Error code was OR'ed with its current value during
spectral data reading, causing it to become greater
than allowable range in error message pointer. As fix,
removed the OR operation on error code.
Also added missing returns after TNS data read.
Bug:114744498
Test: poc
Change-Id: I62d97f4c6184ad200e8e5f90f6f9b128c3b6127b
Input stream contains an erroneous PCE. While parsing
PCE error code was not handled properly,because of this
number of channels are updated with wrong value.
Internal buffers are accessed using number of channels
as array index,because of wrong number of channels
NULL pointer is getting deferred
Bug: 112715634
Test: poc
Change-Id: I3e3d30fed737d62f52f2757b547fe26f1c9c06da
Out of bound access in mps parsing. Erroneous stream
is causing OOB access (array index becomes OOB).As a
fix, this index is limited to allowable range.
Bug:112859714
Test: poc
Change-Id: Ib9a955de021988d28ef5a2326fbd893e22e58f75
For this stream, input size is very high that causes scale
factor reading to read beyond bit-buffer pointer end limit
due to no OOB access check. As a fix, added this check in
the bit read functionality.
Bug:113508105
Test: poc+asan
Change-Id: I8323815928c3104af0f037ed599455d6e239f926
For this stream, input size is very high that causes
huffman decoding to access beyond bit-buffer pointer
end limit due to no OOB access check. As a fix,added
this check in the bit read functionality.
Bug:112611181
Bug:113508101
Test: poc before/after
Change-Id: I4b7cc9624a388e8a20c7d4b11998dfed9c90d3f6
Subtraction overflow was obseerved in the process window
sequence function which was fixed by adding saturation
check after subtraction. Bits available in rvlc decode
function is becoming negative. A check has been added
before reading bits from input buffer.
Bug:113262406
Test: poc with ASAN
Change-Id: I729420c9df163b9c8cf474e884c8b6d137781855
Number of envelopes is equal to 2^n, where n obtained by
reading 2 bits from bit stream,so maximum value for number
of envelopes is 8. Time slot array table is accessed using
number of envelopes. The Minimum and Maximum values are 0
and 6,based on these values the table is modified.
Bug:112765917
Test: re-run poc
Change-Id: I42a44fc2376536d5119a8290a14726c9c5badd19
(cherry picked from commit 61a09f1063)
Maximum crc registers allowed is 7. Crc registers are accessed
and updated inside the function ixheaacd_adts_crc_start_reg().
Check has been added before the function call so that if the
register value is less than 7 then only the function gets called.
Bug:112551726
Bug:112551874
Bug:112609715
Bug:112713720
Bug:112715795
Bug:113261928
Test: poc
Change-Id: I3935546b8fb3dc5c82bee16639df771349e6d2b6
(cherry picked from commit 55c1da8c37)
(cherry picked from commit b0768b0564)
Reason for crash:
For the below reported issues input stream has only one
coupling channel element. As per the specification coupling
channel element should be associated with at least one main
channel element.
We have different output buffers for main channel
and coupling channel. In this error case the coupling
channel output buffer is not getting updated because
there is no main channel, so main decode is called with
output buffer pointing to NULL.
This is the reason for all the issues listed below.
Bug:112551721
Bug:112704700
Bug:112706520
Bug:112710190
Bug:112712274
Bug:112717301
Test: re-run poc
Change-Id: Ife593ca4ae21f05555b6a89092ff76b974e28a67
(cherry picked from commit b5597cea85)
Number of elements allowed in usac profile are 16. Erroneous input
stream in this use case has 63336 elements.We have an error
check for this max number of elements while parsing the decoder
configuration.This returned error code was not handled properly.
Maximum 16 config elements can be used while codec creation,because
of number of elements values is coming as 63336, during
creation time OOB read is happening.
Bug:112766520
Bug:112857468
Bug:112913145
Bug:112918261
Test: re-ran poc
Change-Id: If9413546371f72a6896f5c7e7d22a314e484cf76
(cherry picked from commit 4878ef09c7)
While parsing the input stream in mps_pre_matrix function,
there was an error.This error was not handled properly,
because of which further values which are read from bit stream
are getting wrong values.
We use these value in iteration in ixheaacd_mps_getstridemap()
which is causing stack-buffer-overflow
Bug:112857941
Test: poc+ASAN
Change-Id: I9549b06e0e4e362f517869aef75d579e3e4140a6
(cherry picked from commit 28a1411d72)
The maximum number of channels supported for usac profile in
libxaac decoder is two only.Input streams of the below reported
issues contain multi channel,because of multi channel the write
offset is incremented by greater 2, which causes out of bound
memory access while writing.
Bug:112858010
Bug:112859113
Test: re-run POC
Change-Id: Ide57cb8ee39d77d0f386298e899683d460a3c18b
(cherry picked from commit 2491a07484)
Maximum crc registers allowed is 7. Crc registers are accessed
and updated inside the function ixheaacd_adts_crc_start_reg().
Check has been added before the function call so that if the
register value is less than 7 then only the function gets called.
Bug:112551726
Bug:112551874
Bug:112609715
Bug:112713720
Bug:112715795
Bug:113261928
Test: poc
Change-Id: I3935546b8fb3dc5c82bee16639df771349e6d2b6
(cherry picked from commit 55c1da8c37)
Number of envelopes is equal to 2^n, where n obtained by
reading 2 bits from bit stream,so maximum value for number
of envelopes is 8. Time slot array table is accessed using
number of envelopes. The Minimum and Maximum values are 0
and 6,based on these values the table is modified.
Bug:112765917
Test: re-run poc
Change-Id: I42a44fc2376536d5119a8290a14726c9c5badd19
Reason for crash:
For the below reported issues input stream has only one
coupling channel element. As per the specification coupling
channel element should be associated with at least one main
channel element.
We have different output buffers for main channel
and coupling channel. In this error case the coupling
channel output buffer is not getting updated because
there is no main channel, so main decode is called with
output buffer pointing to NULL.
This is the reason for all the issues listed below.
Bug:112551721
Bug:112704700
Bug:112706520
Bug:112710190
Bug:112712274
Bug:112717301
Test: re-run poc
Change-Id: Ife593ca4ae21f05555b6a89092ff76b974e28a67
Number of elements allowed in usac profile are 16. Erroneous input
stream in this use case has 63336 elements.We have an error
check for this max number of elements while parsing the decoder
configuration.This returned error code was not handled properly.
Maximum 16 config elements can be used while codec creation,because
of number of elements values is coming as 63336, during
creation time OOB read is happening.
Bug:112766520
Bug:112857468
Bug:112913145
Bug:112918261
Test: re-ran poc
Change-Id: If9413546371f72a6896f5c7e7d22a314e484cf76
