author | Ramesh Katuri <ramesh.katuri@ittiam.com> | 2018-10-31 15:50:27 +0530 |
---|---|---|
committer | Ray Essick <essick@google.com> | 2018-12-21 09:30:36 -0800 |
commit | b0c549e5d8b348697cd25a3135cf7c95b98717e3 (patch) | |
tree | 48b6cf26d791e8f5bc2e0e4f47e5ce0cda14c189 /decoder/ixheaacd_esbr_envcal.c | |
parent | 657393883bf49820ba1ebc819670a22090e8f035 (diff) | |
download | libxaac-b0c549e5d8b348697cd25a3135cf7c95b98717e3.tar.gz |
Fix for crash in ixheaacd_esbr_synthesis_regrp
Inside ia_sbr_frame_info_data_struct, limit table is defined as WORD32 lim_table[4][12 + 1];
lim_table is accessed using gate_mode which is defined as WORD32 gate_mode[4];
In all of the issues below, one of the values in gate_mode is greater than 12. When lim_table
is accessed with an index greater than 12, we read a garbage value, which causes pointer
corruption for b/118386824, a heap buffer overflow for b/118389774 and a stack buffer overflow
for b/118494588.
As a fix, we return a fatal error if a value in gate_mode is > 12.
Bug:118386824
Bug:118389774
Bug:118494588
Test: vendor
Change-Id: I713c5438f56a13f06f0f76ed22ad96ff667741a4
Diffstat (limited to 'decoder/ixheaacd_esbr_envcal.c')
-rw-r--r-- | decoder/ixheaacd_esbr_envcal.c | 36 |
1 files changed, 19 insertions, 17 deletions
diff --git a/decoder/ixheaacd_esbr_envcal.c b/decoder/ixheaacd_esbr_envcal.c
index b90df22..e1bb1c7 100644
--- a/decoder/ixheaacd_esbr_envcal.c
+++ b/decoder/ixheaacd_esbr_envcal.c
@@ -167,19 +167,21 @@ WORD32 ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data,
 esbr_start_up = 1;
 esbr_start_up_pvc = 1;
 phase_index = 0;
- ixheaacd_createlimiterbands(
- (*lim_table), (*gate_mode),
- frame_data->pstr_sbr_header->pstr_freq_band_data->freq_band_tbl_lo,
- num_sf_bands[LOW], x_over_qmf, frame_data->sbr_patching_mode,
- upsamp_4_flag, &frame_data->patch_param);
+ if (ixheaacd_createlimiterbands(
+ (*lim_table), (*gate_mode),
+ frame_data->pstr_sbr_header->pstr_freq_band_data->freq_band_tbl_lo,
+ num_sf_bands[LOW], x_over_qmf, frame_data->sbr_patching_mode,
+ upsamp_4_flag, &frame_data->patch_param))
+ return IA_FATAL_ERROR;
 }
 if (frame_data->sbr_patching_mode != frame_data->prev_sbr_patching_mode) {
- ixheaacd_createlimiterbands(
- (*lim_table), (*gate_mode),
- frame_data->pstr_sbr_header->pstr_freq_band_data->freq_band_tbl_lo,
- num_sf_bands[LOW], x_over_qmf, frame_data->sbr_patching_mode,
- upsamp_4_flag, &frame_data->patch_param);
+ if (ixheaacd_createlimiterbands(
+ (*lim_table), (*gate_mode),
+ frame_data->pstr_sbr_header->pstr_freq_band_data->freq_band_tbl_lo,
+ num_sf_bands[LOW], x_over_qmf, frame_data->sbr_patching_mode,
+ upsamp_4_flag, &frame_data->patch_param))
+ return IA_FATAL_ERROR;
 frame_data->prev_sbr_patching_mode = frame_data->sbr_patching_mode;
 }
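Review bot: Both call sites fold the five-line ixheaacd_createlimiterbands call into an `if` condition with an unbraced `return IA_FATAL_ERROR;`, which makes the error path easy to miss and discards whatever code the callee returned. I would assign the result first and brace the return at both sites: `err = ixheaacd_createlimiterbands(...);` followed by `if (err != IA_NO_ERROR) { return err; }`, with an `IA_ERRORCODE err` declared next to the other locals. ixheaacd_sbr_env_calc starts and ends outside this hunk, so whether its callers act on the new non-zero return cannot be confirmed from here. If any caller ignores it, decoding would continue with the limiter table that was just rejected.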
@@ -789,12 +791,11 @@ WORD32 ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data,
 return 0;
 }
-VOID ixheaacd_createlimiterbands(WORD32 lim_table[4][12 + 1],
- WORD32 gate_mode[4], WORD16 *freq_band_tbl,
- WORD32 ixheaacd_num_bands,
- WORD32 x_over_qmf[MAX_NUM_PATCHES],
- WORD32 b_patching_mode, WORD32 upsamp_4_flag,
- struct ixheaacd_lpp_trans_patch *patch_param) {
+IA_ERRORCODE ixheaacd_createlimiterbands(
+ WORD32 lim_table[4][12 + 1], WORD32 gate_mode[4], WORD16 *freq_band_tbl,
+ WORD32 ixheaacd_num_bands, WORD32 x_over_qmf[MAX_NUM_PATCHES],
+ WORD32 b_patching_mode, WORD32 upsamp_4_flag,
+ struct ixheaacd_lpp_trans_patch *patch_param) {
 WORD32 i, j, k, is_patch_border[2];
 WORD32 patch_borders[MAX_NUM_PATCHES + 1];
 WORD32 temp_limiter_band_calc[32 + MAX_NUM_PATCHES + 1];
@@ -887,11 +888,12 @@ VOID ixheaacd_createlimiterbands(WORD32 lim_table[4][12 + 1],
 }
 }
 }
-
+ if (gate_mode[i] > 12) return IA_FATAL_ERROR;
 for (k = 0; k <= gate_mode[i]; k++) {
 lim_table[i][k] = temp_limiter_band_calc[k];
 }
 }
+ return IA_NO_ERROR;
 }
 VOID ixheaacd_apply_inter_tes(FLOAT32 *qmf_real1, FLOAT32 *qmf_imag1, |
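Review bot: The definition of ixheaacd_createlimiterbands now returns IA_ERRORCODE but has no comment stating when it fails or what state it leaves behind. I would add above it `/* Returns IA_FATAL_ERROR if a computed gate_mode[i] exceeds 12, the last valid column of lim_table[i]; IA_NO_ERROR otherwise. */`. The diffstat on this page is limited to this file, so the header prototype and any other callers are not visible. A caller still compiled against the old VOID declaration would drop the error silently, so confirm they were updated in the same change.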
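Review bot: The new guard `if (gate_mode[i] > 12) return IA_FATAL_ERROR;` leaves the out-of-range count stored in gate_mode[i], which the caller passes in from its frame state. The commit message attributes the crashes to lim_table being indexed with that value, so any path that keeps decoding after the error, or skips this function on the next frame, would presumably still read past the row. Resetting the count before returning is safer: `if (gate_mode[i] > 12) { gate_mode[i] = 0; return IA_FATAL_ERROR; }`. The literal 12 also duplicates the `[12 + 1]` dimension in the signature, so a shared named constant would keep the two from drifting apart. The function body starts outside this hunk, so whether the code that computes gate_mode[i] can itself index past temp_limiter_band_calc before this check runs is not visible here.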