diff options
| author | Neelkamal Semwal <neelkamal.semwal@ittiam.com> | 2021-09-15 21:46:10 +0530 |
|---|---|---|
| committer | Ray Essick <essick@google.com> | 2021-09-23 08:25:48 -0700 |
| commit | 878bdeb38043407869c684fb73708b04e8fe0ce4 (patch) | |
| tree | 00451145e6200d31a516d1fc672d0892fc9dff52 | |
| parent | 052c1f0817948262b1291e1a902afe7fe881406c (diff) | |
| download | libopus-878bdeb38043407869c684fb73708b04e8fe0ce4.tar.gz | |
libOpus: fix OOB read in ssse4 correlation kernel
Few SIMD functions read 16 bytes at a time and this
potentially leads to OOB read for some buffers
allocated on stack using ALLOC() calls. In order to
avoid these OOB reads, ALLOC() now allocates 16 additional bytes.
Bug: 191352053
Test: poc in bug description
Test: atest VtsHalMediaC2V1_0TargetAudioDecTest
Test: atest VtsHalMediaC2V1_0TargetAudioEncTest
Change-Id: I4da2840844d60f251dd7a222f51d508e4eb8749f
| -rw-r--r-- | Android.bp | 1 | ||||
| -rw-r--r-- | celt/stack_alloc.h | 25 |
2 files changed, 23 insertions, 3 deletions
@@ -208,6 +208,7 @@ cc_library { "-DOPUS_BUILD", "-DFIXED_POINT", "-DUSE_ALLOCA", + "-DSIMD_EXTRA_ALLOC_BYTES=16", "-DHAVE_LRINT", "-DHAVE_LRINTF", "-DENABLE_HARDENING", diff --git a/celt/stack_alloc.h b/celt/stack_alloc.h index ae40e2a1..b289facd 100644 --- a/celt/stack_alloc.h +++ b/celt/stack_alloc.h @@ -88,10 +88,22 @@ * @param type Type of element */ +#ifndef SIMD_EXTRA_ALLOC_BYTES +#error define SIMD_EXTRA_ALLOC_BYTES appropriately in your makefile +/* + * Useful values: + * 0 for an all-scalar processor, which should never over-read the arrays + * 16 for an implementation using ARM Neon or X86 SSE4 instructions, which work + * with blocks of 16 bytes (128 bits) + */ +#endif + #if defined(VAR_ARRAYS) #define VARDECL(type, var) -#define ALLOC(var, size, type) type var[size] +// include a full SIMD width afterwards; +#define ALLOC(var, size, type) type var[(size) + ((SIMD_EXTRA_ALLOC_BYTES)/sizeof(type))] + #define SAVE_STACK #define RESTORE_STACK #define ALLOC_STACK @@ -103,9 +115,11 @@ #define VARDECL(type, var) type *var # ifdef _WIN32 -# define ALLOC(var, size, type) var = ((type*)_alloca(sizeof(type)*(size))) +# define ALLOC(var, size, type) var = \ + ((type*)_alloca(sizeof(type)*(size) + SIMD_EXTRA_ALLOC_BYTES)) # else -# define ALLOC(var, size, type) var = ((type*)alloca(sizeof(type)*(size))) +# define ALLOC(var, size, type) var = \ + ((type*)alloca(sizeof(type)*(size) + SIMD_EXTRA_ALLOC_BYTES)) # endif #define SAVE_STACK @@ -151,6 +165,11 @@ extern char *global_stack_top; #endif /* ENABLE_VALGRIND */ +// this path has NOT been modified to be safe in the face of SIMD over-reads +#if SIMD_EXTRA_ALLOC_BYTES != 0 +#error "ALLOC() is not updated in this configuration to provide for SIMD over-reads" +#endif + #include "os_support.h" #define VARDECL(type, var) type *var #define ALLOC(var, size, type) var = PUSH(global_stack, size, type) |