From e988b01822fed279ea701d55f08e598c4bee6b3b Mon Sep 17 00:00:00 2001 From: Ramesh Katuri Date: Thu, 29 Nov 2018 15:51:30 +0530 Subject: [PATCH] Bit buffer error handling using setjmp and longjmp Bug: 112552816 Bug: 116774502 Bug: 117531281 Bug: 118145923 Bug: 120124041 Test: vendor Change-Id: Ib11c82a8cf728c8a0a841b5fc0452daa1a5b37be --- decoder/ixheaacd_aacpluscheck.c | 8 +++-- decoder/ixheaacd_api.c | 43 +++++++++++++++++++++++++++ decoder/ixheaacd_arith_dec.c | 35 ++++++++++++++-------- decoder/ixheaacd_bitbuffer.c | 49 +++++++++++++++++++++++-------- decoder/ixheaacd_bitbuffer.h | 3 ++ decoder/ixheaacd_channel.c | 6 ++++ decoder/ixheaacd_common_lpfuncs.c | 14 +++++---- decoder/ixheaacd_create.c | 17 ++++++++++- decoder/ixheaacd_decode_main.c | 3 ++ decoder/ixheaacd_drc_freq_dec.c | 4 +++ decoder/ixheaacd_env_extr.c | 12 ++++++-- decoder/ixheaacd_headerdecode.c | 1 + decoder/ixheaacd_process.c | 6 +++- decoder/ixheaacd_sbr_dec.h | 3 ++ decoder/ixheaacd_sbrdecoder.c | 1 + decoder/ixheaacd_struct_def.h | 3 ++ 16 files changed, 169 insertions(+), 39 deletions(-) diff --git a/decoder/ixheaacd_aacpluscheck.c b/decoder/ixheaacd_aacpluscheck.c index dafbdfa..15d74c3 100644 --- a/decoder/ixheaacd_aacpluscheck.c +++ b/decoder/ixheaacd_aacpluscheck.c @@ -47,6 +47,7 @@ #include "ixheaacd_sbrdecoder.h" #include "ixheaacd_sbr_payload.h" #include "ixheaacd_audioobjtypes.h" +#include "ixheaacd_error_codes.h" #define SBR_EXTENSION_MPEG SBR_EXTENSION @@ -151,12 +152,13 @@ FLAG ixheaacd_check_for_sbr_payload( } else { ixheaacd_read_bits_buf(it_bit_buff, 4); + if (it_bit_buff->cnt_bits < ((count - 1) << 3)) { + longjmp(*(it_bit_buff->xaac_jmp_buf), + IA_ENHAACPLUS_DEC_EXE_NONFATAL_INSUFFICIENT_INPUT_BYTES); + } it_bit_buff->ptr_read_next += count - 1; it_bit_buff->cnt_bits -= ((count - 1) << 3); - if (it_bit_buff->ptr_read_next > it_bit_buff->ptr_bit_buf_end) { - it_bit_buff->ptr_read_next = it_bit_buff->ptr_bit_buf_base; - } } } if (it_bit_buff->cnt_bits < 0) ret = -1; 
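Review bot: The check-then-skip sequence added in ixheaacd_check_for_sbr_payload (decoder/ixheaacd_aacpluscheck.c, hunk at -151) is hand-copied in ixheaacd_read_data_stream_element and ixheaacd_read_fill_element (ixheaacd_common_lpfuncs.c) and again in ixheaacd_read_ext_element (ixheaacd_process.c), so each site has to get the bound right on its own. Nothing visible in this hunk shows that `count` is at least 1 on this branch. With `count == 0` the operand of `(count - 1) << 3` is negative, the guard would in practice not fire, and `ptr_read_next` would move backwards, so that precondition should be confirmed. One helper beside the other readers in ixheaacd_bitbuffer.c would keep the guard and the pointer advance together; the sketch below uses a proposed name and compares in bytes so the shift never runs on an unchecked value. The enclosing function starts and ends outside the hunk.

```c
/* Proposed helper: skip num_bytes whole bytes, or bail out if the buffer is short. */
VOID ixheaacd_skip_bytes(ia_bit_buf_struct *it_bit_buff, WORD32 num_bytes) {
  if (num_bytes < 0 || it_bit_buff->cnt_bits < 0 ||
      num_bytes > (it_bit_buff->cnt_bits >> 3)) {
    longjmp(*(it_bit_buff->xaac_jmp_buf),
            IA_ENHAACPLUS_DEC_EXE_NONFATAL_INSUFFICIENT_INPUT_BYTES);
  }
  it_bit_buff->ptr_read_next += num_bytes;
  it_bit_buff->cnt_bits -= (num_bytes << 3);
}

/* call site in ixheaacd_check_for_sbr_payload */
ixheaacd_read_bits_buf(it_bit_buff, 4);
ixheaacd_skip_bytes(it_bit_buff, count - 1);
```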
diff --git a/decoder/ixheaacd_api.c b/decoder/ixheaacd_api.c index a68167f..8f9a51d 100644 --- a/decoder/ixheaacd_api.c +++ b/decoder/ixheaacd_api.c @@ -1256,10 +1256,21 @@ IA_ERRORCODE ixheaacd_dec_init( IA_ERRORCODE err_code = IA_NO_ERROR; struct ia_aac_persistent_struct *aac_persistent_mem; struct ia_sbr_pers_struct *sbr_persistent_mem; + WORD32 ret_val; p_obj_exhaacplus_dec->p_state_aac = p_obj_exhaacplus_dec->pp_mem_aac[IA_ENHAACPLUS_DEC_PERSIST_IDX]; + if (p_obj_exhaacplus_dec->p_state_aac != NULL) { + ret_val = setjmp(p_obj_exhaacplus_dec->p_state_aac->xaac_jmp_buf); + if (ret_val != 0) { + p_obj_exhaacplus_dec->p_state_aac->i_bytes_consumed = + p_obj_exhaacplus_dec->p_state_aac->ui_in_bytes; + p_obj_exhaacplus_dec->p_state_aac->ui_out_bytes = 0; + return IA_NO_ERROR; + } + } + time_data = (WORD16 *)(p_obj_exhaacplus_dec ->pp_mem_aac[IA_ENHAACPLUS_DEC_OUTPUT_IDX]); @@ -1492,6 +1503,8 @@ IA_ERRORCODE ixheaacd_dec_init( &p_state_enhaacplus_dec->str_bit_buf, (UWORD8 *)in_buffer, p_obj_exhaacplus_dec->p_mem_info_aac[IA_ENHAACPLUS_DEC_INPUT_IDX] .ui_size); + p_state_enhaacplus_dec->pstr_bit_buf->xaac_jmp_buf = + &(p_state_enhaacplus_dec->xaac_jmp_buf); p_state_enhaacplus_dec->ptr_bit_stream = p_state_enhaacplus_dec->pstr_bit_buf; @@ -1611,6 +1624,8 @@ IA_ERRORCODE ixheaacd_dec_init( ixheaacd_create_init_bit_buf(it_bit_buff, in_buffer, p_state_enhaacplus_dec->ui_in_bytes); + p_state_enhaacplus_dec->pstr_bit_buf->xaac_jmp_buf = + &(p_state_enhaacplus_dec->xaac_jmp_buf); it_bit_buff->adts_header_present = p_state_enhaacplus_dec->s_adts_hdr_present; @@ -1803,6 +1818,10 @@ IA_ERRORCODE ixheaacd_dec_init( 1, frame_size_1 * 2, NULL, NULL, p_state_enhaacplus_dec->str_sbr_config, p_state_enhaacplus_dec->audio_object_type); + if (p_state_enhaacplus_dec->str_sbr_dec_info[ch_idx]) { + p_state_enhaacplus_dec->str_sbr_dec_info[ch_idx]->xaac_jmp_buf = + &(p_state_enhaacplus_dec->xaac_jmp_buf); + } } else { } 
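Review bot: The recovery branch added at the top of ixheaacd_dec_init (hunk at -1256) returns `IA_NO_ERROR` and drops `ret_val`, so a caller cannot tell a truncated or malformed stream from a successful call that produced no output; the same block is repeated in ixheaacd_dec_execute (hunk at -2128). If swallowing the code is intended so the client just feeds the next buffer, a comment should say so, for example `/* bit-buffer underrun: discard this input buffer and report success so the caller supplies the next one */`; otherwise return the value carried by longjmp. In dec_init this also means whatever initialisation state was written before the jump is kept while success is reported; whether later calls tolerate that is not visible here. Separately, `ret_val = setjmp(...)` uses setjmp in an assignment, which is outside the contexts ISO C permits for it; `if (setjmp(p_obj_exhaacplus_dec->p_state_aac->xaac_jmp_buf) != 0) {` is the conforming form. The function body continues outside the hunk.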
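Review bot: In the ixheaacd_dec_init hunk at -1611 the buffer initialised on the preceding line is `it_bit_buff`, but the jump target is stored through `p_state_enhaacplus_dec->pstr_bit_buf`, whereas the matching hunk in ixheaacd_dec_execute (-2237) writes `it_bit_buff->xaac_jmp_buf`. If the two pointers are not the same object at this point, the buffer that is actually read keeps an unset `xaac_jmp_buf` and the first underrun jumps through it. Writing `it_bit_buff->xaac_jmp_buf = &(p_state_enhaacplus_dec->xaac_jmp_buf);` here as well removes the dependence on that aliasing, which is established outside the hunk.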
@@ -1862,6 +1881,10 @@ IA_ERRORCODE ixheaacd_dec_init( p_state_enhaacplus_dec->str_sbr_config, p_state_enhaacplus_dec->audio_object_type); } + if (p_state_enhaacplus_dec->str_sbr_dec_info[ch_idx]) { + p_state_enhaacplus_dec->str_sbr_dec_info[ch_idx]->xaac_jmp_buf = + &(p_state_enhaacplus_dec->xaac_jmp_buf); + } } if (sample_rate < sample_rate_1) sample_rate = sample_rate_1; @@ -1995,6 +2018,10 @@ IA_ERRORCODE ixheaacd_dec_init( frame_size_2 * 2, NULL, NULL, p_state_enhaacplus_dec->str_sbr_config, p_state_enhaacplus_dec->audio_object_type); + if (p_state_enhaacplus_dec->str_sbr_dec_info[i]) { + p_state_enhaacplus_dec->str_sbr_dec_info[i]->xaac_jmp_buf = + &(p_state_enhaacplus_dec->xaac_jmp_buf); + } } i++; @@ -2128,9 +2155,20 @@ IA_ERRORCODE ixheaacd_dec_execute( SIZE_T bytes_for_sync; WORD32 audio_mux_length_bytes_last = 0; + WORD32 ret_val; p_obj_exhaacplus_dec->aac_config.ui_sbr_mode = 0; + if (p_obj_exhaacplus_dec->p_state_aac != NULL) { + ret_val = setjmp(p_obj_exhaacplus_dec->p_state_aac->xaac_jmp_buf); + if (ret_val != 0) { + p_obj_exhaacplus_dec->p_state_aac->i_bytes_consumed = + p_obj_exhaacplus_dec->p_state_aac->ui_in_bytes; + p_obj_exhaacplus_dec->p_state_aac->ui_out_bytes = 0; + return IA_NO_ERROR; + } + } + time_data = (WORD16 *)(p_obj_exhaacplus_dec ->pp_mem_aac[IA_ENHAACPLUS_DEC_OUTPUT_IDX]); in_buffer = p_obj_exhaacplus_dec->pp_mem_aac[IA_ENHAACPLUS_DEC_INPUT_IDX]; @@ -2237,6 +2275,7 @@ IA_ERRORCODE ixheaacd_dec_execute( { ixheaacd_create_init_bit_buf(it_bit_buff, in_buffer, p_state_enhaacplus_dec->ui_in_bytes); + it_bit_buff->xaac_jmp_buf = &(p_state_enhaacplus_dec->xaac_jmp_buf); it_bit_buff->adts_header_present = p_state_enhaacplus_dec->s_adts_hdr_present; 
@@ -2536,6 +2575,10 @@ IA_ERRORCODE ixheaacd_dec_execute( ps_enable, 1, frame_size * 2, NULL, NULL, p_state_enhaacplus_dec->str_sbr_config, p_state_enhaacplus_dec->audio_object_type); + if (p_state_enhaacplus_dec->str_sbr_dec_info[ch_idx]) { + p_state_enhaacplus_dec->str_sbr_dec_info[ch_idx]->xaac_jmp_buf = + &(p_state_enhaacplus_dec->xaac_jmp_buf); + } } { diff --git a/decoder/ixheaacd_arith_dec.c b/decoder/ixheaacd_arith_dec.c index 77b516d..684b498 100644 --- a/decoder/ixheaacd_arith_dec.c +++ b/decoder/ixheaacd_arith_dec.c @@ -1662,17 +1662,7 @@ static void ixheaacd_arith_map_context(WORD32 pres_n, WORD32 prev_n, VOID ixheaacd_copy_to_bitbuff(ia_bit_buf_struct *it_bit_buff_src, ia_bit_buf_struct *it_bit_buff_dst) { - it_bit_buff_dst->ptr_bit_buf_base = it_bit_buff_src->ptr_bit_buf_base; - it_bit_buff_dst->ptr_bit_buf_end = it_bit_buff_src->ptr_bit_buf_end; - - it_bit_buff_dst->ptr_read_next = it_bit_buff_src->ptr_read_next; - - it_bit_buff_dst->bit_pos = it_bit_buff_src->bit_pos; - it_bit_buff_dst->cnt_bits = it_bit_buff_src->cnt_bits; - - it_bit_buff_dst->size = it_bit_buff_src->size; - - it_bit_buff_dst->max_size = it_bit_buff_src->max_size; + *it_bit_buff_dst = *it_bit_buff_src; } static WORD32 ixheaacd_arith_get_context(WORD8 *c_prev, WORD8 *c_pres, @@ -1699,7 +1689,13 @@ static WORD32 ixheaacd_arith_first_symbol(ia_bit_buf_struct *it_bit_buff, WORD32 bit_count = 16; val = 0; - val = ixheaacd_read_bits_buf(it_bit_buff, 16); + if (it_bit_buff->cnt_bits < 16) { + WORD32 shift_value = 16 - it_bit_buff->cnt_bits; + val = ixheaacd_read_bits_buf(it_bit_buff, it_bit_buff->cnt_bits); + val <<= shift_value; + } else { + val = ixheaacd_read_bits_buf(it_bit_buff, 16); + } s->low = 0; s->high = 65535; 
@@ -1738,6 +1734,17 @@ static WORD32 ixheaacd_arith_decode(ia_bit_buf_struct *it_bit_buff, register UWORD16 const *p; register UWORD16 const *q; + WORD32 short_value, i = 16; + int shift_value; + if (it_bit_buff->cnt_bits < 16) { + shift_value = 16 - it_bit_buff->cnt_bits; + short_value = ixheaacd_read_bits_buf(it_bit_buff, it_bit_buff->cnt_bits); + short_value <<= shift_value; + } else { + shift_value = 0; + short_value = ixheaacd_read_bits_buf(it_bit_buff, 16); + } + low = s->low; high = s->high; value = s->value; @@ -1779,10 +1786,12 @@ static WORD32 ixheaacd_arith_decode(ia_bit_buf_struct *it_bit_buff, low += low; high += high + 1; - value = (value << 1) | ixheaacd_read_bits_buf(it_bit_buff, 1); + i--; + value = (value << 1) | ((short_value >> i) & 1); bit_count++; } + ixheaacd_read_bidirection(it_bit_buff, -(i - shift_value)); s->low = low; s->high = high; s->value = value; diff --git a/decoder/ixheaacd_bitbuffer.c b/decoder/ixheaacd_bitbuffer.c index 3c25161..fec4b7d 100644 --- a/decoder/ixheaacd_bitbuffer.c +++ b/decoder/ixheaacd_bitbuffer.c @@ -31,6 +31,7 @@ #include "ixheaacd_bitbuffer.h" #include "ixheaacd_adts_crc_check.h" +#include "ixheaacd_error_codes.h" VOID ixheaacd_byte_align(ia_bit_buf_struct *it_bit_buff, WORD32 *align_bits_cnt) { @@ -49,6 +50,11 @@ WORD32 ixheaacd_show_bits_buf(ia_bit_buf_struct *it_bit_buff, WORD no_of_bits) { UWORD8 *ptr_read_next = it_bit_buff->ptr_read_next; WORD bit_pos = it_bit_buff->bit_pos; + if (it_bit_buff->cnt_bits < no_of_bits) { + longjmp(*(it_bit_buff->xaac_jmp_buf), + IA_ENHAACPLUS_DEC_EXE_NONFATAL_INSUFFICIENT_INPUT_BYTES); + } + ret_val = (UWORD32)*ptr_read_next; bit_pos -= no_of_bits; @@ -56,10 +62,6 @@ WORD32 ixheaacd_show_bits_buf(ia_bit_buf_struct *it_bit_buff, WORD no_of_bits) { bit_pos += 8; ptr_read_next++; - if (ptr_read_next > it_bit_buff->ptr_bit_buf_end) { - ptr_read_next = it_bit_buff->ptr_bit_buf_base; - } - ret_val <<= 8; ret_val |= (UWORD32)*ptr_read_next; 
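Review bot: In ixheaacd_arith_decode the pre-fetched word is indexed with `(short_value >> i)` after `i--` on every pass of the renormalisation loop, and nothing in the two hunks (-1738 and -1779) limits the loop to 16 passes; a seventeenth pass would shift by a negative count, which is undefined. The closing call `ixheaacd_read_bidirection(it_bit_buff, -(i - shift_value))` is meant to hand back unused bits, but when the input was short (`shift_value > 0`) and the loop consumed some of the zero padding, `i - shift_value` is negative and the argument turns into a forward move past the data that was actually present. No hunk shown here changes ixheaacd_read_bidirection, so whether it rejects that is not visible. I would guard both: leave through the existing longjmp when `i == 0` inside the loop, and rewind only with `if (i > shift_value) ixheaacd_read_bidirection(it_bit_buff, -(i - shift_value));`. The loop header is outside both hunks.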
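Review bot: ixheaacd_show_bits_buf (decoder/ixheaacd_bitbuffer.c, hunks at -49 and -56) still loads `*ptr_read_next` after every `ptr_read_next++`, so a peek that ends exactly on the last bit of the buffer reads one byte beyond the data now that the wrap to `ptr_bit_buf_base` is gone. ixheaacd_read_bits_buf receives a dedicated `0 == it_bit_buff->cnt_bits` branch in this same patch that advances without that load, and show_bits_buf has no counterpart. The loop header sits between the two hunks, so this assumes it is the same `while (bit_pos < 0)` form. Either mirror the end-of-buffer handling here or state the requirement on the function, e.g. `/* may load one byte past the last requested bit; the input buffer must provide a readable slack byte */`.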
@@ -79,21 +81,34 @@ WORD32 ixheaacd_read_bits_buf(ia_bit_buf_struct *it_bit_buff, WORD no_of_bits) { return 0; } + if (it_bit_buff->cnt_bits < no_of_bits) { + longjmp(*(it_bit_buff->xaac_jmp_buf), + IA_ENHAACPLUS_DEC_EXE_NONFATAL_INSUFFICIENT_INPUT_BYTES); + } + it_bit_buff->cnt_bits -= no_of_bits; ret_val = (UWORD32)*ptr_read_next; bit_pos -= no_of_bits; - while (bit_pos < 0) { - bit_pos += 8; - ptr_read_next++; - - if (ptr_read_next > it_bit_buff->ptr_bit_buf_end) { - ptr_read_next = it_bit_buff->ptr_bit_buf_base; + if (0 == it_bit_buff->cnt_bits) { + while (bit_pos < -1) { + bit_pos += 8; + ptr_read_next++; + ret_val <<= 8; + ret_val |= (UWORD32)*ptr_read_next; } - + bit_pos += 8; ret_val <<= 8; + ptr_read_next++; + } else { + while (bit_pos < 0) { + bit_pos += 8; + ptr_read_next++; - ret_val |= (UWORD32)*ptr_read_next; + ret_val <<= 8; + + ret_val |= (UWORD32)*ptr_read_next; + } } ret_val = ret_val << ((31 - no_of_bits) - bit_pos) >> (32 - no_of_bits); @@ -194,6 +209,11 @@ WORD32 ixheaacd_aac_read_bit(ia_bit_buf_struct *it_bit_buff) { ptr_read_next--; } + if (ptr_read_next < it_bit_buff->ptr_bit_buf_base) { + longjmp(*(it_bit_buff->xaac_jmp_buf), + IA_ENHAACPLUS_DEC_EXE_NONFATAL_INSUFFICIENT_INPUT_BYTES); + } + it_bit_buff->cnt_bits += no_of_bits; ret_val = *ptr_read_next; bit_pos -= no_of_bits; @@ -212,6 +232,11 @@ WORD32 ixheaacd_aac_read_bit_rev(ia_bit_buf_struct *it_bit_buff) { UWORD32 temp; WORD no_of_bits = 1; + if (it_bit_buff->cnt_bits < no_of_bits) { + longjmp(*(it_bit_buff->xaac_jmp_buf), + IA_ENHAACPLUS_DEC_EXE_NONFATAL_INSUFFICIENT_INPUT_BYTES); + } + if (bit_pos >= 8) { bit_pos -= 8; ptr_read_next++; diff --git a/decoder/ixheaacd_bitbuffer.h b/decoder/ixheaacd_bitbuffer.h index 2db8db6..275d932 100644 --- a/decoder/ixheaacd_bitbuffer.h +++ b/decoder/ixheaacd_bitbuffer.h 
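Review bot: The new guard in ixheaacd_read_bits_buf, `it_bit_buff->cnt_bits < no_of_bits`, does not reject a negative `no_of_bits`, and this patch adds callers that pass `it_bit_buff->cnt_bits` itself as the width (ixheaacd_arith_first_symbol and ixheaacd_arith_decode in ixheaacd_arith_dec.c). Other code in the patch still tests `cnt_bits < 0` (the context line closing the aacpluscheck.c hunk), so a negative count appears to be a state the decoder expects; in that case the comparison is false and execution reaches the `32 - no_of_bits` shift with an out-of-range count, unless the early `return 0` just above the hunk already covers it. `if (no_of_bits < 0 || it_bit_buff->cnt_bits < no_of_bits) {` closes that. The `0 == it_bit_buff->cnt_bits` branch would also benefit from a comment saying that it steps past the final byte without loading it.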
@@ -20,6 +20,8 @@ #ifndef IXHEAACD_BITBUFFER_H #define IXHEAACD_BITBUFFER_H +#include + #define CRC_ADTS_HEADER_LEN 56 #define CRC_ADTS_RAW_DATA_BLK_LEN 192 #define CRC_ADTS_RAW_IIND_ICS 128 @@ -83,6 +85,7 @@ typedef struct ia_bit_buf_struct { UWORD8 *ptr_start; WORD32 write_bit_count; WORD32 max_size; + jmp_buf *xaac_jmp_buf; } ia_bit_buf_struct; diff --git a/decoder/ixheaacd_channel.c b/decoder/ixheaacd_channel.c index 67c2a0c..17ddf01 100644 --- a/decoder/ixheaacd_channel.c +++ b/decoder/ixheaacd_channel.c @@ -879,6 +879,12 @@ WORD16 ixheaacd_read_spectral_data( ixheaacd_huff_mute_erroneous_lines(pstr_hcr_info); } + if (it_bit_buff->cnt_bits < + ptr_aac_dec_channel_info->reorder_spect_data_len) { + longjmp(*(it_bit_buff->xaac_jmp_buf), + IA_ENHAACPLUS_DEC_EXE_NONFATAL_INSUFFICIENT_INPUT_BYTES); + } + it_bit_buff->cnt_bits += -ptr_aac_dec_channel_info->reorder_spect_data_len; it_bit_buff->ptr_read_next = diff --git a/decoder/ixheaacd_common_lpfuncs.c b/decoder/ixheaacd_common_lpfuncs.c index 4c8a5ec..d001982 100644 --- a/decoder/ixheaacd_common_lpfuncs.c +++ b/decoder/ixheaacd_common_lpfuncs.c @@ -211,12 +211,13 @@ VOID ixheaacd_read_data_stream_element(ia_bit_buf_struct *it_bit_buff, } } + if (it_bit_buff->cnt_bits < (cnt << 3)) { + longjmp(*(it_bit_buff->xaac_jmp_buf), + IA_ENHAACPLUS_DEC_EXE_NONFATAL_INSUFFICIENT_INPUT_BYTES); + } it_bit_buff->ptr_read_next += cnt; it_bit_buff->cnt_bits -= ((cnt) << 3); - if (it_bit_buff->ptr_read_next > it_bit_buff->ptr_bit_buf_end) { - it_bit_buff->ptr_read_next = it_bit_buff->ptr_bit_buf_base; - } } VOID ixheaacd_read_fill_element(ia_bit_buf_struct *it_bit_buff, 
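Review bot: The new `jmp_buf *xaac_jmp_buf` member of ia_bit_buf_struct (ixheaacd_bitbuffer.h, hunk at -83) is dereferenced unconditionally at every longjmp site this patch adds, yet it is assigned by hand wherever a bit buffer is set up (ixheaacd_api.c, ixheaacd_decode_main.c, ixheaacd_headerdecode.c, ixheaacd_sbrdecoder.c) rather than inside ixheaacd_create_bit_buf / ixheaacd_create_init_bit_buf. As far as the hunks show, a buffer built on any path the patch did not touch reaches `longjmp(*(it_bit_buff->xaac_jmp_buf), ...)` with an indeterminate pointer. Passing the jump buffer into the create functions would make the assignment impossible to forget; at minimum the field deserves a comment such as `/* must point at a jmp_buf armed by setjmp in a caller that is still on the stack; required before any read */`.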
@@ -243,12 +244,13 @@ VOID ixheaacd_read_fill_element(ia_bit_buf_struct *it_bit_buff, } else { ixheaacd_read_bits_buf(it_bit_buff, 4); + if (it_bit_buff->cnt_bits < ((count - 1) << 3)) { + longjmp(*(it_bit_buff->xaac_jmp_buf), + IA_ENHAACPLUS_DEC_EXE_NONFATAL_INSUFFICIENT_INPUT_BYTES); + } it_bit_buff->ptr_read_next += count - 1; it_bit_buff->cnt_bits -= ((count - 1) << 3); - if (it_bit_buff->ptr_read_next > it_bit_buff->ptr_bit_buf_end) { - it_bit_buff->ptr_read_next = it_bit_buff->ptr_bit_buf_base; - } } } } diff --git a/decoder/ixheaacd_create.c b/decoder/ixheaacd_create.c index 9f72de1..baa7b83 100644 --- a/decoder/ixheaacd_create.c +++ b/decoder/ixheaacd_create.c @@ -39,7 +39,20 @@ #include "ixheaacd_drc_data_struct.h" #include "ixheaacd_drc_dec.h" +#include "ixheaacd_sbr_scale.h" +#include "ixheaacd_env_extr_part.h" +#include "ixheaacd_sbr_rom.h" +#include "ixheaacd_hybrid.h" +#include "ixheaacd_ps_dec.h" +#include "ixheaacd_common_rom.h" +#include "ixheaacd_qmf_dec.h" +#include "ixheaacd_sbr_const.h" +#include "ixheaacd_lpp_tran.h" #include "ixheaacd_sbrdecoder.h" +#include "ixheaacd_env_extr.h" +#include "ixheaacd_env_calc.h" +#include "ixheaacd_pvc_dec.h" +#include "ixheaacd_sbr_dec.h" #include "ixheaacd_mps_polyphase.h" #include "ixheaacd_sbr_const.h" @@ -50,7 +63,6 @@ #include #include "ixheaacd_memory_standards.h" #include "ixheaacd_sbrdecsettings.h" -#include "ixheaacd_env_extr_part.h" #include "ixheaacd_defines.h" #include #include "ixheaacd_common_rom.h" @@ -677,6 +689,9 @@ WORD32 ixheaacd_decode_create(ia_exhaacplus_dec_api_struct *handle, if (pstr_dec_data->str_usac_data.pstr_esbr_dec == NULL) { return -1; + } else { + pstr_dec_data->str_usac_data.pstr_esbr_dec->xaac_jmp_buf = + &(aac_dec_handle->xaac_jmp_buf); } } } diff --git a/decoder/ixheaacd_decode_main.c b/decoder/ixheaacd_decode_main.c index 844e900..02d4670 100644 --- a/decoder/ixheaacd_decode_main.c +++ b/decoder/ixheaacd_decode_main.c 
@@ -280,6 +280,7 @@ WORD32 ixheaacd_dec_main(VOID *temp_handle, WORD8 *inbuffer, WORD8 *outbuffer, pstr_dec_data->dec_bit_buf.ptr_read_next = (UWORD8 *)inbuffer; pstr_dec_data->dec_bit_buf.bit_pos = 7; pstr_dec_data->dec_bit_buf.cnt_bits = pstr_dec_data->dec_bit_buf.size; + pstr_dec_data->dec_bit_buf.xaac_jmp_buf = &(aac_dec_handle->xaac_jmp_buf); pstr_dec_data->str_usac_data.usac_flag = aac_dec_handle->usac_flag; if (pstr_dec_data->dec_bit_buf.size > pstr_dec_data->dec_bit_buf.max_size) @@ -306,6 +307,7 @@ WORD32 ixheaacd_dec_main(VOID *temp_handle, WORD8 *inbuffer, WORD8 *outbuffer, config_bit_buf.ptr_bit_buf_end = (UWORD8 *)config + config_len; config_bit_buf.bit_pos = 7; config_bit_buf.cnt_bits = config_bit_buf.size; + config_bit_buf.xaac_jmp_buf = &(aac_dec_handle->xaac_jmp_buf); suitable_tracks = ixheaacd_frm_data_init(pstr_audio_specific_config, pstr_dec_data); @@ -334,6 +336,7 @@ WORD32 ixheaacd_dec_main(VOID *temp_handle, WORD8 *inbuffer, WORD8 *outbuffer, pstr_dec_data->dec_bit_buf.ptr_read_next = (UWORD8 *)inbuffer; pstr_dec_data->dec_bit_buf.bit_pos = 7; pstr_dec_data->dec_bit_buf.cnt_bits = pstr_dec_data->dec_bit_buf.size; + pstr_dec_data->dec_bit_buf.xaac_jmp_buf = &(aac_dec_handle->xaac_jmp_buf); pstr_dec_data->str_usac_data.usac_flag = aac_dec_handle->usac_flag; diff --git a/decoder/ixheaacd_drc_freq_dec.c b/decoder/ixheaacd_drc_freq_dec.c index 9adef97..b522e63 100644 --- a/decoder/ixheaacd_drc_freq_dec.c +++ b/decoder/ixheaacd_drc_freq_dec.c @@ -677,6 +677,10 @@ static int ixheaacd_drc_read_compression(ia_handle_bit_buf_struct bs, memcpy(&local_bs, bs, sizeof(ia_bit_buf_struct)); + if (local_bs.size < bs_pos) { + longjmp(*(local_bs.xaac_jmp_buf), + IA_ENHAACPLUS_DEC_EXE_NONFATAL_INSUFFICIENT_INPUT_BYTES); + } bytes = (local_bs.size - bs_pos) >> 3; bits = (local_bs.size - bs_pos) % 8; diff --git a/decoder/ixheaacd_env_extr.c b/decoder/ixheaacd_env_extr.c index 5fe9e6f..728d8a1 100644 --- a/decoder/ixheaacd_env_extr.c 
+++ b/decoder/ixheaacd_env_extr.c @@ -1138,9 +1138,15 @@ VOID ixheaacd_read_env_data(ia_sbr_frame_info_data_struct *ptr_frame_data, } for (i = (1 - dtdf_dir_flag); i < no_band[j]; i++) { - readword = ixheaacd_show_bits_buf(it_bit_buff, 20); - ixheaacd_huffman_decode(readword << 12, &index, &length, - (const UWORD16 *)h, (const UWORD32 *)idx_tab); + if (it_bit_buff->cnt_bits < 20) { + readword = ixheaacd_show_bits_buf(it_bit_buff, it_bit_buff->cnt_bits); + readword = readword << (32 - it_bit_buff->cnt_bits); + } else { + readword = ixheaacd_show_bits_buf(it_bit_buff, 20); + readword = readword << 12; + } + ixheaacd_huffman_decode(readword, &index, &length, (const UWORD16 *)h, + (const UWORD32 *)idx_tab); delta = index - lav; ixheaacd_read_bits_buf(it_bit_buff, length); p_sbr_sf[ixheaacd_drc_offset + i] = diff --git a/decoder/ixheaacd_headerdecode.c b/decoder/ixheaacd_headerdecode.c index d7b7f30..94c1aae 100644 --- a/decoder/ixheaacd_headerdecode.c +++ b/decoder/ixheaacd_headerdecode.c @@ -968,6 +968,7 @@ WORD32 ixheaacd_aac_headerdecode( handle_bit_buff = ixheaacd_create_bit_buf(&it_bit_buff, (UWORD8 *)buffer, (WORD16)header_len); handle_bit_buff->cnt_bits += (header_len << 3); + handle_bit_buff->xaac_jmp_buf = &aac_state_struct->xaac_jmp_buf; if (is_ga_header == 1) { return ixheaacd_ga_hdr_dec(aac_state_struct, header_len, bytes_consumed, diff --git a/decoder/ixheaacd_process.c b/decoder/ixheaacd_process.c index 2950191..533042c 100644 --- a/decoder/ixheaacd_process.c +++ b/decoder/ixheaacd_process.c 
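Review bot: In ixheaacd_read_env_data (hunk at -1138) the short-input branch runs when `cnt_bits` is anything below 20, including 0: it then calls `ixheaacd_show_bits_buf(it_bit_buff, 0)`, which still loads `*ptr_read_next` although no bits remain, and evaluates `readword << (32 - it_bit_buff->cnt_bits)` as a shift by 32, which is undefined if `readword` is a 32-bit type (its declaration is outside the hunk). Rejecting the empty case ahead of the `cnt_bits < 20` test keeps both in range: `if (it_bit_buff->cnt_bits <= 0) longjmp(*(it_bit_buff->xaac_jmp_buf), IA_ENHAACPLUS_DEC_EXE_NONFATAL_INSUFFICIENT_INPUT_BYTES);`. The surrounding loop and function start outside the hunk.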
@@ -203,10 +203,14 @@ static WORD32 ixheaacd_read_ext_element( } pstr_usac_dec_config->usac_ext_gain_payload_len += pay_load_length; } else { + if (it_bit_buff->cnt_bits < (WORD32)(pay_load_length << 3)) { + longjmp(*(it_bit_buff->xaac_jmp_buf), + IA_ENHAACPLUS_DEC_EXE_NONFATAL_INSUFFICIENT_INPUT_BYTES); + } it_bit_buff->ptr_read_next = it_bit_buff->ptr_read_next + pay_load_length; it_bit_buff->cnt_bits = - it_bit_buff->cnt_bits - (WORD32)(pay_load_length * 8); + it_bit_buff->cnt_bits - (WORD32)(pay_load_length << 3); } } } diff --git a/decoder/ixheaacd_sbr_dec.h b/decoder/ixheaacd_sbr_dec.h index 69a4d23..4b373a9 100644 --- a/decoder/ixheaacd_sbr_dec.h +++ b/decoder/ixheaacd_sbr_dec.h @@ -20,6 +20,8 @@ #ifndef IXHEAACD_SBR_DEC_H #define IXHEAACD_SBR_DEC_H +#include + typedef struct { WORD32 x_over_qmf[MAX_NUM_PATCHES]; WORD32 max_stretch; @@ -121,6 +123,7 @@ struct ia_sbr_dec_inst_struct { FLAG prev_sbr_mode; FLAG inter_tes_flag; FLAG aot_usac_flag; + jmp_buf *xaac_jmp_buf; }; typedef struct ia_sbr_pers_struct { diff --git a/decoder/ixheaacd_sbrdecoder.c b/decoder/ixheaacd_sbrdecoder.c index e357af2..de29afe 100644 --- a/decoder/ixheaacd_sbrdecoder.c +++ b/decoder/ixheaacd_sbrdecoder.c @@ -383,6 +383,7 @@ WORD16 ixheaacd_applysbr(ia_handle_sbr_dec_inst_struct self, ptr_bit_str_ele->size_payload); it_bit_buff = &local_bit_buf; + it_bit_buff->xaac_jmp_buf = self->xaac_jmp_buf; if (audio_object_type == AOT_ER_AAC_ELD) { if (eld_sbr_flag != 1) { ixheaacd_read_bits_buf(&local_bit_buf, LEN_NIBBLE); diff --git a/decoder/ixheaacd_struct_def.h b/decoder/ixheaacd_struct_def.h index 95ad94b..ef67415 100644 --- a/decoder/ixheaacd_struct_def.h +++ b/decoder/ixheaacd_struct_def.h @@ -20,6 +20,8 @@ #ifndef IXHEAACD_STRUCT_DEF_H #define IXHEAACD_STRUCT_DEF_H +#include + #define MAX_OUTPUT_CHANNELS (8) #define MAX_NUM_OTT (1) 
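Review bot: The guard in ixheaacd_read_ext_element compares against `(WORD32)(pay_load_length << 3)`, so the multiplication by eight happens before the range is known; if `pay_load_length` is a 32-bit value taken from the stream, a large length can wrap to a small or negative bit count, pass the test, and still advance `ptr_read_next` by the full byte count. Comparing in bytes avoids shifting an unchecked value, e.g. `if (it_bit_buff->cnt_bits < 0 || pay_load_length > (UWORD32)(it_bit_buff->cnt_bits >> 3)) {`, assuming the length is unsigned as the cast suggests. The declaration of `pay_load_length` and any upper bound applied when it is parsed are outside the hunk.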
@@ -230,6 +232,7 @@ typedef struct ia_aac_dec_state_struct { UWORD8 *header_ptr; WORD32 header_length; ia_sbr_header_data_struct str_sbr_config; + jmp_buf xaac_jmp_buf; } ia_aac_dec_state_struct; typedef struct ia_exhaacplus_dec_api_struct {
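Review bot: `jmp_buf xaac_jmp_buf` lives in ia_aac_dec_state_struct, which outlives the ixheaacd_dec_init / ixheaacd_dec_execute calls that arm it, so once either function returns the saved context refers to a dead stack frame while every bit buffer and SBR instance still holds a pointer to it. longjmp is only defined while the function that called setjmp is still active, so a bit-buffer reader reached from any other entry point would jump into that stale context. Whether such a path exists is not visible in this patch, so the field should at least carry the contract: `/* valid only for the duration of the dec_init/dec_execute call that armed it with setjmp */`.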