 *coef, WORD32 noise_level, if (q[i] < 0) { flag = -1; q[i] = -q[i]; + if (q[i] >= 8192) { + q[i] = 8191; + } } if (q[i] < 1024) { diff --git a/decoder/ixheaacd_avq_dec.c b/decoder/ixheaacd_avq_dec.c index fae899d..478edd8 100644 --- a/decoder/ixheaacd_avq_dec.c +++ b/decoder/ixheaacd_avq_dec.c @@ -97,7 +97,8 @@ static VOID ixheaacd_nearest_neighbor_2d(WORD32 x[], WORD32 y[], WORD32 count, VOID ixheaacd_voronoi_search(WORD32 x[], WORD32 y[], WORD32 count, WORD32 *rem1, WORD32 *rem2) { WORD32 i, y0[8], y1[8]; - WORD32 e0, e1, x1[8], tmp; + WORD32 x1[8], tmp; + WORD64 e0, e1; ixheaacd_nearest_neighbor_2d(x, y0, count, rem1); for (i = 0; i < 8; i++) { 
@@ -122,9 +123,9 @@ VOID ixheaacd_voronoi_search(WORD32 x[], WORD32 y[], WORD32 count, WORD32 *rem1, e0 = e1 = 0; for (i = 0; i < 8; i++) { tmp = rem1[i]; - e0 += tmp * tmp; + e0 += (WORD64)tmp * tmp; tmp = rem2[i]; - e1 += tmp * tmp; + e1 += (WORD64)tmp * tmp; } if (e0 < e1) { diff --git a/decoder/ixheaacd_ext_ch_ele.c b/decoder/ixheaacd_ext_ch_ele.c index 5f09ba8..8bc17e7 100644 --- a/decoder/ixheaacd_ext_ch_ele.c +++ b/decoder/ixheaacd_ext_ch_ele.c @@ -364,18 +364,20 @@ static VOID ixheaacd_filter_and_add(const WORD32 *in, const WORD32 length, sum = ixheaacd_mult32x32in64(in[0], filter[0]); sum = ixheaacd_mac32x32in64_n(sum, &in[0], &filter[1], 6); - *out += (WORD32)((sum * factor_even) >> 15); + + *out = ixheaacd_add32_sat(*out, (WORD32)((sum * factor_even) >> 15)); + out++; for (i = 3; i < length - 4; i += 2) { sum = 0; sum = ixheaacd_mac32x32in64_7(sum, &in[i - 3], filter); - *out += (WORD32)((sum * factor_odd) >> 15); + *out = ixheaacd_add32_sat(*out, (WORD32)((sum * factor_odd) >> 15)); out++; sum = 0; sum = ixheaacd_mac32x32in64_7(sum, &in[i - 2], filter); - *out += (WORD32)((sum * factor_even) >> 15); + *out = ixheaacd_add32_sat(*out, (WORD32)((sum * factor_even) >> 15)); out++; } i = length - 3; @@ -525,7 +527,7 @@ static WORD32 ixheaacd_cplx_pred_upmixing( (WORD32)((WORD64)ixheaacd_mult32x32in64( alpha_q_im_temp, dmx_im[i]) >> 24); - r_spec[i] = (factor) * (l_spec[i] - mid_side); + r_spec[i] = (factor)*ixheaacd_sub32_sat(l_spec[i], mid_side); l_spec[i] = l_spec[i] + mid_side; } From 97123f8e06bce2f45ef5cb447795bd650325e04a Mon Sep 17 00:00:00 2001 From: Ray Essick Date: Mon, 15 Oct 2018 17:45:52 -0700 Subject: [PATCH 28/35] Clean an array bounds violation. unchecked bounds on array that was also 1 entry to small. Bug: 110596152 Test: vendor Change-Id: Ia6c0ddd342257177323a87af85fb42ba24eb8d11 --- decoder/ixheaacd_arith_dec.c | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) 
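Review bot: `*out = ixheaacd_add32_sat(*out, (WORD32)((sum * factor_even) >> 15));` saturates the addition but not the preceding narrowing: `sum` is a 64-bit accumulator, and if `(sum * factor_even) >> 15` exceeds 32 bits the `(WORD32)` cast truncates before `ixheaacd_add32_sat` runs, so the overflow the commit targets can still surface there. Whether the filter gains bound the shifted product is not visible here; if they do not, saturate the 64-bit value to 32 bits before the cast with a 64→32 saturating helper if the library provides one. The loop tail at `i = length - 3` continues outside the hunk.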
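Review bot: `r_spec[i] = (factor)*ixheaacd_sub32_sat(l_spec[i], mid_side);` saturates the subtraction, but the very next line `l_spec[i] = l_spec[i] + mid_side;` is still a plain add on the same operands, and the multiply by `factor` after the saturating subtraction can itself overflow unless `factor` is ±1. Make the pair symmetric, `l_spec[i] = ixheaacd_add32_sat(l_spec[i], mid_side);`, and document `factor`'s range on the line above.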
diff --git a/decoder/ixheaacd_arith_dec.c b/decoder/ixheaacd_arith_dec.c index fa18f61..77b516d 100644 --- a/decoder/ixheaacd_arith_dec.c +++ b/decoder/ixheaacd_arith_dec.c @@ -599,7 +599,7 @@ const WORD64 ixheaacd_table_exp[32] = { static const WORD32 ixheaacd_pow_14_3[8] = {0, 3251, 4096, 5161, 6502, 8192, 10321, 13004}; -const WORD32 ixheaacd_pow_table_Q13[1024] = {0, +const WORD32 ixheaacd_pow_table_Q13[1025] = {0, 131072 >> 4, 330281 >> 4, 567116 >> 4, @@ -1622,7 +1622,8 @@ const WORD32 ixheaacd_pow_table_Q13[1024] = {0, 84111783, 84221751, 84331755, - 84441795}; + 84441795, + 84551870}; static WORD32 ixheaacd_esc_nb_offset[8] = {0, 131072, 262144, 393216, 524288, 655360, 786432, 917504}; @@ -1943,16 +1944,13 @@ static VOID ixheaacd_esc_iquant(WORD32 *q, WORD32 *coef, WORD32 noise_level, } } - if (q[i] >= 8192) { - q[i] = 8191; - } - if (q[i] < 0) { flag = -1; q[i] = -q[i]; - if (q[i] >= 8192) { - q[i] = 8191; - } + } + + if (q[i] >= 8192) { + q[i] = 8191; } if (q[i] < 1024) { From 639e7a88a52194b0473f2d76cccfc7b3e3f4d152 Mon Sep 17 00:00:00 2001 From: Ramesh Katuri Date: Wed, 10 Oct 2018 13:27:48 +0530 Subject: [PATCH 29/35] Fix for OOB read in bit stream parsing in mps module icc and cld index are calculated using parameters derived from bit stream.There is no bound check for icc and cld index, because of which OOB read is happening in mps parsing After icc and cld index calculation,values are clamped to avoid OOB read Bug:112856493 Bug:112858430 Test: poc Change-Id: I59905926d8a2d1a532bec33e5998a67531a99bd9 --- decoder/ixheaacd_mps_parse.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/decoder/ixheaacd_mps_parse.c b/decoder/ixheaacd_mps_parse.c index 9326edf..e5ba760 100644 --- a/decoder/ixheaacd_mps_parse.c +++ b/decoder/ixheaacd_mps_parse.c 
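Review bot: `ixheaacd_pow_table_Q13` is a non-static `const` array, so extending it to `[1025]` means any extern declaration in a header with an explicit `[1024]` extent now mismatches and must be updated; nothing in the hunk shows the declaration. The link between the unified clamp `if (q[i] >= 8192) { q[i] = 8191; }` and the new table length is implicit; a comment such as `/* |q| <= 8191 keeps the derived table index within ixheaacd_pow_table_Q13[1025]; keep the two in sync */` would protect the next edit. The rest of `ixheaacd_esc_iquant` lies outside the hunk.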
@@ -110,6 +110,12 @@ static int ixheaacd_smoothing_time_table[] = {64, 128, 256, 512}; static int ixheaacd_inverse_smoothing_time_table_q30[] = {16777216, 8388608, 4194304, 2097152}; +static WORD32 bound_check(WORD32 var, WORD32 lower_bound, WORD32 upper_bound) { + var = min(var, upper_bound); + var = max(var, lower_bound); + return var; +} + static VOID ixheaacd_longmult1(unsigned short a[], unsigned short b, unsigned short d[], int len) { int k; @@ -803,9 +809,16 @@ static VOID ixheaacd_mps_mapindexdata( } for (ps = 0; ps < num_parameter_sets; ps++) { - for (band = band_start; band < band_stop; band++) + for (band = band_start; band < band_stop; band++) { + if (param_type == CLD) { + out_idx_data[ps][band] = bound_check(out_idx_data[ps][band], -15, 15); + } else if (param_type == ICC) // param_type is ICC + { + out_idx_data[ps][band] = bound_check(out_idx_data[ps][band], 0, 7); + } out_data[ps][band] = ixheaacd_mps_de_quantize(out_idx_data[ps][band], param_type); + } } if (ext_frame_flag) { From 48b9e0f8576ae7b1d3eb52cc2e04b1ffbcc7b03c Mon Sep 17 00:00:00 2001 From: Ramesh Katuri Date: Wed, 10 Oct 2018 14:48:15 +0530 Subject: [PATCH 30/35] Fix for stack buffer overflow in mps ecdata pair decode Bug:116971427 Test: vendor Change-Id: Icb76f5700651ba701b51fdc626e797f0ae86c2cf --- decoder/ixheaacd_mps_dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/decoder/ixheaacd_mps_dec.c b/decoder/ixheaacd_mps_dec.c index 0e5cb7d..851f942 100644 --- a/decoder/ixheaacd_mps_dec.c +++ b/decoder/ixheaacd_mps_dec.c @@ -1426,6 +1426,8 @@ WORD32 ixheaacd_mps_ecdatapairdec(ia_handle_bit_buf_struct it_bit_buff, } } + if (data_bands <= 0) return -1; + if (!ixheaacd_huff_decode(it_bit_buff, data_array[0], data_array[1], data_type, diff_type[0], diff_type[1], pilot_coding_flag, pilot_data, data_bands, From c992830e35be4219514e4e55439d2f34202f3ebf Mon Sep 17 00:00:00 2001 
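Review bot: `bound_check` clamps `out_idx_data[ps][band]` silently, so a corrupted stream yields plausible CLD/ICC values rather than an error; that is a legitimate choice, but it should be stated next to the helper, e.g. `/* Clamp bit-stream derived indices to the de-quantizer table range; out-of-range input is tolerated, not reported */`. Only `CLD` and `ICC` are clamped here, so other `param_type` values still reach `ixheaacd_mps_de_quantize` unchecked (whether their tables are indexed the same way is not visible). Style: the trailing `// param_type is ICC` repeats the condition and the `{` on its own line departs from the K&R bracing of the surrounding lines; drop the comment and put the brace on the `else if` line.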
From: Ramesh Katuri Date: Fri, 31 Aug 2018 16:48:00 +0530 Subject: [PATCH 31/35] Fix for segmentation fault in hf generator Number of envelopes is becoming zero because of erroneous input stream.Inside SBR start band and stop band are calculated based on number of envelope's. In this case start bands is becoming negative. In sbr processing buffer is accessed from start to stop band. This is causing OOB read access Bug:113037143 Test: poc Change-Id: Iade10e8cb86676784703e7226b7e132761eb12b1 (cherry picked from commit 4e5b9cb8f61ea4c14f964fd570e6f3b7934e5255) --- decoder/ixheaacd_env_dec.c | 77 +++++++++++++++++++++++------------ decoder/ixheaacd_env_dec.h | 24 +++++------ decoder/ixheaacd_sbrdecoder.c | 4 +- 3 files changed, 65 insertions(+), 40 deletions(-) diff --git a/decoder/ixheaacd_env_dec.c b/decoder/ixheaacd_env_dec.c index ae39456..7f10188 100644 --- a/decoder/ixheaacd_env_dec.c +++ b/decoder/ixheaacd_env_dec.c @@ -238,7 +238,7 @@ VOID ixheaacd_process_del_cod_env_data( } } -static PLATFORM_INLINE VOID +static PLATFORM_INLINE WORD32 ixheaacd_wrong_timing_compensate(ia_sbr_header_data_struct *ptr_header_data, ia_sbr_frame_info_data_struct *ptr_sbr_data, ia_sbr_prev_frame_data_struct *ptr_prev_data, @@ -270,6 +270,8 @@ ixheaacd_wrong_timing_compensate(ia_sbr_header_data_struct *ptr_header_data, p_frame_info->border_vec[0] = start_pos_est; p_frame_info->noise_border_vec[0] = start_pos_est; + if (start_pos_est < 0) return -1; + if (ptr_sbr_data->coupling_mode != COUPLING_BAL) { num_env_sf = ((p_frame_info->freq_res[0]) ? num_sf_bands[HIGH] : num_sf_bands[LOW]); @@ -279,6 +281,8 @@ ixheaacd_wrong_timing_compensate(ia_sbr_header_data_struct *ptr_header_data, add16_m(ptr_sbr_data->int_env_sf_arr[i], delta_exp); } } + + return 0; } WORD16 ixheaacd_check_env_data(ia_sbr_header_data_struct *ptr_header_data, 
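Review bot: `if (start_pos_est < 0) return -1;` is placed after `p_frame_info->border_vec[0] = start_pos_est;` and `p_frame_info->noise_border_vec[0] = start_pos_est;`, so a negative estimate has already been stored into the frame info before the function bails out; if `p_frame_info` survives as previous-frame state the bad border persists. Move the check above the two stores. The function is now `WORD32`; a line `/* returns 0, or -1 when the compensated start position is negative */` at the definition would document the new contract.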
@@ -568,19 +572,22 @@ VOID ixheaacd_sbr_env_dequant_coup( (1 + pow(2, temp_r - pan_offset[1]))); } } -VOID ixheaacd_dec_sbrdata(ia_sbr_header_data_struct *ptr_header_data_ch_0, - ia_sbr_header_data_struct *ptr_header_data_ch_1, - ia_sbr_frame_info_data_struct *ptr_sbr_data_ch_0, - ia_sbr_prev_frame_data_struct *ptr_prev_data_ch_0, - ia_sbr_frame_info_data_struct *ptr_sbr_data_ch_1, - ia_sbr_prev_frame_data_struct *ptr_prev_data_ch_1, - ixheaacd_misc_tables *ptr_common_tables) { +WORD32 ixheaacd_dec_sbrdata(ia_sbr_header_data_struct *ptr_header_data_ch_0, + ia_sbr_header_data_struct *ptr_header_data_ch_1, + ia_sbr_frame_info_data_struct *ptr_sbr_data_ch_0, + ia_sbr_prev_frame_data_struct *ptr_prev_data_ch_0, + ia_sbr_frame_info_data_struct *ptr_sbr_data_ch_1, + ia_sbr_prev_frame_data_struct *ptr_prev_data_ch_1, + ixheaacd_misc_tables *ptr_common_tables) { FLAG error_code; + WORD32 err = 0; WORD32 usac_flag = ptr_header_data_ch_0->usac_flag; - ixheaacd_dec_envelope(ptr_header_data_ch_0, ptr_sbr_data_ch_0, - ptr_prev_data_ch_0, ptr_prev_data_ch_1, - ptr_common_tables); + err = ixheaacd_dec_envelope(ptr_header_data_ch_0, ptr_sbr_data_ch_0, + ptr_prev_data_ch_0, ptr_prev_data_ch_1, + ptr_common_tables); + + if (err) return err; ixheaacd_calc_noise_floor(ptr_header_data_ch_0, ptr_sbr_data_ch_0, ptr_prev_data_ch_0); @@ -598,9 +605,11 @@ VOID ixheaacd_dec_sbrdata(ia_sbr_header_data_struct *ptr_header_data_ch_0, if (ptr_sbr_data_ch_1 != NULL) { error_code = ptr_header_data_ch_0->err_flag; - ixheaacd_dec_envelope(ptr_header_data_ch_1, ptr_sbr_data_ch_1, - ptr_prev_data_ch_1, ptr_prev_data_ch_0, - ptr_common_tables); + err = ixheaacd_dec_envelope(ptr_header_data_ch_1, ptr_sbr_data_ch_1, + ptr_prev_data_ch_1, ptr_prev_data_ch_0, + ptr_common_tables); + + if (err) return err; ixheaacd_calc_noise_floor(ptr_header_data_ch_1, ptr_sbr_data_ch_1, ptr_prev_data_ch_1); 
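Review bot: The new `if (err) return err;` after the channel-1 `ixheaacd_dec_envelope` call in the `@@ -598` hunk of `ixheaacd_dec_sbrdata` leaves the two channels in different states: channel 0's envelope has been decoded and `ixheaacd_calc_noise_floor` has already updated `ptr_prev_data_ch_0`, while channel 1's previous-frame data is untouched. If the caller keeps decoding subsequent frames from that prev-frame state (the visible caller in `ixheaacd_applysbr` only propagates the error), the channels' history is now out of step, which is worth a comment or a reset on the error path, e.g. `/* NOTE: ch 0 prev-frame data has already been updated when ch 1 fails; caller must reset SBR state on error. */`. The same consideration applies to the `@@ -618` hunk on the following line. `ixheaacd_dec_sbrdata` continues past this hunk.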
@@ -618,9 +627,11 @@ VOID ixheaacd_dec_sbrdata(ia_sbr_header_data_struct *ptr_header_data_ch_0, if (!usac_flag) { if (!error_code && ptr_header_data_ch_0->err_flag) { - ixheaacd_dec_envelope(ptr_header_data_ch_0, ptr_sbr_data_ch_0, - ptr_prev_data_ch_0, ptr_prev_data_ch_1, - ptr_common_tables); + err = ixheaacd_dec_envelope(ptr_header_data_ch_0, ptr_sbr_data_ch_0, + ptr_prev_data_ch_0, ptr_prev_data_ch_1, + ptr_common_tables); + + if (err) return err; } } @@ -631,13 +642,16 @@ VOID ixheaacd_dec_sbrdata(ia_sbr_header_data_struct *ptr_header_data_ch_0, ixheaacd_sbr_env_dequant_coup(ptr_sbr_data_ch_0, ptr_sbr_data_ch_1); } } + + return 0; } -VOID ixheaacd_dec_envelope(ia_sbr_header_data_struct *ptr_header_data, - ia_sbr_frame_info_data_struct *ptr_sbr_data, - ia_sbr_prev_frame_data_struct *ptr_prev_data_ch_0, - ia_sbr_prev_frame_data_struct *ptr_prev_data_ch_1, - ixheaacd_misc_tables *pstr_common_tables) { +WORD32 ixheaacd_dec_envelope(ia_sbr_header_data_struct *ptr_header_data, + ia_sbr_frame_info_data_struct *ptr_sbr_data, + ia_sbr_prev_frame_data_struct *ptr_prev_data_ch_0, + ia_sbr_prev_frame_data_struct *ptr_prev_data_ch_1, + ixheaacd_misc_tables *pstr_common_tables) { FLAG error_code; + WORD32 err; WORD16 env_sf_local_arr[MAX_FREQ_COEFFS]; WORD32 usac_flag = ptr_header_data->usac_flag; WORD32 temp_1 = @@ -664,8 +678,12 @@ VOID ixheaacd_dec_envelope(ia_sbr_header_data_struct *ptr_header_data, if (ptr_header_data->err_flag_prev && !usac_flag) { WORD16 *ptr1, *ptr2; WORD32 i; - ixheaacd_wrong_timing_compensate(ptr_header_data, ptr_sbr_data, - ptr_prev_data_ch_0, pstr_common_tables); + + err = ixheaacd_wrong_timing_compensate(ptr_header_data, ptr_sbr_data, + ptr_prev_data_ch_0, + pstr_common_tables); + + if (err) return err; if (ptr_sbr_data->coupling_mode != (WORD16)ptr_prev_data_ch_0->coupling_mode) { 
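Review bot: In the `@@ -631` hunk `ixheaacd_dec_envelope` declares `WORD32 err;` without an initializer, while the sibling change to `ixheaacd_dec_sbrdata` on the previous line uses `WORD32 err = 0;`; both assignments visible in the `@@ -664` and `@@ -708` hunks write `err` before reading it, so this is a consistency point rather than a defect, but `WORD32 err = 0;` would match the other function and protect any path added later. The recursion at `@@ -708` means a failure inside the nested `ixheaacd_dec_envelope` call is now surfaced through the same `err`, which the function's header comment should mention, e.g. `/* Returns 0 on success or a negative error from timing compensation / the re-entrant call. */`. The function body extends beyond this hunk.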
@@ -708,14 +726,19 @@ VOID ixheaacd_dec_envelope(ia_sbr_header_data_struct *ptr_header_data, memcpy(ptr_prev_data_ch_0->sfb_nrg_prev, env_sf_local_arr, sizeof(WORD16) * MAX_FREQ_COEFFS); - ixheaacd_dec_envelope(ptr_header_data, ptr_sbr_data, ptr_prev_data_ch_0, - ptr_prev_data_ch_1, pstr_common_tables); - return; + err = ixheaacd_dec_envelope(ptr_header_data, ptr_sbr_data, + ptr_prev_data_ch_0, ptr_prev_data_ch_1, + pstr_common_tables); + + if (err) return err; + return 0; } } } if (!usac_flag) ixheaacd_dequant_env_data(ptr_sbr_data, ptr_sbr_data->amp_res); + + return 0; } VOID ixheaacd_adj_timeslot(WORD32 *ptr_buf_real, WORD32 *ptr_buf_imag, diff --git a/decoder/ixheaacd_env_dec.h b/decoder/ixheaacd_env_dec.h index 3f4556a..3c36486 100644 --- a/decoder/ixheaacd_env_dec.h +++ b/decoder/ixheaacd_env_dec.h @@ -20,13 +20,13 @@ #ifndef IXHEAACD_ENV_DEC_H #define IXHEAACD_ENV_DEC_H -VOID ixheaacd_dec_sbrdata(ia_sbr_header_data_struct *ptr_header_data_ch_0, - ia_sbr_header_data_struct *ptr_header_data_ch_1, - ia_sbr_frame_info_data_struct *ptr_sbr_data_ch_0, - ia_sbr_prev_frame_data_struct *ptr_prev_data_ch_0, - ia_sbr_frame_info_data_struct *ptr_sbr_data_ch_1, - ia_sbr_prev_frame_data_struct *ptr_prev_data_ch_1, - ixheaacd_misc_tables *ptr_common_tables); +WORD32 ixheaacd_dec_sbrdata(ia_sbr_header_data_struct *ptr_header_data_ch_0, + ia_sbr_header_data_struct *ptr_header_data_ch_1, + ia_sbr_frame_info_data_struct *ptr_sbr_data_ch_0, + ia_sbr_prev_frame_data_struct *ptr_prev_data_ch_0, + ia_sbr_frame_info_data_struct *ptr_sbr_data_ch_1, + ia_sbr_prev_frame_data_struct *ptr_prev_data_ch_1, + ixheaacd_misc_tables *ptr_common_tables); VOID ixheaacd_dec_sbrdata_for_pvc(ia_sbr_header_data_struct *ptr_header_data, ia_sbr_frame_info_data_struct *ptr_sbr_data, 
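Review bot: The `@@ -708` hunk ends the branch with `err = ixheaacd_dec_envelope(...); if (err) return err; return 0;`, which is equivalent to returning the call's value directly; `return ixheaacd_dec_envelope(ptr_header_data, ptr_sbr_data, ptr_prev_data_ch_0, ptr_prev_data_ch_1, pstr_common_tables);` says the same in one statement and makes the tail recursion obvious. Because this is a re-entrant call on the same frame after `memcpy` into `ptr_prev_data_ch_0->sfb_nrg_prev`, a short comment on why it cannot recurse again (presumably the copied previous data changes the condition that led here) would help the next reader. `ixheaacd_dec_envelope` begins before this hunk.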
@@ -55,11 +55,11 @@ VOID ixheaacd_harm_idx_onethree(FLAG noise_absc_flag, WORD16 num_subband, WORD16 *ptr_sine_level_buf, WORD16 noise_e, WORD freq_inv_flag, WORD32 harm_index); -VOID ixheaacd_dec_envelope(ia_sbr_header_data_struct *ptr_header_data, - ia_sbr_frame_info_data_struct *ptr_sbr_data, - ia_sbr_prev_frame_data_struct *ptr_prev_data, - ia_sbr_prev_frame_data_struct *ptr_prev_data_ch_1, - ixheaacd_misc_tables *pstr_common_tables); +WORD32 ixheaacd_dec_envelope(ia_sbr_header_data_struct *ptr_header_data, + ia_sbr_frame_info_data_struct *ptr_sbr_data, + ia_sbr_prev_frame_data_struct *ptr_prev_data, + ia_sbr_prev_frame_data_struct *ptr_prev_data_ch_1, + ixheaacd_misc_tables *pstr_common_tables); VOID ixheaacd_lean_sbrconcealment(ia_sbr_header_data_struct *ptr_header_data, ia_sbr_frame_info_data_struct *ptr_sbr_data, diff --git a/decoder/ixheaacd_sbrdecoder.c b/decoder/ixheaacd_sbrdecoder.c index c40b37f..e357af2 100644 --- a/decoder/ixheaacd_sbrdecoder.c +++ b/decoder/ixheaacd_sbrdecoder.c @@ -566,13 +566,15 @@ WORD16 ixheaacd_applysbr(ia_handle_sbr_dec_inst_struct self, ixheaacd_dec_sbrdata_for_pvc(ptr_header_data[0], ptr_frame_data[0], pstr_sbr_channel[0]->pstr_prev_frame_data); } else if (ptr_frame_data[0]->sbr_mode == ORIG_SBR) { - ixheaacd_dec_sbrdata( + err = ixheaacd_dec_sbrdata( ptr_header_data[0], ptr_header_data[1], ptr_frame_data[0], pstr_sbr_channel[0]->pstr_prev_frame_data, (stereo || dual_mono) ? ptr_frame_data[1] : NULL, (stereo || dual_mono) ? pstr_sbr_channel[1]->pstr_prev_frame_data : NULL, self->pstr_common_tables); + + if (err) return err; } if (ptr_header_data[0]->channel_mode == PS_STEREO && From ae206c1fa51a79736167e5b671fd953eaedbce0b Mon Sep 17 00:00:00 2001 
From: Ramesh Katuri Date: Thu, 27 Sep 2018 16:02:31 +0530 Subject: [PATCH 32/35] Fix for OOB write in td filter casecade parsing Add bounds checks for values delivered as N-bits in the bitstream but that have smaller allowed range in this implementation. Bug:116617847 Test: vendor Change-Id: Iad0c020ceacd2226d8e1af688a52a46179a39a2d --- decoder/drc_src/impd_drc_dynamic_payload.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/decoder/drc_src/impd_drc_dynamic_payload.c b/decoder/drc_src/impd_drc_dynamic_payload.c index 3c5e0cb..576bc45 100644 --- a/decoder/drc_src/impd_drc_dynamic_payload.c +++ b/decoder/drc_src/impd_drc_dynamic_payload.c @@ -638,6 +638,8 @@ WORD32 impd_parse_filt_block(ia_bit_buf_struct* it_bit_buff, if (it_bit_buff->error) return it_bit_buff->error; str_filter_element->filt_ele_idx = (temp & 0x7E) >> 1; + if (str_filter_element->filt_ele_idx >= FILTER_ELEMENT_COUNT_MAX) + return (UNEXPECTED_ERROR); str_filter_element->filt_ele_gain_flag = temp & 1; ; @@ -1016,10 +1018,17 @@ WORD32 impd_parser_td_filter_cascade( str_filter_block_refs->filter_block_count = impd_read_bits_buf(it_bit_buff, 4); if (it_bit_buff->error) return it_bit_buff->error; + if (str_filter_block_refs->filter_block_count > EQ_FILTER_BLOCK_COUNT_MAX) { + return (UNEXPECTED_ERROR); + } + for (ii = 0; ii < str_filter_block_refs->filter_block_count; ii++) { str_filter_block_refs->filter_block_index[ii] = impd_read_bits_buf(it_bit_buff, 7); if (it_bit_buff->error) return it_bit_buff->error; + if (str_filter_block_refs->filter_block_index[ii] >= + FILTER_BLOCK_COUNT_MAX) + return (UNEXPECTED_ERROR); } str_filter_block_refs++; } From bd5770772f2b992f38a7f582fe19611e15b50c14 Mon Sep 17 00:00:00 2001 
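Review bot: The two checks added in the `@@ -1016` hunk of `impd_parser_td_filter_cascade` use different brace styles: the `filter_block_count` test is braced while the `filter_block_index[ii]` test wraps its condition over two lines and returns without braces, and the `filt_ele_idx` check in `@@ -638` is braceless too; bracing all three (`if (...) { return (UNEXPECTED_ERROR); }`) removes the dangling-statement hazard and matches the first check. The bounds themselves look right for their roles, `>` for the count and `>=` for an index, and a comment recording that distinction would prevent a future "fix" flipping one of them, e.g. `/* count may equal the maximum; indices must stay below it */`. Note that the out-of-range value has already been stored in the struct when the error is returned, which is harmless only if callers discard the partially parsed structure on `UNEXPECTED_ERROR`; that cannot be confirmed from the hunk.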
From: Ramesh Katuri Date: Sat, 13 Oct 2018 13:42:08 +0530 Subject: [PATCH 33/35] Fix for Stack buffer overflow in ixheaacd_mps_getstridemap Bug:117495103 Bug:117495366 Test: vendor + poc Change-Id: Iff5b9135a8fc1b9ad1f00b6fdbe6a8e20c0a61c4 --- decoder/ixheaacd_mps_parse.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/decoder/ixheaacd_mps_parse.c b/decoder/ixheaacd_mps_parse.c index e5ba760..3d9bde9 100644 --- a/decoder/ixheaacd_mps_parse.c +++ b/decoder/ixheaacd_mps_parse.c @@ -1063,6 +1063,8 @@ WORD32 ixheaacd_mps_header_decode(ia_mps_dec_state_struct *self) { } } + if (self->num_bands_ipd > MAX_PARAMETER_BANDS) return -1; + self->dir_sig_count = 1; self->decor_sig_count = 1; From c9ecca9cd87edee9072fb4a56bcc8f8053e441a6 Mon Sep 17 00:00:00 2001 From: Ramesh Katuri Date: Fri, 5 Oct 2018 18:00:42 +0530 Subject: [PATCH 34/35] Fix for OOB write in equalizer instructions parsing. Bound check was missing for eq_ch_group_count. Added as fix. Bug: 117216549 Test: vendor Change-Id: Ie36446a3604ae1cb2471dad0a938a96f2b7fff64 --- decoder/drc_src/impd_drc_dynamic_payload.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/decoder/drc_src/impd_drc_dynamic_payload.c b/decoder/drc_src/impd_drc_dynamic_payload.c index 3c5e0cb..35a3c37 100644 --- a/decoder/drc_src/impd_drc_dynamic_payload.c +++ b/decoder/drc_src/impd_drc_dynamic_payload.c @@ -1170,6 +1170,9 @@ WORD32 impd_parse_eq_instructions( } } + if (str_eq_instructions->eq_ch_group_count > EQ_CHANNEL_GROUP_COUNT_MAX) + return (UNEXPECTED_ERROR); + str_eq_instructions->td_filter_cascade_present = impd_read_bits_buf(it_bit_buff, 1); if (it_bit_buff->error) return it_bit_buff->error; From 565b25f4321abc7b563e6363bb7760c822a61afd Mon Sep 17 00:00:00 2001 
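Review bot: The `eq_ch_group_count` check added in the `@@ -1170` hunk of `impd_parse_eq_instructions` (PATCH 34) sits after two closing braces, so it runs only once the preceding loops have finished; if those loops derive or already index by `eq_ch_group_count`, the overflow would occur before the new guard is reached and the check should be placed where the count is first established. That cannot be verified from the hunk, so a comment at the check stating the invariant it protects would at least make the ordering reviewable, e.g. `/* eq_ch_group_count bounds the per-group arrays parsed below */`. The same observation applies to the `num_bands_ipd` check in the PATCH 33 hunk on this line, which likewise follows a closed block.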
From: Ramesh Katuri Date: Tue, 9 Oct 2018 14:29:43 +0530 Subject: [PATCH 35/35] Fix for stack-buffer-underflow in ixheaacd_sbr_env_calc Bug:117050162 Test: vendor, poc no longer fails Change-Id: I1ff8f0ce42ade33c93653edc9e19282b68108b9b --- decoder/ixheaacd_esbr_envcal.c | 14 ++++++---- decoder/ixheaacd_sbr_dec.c | 49 +++++++++++++--------------------- decoder/ixheaacd_sbr_dec.h | 11 ++++---- 3 files changed, 34 insertions(+), 40 deletions(-) diff --git a/decoder/ixheaacd_esbr_envcal.c b/decoder/ixheaacd_esbr_envcal.c index 53aacef..b90df22 100644 --- a/decoder/ixheaacd_esbr_envcal.c +++ b/decoder/ixheaacd_esbr_envcal.c @@ -68,11 +68,12 @@ VOID ixheaacd_shellsort(WORD32 *in, WORD32 n) { } while (inc > 1); } -VOID ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data, - FLOAT32 input_real[][64], FLOAT32 input_imag[][64], - FLOAT32 input_real1[][64], FLOAT32 input_imag1[][64], - WORD32 x_over_qmf[MAX_NUM_PATCHES], - FLOAT32 *scratch_buff, FLOAT32 *env_out) { +WORD32 ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data, + FLOAT32 input_real[][64], FLOAT32 input_imag[][64], + FLOAT32 input_real1[][64], + FLOAT32 input_imag1[][64], + WORD32 x_over_qmf[MAX_NUM_PATCHES], + FLOAT32 *scratch_buff, FLOAT32 *env_out) { WORD8 harmonics[64]; FLOAT32(*env_tmp)[48]; FLOAT32(*noise_level_pvc)[48]; @@ -192,6 +193,7 @@ VOID ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data, ui = frame_data->pstr_sbr_header->pstr_freq_band_data ->freq_band_tbl_hi[i + 1]; tmp = ((ui + li) - (sub_band_start << 1)) >> 1; + if ((tmp >= 64) || (tmp < 0)) return -1; harmonics[tmp] = add_harmonics[i]; } @@ -559,6 +561,7 @@ VOID ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data, ui = frame_data->pstr_sbr_header->pstr_freq_band_data ->freq_band_tbl_hi[i + 1]; tmp = ((ui + li) - (sub_band_start << 1)) >> 1; + if ((tmp >= 64) || (tmp < 0)) return -1; harmonics[tmp] = add_harmonics[i]; } 
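Review bot: The guard `if ((tmp >= 64) || (tmp < 0)) return -1;` added in the `@@ -192` and `@@ -559` hunks of `ixheaacd_sbr_env_calc` repeats the literal `64` that sizes the local `harmonics[64]` declared at the top of the function; tying the check to the array, `if ((tmp < 0) || (tmp >= (WORD32)(sizeof(harmonics) / sizeof(harmonics[0])))) return -1;`, keeps the two from drifting apart. Since the identical computation of `tmp` and guard appear twice, a small static helper or a shared named constant would also remove the duplication. The early returns skip the state writes at the end of the function (`frame_data->phase_index` and the `esbr_start_up` flags in `@@ -783`), which appears intended for a rejected frame but is worth a sentence in the function's header comment. `ixheaacd_sbr_env_calc` spans well beyond these hunks.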
@@ -783,6 +786,7 @@ VOID ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data, frame_data->phase_index = phase_index; frame_data->pstr_sbr_header->esbr_start_up = esbr_start_up; frame_data->pstr_sbr_header->esbr_start_up_pvc = esbr_start_up_pvc; + return 0; } VOID ixheaacd_createlimiterbands(WORD32 lim_table[4][12 + 1], diff --git a/decoder/ixheaacd_sbr_dec.c b/decoder/ixheaacd_sbr_dec.c index 1adc72a..049433d 100644 --- a/decoder/ixheaacd_sbr_dec.c +++ b/decoder/ixheaacd_sbr_dec.c @@ -759,21 +759,16 @@ WORD32 ixheaacd_sbr_dec(ia_sbr_dec_struct *ptr_sbr_dec, WORD16 *ptr_time_data, ptr_pvc_data->prev_pvc_rate = ptr_pvc_data->pvc_rate; ptr_frame_data->pstr_sbr_header = ptr_header_data; - if (ptr_header_data->hbe_flag == 0) - ixheaacd_sbr_env_calc( - ptr_frame_data, ptr_sbr_dec->sbr_qmf_out_real + (SBR_HF_ADJ_OFFSET), - ptr_sbr_dec->sbr_qmf_out_imag + (SBR_HF_ADJ_OFFSET), - ptr_sbr_dec->qmf_buf_real + (SBR_HF_ADJ_OFFSET), - ptr_sbr_dec->qmf_buf_imag + (SBR_HF_ADJ_OFFSET), NULL, - ptr_sbr_dec->scratch_buff, pvc_dec_out_buf); - else - ixheaacd_sbr_env_calc( - ptr_frame_data, ptr_sbr_dec->sbr_qmf_out_real + (SBR_HF_ADJ_OFFSET), - ptr_sbr_dec->sbr_qmf_out_imag + (SBR_HF_ADJ_OFFSET), - ptr_sbr_dec->qmf_buf_real + (SBR_HF_ADJ_OFFSET), - ptr_sbr_dec->qmf_buf_imag + (SBR_HF_ADJ_OFFSET), - ptr_sbr_dec->p_hbe_txposer->x_over_qmf, ptr_sbr_dec->scratch_buff, - pvc_dec_out_buf); + err_code = ixheaacd_sbr_env_calc( + ptr_frame_data, ptr_sbr_dec->sbr_qmf_out_real + (SBR_HF_ADJ_OFFSET), + ptr_sbr_dec->sbr_qmf_out_imag + (SBR_HF_ADJ_OFFSET), + ptr_sbr_dec->qmf_buf_real + (SBR_HF_ADJ_OFFSET), + ptr_sbr_dec->qmf_buf_imag + (SBR_HF_ADJ_OFFSET), + (ptr_header_data->hbe_flag == 0) + ? NULL + : ptr_sbr_dec->p_hbe_txposer->x_over_qmf, + ptr_sbr_dec->scratch_buff, pvc_dec_out_buf); + if (err_code) return err_code; } else { for (i = 0; i < 64; i++) { 
@@ -1213,22 +1208,16 @@ WORD32 ixheaacd_sbr_dec_from_mps(FLOAT32 *p_mps_qmf_output, VOID *p_sbr_dec, ptr_frame_data->pstr_sbr_header = ptr_header_data; ptr_frame_data->sbr_mode = ORIG_SBR; ptr_frame_data->prev_sbr_mode = ORIG_SBR; - if (ptr_header_data->hbe_flag == 0) - ixheaacd_sbr_env_calc(ptr_frame_data, - ptr_sbr_dec->mps_sbr_qmf_buf_real + SBR_HF_ADJ_OFFSET, - ptr_sbr_dec->mps_sbr_qmf_buf_imag + SBR_HF_ADJ_OFFSET, - ptr_sbr_dec->mps_qmf_buf_real + SBR_HF_ADJ_OFFSET, - ptr_sbr_dec->mps_qmf_buf_imag + SBR_HF_ADJ_OFFSET, - NULL, ptr_sbr_dec->scratch_buff, NULL); - else - ixheaacd_sbr_env_calc(ptr_frame_data, - ptr_sbr_dec->mps_sbr_qmf_buf_real + SBR_HF_ADJ_OFFSET, - ptr_sbr_dec->mps_sbr_qmf_buf_imag + SBR_HF_ADJ_OFFSET, - ptr_sbr_dec->mps_qmf_buf_real + SBR_HF_ADJ_OFFSET, - ptr_sbr_dec->mps_qmf_buf_imag + SBR_HF_ADJ_OFFSET, - ptr_sbr_dec->p_hbe_txposer->x_over_qmf, - ptr_sbr_dec->scratch_buff, NULL); + err = ixheaacd_sbr_env_calc( + ptr_frame_data, ptr_sbr_dec->mps_sbr_qmf_buf_real + SBR_HF_ADJ_OFFSET, + ptr_sbr_dec->mps_sbr_qmf_buf_imag + SBR_HF_ADJ_OFFSET, + ptr_sbr_dec->mps_qmf_buf_real + SBR_HF_ADJ_OFFSET, + ptr_sbr_dec->mps_qmf_buf_imag + SBR_HF_ADJ_OFFSET, + (ptr_header_data->hbe_flag == 0) ? NULL + : ptr_sbr_dec->p_hbe_txposer->x_over_qmf, + ptr_sbr_dec->scratch_buff, NULL); + if (err) return err; for (i = 0; i < no_bins; i++) { FLOAT32 *p_loc_mps_qmf_output = p_mps_qmf_output + i * (MAX_NUM_QMF_BANDS_ESBR * 2); diff --git a/decoder/ixheaacd_sbr_dec.h b/decoder/ixheaacd_sbr_dec.h index 0beec6d..69a4d23 100644 --- a/decoder/ixheaacd_sbr_dec.h +++ b/decoder/ixheaacd_sbr_dec.h 
@@ -183,11 +183,12 @@ WORD32 ixheaacd_qmf_hbe_apply(ia_esbr_hbe_txposer_struct *h_hbe_txposer, FLOAT32 pv_qmf_buf_imag[][64], WORD32 pitch_in_bins); -VOID ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data, - FLOAT32 input_real[][64], FLOAT32 input_imag[][64], - FLOAT32 input_real1[][64], FLOAT32 input_imag1[][64], - WORD32 x_over_qmf[MAX_NUM_PATCHES], - FLOAT32 *scratch_buff, FLOAT32 *env_out); +WORD32 ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data, + FLOAT32 input_real[][64], FLOAT32 input_imag[][64], + FLOAT32 input_real1[][64], + FLOAT32 input_imag1[][64], + WORD32 x_over_qmf[MAX_NUM_PATCHES], + FLOAT32 *scratch_buff, FLOAT32 *env_out); WORD32 ixheaacd_generate_hf(FLOAT32 ptr_src_buf_real[][64], FLOAT32 ptr_src_buf_imag[][64],