author | Aayush Soni <aayush.soni@ittiam.com> | 2021-07-05 10:11:29 +0530 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2021-08-14 00:58:10 +0000 |
commit | be8ae5a003449ebe7d8480a67db7a16aceb9e8b9 (patch) | |
tree | 33faade4d6545803c13c840adef828f424678b40 | |
parent | b67202e2673ce68051635a3d91217364a4841a1d (diff) | |
sonivox: Fix global buffer overflow in WT_InterpolateNoLoop
Check for loop end before accessing new samples
Bug: 190286685
Test: POC in bug description
Change-Id: I26a187d161d713c1a1b1b3009256acfd9e263fb3
(cherry picked from commit 8bfcd9c03af5170b5003712fb77f096b5c9f341b)
-rw-r--r-- | arm-wt-22k/lib_src/eas_wtengine.c | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/arm-wt-22k/lib_src/eas_wtengine.c b/arm-wt-22k/lib_src/eas_wtengine.c
index c3012e5..950616e 100644
--- a/arm-wt-22k/lib_src/eas_wtengine.c
+++ b/arm-wt-22k/lib_src/eas_wtengine.c
@@ -284,6 +284,7 @@ void WT_InterpolateNoLoop (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame)
 EAS_I32 phaseFrac;
 EAS_I32 acc0;
 const EAS_SAMPLE *pSamples;
+ const EAS_SAMPLE *bufferEndP1;
 EAS_I32 samp1;
 EAS_I32 samp2;
 EAS_I32 numSamples;
@@ -298,8 +299,9 @@ void WT_InterpolateNoLoop (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame)
 pOutputBuffer = pWTIntFrame->pAudioBuffer;
 phaseInc = pWTIntFrame->frame.phaseIncrement;
+ bufferEndP1 = (const EAS_SAMPLE*) pWTVoice->loopEnd + 1;
 pSamples = (const EAS_SAMPLE*) pWTVoice->phaseAccum;
- phaseFrac = (EAS_I32)pWTVoice->phaseFrac;
+ phaseFrac = (EAS_I32)(pWTVoice->phaseFrac & PHASE_FRAC_MASK);
 /* fetch adjacent samples */
 #if defined(_8_BIT_SAMPLES)
@@ -314,6 +316,7 @@ void WT_InterpolateNoLoop (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame)
 while (numSamples--) {
+ EAS_I32 nextSamplePhaseInc;
 /* linear interpolation */
 acc0 = samp2 - samp1;
@@ -328,13 +331,18 @@ void WT_InterpolateNoLoop (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame)
 /* increment phase */
 phaseFrac += phaseInc;
 /*lint -e{704} <avoid divide>*/
- acc0 = phaseFrac >> NUM_PHASE_FRAC_BITS;
+ nextSamplePhaseInc = phaseFrac >> NUM_PHASE_FRAC_BITS;
 /* next sample */
- if (acc0 > 0) {
+ if (nextSamplePhaseInc > 0) {
+
+ /* check for loop end */
+ if ( &pSamples[nextSamplePhaseInc+1] >= bufferEndP1) {
+ break;
+ }
 /* advance sample pointer */
- pSamples += acc0;
+ pSamples += nextSamplePhaseInc;
 phaseFrac = (EAS_I32)((EAS_U32)phaseFrac & PHASE_FRAC_MASK);
 /* fetch new samples */ |
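Review bot: Nothing in the second hunk checks that `pSamples` starts below `bufferEndP1`, so the fetch that follows `/* fetch adjacent samples */` (its lines are outside the hunk, so this is inferred) can still read past the sample buffer when a voice enters with `phaseAccum` at or beyond `loopEnd`; the in-loop check added later only runs after that first fetch. A guard ahead of the fetch, e.g. `if (bufferEndP1 - pSamples < 2) return;`, would close that path, provided an early return leaves the voice state consistent, which the visible lines do not show. The new pointer also deserves a comment where it is set, such as `/* one past the last sample that may be read, assuming loopEnd addresses the final valid sample */`. The function body starts and ends outside the hunk.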
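Review bot: The loop-end test `&pSamples[nextSamplePhaseInc+1] >= bufferEndP1` in the last hunk forms the out-of-range pointer before comparing it, which is undefined once it lies more than one element past the buffer, and with a large `phaseInc` on a 32-bit target the address could wrap and compare below `bufferEndP1`, letting the advance through. Comparing the step with the remaining distance avoids both: `if (nextSamplePhaseInc >= (bufferEndP1 - pSamples) - 1) {`. Separately, on `break` the remaining `numSamples` output slots are not written by this loop; whether the caller tolerates stale data there is not visible from the hunk. The loop body continues outside the hunk.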