authorTreeHugger Robot <treehugger-gerrit@google.com>2019-03-08 14:57:21 +0000
committerAndroid (Google) Code Review <android-gerrit@google.com>2019-03-08 14:57:21 +0000
commit7b0b01f14de0382e6d16ea2e06d92cc2b1b9df57 (patch)
tree8ae190f1052cfcff9e5902b351b48c4fdd324960
parentee391b5dfade6345617a0af0c1b740dabc1a97aa (diff)
parent2c9929c4a356ae19bd690e0660bd2fa822290fe2 (diff)
downloadlibxaac-7b0b01f14de0382e6d16ea2e06d92cc2b1b9df57.tar.gz
Merge "Fix for heap-buffer-overflow in ixheaacd_aac_showbits_32"
-rw-r--r--decoder/ixheaacd_bitbuffer.c4
-rw-r--r--decoder/ixheaacd_bitbuffer.h3
-rw-r--r--decoder/ixheaacd_block.c84
-rw-r--r--decoder/ixheaacd_channel.c24
-rw-r--r--decoder/ixheaacd_huff_code_reorder.c25
-rw-r--r--decoder/ixheaacd_longblock.c23
-rw-r--r--decoder/ixheaacd_multichannel.c3
-rw-r--r--decoder/ixheaacd_spectrum_dec.c11
8 files changed, 120 insertions, 57 deletions
diff --git a/decoder/ixheaacd_bitbuffer.c b/decoder/ixheaacd_bitbuffer.c
index efb82c6..0882689 100644
--- a/decoder/ixheaacd_bitbuffer.c
+++ b/decoder/ixheaacd_bitbuffer.c
@@ -17,6 +17,7 @@
*****************************************************************************
* Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore
*/
+#include <string.h>
#include "ixheaacd_sbr_common.h"
#include <ixheaacd_type_def.h>
#include <assert.h>
@@ -289,7 +290,8 @@ WORD32 ixheaacd_read_bit(ia_bit_buf_struct *it_bit_buff, WORD32 no_of_bits) {
return 0;
}
- ret_val = ixheaacd_aac_showbits_32(ptr_read_next);
+ ret_val =
+ ixheaacd_aac_showbits_32(ptr_read_next, it_bit_buff->bit_count, NULL);
it_bit_buff->byte_ptr += (no_of_bits >> 3);
if (it_bit_buff->valid_bits != 8) {
diff --git a/decoder/ixheaacd_bitbuffer.h b/decoder/ixheaacd_bitbuffer.h
index 09315cd..d029971 100644
--- a/decoder/ixheaacd_bitbuffer.h
+++ b/decoder/ixheaacd_bitbuffer.h
@@ -113,7 +113,8 @@ WORD32 ixheaacd_show_bits_buf(ia_bit_buf_struct *it_bit_buff, WORD no_of_bits);
VOID ixheaacd_read_bidirection(ia_bit_buf_struct *it_bit_buff,
WORD32 ixheaacd_drc_offset);
-UWORD32 ixheaacd_aac_showbits_32(UWORD8 *ptr_read_next);
+UWORD32 ixheaacd_aac_showbits_32(UWORD8 *ptr_read_next, WORD32 cnt_bits,
+ WORD32 *increment);
UWORD32 ixheaacd_aac_read_byte(UWORD8 **ptr_read_next, WORD32 *bit_pos,
WORD32 *readword);
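Review bot: The new prototype gives no indication of what `cnt_bits` and `increment` mean, and callers in this commit pass both `cnt_bits` and `bit_count` as the second argument and sometimes `NULL` as the third. A header comment should state that `cnt_bits` is the number of bits still available starting at `ptr_read_next`, that `increment` is optional and receives the number of bytes actually fetched (0 to 4), and that the low bytes of the result are zero when fewer than four bytes were fetched. Since the definition in ixheaacd_channel.c only reads through the pointer, the parameter could also be declared `const UWORD8 *ptr_read_next`.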
diff --git a/decoder/ixheaacd_block.c b/decoder/ixheaacd_block.c
index ada5e61..d67e817 100644
--- a/decoder/ixheaacd_block.c
+++ b/decoder/ixheaacd_block.c
@@ -169,10 +169,14 @@ static PLATFORM_INLINE WORD ixheaacd_huffman_dec_word1(
WORD len_idx = 0;
UWORD8 *ptr_read_next = it_bit_buff->ptr_read_next;
WORD32 bit_pos = it_bit_buff->bit_pos;
- WORD32 read_word = ixheaacd_aac_showbits_32(ptr_read_next);
WORD16 index;
WORD32 length;
- ptr_read_next += 4;
+ WORD32 read_word;
+ WORD32 increment;
+
+ read_word = ixheaacd_aac_showbits_32(ptr_read_next, it_bit_buff->cnt_bits,
+ &increment);
+ ptr_read_next += increment;
do {
len_idx = offsets[1] - offsets[0];
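Review bot: `increment` is used here only to advance `ptr_read_next`; a short prefetch (`increment < 4`) is not distinguished from a full one, so the loop that follows decodes the zero padding in `read_word` as if it were bitstream data. Whether truncation is detected later, for instance by `cnt_bits` going negative, is not visible in this hunk, and the function body continues outside it. At minimum a comment such as `/* read_word is zero-padded when fewer than 4 bytes remain; increment = bytes actually fetched */` belongs on the call. The same prologue is repeated in ixheaacd_huffman_dec_word2_11, ixheaacd_huffman_dec_quad, ixheaacd_huffman_dec_word2_quad, ixheaacd_huffman_dec_pair and ixheaacd_huffman_dec_word2_pair.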
@@ -320,8 +324,12 @@ static PLATFORM_INLINE WORD ixheaacd_huffman_dec_word1(
no_bands--;
} while (no_bands >= 0);
+ ptr_read_next = ptr_read_next - increment;
+ ixheaacd_aac_read_byte_corr1(&ptr_read_next, &bit_pos, &read_word,
+ it_bit_buff->ptr_bit_buf_end);
+
it_bit_buff->bit_pos = bit_pos;
- it_bit_buff->ptr_read_next = ptr_read_next - 4;
+ it_bit_buff->ptr_read_next = ptr_read_next;
return err_code;
}
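Review bot: The epilogue added here (rewind by `increment`, call `ixheaacd_aac_read_byte_corr1`, store the pointer) is copied almost verbatim into five more functions in this file and into ixheaacd_section_data, with nothing explaining why the extra `ixheaacd_aac_read_byte_corr1` call is needed after the rewind. A small `static PLATFORM_INLINE` helper taking the bit buffer, `ptr_read_next`, `&bit_pos`, `&read_word` and `increment` would keep the seven copies from drifting apart, and its header comment is the place to record the reason for the call. The rewind is only correct if every refill inside the loop, which lies outside the hunk, advanced the pointer consistently with a prefetch of `increment` bytes rather than a fixed 4; that is worth confirming.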
@@ -340,8 +348,12 @@ static PLATFORM_INLINE WORD ixheaacd_huffman_dec_word2_11(
WORD32 length;
UWORD8 *ptr_read_next = it_bit_buff->ptr_read_next;
WORD32 bit_pos = it_bit_buff->bit_pos;
- WORD32 read_word = ixheaacd_aac_showbits_32(ptr_read_next);
- ptr_read_next += 4;
+ WORD32 read_word;
+ WORD32 increment;
+
+ read_word = ixheaacd_aac_showbits_32(ptr_read_next, it_bit_buff->cnt_bits,
+ &increment);
+ ptr_read_next += increment;
for (idx = width; idx != 0; idx -= 2) {
{
@@ -473,8 +485,11 @@ static PLATFORM_INLINE WORD ixheaacd_huffman_dec_word2_11(
}
}
}
+ ptr_read_next = ptr_read_next - increment;
+ ixheaacd_aac_read_byte_corr1(&ptr_read_next, &bit_pos, &read_word,
+ it_bit_buff->ptr_bit_buf_end);
- it_bit_buff->ptr_read_next = ptr_read_next - 4;
+ it_bit_buff->ptr_read_next = ptr_read_next;
it_bit_buff->bit_pos = bit_pos;
return err_code;
@@ -490,8 +505,12 @@ static PLATFORM_INLINE WORD ixheaacd_huffman_dec_quad(
WORD16 index, length;
UWORD8 *ptr_read_next = it_bit_buff->ptr_read_next;
WORD32 bit_pos = it_bit_buff->bit_pos;
- WORD32 read_word = ixheaacd_aac_showbits_32(ptr_read_next);
- ptr_read_next += 4;
+ WORD32 read_word;
+ WORD32 increment;
+
+ read_word = ixheaacd_aac_showbits_32(ptr_read_next, it_bit_buff->cnt_bits,
+ &increment);
+ ptr_read_next += increment;
spec_orig = spec_coef;
do {
idx_len = offsets[1] - offsets[0];
@@ -610,7 +629,10 @@ static PLATFORM_INLINE WORD ixheaacd_huffman_dec_quad(
no_bands--;
} while (no_bands >= 0);
- it_bit_buff->ptr_read_next = ptr_read_next - 4;
+ ptr_read_next = ptr_read_next - increment;
+ ixheaacd_aac_read_byte_corr1(&ptr_read_next, &bit_pos, &read_word,
+ it_bit_buff->ptr_bit_buf_end);
+ it_bit_buff->ptr_read_next = ptr_read_next;
it_bit_buff->bit_pos = bit_pos;
return 0;
@@ -624,8 +646,12 @@ static PLATFORM_INLINE WORD ixheaacd_huffman_dec_word2_quad(
WORD16 index, length;
UWORD8 *ptr_read_next = it_bit_buff->ptr_read_next;
WORD32 bit_pos = it_bit_buff->bit_pos;
- WORD32 read_word = ixheaacd_aac_showbits_32(ptr_read_next);
- ptr_read_next += 4;
+ WORD32 read_word;
+ WORD32 increment;
+
+ read_word = ixheaacd_aac_showbits_32(ptr_read_next, it_bit_buff->cnt_bits,
+ &increment);
+ ptr_read_next += increment;
for (idx = width; idx != 0; idx -= 4) {
WORD32 ampres, ampres1;
@@ -765,7 +791,10 @@ static PLATFORM_INLINE WORD ixheaacd_huffman_dec_word2_quad(
it_bit_buff->ptr_bit_buf_end);
}
- it_bit_buff->ptr_read_next = ptr_read_next - 4;
+ ptr_read_next = ptr_read_next - increment;
+ ixheaacd_aac_read_byte_corr1(&ptr_read_next, &bit_pos, &read_word,
+ it_bit_buff->ptr_bit_buf_end);
+ it_bit_buff->ptr_read_next = ptr_read_next;
it_bit_buff->bit_pos = bit_pos;
return 0;
@@ -786,8 +815,12 @@ static PLATFORM_INLINE WORD ixheaacd_huffman_dec_pair(
UWORD8 *ptr_read_next = it_bit_buff->ptr_read_next;
WORD32 bit_pos = it_bit_buff->bit_pos;
- WORD32 read_word = ixheaacd_aac_showbits_32(ptr_read_next);
- ptr_read_next += 4;
+ WORD32 read_word;
+ WORD32 increment;
+
+ read_word = ixheaacd_aac_showbits_32(ptr_read_next, it_bit_buff->cnt_bits,
+ &increment);
+ ptr_read_next += increment;
do {
len_idx = offsets[1] - offsets[0];
@@ -860,7 +893,10 @@ static PLATFORM_INLINE WORD ixheaacd_huffman_dec_pair(
no_bands--;
} while (no_bands >= 0);
- it_bit_buff->ptr_read_next = ptr_read_next - 4;
+ ptr_read_next = ptr_read_next - increment;
+ ixheaacd_aac_read_byte_corr1(&ptr_read_next, &bit_pos, &read_word,
+ it_bit_buff->ptr_bit_buf_end);
+ it_bit_buff->ptr_read_next = ptr_read_next;
it_bit_buff->bit_pos = bit_pos;
return 0;
@@ -877,8 +913,12 @@ static PLATFORM_INLINE WORD ixheaacd_huffman_dec_word2_pair(
WORD16 index, length;
UWORD8 *ptr_read_next = it_bit_buff->ptr_read_next;
WORD32 bit_pos = it_bit_buff->bit_pos;
- WORD32 read_word = ixheaacd_aac_showbits_32(ptr_read_next);
- ptr_read_next += 4;
+ WORD32 read_word;
+ WORD32 increment;
+
+ read_word = ixheaacd_aac_showbits_32(ptr_read_next, it_bit_buff->cnt_bits,
+ &increment);
+ ptr_read_next += increment;
for (idx = width; idx != 0; idx -= 2) {
{
@@ -957,7 +997,10 @@ static PLATFORM_INLINE WORD ixheaacd_huffman_dec_word2_pair(
it_bit_buff->ptr_bit_buf_end);
}
- it_bit_buff->ptr_read_next = ptr_read_next - 4;
+ ptr_read_next = ptr_read_next - increment;
+ ixheaacd_aac_read_byte_corr1(&ptr_read_next, &bit_pos, &read_word,
+ it_bit_buff->ptr_bit_buf_end);
+ it_bit_buff->ptr_read_next = ptr_read_next;
it_bit_buff->bit_pos = bit_pos;
return 0;
@@ -1030,6 +1073,7 @@ WORD ixheaacd_huffman_dec_word2(ia_bit_buf_struct *it_bit_buff, WORD32 cb_no,
WORD ret_val = 0;
WORD32 huff_mode;
WORD start_bit_pos = it_bit_buff->bit_pos;
+ WORD32 cnt_bits = it_bit_buff->cnt_bits;
WORD32 *pow_table =
(WORD32 *)ptr_aac_tables->pstr_block_tables->ixheaacd_pow_table_Q13;
UWORD8 *start_read_pos = it_bit_buff->ptr_read_next;
@@ -1072,14 +1116,14 @@ WORD ixheaacd_huffman_dec_word2(ia_bit_buf_struct *it_bit_buff, WORD32 cb_no,
if (it_bit_buff->bit_pos <= 7) {
bits_cons = ((it_bit_buff->ptr_read_next - start_read_pos) << 3) +
(it_bit_buff->bit_pos - start_bit_pos);
- it_bit_buff->cnt_bits -= bits_cons;
+ it_bit_buff->cnt_bits = cnt_bits - bits_cons;
} else {
it_bit_buff->ptr_read_next += (it_bit_buff->bit_pos) >> 3;
it_bit_buff->bit_pos = it_bit_buff->bit_pos & 0x7;
bits_cons = ((it_bit_buff->ptr_read_next - start_read_pos) << 3) +
((it_bit_buff->bit_pos - start_bit_pos));
- it_bit_buff->cnt_bits -= bits_cons;
+ it_bit_buff->cnt_bits = cnt_bits - bits_cons;
}
}
return ret_val;
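Review bot: Replacing `it_bit_buff->cnt_bits -= bits_cons` with `cnt_bits - bits_cons` against a snapshot taken at entry only changes behaviour if `it_bit_buff->cnt_bits` is modified between the snapshot and this point, and nothing visible here says whether that happens or why the entry value is the right baseline. A comment at the declaration, for example `/* bits available on entry; cnt_bits is recomputed from this once decoding is done */`, would make the intent reviewable. Both branches also store the result without checking its sign, so a `bits_cons` larger than the snapshot leaves `cnt_bits` negative. The new `ixheaacd_aac_showbits_32` tolerates that by fetching nothing, but other readers of the field are not shown here.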
diff --git a/decoder/ixheaacd_channel.c b/decoder/ixheaacd_channel.c
index e452f37..6ebe402 100644
--- a/decoder/ixheaacd_channel.c
+++ b/decoder/ixheaacd_channel.c
@@ -82,15 +82,25 @@
#define SPEC(ptr, w, gl) ((ptr) + ((w) * (gl)))
-#define _SWAP(a, b) \
- (b = (((WORD32)a[0] << 24) | ((WORD32)a[1] << 16) | ((WORD32)a[2] << 8) | \
- ((WORD32)a[3])))
-
-UWORD32 ixheaacd_aac_showbits_32(UWORD8 *ptr_read_next) {
+UWORD32 ixheaacd_aac_showbits_32(UWORD8 *ptr_read_next, WORD32 cnt_bits,
+ WORD32 *increment) {
UWORD8 *v = ptr_read_next;
UWORD32 b = 0;
-
- _SWAP(v, b);
+ WORD32 i;
+ WORD32 bumped = 0;
+
+ for (i = 0; i < 4; i++) {
+ b = b << 8;
+ if (cnt_bits > 0) {
+ b = b | *v;
+ v++;
+ bumped++;
+ }
+ cnt_bits -= 8;
+ }
+ if (increment != NULL) {
+ *increment = bumped;
+ }
return b;
}
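Review bot: The bound comes entirely from the caller-supplied `cnt_bits`, so the fix is only as strong as each caller's bookkeeping: the function has no view of the end of the buffer, and call sites in this commit pass `cnt_bits` in some places and `bit_count` in others. The callers in ixheaacd_block.c and ixheaacd_spectrum_dec.c already hold `ptr_bit_buf_end` (it is passed to `ixheaacd_aac_read_byte_corr1` in this diff), so comparing the pointer against it, in addition to the bit counter, would fail closed even when the counter has drifted. The code removed from ixheaacd_read_scale_factor_data in this commit bounded its read by the distance to `ptr_bit_buf_end` in exactly that way. A comment above the function stating what `cnt_bits` must represent for the pointer passed in is missing.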
diff --git a/decoder/ixheaacd_huff_code_reorder.c b/decoder/ixheaacd_huff_code_reorder.c
index 8a67f2e..c7ef853 100644
--- a/decoder/ixheaacd_huff_code_reorder.c
+++ b/decoder/ixheaacd_huff_code_reorder.c
@@ -739,7 +739,10 @@ static PLATFORM_INLINE WORD16 ixheaacd_huff_dec_pair_hcr_non_pcw(
WORD16 index, length;
WORD32 y, z;
WORD32 read_word1;
- WORD32 read_word = ixheaacd_aac_showbits_32(itt_bit_buff->byte_ptr);
+ WORD32 read_word;
+
+ read_word = ixheaacd_aac_showbits_32(itt_bit_buff->byte_ptr,
+ itt_bit_buff->bit_count, NULL);
ixheaacd_huffman_decode(read_word, &index, &length, code_book_tbl, idx_table);
read_word1 = read_word << length;
@@ -1078,6 +1081,7 @@ static VOID ixheaacd_decode_pcw(ia_bit_buf_struct *itt_bit_buff,
UWORD16 cur_ext_sort_cw_sec;
UWORD8 codebook;
UWORD8 dimension;
+ WORD32 increment;
WORD32 num_ext_sorted_cw_in_sect_idx =
ptr_hcr_info->sect_info.num_ext_sorted_cw_in_sect_idx;
@@ -1101,10 +1105,11 @@ static VOID ixheaacd_decode_pcw(ia_bit_buf_struct *itt_bit_buff,
const UWORD8 *ptr_cb_dimension_tbl =
ptr_hcr_info->table_info.ptr_cb_dimension_tbl;
- WORD32 read_word = ixheaacd_aac_showbits_32(itt_bit_buff->ptr_read_next);
+ WORD32 read_word = ixheaacd_aac_showbits_32(
+ itt_bit_buff->ptr_read_next, itt_bit_buff->cnt_bits, &increment);
WORD32 read_bits = itt_bit_buff->cnt_bits;
- itt_bit_buff->ptr_read_next += 4;
+ itt_bit_buff->ptr_read_next += increment;
for (ext_sort_sec =
ptr_num_ext_sorted_sect_in_sets[num_ext_sorted_sect_in_sets_idx];
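Review bot: `itt_bit_buff->ptr_read_next` is now advanced by `increment` instead of 4, but none of this file's hunks changes a matching rewind in ixheaacd_decode_pcw. If the remainder of the function, which is outside the hunk, still steps the pointer back by a fixed 4 as the functions in ixheaacd_block.c did before this commit, a short prefetch would leave the stored pointer before its starting position. Please confirm, and if such a rewind exists change it to use `increment`.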
@@ -1279,7 +1284,10 @@ static PLATFORM_INLINE UWORD16 ixheaacd_huff_dec_quad_hcr_non_pcw(
const UWORD16 *code_book_tbl, WORD32 tbl_sign, const UWORD32 *idx_table) {
WORD16 index, length;
WORD16 cw_len;
- WORD32 read_word = ixheaacd_aac_showbits_32(itt_bit_buff->byte_ptr);
+ WORD32 read_word;
+
+ read_word = ixheaacd_aac_showbits_32(itt_bit_buff->byte_ptr,
+ itt_bit_buff->bit_count, NULL);
ixheaacd_huffman_decode(read_word, &index, &length, code_book_tbl, idx_table);
cw_len = length;
if (tbl_sign) {
@@ -1350,9 +1358,14 @@ static PLATFORM_INLINE UWORD16 ixheaacd_huff_dec_word_hcr_non_pcw(
WORD16 index;
WORD32 length;
- WORD32 read_word = ixheaacd_aac_showbits_32(itt_bit_buff->byte_ptr);
+ WORD32 read_word;
+ WORD32 increment;
+
+ read_word = ixheaacd_aac_showbits_32(itt_bit_buff->byte_ptr,
+ itt_bit_buff->bit_count, &increment);
+
UWORD8 *ptr_read_next = itt_bit_buff->byte_ptr;
- ptr_read_next += 4;
+ ptr_read_next += increment;
ixheaacd_huff_sfb_table(read_word, &index, &length, code_book_tbl, idx_table);
cw_len = length;
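Review bot: The assignment to `read_word` now sits ahead of the declaration `UWORD8 *ptr_read_next = itt_bit_buff->byte_ptr;`, which mixes statements and declarations, unlike the other functions touched in this commit. Declaring the pointer first and passing it keeps the block uniform and avoids reading `byte_ptr` twice: `UWORD8 *ptr_read_next = itt_bit_buff->byte_ptr;` followed by `read_word = ixheaacd_aac_showbits_32(ptr_read_next, itt_bit_buff->bit_count, &increment);`. The function body continues outside the hunk.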
diff --git a/decoder/ixheaacd_longblock.c b/decoder/ixheaacd_longblock.c
index 164d73b..7ac686b 100644
--- a/decoder/ixheaacd_longblock.c
+++ b/decoder/ixheaacd_longblock.c
@@ -174,23 +174,10 @@ VOID ixheaacd_read_scale_factor_data(
UWORD8 *ptr_read_next = it_bit_buff->ptr_read_next;
WORD32 bit_pos = 7 - it_bit_buff->bit_pos;
WORD32 read_word;
- WORD32 diffbytes;
-
- diffbytes = it_bit_buff->ptr_bit_buf_end - ptr_read_next;
- diffbytes++;
- if (diffbytes >= 4) {
- read_word = ixheaacd_aac_showbits_32(ptr_read_next);
- diffbytes = 4;
- ptr_read_next = it_bit_buff->ptr_read_next + 4;
- } else {
- WORD32 ii;
- read_word = 0;
- for (ii = 0; ii < diffbytes; ii++) {
- read_word = (read_word << 8) | (*ptr_read_next);
- ptr_read_next++;
- }
- read_word <<= ((4 - diffbytes) << 3);
- }
+ WORD32 increment;
+ read_word = ixheaacd_aac_showbits_32(ptr_read_next, it_bit_buff->cnt_bits,
+ &increment);
+ ptr_read_next += increment;
ptr_code_book = ptr_aac_dec_channel_info->ptr_code_book;
@@ -305,7 +292,7 @@ VOID ixheaacd_read_scale_factor_data(
}
}
- it_bit_buff->ptr_read_next = ptr_read_next - diffbytes;
+ it_bit_buff->ptr_read_next = ptr_read_next - increment;
it_bit_buff->bit_pos = 7 - bit_pos;
{
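Review bot: This epilogue only rewinds by `increment`, whereas ixheaacd_section_data and the Huffman decoders in ixheaacd_block.c gained an `ixheaacd_aac_read_byte_corr1` call after the same rewind in this commit. If the omission is deliberate, a one-line comment saying why the correction is not needed here would prevent a later reader from adding it by analogy; if not, the stored `ptr_read_next` and `bit_pos` may be left un-normalised. The loop that advances the pointer is outside the hunk, so this cannot be settled from the lines shown.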
diff --git a/decoder/ixheaacd_multichannel.c b/decoder/ixheaacd_multichannel.c
index 1c276b6..f7bc713 100644
--- a/decoder/ixheaacd_multichannel.c
+++ b/decoder/ixheaacd_multichannel.c
@@ -213,7 +213,8 @@ WORD16 ixheaacd_dec_coupling_channel_element(
if (cge) {
UWORD8 *ptr_read_next = bs->ptr_read_next;
WORD32 bit_pos = 7 - bs->bit_pos;
- WORD32 read_word = ixheaacd_aac_showbits_32(ptr_read_next);
+ WORD32 read_word =
+ ixheaacd_aac_showbits_32(bs->ptr_read_next, bs->cnt_bits, NULL);
UWORD32 read_word1;
read_word1 = read_word << bit_pos;
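Review bot: Passing `NULL` for `increment` discards the only record of how many bytes were actually fetched, so any refill after this point cannot tell that `read_word` was zero-padded near the end of the buffer. The code following the hunk is not shown; if it advances `ptr_read_next` through `ixheaacd_aac_read_byte`, whose prototype in ixheaacd_bitbuffer.h takes no end pointer, the read past the end of the buffer would simply move there. As a smaller point, the call now passes `bs->ptr_read_next` although the local `ptr_read_next` declared two lines above holds the same value; `ixheaacd_aac_showbits_32(ptr_read_next, bs->cnt_bits, NULL)` reads more consistently.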
diff --git a/decoder/ixheaacd_spectrum_dec.c b/decoder/ixheaacd_spectrum_dec.c
index c0b663c..c827a02 100644
--- a/decoder/ixheaacd_spectrum_dec.c
+++ b/decoder/ixheaacd_spectrum_dec.c
@@ -243,8 +243,10 @@ VOID ixheaacd_section_data(ia_usac_data_struct *usac_data,
WORD32 is_1_group = 1;
WORD32 bb = 0, i;
- WORD32 read_word = ixheaacd_aac_showbits_32(ptr_read_next);
- ptr_read_next = g_bs->ptr_read_next + 4;
+ WORD32 increment;
+ WORD32 read_word =
+ ixheaacd_aac_showbits_32(ptr_read_next, g_bs->cnt_bits, &increment);
+ ptr_read_next = g_bs->ptr_read_next + increment;
trans_sfb = info->sfb_per_sbk;
temp_ptr_scale_fac = factors;
@@ -313,8 +315,11 @@ VOID ixheaacd_section_data(ia_usac_data_struct *usac_data,
}
}
}
+ ptr_read_next = ptr_read_next - increment;
+ ixheaacd_aac_read_byte_corr1(&ptr_read_next, &bit_pos, &read_word,
+ g_bs->ptr_bit_buf_end);
- g_bs->ptr_read_next = ptr_read_next - 4;
+ g_bs->ptr_read_next = ptr_read_next;
g_bs->bit_pos = 7 - bit_pos;
{