Fix for stack buffer underflow in sbr

Sbr frame size is not getting updated in all the sbr decoder
calling paths, because of which in one of the paths the number
of samples are passed as 0 to sbr decode call.

Inside the sbr decode call one of the buffers is accessed at index
(shifted value of this number of samples - offset),
which becomes negative in this case. This negative index
causes an OOB read access.

Bug:113263695
Test: poc from bug
Change-Id: I8fb5391a6ba9dd4919f8b761de295d02dda685b4
Ramesh Katuri 2018-08-31 16:40:42 +05:30 committed by Ray Essick
parent cad0d07efc
commit 69f8d42a89


@ -1786,6 +1786,9 @@ IA_ERRORCODE ixheaacd_dec_init(
p_state_enhaacplus_dec->b_n_raw_data_blk--;
}
sample_rate_2 = sample_rate_1;
frame_size_2 = frame_size_1;
if (!p_state_enhaacplus_dec->str_sbr_dec_info[ch_idx] &&
p_state_enhaacplus_dec->pstr_stream_sbr[0][0].no_elements) {
if ((p_obj_exhaacplus_dec->aac_config.flag_16khz_out == 1) &&
@ -1793,9 +1796,6 @@ IA_ERRORCODE ixheaacd_dec_init(
p_obj_exhaacplus_dec->aac_config.flag_16khz_out = 0;
}
sample_rate_2 = sample_rate_1;
frame_size_2 = frame_size_1;
p_state_enhaacplus_dec->str_sbr_dec_info[ch_idx] = ixheaacd_init_sbr(
sample_rate_1, frame_size_1,
(FLAG *)&p_obj_exhaacplus_dec->aac_config.down_sample_flag,
@ -1807,7 +1807,8 @@ IA_ERRORCODE ixheaacd_dec_init(
} else {
}
if (p_state_enhaacplus_dec->str_sbr_dec_info[ch_idx]) {
if (p_state_enhaacplus_dec->str_sbr_dec_info[ch_idx] &&
p_state_enhaacplus_dec->pstr_stream_sbr[0][0].no_elements) {
ia_sbr_scr_struct sbr_scratch_struct;
WORD16 num_channels_1_t = num_channels_1;
ixheaacd_allocate_sbr_scr(
@ -1895,6 +1896,7 @@ IA_ERRORCODE ixheaacd_dec_init(
WORD max_ch_num = p_obj_exhaacplus_dec->aac_config.ui_max_channels;
i = 0;
p_obj_exhaacplus_dec->aac_config.ui_n_channels = ch_idx;
while (p_obj_exhaacplus_dec->aac_config.element_type[ch_idx_err] <= 3 &&
p_obj_exhaacplus_dec->aac_config.element_type[ch_idx_err] >= 0) {
ch_idx_err++;
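Review bot: The zero-sample-count condition is closed only at this call site, while the SBR decode routine that (per the description) indexes with `(num_samples >> shift) - offset` still trusts its argument, so any other path that reaches it with frame_size_2 == 0 would reproduce the same negative index; a lower-bound check in the callee, rejecting the call when the shifted count is smaller than the offset, would fix the class of bug rather than this one path. The now-unconditional `frame_size_2 = frame_size_1;` placed before the `if` deserves a comment so a later refactor does not move it back inside the branch: `/* Set on every path: the SBR decode below derives a buffer index from this frame size and must never see 0. */`. The `p_obj_exhaacplus_dec->aac_config.ui_n_channels = ch_idx;` added in the last hunk is not mentioned in the commit message and does not obviously relate to the frame-size fix; a one-line comment on why it belongs here would help the next reader. ixheaacd_dec_init starts and ends outside these hunks and the callee is not visible, so the index arithmetic is known here only from the description.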