Merge "Fix for OOB write in mpeg-d drc bit stream parsing by adding bound checks" into pi-dev

Ray Essick 2018-11-21 17:21:38 +00:00 committed by Android (Google) Code Review
commit 850b4ba6f3
3 changed files with 67 additions and 5 deletions


@ -536,6 +536,9 @@ WORD32 impd_parse_drc_ext_v1(ia_bit_buf_struct* it_bit_buff,
if (dwnmix_instructions_v1_flag == 1) {
dwnmix_instructions_v1_count = impd_read_bits_buf(it_bit_buff, 7);
if (it_bit_buff->error) return it_bit_buff->error;
if ((dwnmix_instructions_v1_count + drc_config->dwnmix_instructions_count) >
DOWNMIX_INSTRUCTION_COUNT_MAX)
return UNEXPECTED_ERROR;
for (i = 0; i < dwnmix_instructions_v1_count; i++) {
err = impd_parse_dwnmix_instructions(
it_bit_buff, version, ia_drc_params_struct,
@ -591,6 +594,9 @@ WORD32 impd_parse_drc_ext_v1(ia_bit_buf_struct* it_bit_buff,
return UNEXPECTED_ERROR;
if (it_bit_buff->error) return it_bit_buff->error;
if (str_drc_config_ext->loud_eq_instructions_count >
LOUD_EQ_INSTRUCTIONS_COUNT_MAX)
return UNEXPECTED_ERROR;
for (i = 0; i < str_drc_config_ext->loud_eq_instructions_count; i++) {
err = impd_parse_loud_eq_instructions(
it_bit_buff, &str_drc_config_ext->loud_eq_instructions[i]);
@ -941,6 +947,8 @@ WORD32 impd_parse_eq_coefficients(ia_bit_buf_struct* it_bit_buff,
str_eq_coeff->unique_td_filter_element_count =
impd_read_bits_buf(it_bit_buff, 6);
if (str_eq_coeff->unique_td_filter_element_count > FILTER_ELEMENT_COUNT_MAX)
return (UNEXPECTED_ERROR);
if (it_bit_buff->error) return it_bit_buff->error;
err = impd_parse_unique_td_filt_ele(
@ -950,6 +958,9 @@ WORD32 impd_parse_eq_coefficients(ia_bit_buf_struct* it_bit_buff,
str_eq_coeff->unique_eq_subband_gains_count =
impd_read_bits_buf(it_bit_buff, 6);
if (str_eq_coeff->unique_eq_subband_gains_count >
UNIQUE_SUBBAND_GAIN_COUNT_MAX)
return (UNEXPECTED_ERROR);
if (it_bit_buff->error) return it_bit_buff->error;
if (str_eq_coeff->unique_eq_subband_gains_count > 0) {
@ -1087,6 +1098,9 @@ WORD32 impd_parse_eq_instructions(
additional_dmix_id_cnt = impd_read_bits_buf(it_bit_buff, 7);
if (it_bit_buff->error) return it_bit_buff->error;
if (additional_dmix_id_cnt >= DOWNMIX_ID_COUNT_MAX)
return UNEXPECTED_ERROR;
for (i = 1; i < additional_dmix_id_cnt + 1; i++) {
str_eq_instructions->downmix_id[i] = impd_read_bits_buf(it_bit_buff, 7);
if (it_bit_buff->error) return it_bit_buff->error;
@ -1108,6 +1122,8 @@ WORD32 impd_parse_eq_instructions(
if (additional_drc_set_id_present) {
additional_drc_set_id_cnt = impd_read_bits_buf(it_bit_buff, 6);
if (it_bit_buff->error) return it_bit_buff->error;
if (additional_drc_set_id_cnt >= DRC_SET_ID_COUNT_MAX)
return UNEXPECTED_ERROR;
for (i = 1; i < additional_drc_set_id_cnt + 1; i++) {
str_eq_instructions->drc_set_id[i] = impd_read_bits_buf(it_bit_buff, 6);
@ -1250,7 +1266,8 @@ WORD32 impd_parse_loud_eq_instructions(
if (additional_dmix_id_present) {
additional_dmix_id_cnt = impd_read_bits_buf(it_bit_buff, 7);
if (it_bit_buff->error) return it_bit_buff->error;
if (additional_dmix_id_cnt >= DOWNMIX_ID_COUNT_MAX)
return UNEXPECTED_ERROR;
for (i = 1; i < additional_dmix_id_cnt + 1; i++) {
loud_eq_instructions->downmix_id[i] =
impd_read_bits_buf(it_bit_buff, 7);
@ -1277,6 +1294,8 @@ WORD32 impd_parse_loud_eq_instructions(
if (additional_drc_set_id_present) {
additional_drc_set_id_cnt = impd_read_bits_buf(it_bit_buff, 6);
if (it_bit_buff->error) return it_bit_buff->error;
if ((additional_drc_set_id_cnt >= DRC_SET_ID_COUNT_MAX))
return UNEXPECTED_ERROR;
for (i = 1; i < additional_drc_set_id_cnt + 1; i++) {
loud_eq_instructions->drc_set_id[i] =
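Review bot: In the two impd_parse_eq_coefficients hunks the new range checks on `unique_td_filter_element_count` and `unique_eq_subband_gains_count` run before the `it_bit_buff->error` test, whereas every other hunk in this file tests the read error first. As written, the value is already stored in `str_eq_coeff` when it is rejected, and a failed read could surface as UNEXPECTED_ERROR rather than the bit-buffer error. I would put `if (it_bit_buff->error) return it_bit_buff->error;` ahead of each bound check, and ideally read the count into a local and assign it to the struct only after it passes. Whether callers reuse `str_eq_coeff` after an error return is not visible here, since both function bodies extend beyond the hunks.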


@ -305,6 +305,7 @@ WORD32 impd_select_drcs_without_compr_effects(
}
}
if (match == 1) {
if (k >= SELECTION_CANDIDATE_COUNT_MAX) return UNEXPECTED_ERROR;
memcpy(&selection_candidate_info_step_2[k], &selection_candidate_info[i],
sizeof(ia_selection_candidate_info_struct));
k++;
@ -365,6 +366,7 @@ WORD32 impd_match_effect_type_attempt(
0x0) ||
((drc_instructions_dependent->drc_set_effect & effect_bit_idx) !=
0x0)) {
if (k >= SELECTION_CANDIDATE_COUNT_MAX) return UNEXPECTED_ERROR;
memcpy(&selection_candidate_info_step_2[k],
&selection_candidate_info[i],
sizeof(ia_selection_candidate_info_struct));
@ -375,6 +377,7 @@ WORD32 impd_match_effect_type_attempt(
0x0) &&
((drc_instructions_dependent->drc_set_effect & effect_bit_idx) ==
0x0)) {
if (k >= SELECTION_CANDIDATE_COUNT_MAX) return UNEXPECTED_ERROR;
memcpy(&selection_candidate_info_step_2[k],
&selection_candidate_info[i],
sizeof(ia_selection_candidate_info_struct));
@ -385,6 +388,7 @@ WORD32 impd_match_effect_type_attempt(
if (state_requested == 1) {
if ((str_drc_instruction_str->drc_set_effect & effect_bit_idx) !=
0x0) {
if (k >= SELECTION_CANDIDATE_COUNT_MAX) return UNEXPECTED_ERROR;
memcpy(&selection_candidate_info_step_2[k],
&selection_candidate_info[i],
sizeof(ia_selection_candidate_info_struct));
@ -393,6 +397,7 @@ WORD32 impd_match_effect_type_attempt(
} else {
if ((str_drc_instruction_str->drc_set_effect & effect_bit_idx) ==
0x0) {
if (k >= SELECTION_CANDIDATE_COUNT_MAX) return UNEXPECTED_ERROR;
memcpy(&selection_candidate_info_step_2[k],
&selection_candidate_info[i],
sizeof(ia_selection_candidate_info_struct));
@ -511,6 +516,7 @@ WORD32 impd_match_dynamic_range(
if (requested_dyn_range_range_flag == 1) {
if ((lp_avg_val >= dynamic_range_min_requested) &&
(lp_avg_val <= dynamic_range_max_requested)) {
if (k >= DRC_INSTRUCTIONS_COUNT_MAX) return UNEXPECTED_ERROR;
selected[k] = i;
k++;
}
@ -522,6 +528,7 @@ WORD32 impd_match_dynamic_range(
deviation_min = deviation;
k = 0;
}
if (k >= DRC_INSTRUCTIONS_COUNT_MAX) return UNEXPECTED_ERROR;
selected[k] = i;
k++;
}
@ -645,6 +652,7 @@ WORD32 impd_match_drc_characteristic_attempt(
}
}
if ((ref_count > 0) && (((FLOAT32)match_count) > 0.5f * ref_count)) {
if (n >= SELECTION_CANDIDATE_COUNT_MAX) return UNEXPECTED_ERROR;
memcpy(&selection_candidate_info[n], &selection_candidate_info[i],
sizeof(ia_selection_candidate_info_struct));
n++;
@ -981,6 +989,7 @@ WORD32 impd_drc_set_preselection(
&matching_eq_set_count, matching_eq_instrucions_index);
if (err) return (err);
for (j = 0; j < matching_eq_set_count; j++) {
if (n >= SELECTION_CANDIDATE_COUNT_MAX) return UNEXPECTED_ERROR;
memcpy(&selection_candidate_info_step_2[n],
&selection_candidate_info[k],
sizeof(ia_selection_candidate_info_struct));
@ -992,6 +1001,7 @@ WORD32 impd_drc_set_preselection(
}
}
if (str_drc_instruction_str->requires_eq == 0) {
if (n >= SELECTION_CANDIDATE_COUNT_MAX) return UNEXPECTED_ERROR;
memcpy(&selection_candidate_info_step_2[n],
&selection_candidate_info[k],
sizeof(ia_selection_candidate_info_struct));
@ -999,10 +1009,9 @@ WORD32 impd_drc_set_preselection(
n++;
}
}
for (k = 0; k < n; k++) {
memcpy(&selection_candidate_info[k], &selection_candidate_info_step_2[k],
sizeof(ia_selection_candidate_info_struct));
}
if (n > SELECTION_CANDIDATE_COUNT_MAX) return UNEXPECTED_ERROR;
memcpy(selection_candidate_info, selection_candidate_info_step_2,
n * sizeof(ia_selection_candidate_info_struct));
*selection_candidate_count = n;
n = 0;
for (k = 0; k < *selection_candidate_count; k++) {
@ -1084,6 +1093,7 @@ WORD32 impd_drc_set_preselection(
for (n = 0; n < pstr_loudness_info->loudness_info_album_count; n++) {
if (loudness_drc_set_id_requested ==
pstr_loudness_info->str_loudness_info_album[n].drc_set_id) {
if (j >= SELECTION_CANDIDATE_COUNT_MAX) return UNEXPECTED_ERROR;
memcpy(&selection_candidate_info[j], &selection_candidate_info[k],
sizeof(ia_selection_candidate_info_struct));
j++;
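Review bot: The guarded copy in impd_match_drc_characteristic_attempt, `memcpy(&selection_candidate_info[n], &selection_candidate_info[i], ...)`, reads and writes the same array, so whenever `n == i` (which appears to be the case while every candidate so far has matched) source and destination overlap and memcpy is undefined. The same shape appears in the last impd_drc_set_preselection hunk with `j` and `k`. Since the commit already touches these sites, I would change them to `if (n != i) memcpy(...)` or use `memmove`, which also keeps sanitizer runs over this parser free of overlap reports. The initial values of `n`, `i`, `j` and `k` are set outside the hunks, so the `n == i` case is inferred rather than shown.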


@ -695,6 +695,8 @@ WORD32 impd_parse_loud_info_set_ext_eq(
offset = loudness_info_set->loudness_info_album_count;
loudness_info_set->loudness_info_album_count += loudness_info_v1_album_cnt;
if ((offset + loudness_info_v1_album_cnt) > LOUDNESS_INFO_COUNT_MAX)
return (UNEXPECTED_ERROR);
for (i = 0; i < loudness_info_v1_album_cnt; i++) {
err = impd_parse_loudness_info(
it_bit_buff, version,
@ -703,6 +705,8 @@ WORD32 impd_parse_loud_info_set_ext_eq(
}
offset = loudness_info_set->loudness_info_count;
loudness_info_set->loudness_info_count += loudness_info_v1_cnt;
if (offset + loudness_info_v1_cnt > LOUDNESS_INFO_COUNT_MAX)
return (UNEXPECTED_ERROR);
for (i = 0; i < loudness_info_v1_cnt; i++) {
err = impd_parse_loudness_info(
it_bit_buff, version, &loudness_info_set->loudness_info[i + offset]);
@ -775,6 +779,7 @@ impd_parse_dwnmix_instructions(
dmix_coeff = impd_read_bits_buf(it_bit_buff, 4);
if (it_bit_buff->error) return it_bit_buff->error;
if (k >= DOWNMIX_COEFF_COUNT_MAX) return (UNEXPECTED_ERROR);
if (ia_drc_params_struct->lfe_channel_map[j]) {
dwnmix_instructions->downmix_coefficient[k] =
(FLOAT32)pow(10.0f, 0.05f * dwnmix_coeff_lfe[dmix_coeff]);
@ -792,10 +797,12 @@ impd_parse_dwnmix_instructions(
bs_dmix_offset = impd_read_bits_buf(it_bit_buff, 4);
if (it_bit_buff->error) return it_bit_buff->error;
k = 0;
for (i = 0; i < dwnmix_instructions->target_channel_count; i++) {
for (j = 0; j < channel_layout->base_channel_count; j++) {
dmix_coeff_v1 = impd_read_bits_buf(it_bit_buff, 5);
if (it_bit_buff->error) return it_bit_buff->error;
if (k >= DOWNMIX_COEFF_COUNT_MAX) return (UNEXPECTED_ERROR);
dwnmix_instructions->downmix_coefficient[k] =
dwnmix_coeff_v1[dmix_coeff_v1];
k++;
@ -1152,6 +1159,9 @@ impd_parse_drc_config(ia_bit_buf_struct* it_bit_buff,
drc_config->drc_coefficients_drc_count = (temp >> 6) & 7;
drc_config->drc_instructions_uni_drc_count = temp & 0x3f;
if (drc_config->drc_instructions_uni_drc_count > DRC_INSTRUCTIONS_COUNT_MAX)
return (UNEXPECTED_ERROR);
err = impd_parse_ch_layout(it_bit_buff, ia_drc_params_struct,
&drc_config->channel_layout);
if (err) return (err);
@ -1280,6 +1290,9 @@ impd_parse_loudness_info_set(
offset = loudness_info_set->loudness_info_album_count;
loudness_info_set->loudness_info_album_count += loudness_info_album_count;
if ((offset + loudness_info_set->loudness_info_album_count) >
LOUDNESS_INFO_COUNT_MAX)
return (UNEXPECTED_ERROR);
for (i = 0; i < loudness_info_set->loudness_info_album_count; i++) {
err = impd_parse_loudness_info(
it_bit_buff, version,
@ -1289,6 +1302,9 @@ impd_parse_loudness_info_set(
offset = loudness_info_set->loudness_info_count;
loudness_info_set->loudness_info_count += loudness_info_count;
if ((offset + loudness_info_set->loudness_info_count) >
LOUDNESS_INFO_COUNT_MAX)
return (UNEXPECTED_ERROR);
for (i = 0; i < loudness_info_set->loudness_info_count; i++) {
err = impd_parse_loudness_info(
it_bit_buff, version, &(loudness_info_set->loudness_info[i + offset]));
@ -1500,6 +1516,8 @@ impd_parse_gain_set_params(ia_bit_buf_struct* it_bit_buff, WORD32 version,
gain_set_params->band_count = impd_read_bits_buf(it_bit_buff, 4);
if (it_bit_buff->error) return it_bit_buff->error;
if (gain_set_params->band_count > BAND_COUNT_MAX) return (UNEXPECTED_ERROR);
if (gain_set_params->band_count > 1) {
gain_set_params->drc_band_type = impd_read_bits_buf(it_bit_buff, 1);
if (it_bit_buff->error) return it_bit_buff->error;
@ -1647,6 +1665,10 @@ impd_drc_parse_coeff(
str_p_loc_drc_coefficients_uni_drc->gain_set_count =
impd_read_bits_buf(it_bit_buff, 6);
if (it_bit_buff->error) return it_bit_buff->error;
if (str_p_loc_drc_coefficients_uni_drc->gain_set_count > GAIN_SET_COUNT_MAX)
return (UNEXPECTED_ERROR);
str_p_loc_drc_coefficients_uni_drc->gain_set_count_plus =
str_p_loc_drc_coefficients_uni_drc->gain_set_count;
for (i = 0; i < str_p_loc_drc_coefficients_uni_drc->gain_set_count; i++) {
@ -1748,6 +1770,9 @@ impd_drc_parse_coeff(
str_p_loc_drc_coefficients_uni_drc->shape_num_filter =
impd_read_bits_buf(it_bit_buff, 4);
if (it_bit_buff->error) return it_bit_buff->error;
if (str_p_loc_drc_coefficients_uni_drc->shape_num_filter >
SHAPE_FILTER_COUNT_MAX)
return (UNEXPECTED_ERROR);
for (i = 1; i <= str_p_loc_drc_coefficients_uni_drc->shape_num_filter;
i++) {
pstr_shape_filter_block_params =
@ -1810,8 +1835,16 @@ impd_drc_parse_coeff(
str_p_loc_drc_coefficients_uni_drc->gain_sequence_count =
(temp >> 6) & 0x3f;
if (str_p_loc_drc_coefficients_uni_drc->gain_sequence_count >
SEQUENCE_COUNT_MAX)
return UNEXPECTED_ERROR;
str_p_loc_drc_coefficients_uni_drc->gain_set_count = temp & 0x3f;
if (str_p_loc_drc_coefficients_uni_drc->gain_set_count > GAIN_SET_COUNT_MAX)
return (UNEXPECTED_ERROR);
str_p_loc_drc_coefficients_uni_drc->gain_set_count_plus =
str_p_loc_drc_coefficients_uni_drc->gain_set_count;
for (i = 0; i < str_p_loc_drc_coefficients_uni_drc->gain_set_count; i++) {
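Review bot: In impd_parse_loud_info_set_ext_eq the stored count is updated (`loudness_info_set->loudness_info_album_count += loudness_info_v1_album_cnt;`) before the new bound check, so the error return leaves `loudness_info_set` holding a count above LOUDNESS_INFO_COUNT_MAX. The same order is used for `loudness_info_count` in that function and for both counts in impd_parse_loudness_info_set. Code that walks these arrays by count, as the album loop in the selection file of this commit does, would read past the array if it ever ran on a set whose parse failed; whether that can happen is not visible here. I would test first, `if (offset + loudness_info_v1_album_cnt > LOUDNESS_INFO_COUNT_MAX) return (UNEXPECTED_ERROR);`, and only then apply the `+=`.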