author | Jean-Michel Trivi <jmtrivi@google.com> | 2018-09-10 15:50:19 -0700 |
---|---|---|
committer | Tim Schumacher <timschumi@gmx.de> | 2019-02-02 15:49:46 +0100 |
commit | ca8c9933758cb85b2a8e8cc116861a077558d696 (patch) | |
tree | df0cbc32c23f66baf4f8b5f635c0f84b72f680de | |
parent | e5fa73067cc77174871accfd35dc58d4a9be0d00 (diff) | |
Prevent out of bounds accesses in lppTransposer()replicant-6.0-0004-transitionreplicant-6.0-0004-rc6replicant-6.0-0004-rc5-transitionreplicant-6.0-0004-rc5replicant-6.0-0004-rc4replicant-6.0-0004-rc3replicant-6.0-0004-rc2replicant-6.0-0004cm-13.0
Check validity of pSettings->noOfPatches to prevent out of bounds
access in lppTransposer(), which can also cause memSize to be
negative.
Bug: 112160868
Test: see poc in bug
Change-Id: I789030b116da7f8ea261001b43ef6c677dd58a3d
Merged-In: I6a2161865d9cb9b51dc37c09d6e3a4a8e5d11f86
(cherry picked from commit 56ef80d7fec1fd9e201262348a96b8660558105a)
-rw-r--r-- | Android.mk | 2 | ||||
-rw-r--r-- | libSBRdec/src/lpp_tran.cpp | 37 |
2 files changed, 26 insertions, 13 deletions
@@ -41,6 +41,8 @@ LOCAL_SRC_FILES := \
 LOCAL_CFLAGS += -Wno-sequence-point -Wno-extra
+LOCAL_SHARED_LIBRARIES := liblog
+
 LOCAL_C_INCLUDES := \
 $(LOCAL_PATH)/libAACdec/include \
 $(LOCAL_PATH)/libAACenc/include \
diff --git a/libSBRdec/src/lpp_tran.cpp b/libSBRdec/src/lpp_tran.cpp
index e30dd1e..c3f62fb 100644
--- a/libSBRdec/src/lpp_tran.cpp
+++ b/libSBRdec/src/lpp_tran.cpp
@@ -96,6 +96,10 @@ amm-info@iis.fraunhofer.de
 \sa lppTransposer(), main_audio.cpp, sbr_scale.h, \ref documentationOverview */
+#ifdef __ANDROID__
+#include "log/log.h"
+#endif
+
 #include "lpp_tran.h"
 #include "sbr_ram.h"
@@ -256,7 +260,6 @@ void lppTransposer (HANDLE_SBR_LPP_TRANS hLppTrans, /*!< Handle of lpp transp
 int ovLowBandShift;
 int lowBandShift;
 /* int ovHighBandShift;*/
- int targetStopBand;
 alphai[0] = FL2FXCONST_SGL(0.0f);
@@ -273,24 +276,32 @@ void lppTransposer (HANDLE_SBR_LPP_TRANS hLppTrans, /*!< Handle of lpp transp
 autoCorrLength = pSettings->nCols + pSettings->overlap;
- /* Set upper subbands to zero:
- This is required in case that the patches do not cover the complete highband
- (because the last patch would be too short).
- Possible optimization: Clearing bands up to usb would be sufficient here. */
- targetStopBand = patchParam[pSettings->noOfPatches-1].targetStartBand
- + patchParam[pSettings->noOfPatches-1].numBandsInPatch;
+ if (pSettings->noOfPatches > 0) {
+ /* Set upper subbands to zero:
+ This is required in case that the patches do not cover the complete highband
+ (because the last patch would be too short).
+ Possible optimization: Clearing bands up to usb would be sufficient here. */
+ int targetStopBand = patchParam[pSettings->noOfPatches-1].targetStartBand
+ + patchParam[pSettings->noOfPatches-1].numBandsInPatch;
- int memSize = ((64) - targetStopBand) * sizeof(FIXP_DBL);
+ int memSize = ((64) - targetStopBand) * sizeof(FIXP_DBL);
- if (!useLP) {
+ if (!useLP) {
+ for (i = startSample; i < stopSampleClear; i++) {
+ FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize);
+ FDKmemclear(&qmfBufferImag[i][targetStopBand], memSize);
+ }
+ } else
 for (i = startSample; i < stopSampleClear; i++) {
 FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize);
- FDKmemclear(&qmfBufferImag[i][targetStopBand], memSize);
 }
- } else
- for (i = startSample; i < stopSampleClear; i++) {
- FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize);
 }
+#ifdef __ANDROID__
+ else {
+ // Safetynet logging
+ android_errorWriteLog(0x534e4554, "112160868");
+ }
+#endif
 /* init bwIndex for each patch */
 FDKmemclear(bwIndex, MAX_NUM_PATCHES*sizeof(INT)); |
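Review bot: The new guard `if (pSettings->noOfPatches > 0)` rejects only a non-positive count; nothing in this hunk bounds `noOfPatches` from above or checks that `targetStopBand` lies within 0..64. `memSize` is a signed `int` used as the FDKmemclear length, so it can still go negative when the last patch's `targetStartBand + numBandsInPatch` exceeds 64, and `&qmfBufferReal[i][targetStopBand]` would then start past the row. Unless those fields are already validated where the patch table is built (not visible here), I would add `if (targetStopBand < 0 || targetStopBand > 64) { /* log and skip the clear */ }` before computing `memSize`, and an upper bound on `noOfPatches` tied to the size of `patchParam`. The `else` inside `#ifdef __ANDROID__` binds to the `if` across a preprocessor boundary, so a comment such as `/* else-branch of the noOfPatches check; must stay directly after its closing brace */` would guard against later breakage. lppTransposer continues outside the hunk, so whether the later per-patch code tolerates an invalid count cannot be confirmed from here.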