From c2e0dfe237e2a3bd8a43e8a8025631d6fec4590d Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Thu, 20 Dec 2018 15:52:46 +0100 Subject: Clear config in case of parsing error in drcDec_readUniDrc() Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: Ic1a12cbd31aa51d8a89bc4d6a67f9b0289265b6c --- libDRCdec/src/drcDec_reader.cpp | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'libDRCdec/src/drcDec_reader.cpp') diff --git a/libDRCdec/src/drcDec_reader.cpp b/libDRCdec/src/drcDec_reader.cpp index 6fe7a04..469203e 100644 --- a/libDRCdec/src/drcDec_reader.cpp +++ b/libDRCdec/src/drcDec_reader.cpp @@ -185,10 +185,18 @@ drcDec_readUniDrc(HANDLE_FDK_BITSTREAM hBs, HANDLE_UNI_DRC_CONFIG hUniDrcConfig, uniDrcConfigPresent = FDKreadBits(hBs, 1); if (uniDrcConfigPresent) { err = drcDec_readUniDrcConfig(hBs, hUniDrcConfig); - if (err) return err; + if (err) { + /* clear config, if parsing error occured */ + FDKmemclear(hUniDrcConfig, sizeof(UNI_DRC_CONFIG)); + hUniDrcConfig->diff = 1; + } } err = drcDec_readLoudnessInfoSet(hBs, hLoudnessInfoSet); - if (err) return err; + if (err) { + /* clear config, if parsing error occured */ + FDKmemclear(hLoudnessInfoSet, sizeof(LOUDNESS_INFO_SET)); + hLoudnessInfoSet->diff = 1; + } } if (hUniDrcGain != NULL) { -- cgit v1.2.3 From 1f908ac9b0bf42e6485a82a5b0d7d5247fd67f99 Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Thu, 20 Dec 2018 15:52:46 +0100 Subject: Add MPEG-D DRC sanity checks Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: I5413e43d5cfc895b8c3171f8857ca6feab6c269e --- libDRCdec/src/drcDec_reader.cpp | 4 ++-- libDRCdec/src/drcDec_selectionProcess.cpp | 5 +++++ libDRCdec/src/drcDec_types.h | 8 ++++---- libDRCdec/src/drcGainDec_init.cpp | 6 ++++-- 4 files changed, 15 insertions(+), 8 deletions(-) (limited to 'libDRCdec/src/drcDec_reader.cpp') diff --git a/libDRCdec/src/drcDec_reader.cpp b/libDRCdec/src/drcDec_reader.cpp index 6fe7a04..e7b3360 100644 --- a/libDRCdec/src/drcDec_reader.cpp +++ b/libDRCdec/src/drcDec_reader.cpp @@ -1130,7 +1130,7 @@ static DRC_ERROR _readDrcCoefficientsUniDrc(HANDLE_FDK_BITSTREAM hBs, drcCharacteristicLeftPresent = FDKreadBits(hBs, 1); if (drcCharacteristicLeftPresent) { pCoef->characteristicLeftCount = FDKreadBits(hBs, 4); - if ((pCoef->characteristicLeftCount + 1) > 8) return DE_MEMORY_ERROR; + if ((pCoef->characteristicLeftCount + 1) > 16) return DE_MEMORY_ERROR; for (i = 0; i < pCoef->characteristicLeftCount; i++) { err = _readCustomDrcCharacteristic( hBs, CS_LEFT, &(pCoef->characteristicLeftFormat[i + 1]), @@ -1141,7 +1141,7 @@ static DRC_ERROR _readDrcCoefficientsUniDrc(HANDLE_FDK_BITSTREAM hBs, drcCharacteristicRightPresent = FDKreadBits(hBs, 1); if (drcCharacteristicRightPresent) { pCoef->characteristicRightCount = FDKreadBits(hBs, 4); - if ((pCoef->characteristicRightCount + 1) > 8) return DE_MEMORY_ERROR; + if ((pCoef->characteristicRightCount + 1) > 16) return DE_MEMORY_ERROR; for (i = 0; i < pCoef->characteristicRightCount; i++) { err = _readCustomDrcCharacteristic( hBs, CS_RIGHT, &(pCoef->characteristicRightFormat[i + 1]), diff --git a/libDRCdec/src/drcDec_selectionProcess.cpp b/libDRCdec/src/drcDec_selectionProcess.cpp index 9228197..5653e22 100644 --- a/libDRCdec/src/drcDec_selectionProcess.cpp +++ b/libDRCdec/src/drcDec_selectionProcess.cpp @@ -2173,6 +2173,9 @@ static DRCDEC_SELECTION_PROCESS_RETURN _selectDownmixMatrix( if (hSelProcOutput->activeDownmixId != 0) { for (i = 0; i < hUniDrcConfig->downmixInstructionsCount; i++) { DOWNMIX_INSTRUCTIONS* pDown = &(hUniDrcConfig->downmixInstructions[i]); + if (pDown->targetChannelCount > 8) { + continue; + } if (hSelProcOutput->activeDownmixId == pDown->downmixId) { hSelProcOutput->targetChannelCount = pDown->targetChannelCount; @@ -2825,6 +2828,8 @@ static int _downmixCoefficientsArePresent(HANDLE_UNI_DRC_CONFIG hUniDrcConfig, for (i = 0; i < hUniDrcConfig->downmixInstructionsCount; i++) { if (hUniDrcConfig->downmixInstructions[i].downmixId == downmixId) { if (hUniDrcConfig->downmixInstructions[i].downmixCoefficientsPresent) { + if (hUniDrcConfig->downmixInstructions[i].targetChannelCount > 8) + return 0; *pIndex = i; return 1; } diff --git a/libDRCdec/src/drcDec_types.h b/libDRCdec/src/drcDec_types.h index 28c17f3..6b99018 100644 --- a/libDRCdec/src/drcDec_types.h +++ b/libDRCdec/src/drcDec_types.h @@ -249,11 +249,11 @@ typedef struct { UCHAR drcFrameSizePresent; USHORT drcFrameSize; UCHAR characteristicLeftCount; - UCHAR characteristicLeftFormat[8]; - CUSTOM_DRC_CHAR customCharacteristicLeft[8]; + UCHAR characteristicLeftFormat[16]; + CUSTOM_DRC_CHAR customCharacteristicLeft[16]; UCHAR characteristicRightCount; - UCHAR characteristicRightFormat[8]; - CUSTOM_DRC_CHAR customCharacteristicRight[8]; + UCHAR characteristicRightFormat[16]; + CUSTOM_DRC_CHAR customCharacteristicRight[16]; UCHAR gainSequenceCount; /* unsaturated value, i.e. as provided in bitstream */ UCHAR gainSetCount; /* saturated to 12 */ diff --git a/libDRCdec/src/drcGainDec_init.cpp b/libDRCdec/src/drcGainDec_init.cpp index 38f3243..c9f87d7 100644 --- a/libDRCdec/src/drcGainDec_init.cpp +++ b/libDRCdec/src/drcGainDec_init.cpp @@ -336,9 +336,11 @@ initActiveDrcOffset(HANDLE_DRC_GAIN_DECODER hGainDec) { for (a = 0; a < hGainDec->nActiveDrcs; a++) { hGainDec->activeDrc[a].activeDrcOffset = accGainElementCount; accGainElementCount += hGainDec->activeDrc[a].gainElementCount; + if (accGainElementCount > 12) { + hGainDec->nActiveDrcs = a; + return DE_NOT_OK; + } } - if (accGainElementCount > 12) return DE_NOT_OK; - return DE_OK; } -- cgit v1.2.3 From 28fcbe9faed794a9d74aef529beb83386da1f4aa Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Thu, 9 Jan 2020 10:21:19 +0200 Subject: Don't use an enum for a value read directly from the bitstream The enum only defined values 1-7, while the variable can be set to any value between 0 and 15 that is read from the bitstream by FDKreadBits(hBs, 4). This fixes undefined behaviour sanitizer errors. Fixes: 19500/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBFDK_AAC_fuzzer-5730449188192256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libDRCdec/src/drcDec_reader.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'libDRCdec/src/drcDec_reader.cpp') diff --git a/libDRCdec/src/drcDec_reader.cpp b/libDRCdec/src/drcDec_reader.cpp index a784457..9b5403a 100644 --- a/libDRCdec/src/drcDec_reader.cpp +++ b/libDRCdec/src/drcDec_reader.cpp @@ -911,7 +911,7 @@ static void _skipEqCoefficients(HANDLE_FDK_BITSTREAM hBs) { firFilterOrder; int uniqueEqSubbandGainsCount, eqSubbandGainRepresentation, eqSubbandGainCount; - EQ_SUBBAND_GAIN_FORMAT eqSubbandGainFormat; + int eqSubbandGainFormat; eqDelayMaxPresent = FDKreadBits(hBs, 1); if (eqDelayMaxPresent) { @@ -952,7 +952,7 @@ static void _skipEqCoefficients(HANDLE_FDK_BITSTREAM hBs) { uniqueEqSubbandGainsCount = FDKreadBits(hBs, 6); if (uniqueEqSubbandGainsCount > 0) { eqSubbandGainRepresentation = FDKreadBits(hBs, 1); - eqSubbandGainFormat = (EQ_SUBBAND_GAIN_FORMAT)FDKreadBits(hBs, 4); + eqSubbandGainFormat = FDKreadBits(hBs, 4); switch (eqSubbandGainFormat) { case GF_QMF32: eqSubbandGainCount = 32; -- cgit v1.2.3