From 0ccd0efbd026a5f0972a37d0f416b736870c3c2c Mon Sep 17 00:00:00 2001
From: Ramesh Katuri
Date: Fri, 22 Jun 2018 16:49:14 +0530
Subject: [PATCH 1/5] Fix for Segmentation fault in ixheaacd_mps_apply_pre_matrix

Bug: 110649314
Test: run poc
Change-Id: I40f74385499064c0e982608181d98e9e577df84c
---
 decoder/ixheaacd_create.c        | 11 +++++++----
 decoder/ixheaacd_mps_dec.c       | 10 ++++++----
 decoder/ixheaacd_mps_interface.h |  6 +++---
 3 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/decoder/ixheaacd_create.c b/decoder/ixheaacd_create.c
index 9091a95..9f72de1 100644
--- a/decoder/ixheaacd_create.c
+++ b/decoder/ixheaacd_create.c
@@ -324,8 +324,11 @@ WORD32 ixheaacd_decode_init(
                 .str_usac_element_config[ele_id]
                 .str_usac_mps212_config);
 
-        ixheaacd_mps_create(&aac_dec_handle->mps_dec_handle, bs_frame_length,
-                            bs_residual_coding, ptr_usac_mps212_config);
+        if (ixheaacd_mps_create(&aac_dec_handle->mps_dec_handle,
+                                bs_frame_length, bs_residual_coding,
+                                ptr_usac_mps212_config)) {
+          return -1;
+        }
       }
       break;
     }
@@ -425,7 +428,7 @@ WORD32 ixheaacd_dec_data_init(VOID *handle,
       err_code = ixheaacd_decode_init(handle,
                                       pstr_frame_data->str_layer.sample_rate_layer,
                                       usac_data, pstr_stream_config);
-      if (err_code == -1) return -1;
+      if (err_code != 0) return err_code;
 
       for (i_ch = 0; i_ch < MAX_NUM_CHANNELS; i_ch++) {
         if (usac_data->tw_mdct[0] == 1) {
@@ -556,7 +559,7 @@ WORD32 ixheaacd_decode_create(ia_exhaacplus_dec_api_struct *handle,
         handle->aac_config.ui_sbr_mode = 0;
       }
 
-      if (err == -1) return -1;
+      if (err != 0) return err;
 
       break;
 
diff --git a/decoder/ixheaacd_mps_dec.c b/decoder/ixheaacd_mps_dec.c
index 3075c1b..0e5cb7d 100644
--- a/decoder/ixheaacd_mps_dec.c
+++ b/decoder/ixheaacd_mps_dec.c
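Review bot: The new call site in ixheaacd_decode_init collapses whatever ixheaacd_mps_create now returns into a bare `return -1;`, while the other two hunks of this same patch (ixheaacd_dec_data_init and ixheaacd_decode_create) are changed to propagate the callee's value with `return err_code;` / `return err;`. Propagating here too keeps the failure diagnosable all the way up: `WORD32 mps_err = ixheaacd_mps_create(&aac_dec_handle->mps_dec_handle, bs_frame_length, bs_residual_coding, ptr_usac_mps212_config);` followed by `if (mps_err != 0) return mps_err;` (a local is used because the hunk does not show whether an error variable is already in scope at this point). The enclosing switch and the function itself extend beyond the hunk.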
@@ -79,9 +79,9 @@ extern ia_huff_cld_nodes_struct ixheaacd_huff_cld_nodes;
 extern ia_huff_icc_nodes_struct ixheaacd_huff_icc_nodes;
 extern ia_huff_res_nodes_struct ixheaacd_huff_reshape_nodes;
 
-VOID ixheaacd_mps_create(ia_mps_dec_state_struct* self, WORD32 bs_frame_len,
-                         WORD32 residual_coding,
-                         ia_usac_dec_mps_config_struct* mps212_config) {
+WORD32 ixheaacd_mps_create(ia_mps_dec_state_struct* self, WORD32 bs_frame_len,
+                           WORD32 residual_coding,
+                           ia_usac_dec_mps_config_struct* mps212_config) {
   WORD32 num_ch;
   WORD32 err_code = 0;
 
@@ -109,6 +109,8 @@ VOID ixheaacd_mps_create(ia_mps_dec_state_struct* self, WORD32 bs_frame_len,
 
 
   err_code = ixheaacd_mps_header_decode(self);
+  if (err_code != 0) return err_code;
+
 
   if ((self->residual_coding) && (self->res_bands > 0)) self->res_ch_count++;
   ixheaacd_mps_env_init(self);
@@ -147,7 +149,7 @@ VOID ixheaacd_mps_create(ia_mps_dec_state_struct* self, WORD32 bs_frame_len,
   memset(self->opd_smooth.smooth_r_phase, 0,
          MAX_PARAMETER_BANDS * sizeof(WORD32));
 
-  return;
+  return 0;
 }
 
 static FLOAT32 ixheaacd_tsd_mul_re[] = {
diff --git a/decoder/ixheaacd_mps_interface.h b/decoder/ixheaacd_mps_interface.h
index 7587773..a488aef 100644
--- a/decoder/ixheaacd_mps_interface.h
+++ b/decoder/ixheaacd_mps_interface.h
@@ -20,9 +20,9 @@
 #ifndef IXHEAACD_MPS_INTERFACE_H
 #define IXHEAACD_MPS_INTERFACE_H
 
-VOID ixheaacd_mps_create(ia_mps_dec_state_struct* self, WORD32 bs_frame_len,
-                         WORD32 residual_coding,
-                         ia_usac_dec_mps_config_struct* usac_mps_config);
+WORD32 ixheaacd_mps_create(ia_mps_dec_state_struct* self, WORD32 bs_frame_len,
+                           WORD32 residual_coding,
+                           ia_usac_dec_mps_config_struct* usac_mps_config);
 
 VOID ixheaacd_mps_frame_parsing(ia_mps_dec_state_struct* self,
                                 WORD32 independency_flag,

From 40c1157b52adfd71abc5db618252f381b95a2b72 Mon Sep 17 00:00:00 2001
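Review bot: The early `if (err_code != 0) return err_code;` leaves ixheaacd_mps_create before the rest of the state setup, including the opd_smooth memsets that precede the `return 0;` in the later hunk, so on failure `self` is only partially initialised. That is acceptable only because the caller in ixheaacd_decode_init abandons the decoder on a nonzero return, and that dependency should be written down next to the check: `/* self is only partially initialised on error; the caller must not use it. */`. The function body between the two hunks is outside the diff, so whether any other field written there is read by the teardown path cannot be confirmed here.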
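Review bot: The prototype in ixheaacd_mps_interface.h changes the return type from VOID to WORD32 without documenting what the value means, so callers have to read ixheaacd_mps_dec.c to learn that the result is the code of ixheaacd_mps_header_decode. A one-line contract above the declaration would close that gap: `/* Returns 0 on success, otherwise the error code reported by ixheaacd_mps_header_decode(); self must not be used after a failure. */`.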
From: Ramesh Katuri
Date: Fri, 22 Jun 2018 11:15:18 +0530
Subject: [PATCH 2/5] Fix for sanitizer multiplication overflow error

Bug: 110596152
Test: re-run POC
Change-Id: I24b01b4ab13987abd028f013262f732cd06e81f8
---
 decoder/ixheaacd_arith_dec.c  |  3 +++
 decoder/ixheaacd_avq_dec.c    |  7 ++++---
 decoder/ixheaacd_ext_ch_ele.c | 10 ++++++----
 3 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/decoder/ixheaacd_arith_dec.c b/decoder/ixheaacd_arith_dec.c
index af9f4c0..fa18f61 100644
--- a/decoder/ixheaacd_arith_dec.c
+++ b/decoder/ixheaacd_arith_dec.c
@@ -1950,6 +1950,9 @@ static VOID ixheaacd_esc_iquant(WORD32 *q, WORD32 *coef, WORD32 noise_level,
     if (q[i] < 0) {
       flag = -1;
       q[i] = -q[i];
+      if (q[i] >= 8192) {
+        q[i] = 8191;
+      }
     }
 
     if (q[i] < 1024) {
diff --git a/decoder/ixheaacd_avq_dec.c b/decoder/ixheaacd_avq_dec.c
index fae899d..478edd8 100644
--- a/decoder/ixheaacd_avq_dec.c
+++ b/decoder/ixheaacd_avq_dec.c
@@ -97,7 +97,8 @@ static VOID ixheaacd_nearest_neighbor_2d(WORD32 x[], WORD32 y[], WORD32 count,
 VOID ixheaacd_voronoi_search(WORD32 x[], WORD32 y[], WORD32 count, WORD32 *rem1,
                              WORD32 *rem2) {
   WORD32 i, y0[8], y1[8];
-  WORD32 e0, e1, x1[8], tmp;
+  WORD32 x1[8], tmp;
+  WORD64 e0, e1;
 
   ixheaacd_nearest_neighbor_2d(x, y0, count, rem1);
   for (i = 0; i < 8; i++) {
@@ -122,9 +123,9 @@ VOID ixheaacd_voronoi_search(WORD32 x[], WORD32 y[], WORD32 count, WORD32 *rem1,
   e0 = e1 = 0;
   for (i = 0; i < 8; i++) {
     tmp = rem1[i];
-    e0 += tmp * tmp;
+    e0 += (WORD64)tmp * tmp;
     tmp = rem2[i];
-    e1 += tmp * tmp;
+    e1 += (WORD64)tmp * tmp;
   }
 
   if (e0 < e1) {
diff --git a/decoder/ixheaacd_ext_ch_ele.c b/decoder/ixheaacd_ext_ch_ele.c
index 5f09ba8..8bc17e7 100644
--- a/decoder/ixheaacd_ext_ch_ele.c
+++ b/decoder/ixheaacd_ext_ch_ele.c
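Review bot: In ixheaacd_esc_iquant the new `if (q[i] >= 8192) { q[i] = 8191; }` sits inside the `q[i] < 0` branch, so a positive q[i] of 8192 or more flows on unclamped into the `q[i] < 1024` chain and whatever table lookups follow it outside the hunk; the clamp needs to apply to both signs, i.e. be placed after the closing brace of the sign branch. Patch 3 of this series does exactly that, so the intermediate state of this commit should at least be called out in its description. The function continues beyond the hunk.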
@@ -364,18 +364,20 @@ static VOID ixheaacd_filter_and_add(const WORD32 *in, const WORD32 length, sum = ixheaacd_mult32x32in64(in[0], filter[0]); sum = ixheaacd_mac32x32in64_n(sum, &in[0], &filter[1], 6); - *out += (WORD32)((sum * factor_even) >> 15); + + *out = ixheaacd_add32_sat(*out, (WORD32)((sum * factor_even) >> 15)); + out++; for (i = 3; i < length - 4; i += 2) { sum = 0; sum = ixheaacd_mac32x32in64_7(sum, &in[i - 3], filter); - *out += (WORD32)((sum * factor_odd) >> 15); + *out = ixheaacd_add32_sat(*out, (WORD32)((sum * factor_odd) >> 15)); out++; sum = 0; sum = ixheaacd_mac32x32in64_7(sum, &in[i - 2], filter); - *out += (WORD32)((sum * factor_even) >> 15); + *out = ixheaacd_add32_sat(*out, (WORD32)((sum * factor_even) >> 15)); out++; } i = length - 3; @@ -525,7 +527,7 @@ static WORD32 ixheaacd_cplx_pred_upmixing( (WORD32)((WORD64)ixheaacd_mult32x32in64( alpha_q_im_temp, dmx_im[i]) >> 24); - r_spec[i] = (factor) * (l_spec[i] - mid_side); + r_spec[i] = (factor)*ixheaacd_sub32_sat(l_spec[i], mid_side); l_spec[i] = l_spec[i] + mid_side; } From 97123f8e06bce2f45ef5cb447795bd650325e04a Mon Sep 17 00:00:00 2001 From: Ray Essick Date: Mon, 15 Oct 2018 17:45:52 -0700 Subject: [PATCH 3/5] Clean an array bounds violation. unchecked bounds on array that was also 1 entry to small. Bug: 110596152 Test: vendor Change-Id: Ia6c0ddd342257177323a87af85fb42ba24eb8d11 --- decoder/ixheaacd_arith_dec.c | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/decoder/ixheaacd_arith_dec.c b/decoder/ixheaacd_arith_dec.c index fa18f61..77b516d 100644 --- a/decoder/ixheaacd_arith_dec.c +++ b/decoder/ixheaacd_arith_dec.c @@ -599,7 +599,7 @@ const WORD64 ixheaacd_table_exp[32] = { static const WORD32 ixheaacd_pow_14_3[8] = {0, 3251, 4096, 5161, 6502, 8192, 10321, 13004}; -const WORD32 ixheaacd_pow_table_Q13[1024] = {0, +const WORD32 ixheaacd_pow_table_Q13[1025] = {0, 131072 >> 4, 330281 >> 4, 567116 >> 4, 
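Review bot: The added `out++;` after the first saturated store in ixheaacd_filter_and_add is a behavioural change rather than overflow hardening: as far as the hunk shows, the old code accumulated the first-sample contribution and the loop's first odd-sample contribution into the same `*out`, and after this change every later store lands one element further along, while the commit message only mentions the multiplication overflow. If the shift is the intended fix it belongs in the description, and the tail handling after `i = length - 3;` and the caller's output buffer length (both outside the hunk) need to have been re-checked for the extra write. Separately, `(WORD32)((sum * factor_even) >> 15)` still narrows silently before the saturating add, so only the accumulation is protected; if `sum` is the 64-bit accumulator its helper names suggest, a saturating narrowing there would be consistent with the rest of the change. The function starts before and ends after the hunk.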
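Review bot: `l_spec[i] = l_spec[i] + mid_side;` on the line directly below the changed one in ixheaacd_cplx_pred_upmixing is the same plain signed addition the hunk just replaced with a saturating subtraction for r_spec, so the overflow the sanitizer reports for this function is only half closed; `l_spec[i] = ixheaacd_add32_sat(l_spec[i], mid_side);` completes it. The product `(factor)*ixheaacd_sub32_sat(l_spec[i], mid_side)` can also wrap if `factor` is ever anything other than ±1, which the hunk does not show; a comment stating factor's range, or a saturating multiply, would make that explicit. The function begins and ends outside the hunk.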
@@ -1622,7 +1622,8 @@ const WORD32 ixheaacd_pow_table_Q13[1024] = {0,
     84111783,
     84221751,
     84331755,
-    84441795};
+    84441795,
+    84551870};
 
 static WORD32 ixheaacd_esc_nb_offset[8] = {0, 131072, 262144, 393216, 524288,
                                            655360, 786432, 917504};
@@ -1943,16 +1944,13 @@ static VOID ixheaacd_esc_iquant(WORD32 *q, WORD32 *coef, WORD32 noise_level,
       }
     }
 
-    if (q[i] >= 8192) {
-      q[i] = 8191;
-    }
-
     if (q[i] < 0) {
       flag = -1;
       q[i] = -q[i];
-      if (q[i] >= 8192) {
-        q[i] = 8191;
-      }
+    }
+
+    if (q[i] >= 8192) {
+      q[i] = 8191;
     }
 
     if (q[i] < 1024) {

From 639e7a88a52194b0473f2d76cccfc7b3e3f4d152 Mon Sep 17 00:00:00 2001
From: Ramesh Katuri
Date: Wed, 10 Oct 2018 13:27:48 +0530
Subject: [PATCH 4/5] Fix for OOB read in bit stream parsing in mps module

icc and cld index are calculated using parameters derived from bit stream.There is no bound check for icc and cld index, because of which OOB read is happening in mps parsing After icc and cld index calculation,values are clamped to avoid OOB read

Bug:112856493
Bug:112858430
Test: poc
Change-Id: I59905926d8a2d1a532bec33e5998a67531a99bd9
---
 decoder/ixheaacd_mps_parse.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/decoder/ixheaacd_mps_parse.c b/decoder/ixheaacd_mps_parse.c
index 9326edf..e5ba760 100644
--- a/decoder/ixheaacd_mps_parse.c
+++ b/decoder/ixheaacd_mps_parse.c
@@ -110,6 +110,12 @@ static int ixheaacd_smoothing_time_table[] = {64, 128, 256, 512};
 static int ixheaacd_inverse_smoothing_time_table_q30[] = {16777216, 8388608,
                                                           4194304, 2097152};
 
+static WORD32 bound_check(WORD32 var, WORD32 lower_bound, WORD32 upper_bound) {
+  var = min(var, upper_bound);
+  var = max(var, lower_bound);
+  return var;
+}
+
 static VOID ixheaacd_longmult1(unsigned short a[], unsigned short b,
                                unsigned short d[], int len) {
   int k;
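Review bot: With the clamp moved after the sign branch in ixheaacd_esc_iquant, `q[i] = -q[i];` still executes before any range check, so a q[i] equal to INT_MIN would overflow during negation before `if (q[i] >= 8192)` ever sees it; whether the arithmetic decoder can produce that value is not visible in the hunk. Clamping the negative side first removes the question: inside the `q[i] < 0` branch, `if (q[i] < -8191) q[i] = -8191;` ahead of the negation, after which the existing 8191 clamp handles the positive side. The function continues beyond the hunk.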
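Review bot: `bound_check` in ixheaacd_mps_parse.c is the one file-scope helper on this page without the `ixheaacd_` prefix its neighbours carry (ixheaacd_longmult1 immediately below it), and it depends on `min`/`max` that the hunk does not define; if those are function-like macros the double evaluation is harmless here because every argument is a plain variable, but that is worth stating. Proposed: rename to `ixheaacd_bound_check`, mark it `static inline`, and head it with `/* Clamp var into [lower_bound, upper_bound], both inclusive; arguments are evaluated more than once by min/max, so pass only side-effect-free expressions. */`.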
@@ -803,9 +809,16 @@ static VOID ixheaacd_mps_mapindexdata(
   }
 
   for (ps = 0; ps < num_parameter_sets; ps++) {
-    for (band = band_start; band < band_stop; band++)
+    for (band = band_start; band < band_stop; band++) {
+      if (param_type == CLD) {
+        out_idx_data[ps][band] = bound_check(out_idx_data[ps][band], -15, 15);
+      } else if (param_type == ICC) // param_type is ICC
+      {
+        out_idx_data[ps][band] = bound_check(out_idx_data[ps][band], 0, 7);
+      }
       out_data[ps][band] =
           ixheaacd_mps_de_quantize(out_idx_data[ps][band], param_type);
+    }
   }
 
   if (ext_frame_flag) {

From 48b9e0f8576ae7b1d3eb52cc2e04b1ffbcc7b03c Mon Sep 17 00:00:00 2001
From: Ramesh Katuri
Date: Wed, 10 Oct 2018 14:48:15 +0530
Subject: [PATCH 5/5] Fix for stack buffer overflow in mps ecdata pair decode

Bug:116971427
Test: vendor
Change-Id: Icb76f5700651ba701b51fdc626e797f0ae86c2cf
---
 decoder/ixheaacd_mps_dec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/decoder/ixheaacd_mps_dec.c b/decoder/ixheaacd_mps_dec.c
index 0e5cb7d..851f942 100644
--- a/decoder/ixheaacd_mps_dec.c
+++ b/decoder/ixheaacd_mps_dec.c
@@ -1426,6 +1426,8 @@ WORD32 ixheaacd_mps_ecdatapairdec(ia_handle_bit_buf_struct it_bit_buff,
     }
   }
 
+  if (data_bands <= 0) return -1;
+
   if (!ixheaacd_huff_decode(it_bit_buff, data_array[0], data_array[1],
                             data_type, diff_type[0], diff_type[1],
                             pilot_coding_flag, pilot_data, data_bands,
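Review bot: The clamp ranges `-15, 15` and `0, 7` in ixheaacd_mps_mapindexdata are bare literals whose only justification is the size of the CLD and ICC dequantisation tables consulted by ixheaacd_mps_de_quantize, which are not visible in the hunk; defining them as named constants next to those tables (e.g. a constructed `IXHEAACD_CLD_IDX_MAX` / `IXHEAACD_ICC_IDX_MAX` pair derived from the table lengths) ties the bound to the table it protects so the two cannot drift apart on a later table edit. Clamping also silently accepts a malformed stream rather than reporting it; if this parser has an error return path, rejecting an out-of-range index would make corrupt input visible to the caller instead of decoding a substituted value. Style: the trailing `// param_type is ICC` comment restates its own condition and the brace on its own line breaks with the surrounding layout; `} else if (param_type == ICC) {` suffices. Any other param_type value reaches the dequantiser unclamped, which is fine only if those have no index-table lookup. The function begins before the hunk.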
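Review bot: `if (data_bands <= 0) return -1;` in ixheaacd_mps_ecdatapairdec bounds the band count from below only, yet the overflow named in the subject is a stack buffer overflow, which a non-positive count alone would not explain; `data_array[0]` and `data_array[1]` are declared outside the hunk, so whether data_bands is already limited to their length before this point cannot be confirmed here. If it is not, an upper-bound check against that array length belongs beside the new one; if it is, a comment such as `/* data_bands is bounded above by the parser (see the caller); only the non-positive case is rejected here. */` would record why the lower bound suffices. Returning a named error code rather than `-1` would also match the `return err_code` propagation introduced in patch 1. The call to ixheaacd_huff_decode continues past the end of the hunk.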