aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRajat Kumar <rajat.kumar@ittiam.com>2019-04-29 17:54:00 +0530
committerRay Essick <essick@google.com>2020-01-09 14:24:30 -0800
commit0e6ba2531414125ee93d042f8264663206d7c9af (patch)
tree50abd1a66d62299414fbbb1197fbf2446b4bdd6e
parentda82edd619dd5679267750f9b68708dab2ad652e (diff)
downloadlibxaac-0e6ba2531414125ee93d042f8264663206d7c9af.tar.gz
Fix for array out of bound esbr_envcalc file.
Added bound checks before access Bug:131878685 Test: poc in bug Change-Id: Ibd8dec7875509fc98f7c57d000bcc3635f36f297
-rw-r--r--decoder/ixheaacd_env_extr.h15
-rw-r--r--decoder/ixheaacd_esbr_envcal.c12
2 files changed, 18 insertions, 9 deletions
diff --git a/decoder/ixheaacd_env_extr.h b/decoder/ixheaacd_env_extr.h
index 109dfe2..d699b5e 100644
--- a/decoder/ixheaacd_env_extr.h
+++ b/decoder/ixheaacd_env_extr.h
@@ -31,6 +31,7 @@
#define ROUNDING (1 << (EXP_BITS - 1))
#define NRG_EXP_OFFSET 16
#define NOISE_EXP_OFFSET 38
+#define MAX_QMF_SUB_BANDS 64
typedef const UWORD16 *ia_huffman_data_type;
@@ -100,13 +101,13 @@ typedef struct {
WORD32 gate_mode[4];
WORD8 harm_flag_varlen_prev[64];
WORD8 harm_flag_varlen[64];
- FLOAT32 qmapped_pvc[64][48];
- FLOAT32 env_tmp[64][48];
- FLOAT32 noise_level_pvc[64][48];
- FLOAT32 nrg_est_pvc[64][48];
- FLOAT32 nrg_ref_pvc[64][48];
- FLOAT32 nrg_gain_pvc[64][48];
- FLOAT32 nrg_tone_pvc[64][48];
+ FLOAT32 qmapped_pvc[MAX_QMF_SUB_BANDS][MAX_FREQ_COEFFS_SBR];
+ FLOAT32 env_tmp[MAX_QMF_SUB_BANDS][MAX_FREQ_COEFFS_SBR];
+ FLOAT32 noise_level_pvc[MAX_QMF_SUB_BANDS][MAX_FREQ_COEFFS_SBR];
+ FLOAT32 nrg_est_pvc[MAX_QMF_SUB_BANDS][MAX_FREQ_COEFFS_SBR];
+ FLOAT32 nrg_ref_pvc[MAX_QMF_SUB_BANDS][MAX_FREQ_COEFFS_SBR];
+ FLOAT32 nrg_gain_pvc[MAX_QMF_SUB_BANDS][MAX_FREQ_COEFFS_SBR];
+ FLOAT32 nrg_tone_pvc[MAX_QMF_SUB_BANDS][MAX_FREQ_COEFFS_SBR];
WORD32 stereo_config_idx;
FLAG reset_flag;
FLAG mps_sbr_flag;
diff --git a/decoder/ixheaacd_esbr_envcal.c b/decoder/ixheaacd_esbr_envcal.c
index c964bf6..492287d 100644
--- a/decoder/ixheaacd_esbr_envcal.c
+++ b/decoder/ixheaacd_esbr_envcal.c
@@ -207,12 +207,14 @@ WORD32 ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data,
}
for (i = 0; i < bs_num_env; i++) {
+ if (kk > MAX_NOISE_ENVELOPES) return IA_FATAL_ERROR;
if (p_frame_info->border_vec[i] == p_frame_info->noise_border_vec[kk])
kk++, next++;
start_pos = p_frame_info->border_vec[i];
end_pos = p_frame_info->border_vec[i + 1];
-
+ if ((start_pos < 0) || (end_pos > MAX_FREQ_COEFFS_SBR))
+ return IA_FATAL_ERROR;
for (t = start_pos; t < end_pos; t++) {
band_loop_end = num_sf_bands[p_frame_info->freq_res[i]];
@@ -224,6 +226,7 @@ WORD32 ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data,
for (k = 0; k < ui - li; k++) {
o = (k + li >= ui2) ? o + 1 : o;
+ if (o >= MAX_NOISE_COEFFS) return IA_FATAL_ERROR;
ui2 = freq_band_table_noise[o + 1];
frame_data->qmapped_pvc[c][t] =
@@ -238,12 +241,14 @@ WORD32 ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data,
next = -1;
for (i = 0; i < bs_num_env; i++) {
+ if (kk > MAX_NOISE_ENVELOPES) return IA_FATAL_ERROR;
if (p_frame_info->border_vec[i] == p_frame_info->noise_border_vec[kk])
kk++, next++;
start_pos = pvc_frame_info->border_vec[i];
end_pos = pvc_frame_info->border_vec[i + 1];
-
+ if ((start_pos < 0) || (end_pos > MAX_FREQ_COEFFS_SBR))
+ return IA_FATAL_ERROR;
for (t = start_pos; t < end_pos; t++) {
for (c = 0; c < 64; c++) {
env_tmp[c][t] = env_out[64 * t + c];
@@ -301,6 +306,7 @@ WORD32 ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data,
for (k = 0; k < ui - li; k++) {
o = (k + li >= ui2) ? o + 1 : o;
+ if (o >= MAX_NOISE_COEFFS) return IA_FATAL_ERROR;
ui2 = freq_band_table_noise[o + 1];
nrg_est_pvc[c][t] = (!int_mode) ? nrg : nrg_est_pvc[c][t];
nrg_tone_pvc[c][t] = 0.0f;
@@ -419,6 +425,7 @@ WORD32 ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data,
for (k = 0; k < ui - li; k++) {
o = (k + li >= ui2) ? o + 1 : o;
+ if (o >= MAX_NOISE_COEFFS) return IA_FATAL_ERROR;
ui2 = freq_band_table_noise[o + 1];
nrg_est_pvc[c][t] = (!int_mode) ? nrg : nrg_est_pvc[c][t];
nrg_tone_pvc[c][t] = 0.0f;
@@ -612,6 +619,7 @@ WORD32 ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data,
for (k = 0; k < ui - li; k++) {
FLOAT64 guard = 1e-17;
o = (k + li >= ui2) ? o + 1 : o;
+ if (o >= MAX_NOISE_COEFFS) return IA_FATAL_ERROR;
ui2 = frame_data->pstr_sbr_header->pstr_freq_band_data
->freq_band_tbl_noise[o + 1];
nrg_ref[c] = sfb_nrg[m];