Merge changes from topic "b117495362" into pi-dev

* changes:
  Fix for stack buffer overflow in mps ecdata pair decode
  Fix for OOB read in bit stream parsing in mps module
  Clean an array bounds violation.
  Fix for sanitizer multiplication overflow error
  Fix for Segmentation fault in ixheaacd_mps_apply_pre_matrix
Ray Essick 2018-11-01 22:14:01 +00:00 committed by Android (Google) Code Review
commit 8fe5da1ed4
7 changed files with 49 additions and 25 deletions


@ -599,7 +599,7 @@ const WORD64 ixheaacd_table_exp[32] = {
static const WORD32 ixheaacd_pow_14_3[8] = {0, 3251, 4096, 5161,
6502, 8192, 10321, 13004};
const WORD32 ixheaacd_pow_table_Q13[1024] = {0,
const WORD32 ixheaacd_pow_table_Q13[1025] = {0,
131072 >> 4,
330281 >> 4,
567116 >> 4,
@ -1622,7 +1622,8 @@ const WORD32 ixheaacd_pow_table_Q13[1024] = {0,
84111783,
84221751,
84331755,
84441795};
84441795,
84551870};
static WORD32 ixheaacd_esc_nb_offset[8] = {0, 131072, 262144, 393216,
524288, 655360, 786432, 917504};
@ -1943,15 +1944,15 @@ static VOID ixheaacd_esc_iquant(WORD32 *q, WORD32 *coef, WORD32 noise_level,
}
}
if (q[i] >= 8192) {
q[i] = 8191;
}
if (q[i] < 0) {
flag = -1;
q[i] = -q[i];
}
if (q[i] >= 8192) {
q[i] = 8191;
}
if (q[i] < 1024) {
coef[i] = flag * ixheaacd_pow_table_Q13[q[i]];
} else {
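Review bot: The negation `q[i] = -q[i]` now runs before the clamp, so a `q[i]` equal to the minimum WORD32 value overflows on negation and typically stays negative. It then skips the `>= 8192` clamp, passes `q[i] < 1024`, and indexes `ixheaacd_pow_table_Q13` with a negative index. Whether the quantised value can get that low depends on the code above the hunk, which is not visible here, so treat this as a hardening point. Clamping the negative side first closes it: `if (q[i] <= -8192) q[i] = -8191;` placed before the `if (q[i] < 0)` test. A one-line comment on the table saying which access needs the 1025th entry would also help, since the visible lookup is guarded by `q[i] < 1024`.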


@ -97,7 +97,8 @@ static VOID ixheaacd_nearest_neighbor_2d(WORD32 x[], WORD32 y[], WORD32 count,
VOID ixheaacd_voronoi_search(WORD32 x[], WORD32 y[], WORD32 count, WORD32 *rem1,
WORD32 *rem2) {
WORD32 i, y0[8], y1[8];
WORD32 e0, e1, x1[8], tmp;
WORD32 x1[8], tmp;
WORD64 e0, e1;
ixheaacd_nearest_neighbor_2d(x, y0, count, rem1);
for (i = 0; i < 8; i++) {
@ -122,9 +123,9 @@ VOID ixheaacd_voronoi_search(WORD32 x[], WORD32 y[], WORD32 count, WORD32 *rem1,
e0 = e1 = 0;
for (i = 0; i < 8; i++) {
tmp = rem1[i];
e0 += tmp * tmp;
e0 += (WORD64)tmp * tmp;
tmp = rem2[i];
e1 += tmp * tmp;
e1 += (WORD64)tmp * tmp;
}
if (e0 < e1) {
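Review bot: Widening `e0`/`e1` to WORD64 removes the 32-bit overflow, but the sum of eight squares still fits in a signed 64-bit value only while each remainder stays below 2^30 in magnitude. The range of `rem1[]`/`rem2[]` is set by `ixheaacd_nearest_neighbor_2d`, which is outside the hunk, so the bound cannot be confirmed here. I would document the assumption next to the declaration, e.g. `/* 64-bit: sum of 8 squares; assumes |rem| < 2^30 */`. If that cannot be guaranteed, accumulate in an unsigned 64-bit type so that wrap-around is at least well defined.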


@ -324,8 +324,11 @@ WORD32 ixheaacd_decode_init(
.str_usac_element_config[ele_id]
.str_usac_mps212_config);
ixheaacd_mps_create(&aac_dec_handle->mps_dec_handle, bs_frame_length,
bs_residual_coding, ptr_usac_mps212_config);
if (ixheaacd_mps_create(&aac_dec_handle->mps_dec_handle,
bs_frame_length, bs_residual_coding,
ptr_usac_mps212_config)) {
return -1;
}
}
break;
}
@ -425,7 +428,7 @@ WORD32 ixheaacd_dec_data_init(VOID *handle,
err_code =
ixheaacd_decode_init(handle, pstr_frame_data->str_layer.sample_rate_layer,
usac_data, pstr_stream_config);
if (err_code == -1) return -1;
if (err_code != 0) return err_code;
for (i_ch = 0; i_ch < MAX_NUM_CHANNELS; i_ch++) {
if (usac_data->tw_mdct[0] == 1) {
@ -556,7 +559,7 @@ WORD32 ixheaacd_decode_create(ia_exhaacplus_dec_api_struct *handle,
handle->aac_config.ui_sbr_mode = 0;
}
if (err == -1) return -1;
if (err != 0) return err;
break;
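Review bot: The new failure path in `ixheaacd_decode_init` returns a literal `-1` and discards the code that `ixheaacd_mps_create` produced. The two callers changed in this same section were updated to propagate any non-zero code (`if (err_code != 0) return err_code;`). Passing the original code through keeps the reason for rejecting a malformed MPS header visible to the API user: `err_code = ixheaacd_mps_create(...); if (err_code != 0) return err_code;`. This assumes a suitable local is available, as the function body lies mostly outside the hunk.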


@ -364,18 +364,20 @@ static VOID ixheaacd_filter_and_add(const WORD32 *in, const WORD32 length,
sum = ixheaacd_mult32x32in64(in[0], filter[0]);
sum = ixheaacd_mac32x32in64_n(sum, &in[0], &filter[1], 6);
*out += (WORD32)((sum * factor_even) >> 15);
*out = ixheaacd_add32_sat(*out, (WORD32)((sum * factor_even) >> 15));
out++;
for (i = 3; i < length - 4; i += 2) {
sum = 0;
sum = ixheaacd_mac32x32in64_7(sum, &in[i - 3], filter);
*out += (WORD32)((sum * factor_odd) >> 15);
*out = ixheaacd_add32_sat(*out, (WORD32)((sum * factor_odd) >> 15));
out++;
sum = 0;
sum = ixheaacd_mac32x32in64_7(sum, &in[i - 2], filter);
*out += (WORD32)((sum * factor_even) >> 15);
*out = ixheaacd_add32_sat(*out, (WORD32)((sum * factor_even) >> 15));
out++;
}
i = length - 3;
@ -525,7 +527,7 @@ static WORD32 ixheaacd_cplx_pred_upmixing(
(WORD32)((WORD64)ixheaacd_mult32x32in64(
alpha_q_im_temp, dmx_im[i]) >>
24);
r_spec[i] = (factor) * (l_spec[i] - mid_side);
r_spec[i] = (factor)*ixheaacd_sub32_sat(l_spec[i], mid_side);
l_spec[i] = l_spec[i] + mid_side;
}
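Review bot: In `ixheaacd_cplx_pred_upmixing` the subtraction is now saturated, but the very next line, `l_spec[i] = l_spec[i] + mid_side;`, is still a plain signed add on the same operands and can overflow for the same inputs. It should use the helper already introduced in this file: `l_spec[i] = ixheaacd_add32_sat(l_spec[i], mid_side);`. In `ixheaacd_filter_and_add` the saturating add protects only the accumulation into `*out`. The term `(WORD32)((sum * factor_even) >> 15)` is still truncated by the cast before it reaches `ixheaacd_add32_sat`, so a large `sum` can wrap silently. The tail of that function after `i = length - 3;` is outside the hunk and may contain further unsaturated `*out +=` statements worth checking.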


@ -79,9 +79,9 @@ extern ia_huff_cld_nodes_struct ixheaacd_huff_cld_nodes;
extern ia_huff_icc_nodes_struct ixheaacd_huff_icc_nodes;
extern ia_huff_res_nodes_struct ixheaacd_huff_reshape_nodes;
VOID ixheaacd_mps_create(ia_mps_dec_state_struct* self, WORD32 bs_frame_len,
WORD32 residual_coding,
ia_usac_dec_mps_config_struct* mps212_config) {
WORD32 ixheaacd_mps_create(ia_mps_dec_state_struct* self, WORD32 bs_frame_len,
WORD32 residual_coding,
ia_usac_dec_mps_config_struct* mps212_config) {
WORD32 num_ch;
WORD32 err_code = 0;
@ -109,6 +109,8 @@ VOID ixheaacd_mps_create(ia_mps_dec_state_struct* self, WORD32 bs_frame_len,
err_code = ixheaacd_mps_header_decode(self);
if (err_code != 0) return err_code;
if ((self->residual_coding) && (self->res_bands > 0)) self->res_ch_count++;
ixheaacd_mps_env_init(self);
@ -147,7 +149,7 @@ VOID ixheaacd_mps_create(ia_mps_dec_state_struct* self, WORD32 bs_frame_len,
memset(self->opd_smooth.smooth_r_phase, 0,
MAX_PARAMETER_BANDS * sizeof(WORD32));
return;
return 0;
}
static FLOAT32 ixheaacd_tsd_mul_re[] = {
@ -1424,6 +1426,8 @@ WORD32 ixheaacd_mps_ecdatapairdec(ia_handle_bit_buf_struct it_bit_buff,
}
}
if (data_bands <= 0) return -1;
if (!ixheaacd_huff_decode(it_bit_buff, data_array[0], data_array[1],
data_type, diff_type[0], diff_type[1],
pilot_coding_flag, pilot_data, data_bands,
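Review bot: The added guard in `ixheaacd_mps_ecdatapairdec` rejects only `data_bands <= 0`, and no upper bound is visible before `data_bands` is handed to `ixheaacd_huff_decode` together with `data_array[0]`/`data_array[1]`. Since the commit targets a stack buffer overflow in this decoder, I would check both ends in one place, e.g. `if (data_bands <= 0 || data_bands > MAX_PARAMETER_BANDS) return -1;`, provided `MAX_PARAMETER_BANDS` is the real capacity of those arrays. Their declarations are outside the hunk, so that needs confirming. Separately, the early `return err_code;` in `ixheaacd_mps_create` leaves `self` only partly initialised, because `ixheaacd_mps_env_init` and the later `memset` calls are skipped. A short comment stating that the handle must not be used after a non-zero return would make that contract explicit.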


@ -20,9 +20,9 @@
#ifndef IXHEAACD_MPS_INTERFACE_H
#define IXHEAACD_MPS_INTERFACE_H
VOID ixheaacd_mps_create(ia_mps_dec_state_struct* self, WORD32 bs_frame_len,
WORD32 residual_coding,
ia_usac_dec_mps_config_struct* usac_mps_config);
WORD32 ixheaacd_mps_create(ia_mps_dec_state_struct* self, WORD32 bs_frame_len,
WORD32 residual_coding,
ia_usac_dec_mps_config_struct* usac_mps_config);
VOID ixheaacd_mps_frame_parsing(ia_mps_dec_state_struct* self,
WORD32 independency_flag,
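Review bot: The prototype of `ixheaacd_mps_create` now returns `WORD32`, but nothing in the header says what the value means. A short comment above the declaration should state the contract: returns 0 on success, otherwise the non-zero code from MPS header decoding, after which the decoder state must not be used. The last parameter is named `usac_mps_config` here and `mps212_config` in the definition. Aligning the two would make the declaration easier to match against the implementation.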


@ -110,6 +110,12 @@ static int ixheaacd_smoothing_time_table[] = {64, 128, 256, 512};
static int ixheaacd_inverse_smoothing_time_table_q30[] = {16777216, 8388608,
4194304, 2097152};
static WORD32 bound_check(WORD32 var, WORD32 lower_bound, WORD32 upper_bound) {
var = min(var, upper_bound);
var = max(var, lower_bound);
return var;
}
static VOID ixheaacd_longmult1(unsigned short a[], unsigned short b,
unsigned short d[], int len) {
int k;
@ -803,9 +809,16 @@ static VOID ixheaacd_mps_mapindexdata(
}
for (ps = 0; ps < num_parameter_sets; ps++) {
for (band = band_start; band < band_stop; band++)
for (band = band_start; band < band_stop; band++) {
if (param_type == CLD) {
out_idx_data[ps][band] = bound_check(out_idx_data[ps][band], -15, 15);
} else if (param_type == ICC) // param_type is ICC
{
out_idx_data[ps][band] = bound_check(out_idx_data[ps][band], 0, 7);
}
out_data[ps][band] =
ixheaacd_mps_de_quantize(out_idx_data[ps][band], param_type);
}
}
if (ext_frame_flag) {
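Review bot: The clamp in `ixheaacd_mps_mapindexdata` covers only `CLD` and `ICC`, so any other `param_type` reaching this loop still passes an unchecked `out_idx_data[ps][band]` to `ixheaacd_mps_de_quantize`. Whether another type (for example a phase parameter) can arrive here, and whether the de-quantiser bounds it itself, is not visible in the hunk. If one can, it needs its own range or an explicit rejection. The limits `-15, 15` and `0, 7` are magic numbers that have to match the de-quantisation table sizes. Named constants defined next to those tables would keep them in step, and the trailing `// param_type is ICC` comment could then be dropped as redundant. Clamping also silently accepts a malformed stream. Because the function returns `VOID` it cannot report this, so a comment noting that out-of-range indices are coerced rather than rejected would help whoever triages a decoder issue later.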