From eb58cff8321e8c8c9f3059d298829ad4b0ef863f Mon Sep 17 00:00:00 2001 From: Rajat Kumar Date: Thu, 27 Dec 2018 19:27:17 +0530 Subject: [PATCH] Fix for array bound overflows Added bound checks and handled the respective returned error across source and header files. Bug:120452956 Test: vendor, poc Change-Id: I5a9ebf68e7a5d2f41a0112aff113f0b1b8eeba7c --- decoder/ixheaacd_aac_rom.h | 5 +++-- decoder/ixheaacd_api.c | 2 +- decoder/ixheaacd_avq_dec.c | 4 ++-- decoder/ixheaacd_env_dec.c | 30 +++++++++++++++++++--------- decoder/ixheaacd_env_dec.h | 7 ++++--- decoder/ixheaacd_esbr_envcal.c | 4 +++- decoder/ixheaacd_esbr_rom.h | 2 +- decoder/ixheaacd_headerdecode.c | 3 +++ decoder/ixheaacd_huff_code_reorder.c | 10 ++++++---- decoder/ixheaacd_process.c | 13 ++++++------ decoder/ixheaacd_sbrdecoder.c | 24 +++++++++++----------- decoder/ixheaacd_sbrdecoder.h | 2 +- 12 files changed, 64 insertions(+), 42 deletions(-) diff --git a/decoder/ixheaacd_aac_rom.h b/decoder/ixheaacd_aac_rom.h index 0d99e9e..a6a8142 100644 --- a/decoder/ixheaacd_aac_rom.h +++ b/decoder/ixheaacd_aac_rom.h @@ -21,6 +21,7 @@ #define IXHEAACD_AAC_ROM_H #define AAC_NF_NO_RANDOM_VAL 512 +#define MAX_CB_SIZE 13 typedef struct { WORD32 ixheaacd_pow_table_Q13[129]; @@ -153,8 +154,8 @@ typedef struct { WORD16 sfb_long_table[52]; WORD16 sfb_short_table[16]; - UWORD16 *code_book[13]; - UWORD32 *index_table[13]; + UWORD16 *code_book[MAX_CB_SIZE]; + UWORD32 *index_table[MAX_CB_SIZE]; WORD8 *scale_fac_bands_512[16]; WORD8 *scale_fac_bands_480[16]; diff --git a/decoder/ixheaacd_api.c b/decoder/ixheaacd_api.c index 1cc1f75..6c6118e 100644 --- a/decoder/ixheaacd_api.c +++ b/decoder/ixheaacd_api.c 
@@ -1460,7 +1460,7 @@ IA_ERRORCODE ixheaacd_dec_init( p_obj_exhaacplus_dec, inbuffer, outbuffer, &out_bytes, frames_done, pcm_size, &p_obj_exhaacplus_dec->p_state_aac->num_of_output_ch); - if (error_code == -1) return error_code; + if (error_code) return error_code; p_obj_exhaacplus_dec->p_state_aac->frame_counter++; } else { out_bytes = 0; diff --git a/decoder/ixheaacd_avq_dec.c b/decoder/ixheaacd_avq_dec.c index fc29c82..a6d239d 100644 --- a/decoder/ixheaacd_avq_dec.c +++ b/decoder/ixheaacd_avq_dec.c @@ -31,8 +31,8 @@ extern const WORD32 ixheaacd_factorial_7[8]; extern const WORD32 ixheaacd_iso_code_index_table[LEN_ABS_LEADER]; -extern const UWORD8 ixheaacd_iso_code_data_table[LEN_ABS_LEADER]; -extern const UWORD32 ixheaacd_signed_leader_is[LEN_ABS_LEADER]; +extern const UWORD8 ixheaacd_iso_code_data_table[LEN_SIGN_LEADER]; +extern const UWORD32 ixheaacd_signed_leader_is[LEN_SIGN_LEADER]; extern const WORD32 ixheaacd_iso_code_num_table[], ixheaacd_pos_abs_leaders_a3[], ixheaacd_pos_abs_leaders_a4[]; extern const UWORD8 ixheaacd_absolute_leader_tab_da[][8]; diff --git a/decoder/ixheaacd_env_dec.c b/decoder/ixheaacd_env_dec.c index 6da6ad6..e363def 100644 --- a/decoder/ixheaacd_env_dec.c +++ b/decoder/ixheaacd_env_dec.c @@ -20,6 +20,7 @@ #include #include "ixheaacd_sbr_common.h" #include +#include "ixheaacd_error_standards.h" #include "ixheaacd_constants.h" #include @@ -377,9 +378,10 @@ VOID ixheaacd_add_arr(WORD16 *ptr1, WORD16 *ptr2, WORD32 num) { } } -VOID ixheaacd_calc_noise_floor(ia_sbr_header_data_struct *ptr_header_data, - ia_sbr_frame_info_data_struct *ptr_sbr_data, - ia_sbr_prev_frame_data_struct *ptr_prev_data) { +IA_ERRORCODE ixheaacd_calc_noise_floor( + ia_sbr_header_data_struct *ptr_header_data, + ia_sbr_frame_info_data_struct *ptr_sbr_data, + ia_sbr_prev_frame_data_struct *ptr_prev_data) { WORD32 i; WORD32 num_nf_bands; WORD32 num_noise_env; 
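Review bot: The corrected bounds for `ixheaacd_iso_code_data_table` and `ixheaacd_signed_leader_is` are still stated in local `extern` declarations inside ixheaacd_avq_dec.c, so the compiler never compares them with the definitions and they can drift again. Moving these declarations to a header that the defining file also includes would turn a future size mismatch into a compile error instead of an out-of-bounds read. The same applies to `ixheaacd_sel_case[5][8]` in ixheaacd_esbr_rom.h, if the defining file does not include that header. It also applies to the copy of the `ixheaacd_applysbr` prototype in ixheaacd_process.c, which this commit has to update separately from ixheaacd_sbrdecoder.h.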
@@ -424,6 +426,8 @@ VOID ixheaacd_calc_noise_floor(ia_sbr_header_data_struct *ptr_header_data, ixheaacd_limit_noise_floor_fac(ptr_header_data, ptr_sbr_data); ixheaacd_drc_offset = num_nf_bands * (num_noise_env - 1); + if (ixheaacd_drc_offset < 0 || ixheaacd_drc_offset >= MAX_NUM_NOISE_VALUES) + return IA_FATAL_ERROR; ptr1 = &ptr_sbr_data->int_noise_floor[ixheaacd_drc_offset]; ptr2 = ptr_prev_noise_floor; @@ -443,13 +447,16 @@ VOID ixheaacd_calc_noise_floor(ia_sbr_header_data_struct *ptr_header_data, *ptr_noise_floor++ = (WORD16)(0x4000 + (noise_floor_exp & MASK_FOR_EXP)); } } + return IA_NO_ERROR; } -VOID ixheaacd_dec_sbrdata_for_pvc( +IA_ERRORCODE ixheaacd_dec_sbrdata_for_pvc( ia_sbr_header_data_struct *ptr_header_data, ia_sbr_frame_info_data_struct *ptr_sbr_data, ia_sbr_prev_frame_data_struct *ptr_prev_data) { - ixheaacd_calc_noise_floor(ptr_header_data, ptr_sbr_data, ptr_prev_data); + WORD32 err = 0; + err = ixheaacd_calc_noise_floor(ptr_header_data, ptr_sbr_data, ptr_prev_data); + if (err) return err; if (!ptr_sbr_data->coupling_mode) { ptr_sbr_data->num_noise_sfac = @@ -458,6 +465,7 @@ VOID ixheaacd_dec_sbrdata_for_pvc( ixheaacd_dequant_pvc_env_data(ptr_sbr_data->num_noise_sfac, ptr_sbr_data->flt_noise_floor); } + return IA_NO_ERROR; } VOID ixheaacd_sbr_env_dequant_coup_fix( @@ -589,8 +597,10 @@ WORD32 ixheaacd_dec_sbrdata(ia_sbr_header_data_struct *ptr_header_data_ch_0, if (err) return err; - ixheaacd_calc_noise_floor(ptr_header_data_ch_0, ptr_sbr_data_ch_0, - ptr_prev_data_ch_0); + err = ixheaacd_calc_noise_floor(ptr_header_data_ch_0, ptr_sbr_data_ch_0, + ptr_prev_data_ch_0); + + if (err == (WORD32)IA_FATAL_ERROR) return (WORD32)IA_FATAL_ERROR; if (!ptr_sbr_data_ch_0->coupling_mode && usac_flag) { ptr_sbr_data_ch_0->num_noise_sfac = 
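Review bot: The new check in ixheaacd_calc_noise_floor validates only the first index, `ixheaacd_drc_offset`, while `ptr1` is then used as the start of a run of noise-floor values; if the code after the hunk reads `num_nf_bands` elements from it, an offset just below `MAX_NUM_NOISE_VALUES` still reaches past `int_noise_floor`. Bounding the end of the run closes that gap: `if (ixheaacd_drc_offset < 0 || ixheaacd_drc_offset + num_nf_bands > MAX_NUM_NOISE_VALUES) return IA_FATAL_ERROR;`. The check also sits after `ixheaacd_limit_noise_floor_fac`, which receives the same frame data, so it is worth confirming that call cannot index the array with the still-unvalidated counts. The statement that consumes `ptr1` and the declared size of `int_noise_floor` are outside the hunk.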
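Review bot: In ixheaacd_dec_sbrdata the channel-0 call is tested with `if (err == (WORD32)IA_FATAL_ERROR) return (WORD32)IA_FATAL_ERROR;`, so any other non-zero code from ixheaacd_calc_noise_floor would be ignored, whereas the channel-1 call in the next hunk uses `if (err) return err;`. As written in this commit the callee returns only IA_FATAL_ERROR or IA_NO_ERROR, so the two forms behave the same today, but the exact-match form stops protecting the caller as soon as a second error code is added. Using `if (err) return err;` for channel 0 as well keeps both paths consistent. The branch added in ixheaacd_aac_headerdecode, `else if (result == (WORD32)IA_FATAL_ERROR)`, has the same exact-match shape; whether other error values can reach it depends on code outside that hunk.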
@@ -611,8 +621,10 @@ WORD32 ixheaacd_dec_sbrdata(ia_sbr_header_data_struct *ptr_header_data_ch_0, if (err) return err; - ixheaacd_calc_noise_floor(ptr_header_data_ch_1, ptr_sbr_data_ch_1, - ptr_prev_data_ch_1); + err = ixheaacd_calc_noise_floor(ptr_header_data_ch_1, ptr_sbr_data_ch_1, + ptr_prev_data_ch_1); + + if (err) return err; if (!ptr_sbr_data_ch_1->coupling_mode && usac_flag) { ptr_sbr_data_ch_1->num_noise_sfac = diff --git a/decoder/ixheaacd_env_dec.h b/decoder/ixheaacd_env_dec.h index 3c36486..b0eaa7e 100644 --- a/decoder/ixheaacd_env_dec.h +++ b/decoder/ixheaacd_env_dec.h @@ -28,9 +28,10 @@ WORD32 ixheaacd_dec_sbrdata(ia_sbr_header_data_struct *ptr_header_data_ch_0, ia_sbr_prev_frame_data_struct *ptr_prev_data_ch_1, ixheaacd_misc_tables *ptr_common_tables); -VOID ixheaacd_dec_sbrdata_for_pvc(ia_sbr_header_data_struct *ptr_header_data, - ia_sbr_frame_info_data_struct *ptr_sbr_data, - ia_sbr_prev_frame_data_struct *ptr_prev_data); +IA_ERRORCODE ixheaacd_dec_sbrdata_for_pvc( + ia_sbr_header_data_struct *ptr_header_data, + ia_sbr_frame_info_data_struct *ptr_sbr_data, + ia_sbr_prev_frame_data_struct *ptr_prev_data); VOID ixheaacd_harm_idx_onethreelp(WORD32 *ptr_real_buf, WORD16 *ptr_gain_buf, WORD scale_change, WORD16 *ptr_sine_level_buf, diff --git a/decoder/ixheaacd_esbr_envcal.c b/decoder/ixheaacd_esbr_envcal.c index e1bb1c7..a3382c3 100644 --- a/decoder/ixheaacd_esbr_envcal.c +++ b/decoder/ixheaacd_esbr_envcal.c @@ -22,7 +22,7 @@ #include #include - +#include "ixheaacd_error_standards.h" #include "ixheaacd_sbr_const.h" #include "ixheaacd_sbrdecsettings.h" #include "ixheaacd_bitbuffer.h" @@ -569,6 +569,8 @@ WORD32 ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data, } for (i = 0; i < bs_num_env; i++) { + if (kk > MAX_NOISE_ENVELOPES) return IA_FATAL_ERROR; + if (p_frame_info->border_vec[i] == p_frame_info->noise_border_vec[kk]) kk++, next++; diff --git a/decoder/ixheaacd_esbr_rom.h b/decoder/ixheaacd_esbr_rom.h index 57edc24..253f8c3 100644 
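Review bot: The guard `if (kk > MAX_NOISE_ENVELOPES) return IA_FATAL_ERROR;` in ixheaacd_sbr_env_calc still lets `noise_border_vec[kk]` be read with `kk == MAX_NOISE_ENVELOPES`, which is in range only if the array has `MAX_NOISE_ENVELOPES + 1` entries. The declaration is not in this hunk, so either confirm that size and record it in a comment such as `/* noise_border_vec holds MAX_NOISE_ENVELOPES + 1 borders */`, or tighten the test to `>=`. The loop bound `bs_num_env` also indexes `border_vec[i]` with no limit visible here; presumably it is validated where the frame info is parsed, which is worth confirming. The loop body continues outside the hunk.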
--- a/decoder/ixheaacd_esbr_rom.h +++ b/decoder/ixheaacd_esbr_rom.h @@ -57,5 +57,5 @@ extern const FLOAT32 ixheaacd_analy_cos_sin_table_kl_16[16 * 16 * 2]; extern const FLOAT32 ixheaacd_analy_cos_sin_table_kl_24[24 * 24 * 2]; extern const FLOAT32 ixheaacd_analy_cos_sin_table_kl_32[32 * 32 * 2]; extern const FLOAT32 ixheaacd_analy_cos_sin_table_kl_40[40 * 80 * 2]; -extern const FLOAT32 ixheaacd_sel_case[4][8]; +extern const FLOAT32 ixheaacd_sel_case[5][8]; #endif diff --git a/decoder/ixheaacd_headerdecode.c b/decoder/ixheaacd_headerdecode.c index dccb479..2e740a8 100644 --- a/decoder/ixheaacd_headerdecode.c +++ b/decoder/ixheaacd_headerdecode.c @@ -19,6 +19,7 @@ */ #include #include +#include "ixheaacd_error_standards.h" #include "ixheaacd_constants.h" #include #include @@ -1092,6 +1093,8 @@ WORD32 ixheaacd_aac_headerdecode( return result; } else if (result == -1) return -1; + else if (result == (WORD32)IA_FATAL_ERROR) + return IA_FATAL_ERROR; else bytes_taken += *bytes_consumed - 1; continue; diff --git a/decoder/ixheaacd_huff_code_reorder.c b/decoder/ixheaacd_huff_code_reorder.c index b7e2aa6..f9f178c 100644 --- a/decoder/ixheaacd_huff_code_reorder.c +++ b/decoder/ixheaacd_huff_code_reorder.c @@ -1095,8 +1095,6 @@ static VOID ixheaacd_decode_pcw(ia_bit_buf_struct *itt_bit_buff, WORD32 num_decoded_bits; const UWORD8 *ptr_cb_dimension_tbl = ptr_hcr_info->table_info.ptr_cb_dimension_tbl; - const UWORD16 *cb_table; - const UWORD32 *idx_table; WORD32 read_word = ixheaacd_aac_showbits_32(itt_bit_buff->ptr_read_next); WORD32 read_bits = itt_bit_buff->cnt_bits; 
@@ -1107,8 +1105,8 @@ static VOID ixheaacd_decode_pcw(ia_bit_buf_struct *itt_bit_buff, ptr_num_ext_sorted_sect_in_sets[num_ext_sorted_sect_in_sets_idx]; ext_sort_sec != 0; ext_sort_sec--) { codebook = ptr_ext_sorted_cw[ext_sorted_cw_idx]; - cb_table = (UWORD16 *)(ptr_aac_tables->code_book[codebook]); - idx_table = (UWORD32 *)(ptr_aac_tables->index_table[codebook]); + if (codebook <= 0) return; + ext_sorted_cw_idx++; if (ext_sorted_cw_idx >= (MAX_SFB_HCR + MAX_HCR_SETS)) { return; @@ -1123,6 +1121,8 @@ static VOID ixheaacd_decode_pcw(ia_bit_buf_struct *itt_bit_buff, if (codebook <= 4) { WORD32 tbl_sign = 0; + const UWORD16 *cb_table = (UWORD16 *)(ptr_aac_tables->code_book[codebook]); + const UWORD32 *idx_table = (UWORD32 *)(ptr_aac_tables->index_table[codebook]); if (codebook > 2) { tbl_sign = 1; @@ -1158,6 +1158,8 @@ static VOID ixheaacd_decode_pcw(ia_bit_buf_struct *itt_bit_buff, { WORD32 tbl_sign = 0; WORD32 huff_mode = 9; + const UWORD16 *cb_table = (UWORD16 *)(ptr_aac_tables->code_book[codebook]); + const UWORD32 *idx_table = (UWORD32 *)(ptr_aac_tables->index_table[codebook]); num_decoded_bits = 0; if (codebook > 6) { diff --git a/decoder/ixheaacd_process.c b/decoder/ixheaacd_process.c index 533042c..d9e7175 100644 --- a/decoder/ixheaacd_process.c +++ b/decoder/ixheaacd_process.c @@ -97,7 +97,7 @@ VOID ixheaacd_allocate_sbr_scr(ia_sbr_scr_struct *sbr_scratch_struct, WORD total_elements, WORD ch_fac, WORD32 object_type); -WORD16 ixheaacd_applysbr( +IA_ERRORCODE ixheaacd_applysbr( ia_handle_sbr_dec_inst_struct self, ia_aac_dec_sbr_bitstream_struct *p_sbr_bit_stream, WORD16 *core_sample_buf, WORD16 *codec_num_channels, FLAG frame_status, FLAG down_samp_flag, 
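Review bot: `if (codebook <= 0) return;` in ixheaacd_decode_pcw checks only the lower bound, and none of the visible hunks compares `codebook` with `MAX_CB_SIZE`, the extent this commit gives `code_book[]` and `index_table[]`. The first relocated lookup is covered by `if (codebook <= 4)`, but the second sits in a block whose condition is outside the hunk, so it is safe only if that condition keeps `codebook` below `MAX_CB_SIZE`. A comment there stating the guaranteed range, or an explicit `if (codebook >= MAX_CB_SIZE) return;` before that lookup, would make this checkable. Because the function is `static VOID`, the new early return also ends decoding without reporting anything to the caller, unlike the functions this commit converts to `IA_ERRORCODE`.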
@@ -105,11 +105,12 @@ WORD16 ixheaacd_applysbr( WORD32 ch_fac, WORD32 slot_element, ia_bit_buf_struct *it_bit_buff, ia_drc_dec_struct *pstr_drc_dec, WORD eld_sbr_flag, WORD32 object_type); -WORD16 ixheaacd_esbr_process(ia_usac_data_struct *usac_data, - ia_bit_buf_struct *it_bit_buff, - WORD32 stereo_config_idx, WORD16 num_channels, - WORD32 audio_object_type) { - WORD16 err_code = 0; +IA_ERRORCODE ixheaacd_esbr_process(ia_usac_data_struct *usac_data, + ia_bit_buf_struct *it_bit_buff, + WORD32 stereo_config_idx, + WORD16 num_channels, + WORD32 audio_object_type) { + WORD32 err_code = 0; ia_aac_dec_sbr_bitstream_struct *esbr_bit_str = &usac_data->esbr_bit_str[0]; ia_handle_sbr_dec_inst_struct self = usac_data->pstr_esbr_dec; diff --git a/decoder/ixheaacd_sbrdecoder.c b/decoder/ixheaacd_sbrdecoder.c index c4c443f..4ab91f7 100644 --- a/decoder/ixheaacd_sbrdecoder.c +++ b/decoder/ixheaacd_sbrdecoder.c @@ -238,16 +238,14 @@ WORD32 ixheaacd_prepare_upsamp(ia_sbr_header_data_struct **ptr_header_data, return err; } -WORD16 ixheaacd_applysbr(ia_handle_sbr_dec_inst_struct self, - ia_aac_dec_sbr_bitstream_struct *p_sbr_bit_stream, - WORD16 *core_sample_buf, WORD16 *codec_num_channels, - FLAG frame_status, FLAG down_samp_flag, - FLAG down_mix_flag, - ia_sbr_scr_struct *sbr_scratch_struct, - WORD32 ps_enable, WORD32 ch_fac, WORD32 slot_element, - ia_bit_buf_struct *it_bit_buff, - ia_drc_dec_struct *pstr_drc_dec, WORD eld_sbr_flag, - WORD32 audio_object_type) { +IA_ERRORCODE ixheaacd_applysbr( + ia_handle_sbr_dec_inst_struct self, + ia_aac_dec_sbr_bitstream_struct *p_sbr_bit_stream, WORD16 *core_sample_buf, + WORD16 *codec_num_channels, FLAG frame_status, FLAG down_samp_flag, + FLAG down_mix_flag, ia_sbr_scr_struct *sbr_scratch_struct, WORD32 ps_enable, + WORD32 ch_fac, WORD32 slot_element, ia_bit_buf_struct *it_bit_buff, + ia_drc_dec_struct *pstr_drc_dec, WORD eld_sbr_flag, + WORD32 audio_object_type) { WORD32 k; FLAG prev_ps_flag = 0; FLAG ps_flag = 0; 
@@ -564,8 +562,10 @@ WORD16 ixheaacd_applysbr(ia_handle_sbr_dec_inst_struct self, if (ptr_header_data[0]->sync_state == SBR_ACTIVE) { if (ptr_frame_data[0]->sbr_mode == PVC_SBR) { - ixheaacd_dec_sbrdata_for_pvc(ptr_header_data[0], ptr_frame_data[0], - pstr_sbr_channel[0]->pstr_prev_frame_data); + err = ixheaacd_dec_sbrdata_for_pvc( + ptr_header_data[0], ptr_frame_data[0], + pstr_sbr_channel[0]->pstr_prev_frame_data); + if (err) return err; } else if (ptr_frame_data[0]->sbr_mode == ORIG_SBR) { err = ixheaacd_dec_sbrdata( ptr_header_data[0], ptr_header_data[1], ptr_frame_data[0], diff --git a/decoder/ixheaacd_sbrdecoder.h b/decoder/ixheaacd_sbrdecoder.h index cd0cebd..21c90c0 100644 --- a/decoder/ixheaacd_sbrdecoder.h +++ b/decoder/ixheaacd_sbrdecoder.h @@ -64,7 +64,7 @@ typedef struct { VOID *extra_scr_1k[2]; } ia_sbr_scr_struct; -WORD16 ixheaacd_applysbr( +IA_ERRORCODE ixheaacd_applysbr( ia_handle_sbr_dec_inst_struct self, ia_aac_dec_sbr_bitstream_struct *p_sbr_bit_stream, WORD16 *core_sample_buf, WORD16 *codec_num_channels, FLAG frame_status, FLAG down_samp_flag,