author | Rajat Kumar <rajat.kumar@ittiam.com> | 2019-04-29 17:54:00 +0530 |
---|---|---|
committer | Ray Essick <essick@google.com> | 2020-01-09 14:24:30 -0800 |
commit | 0e6ba2531414125ee93d042f8264663206d7c9af (patch) | |
tree | 50abd1a66d62299414fbbb1197fbf2446b4bdd6e | |
parent | da82edd619dd5679267750f9b68708dab2ad652e (diff) | |
Fix for array out of bound esbr_envcalc file.
Added bound checks before access
Bug:131878685
Test: poc in bug
Change-Id: Ibd8dec7875509fc98f7c57d000bcc3635f36f297
-rw-r--r-- | decoder/ixheaacd_env_extr.h | 15 | ||||
-rw-r--r-- | decoder/ixheaacd_esbr_envcal.c | 12 |
2 files changed, 18 insertions, 9 deletions
diff --git a/decoder/ixheaacd_env_extr.h b/decoder/ixheaacd_env_extr.h
index 109dfe2..d699b5e 100644
--- a/decoder/ixheaacd_env_extr.h
+++ b/decoder/ixheaacd_env_extr.h
@@ -31,6 +31,7 @@
 #define ROUNDING (1 << (EXP_BITS - 1))
 #define NRG_EXP_OFFSET 16
 #define NOISE_EXP_OFFSET 38
+#define MAX_QMF_SUB_BANDS 64
 typedef const UWORD16 *ia_huffman_data_type;
@@ -100,13 +101,13 @@ typedef struct {
 WORD32 gate_mode[4];
 WORD8 harm_flag_varlen_prev[64];
 WORD8 harm_flag_varlen[64];
- FLOAT32 qmapped_pvc[64][48];
- FLOAT32 env_tmp[64][48];
- FLOAT32 noise_level_pvc[64][48];
- FLOAT32 nrg_est_pvc[64][48];
- FLOAT32 nrg_ref_pvc[64][48];
- FLOAT32 nrg_gain_pvc[64][48];
- FLOAT32 nrg_tone_pvc[64][48];
+ FLOAT32 qmapped_pvc[MAX_QMF_SUB_BANDS][MAX_FREQ_COEFFS_SBR];
+ FLOAT32 env_tmp[MAX_QMF_SUB_BANDS][MAX_FREQ_COEFFS_SBR];
+ FLOAT32 noise_level_pvc[MAX_QMF_SUB_BANDS][MAX_FREQ_COEFFS_SBR];
+ FLOAT32 nrg_est_pvc[MAX_QMF_SUB_BANDS][MAX_FREQ_COEFFS_SBR];
+ FLOAT32 nrg_ref_pvc[MAX_QMF_SUB_BANDS][MAX_FREQ_COEFFS_SBR];
+ FLOAT32 nrg_gain_pvc[MAX_QMF_SUB_BANDS][MAX_FREQ_COEFFS_SBR];
+ FLOAT32 nrg_tone_pvc[MAX_QMF_SUB_BANDS][MAX_FREQ_COEFFS_SBR];
 WORD32 stereo_config_idx;
 FLAG reset_flag;
 FLAG mps_sbr_flag;
diff --git a/decoder/ixheaacd_esbr_envcal.c b/decoder/ixheaacd_esbr_envcal.c
index c964bf6..492287d 100644
--- a/decoder/ixheaacd_esbr_envcal.c
+++ b/decoder/ixheaacd_esbr_envcal.c
@@ -207,12 +207,14 @@ WORD32 ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data,
 }
 for (i = 0; i < bs_num_env; i++) {
+ if (kk > MAX_NOISE_ENVELOPES) return IA_FATAL_ERROR;
 if (p_frame_info->border_vec[i] == p_frame_info->noise_border_vec[kk])
 kk++, next++;
 start_pos = p_frame_info->border_vec[i];
 end_pos = p_frame_info->border_vec[i + 1];
-
+ if ((start_pos < 0) || (end_pos > MAX_FREQ_COEFFS_SBR))
+ return IA_FATAL_ERROR;
 for (t = start_pos; t < end_pos; t++) {
 band_loop_end = num_sf_bands[p_frame_info->freq_res[i]];
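Review bot: The second dimension of the seven arrays in the `@@ -100,13 +101,13 @@` hunk is now named `MAX_FREQ_COEFFS_SBR`, yet ixheaacd_esbr_envcal.c indexes them as `[c][t]` and compares `end_pos`, which appears to be a time-slot border, against the same constant. A constant named for frequency coefficients could later be changed without anyone noticing that it also sizes this axis and backs the new `end_pos > MAX_FREQ_COEFFS_SBR` guards. I would add a comment above the block, for example `/* [QMF sub-band][time slot]; 2nd dimension must cover every border_vec value accepted by ixheaacd_sbr_env_calc */`, or introduce a dedicated time-slot constant. The value of `MAX_FREQ_COEFFS_SBR` is not visible in this diff, so it should be confirmed that it is not smaller than the previous 48. The struct continues outside the hunk.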
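Review bot: The new guard `if (kk > MAX_NOISE_ENVELOPES) return IA_FATAL_ERROR;` in the `@@ -207,12 +207,14 @@` hunk still lets `kk == MAX_NOISE_ENVELOPES` reach `p_frame_info->noise_border_vec[kk]` on the next line. That read is in bounds only if the array is declared with `MAX_NOISE_ENVELOPES + 1` elements, and the declaration is not part of this diff. If it is, a comment such as `/* noise_border_vec has MAX_NOISE_ENVELOPES + 1 entries, so kk == MAX_NOISE_ENVELOPES is valid */` would record that; otherwise the test should be `>=`. The same guard is repeated in the `@@ -238,12 +241,14 @@` hunk. Nothing visible bounds `bs_num_env`, so the `border_vec[i + 1]` read relies on validation elsewhere; the function body starts and ends outside the hunk.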
@@ -224,6 +226,7 @@ WORD32 ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data,
 for (k = 0; k < ui - li; k++) {
 o = (k + li >= ui2) ? o + 1 : o;
+ if (o >= MAX_NOISE_COEFFS) return IA_FATAL_ERROR;
 ui2 = freq_band_table_noise[o + 1];
 frame_data->qmapped_pvc[c][t] =
@@ -238,12 +241,14 @@ WORD32 ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data,
 next = -1;
 for (i = 0; i < bs_num_env; i++) {
+ if (kk > MAX_NOISE_ENVELOPES) return IA_FATAL_ERROR;
 if (p_frame_info->border_vec[i] == p_frame_info->noise_border_vec[kk])
 kk++, next++;
 start_pos = pvc_frame_info->border_vec[i];
 end_pos = pvc_frame_info->border_vec[i + 1];
-
+ if ((start_pos < 0) || (end_pos > MAX_FREQ_COEFFS_SBR))
+ return IA_FATAL_ERROR;
 for (t = start_pos; t < end_pos; t++) {
 for (c = 0; c < 64; c++) {
 env_tmp[c][t] = env_out[64 * t + c];
@@ -301,6 +306,7 @@ WORD32 ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data,
 for (k = 0; k < ui - li; k++) {
 o = (k + li >= ui2) ? o + 1 : o;
+ if (o >= MAX_NOISE_COEFFS) return IA_FATAL_ERROR;
 ui2 = freq_band_table_noise[o + 1];
 nrg_est_pvc[c][t] = (!int_mode) ? nrg : nrg_est_pvc[c][t];
 nrg_tone_pvc[c][t] = 0.0f;
@@ -419,6 +425,7 @@ WORD32 ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data,
 for (k = 0; k < ui - li; k++) {
 o = (k + li >= ui2) ? o + 1 : o;
+ if (o >= MAX_NOISE_COEFFS) return IA_FATAL_ERROR;
 ui2 = freq_band_table_noise[o + 1];
 nrg_est_pvc[c][t] = (!int_mode) ? nrg : nrg_est_pvc[c][t];
 nrg_tone_pvc[c][t] = 0.0f;
@@ -612,6 +619,7 @@ WORD32 ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data,
 for (k = 0; k < ui - li; k++) {
 FLOAT64 guard = 1e-17;
 o = (k + li >= ui2) ? o + 1 : o;
+ if (o >= MAX_NOISE_COEFFS) return IA_FATAL_ERROR;
 ui2 = frame_data->pstr_sbr_header->pstr_freq_band_data
 ->freq_band_tbl_noise[o + 1];
 nrg_ref[c] = sfb_nrg[m]; |
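Review bot: `if (o >= MAX_NOISE_COEFFS) return IA_FATAL_ERROR;` in the `@@ -224,6 +226,7 @@` hunk bounds `o` by the table's compile-time capacity, not by the number of noise bands parsed for the current frame. `freq_band_table_noise[o + 1]` can therefore stay inside the array and still read an entry that was never filled in for this stream. If a noise-band count is available in this function (none is visible in the hunk), comparing against it would reject malformed input earlier. The read at `o + 1` also needs the table to hold `MAX_NOISE_COEFFS + 1` entries, which the diff does not show. The same line is added in the `@@ -301,6 +306,7 @@`, `@@ -419,6 +425,7 @@` and `@@ -612,6 +619,7 @@` hunks; validating the table once where it is built would avoid four copies of the check in the innermost loop.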
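Review bot: In the `@@ -238,12 +241,14 @@` hunk the new range check guarantees only `t < MAX_FREQ_COEFFS_SBR`, which matches `env_tmp[c][t]`, but the same `t` also indexes `env_out[64 * t + c]`. The size of `env_out` is not visible here, so it should be confirmed that it holds at least `64 * MAX_FREQ_COEFFS_SBR` elements. The loop bound could use the constant this commit introduces, `for (c = 0; c < MAX_QMF_SUB_BANDS; c++) {`, so the array dimension and the loop cannot drift apart. The border comparison and the `kk` guard read `p_frame_info` while `start_pos` and `end_pos` come from `pvc_frame_info`; if that is intentional, a comment such as `/* noise borders follow the SBR grid, time range follows the PVC grid */` would make it explicit.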