From cc825aecf5ff8c2c7027f7424d7933cd80d6f3bb Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Fri, 9 Aug 2019 17:05:33 +0200 Subject: Restrict sampling rates parsed from bitstream to maximum of 96kHz. Bug: 131430997 Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: I2511a7cfcdf1bae57d17c02c93867ccc4f1ea693 --- libMpegTPDec/src/tpdec_asc.cpp | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) (limited to 'libMpegTPDec/src/tpdec_asc.cpp') diff --git a/libMpegTPDec/src/tpdec_asc.cpp b/libMpegTPDec/src/tpdec_asc.cpp index 28bc22d..a86c2cb 100644 --- a/libMpegTPDec/src/tpdec_asc.cpp +++ b/libMpegTPDec/src/tpdec_asc.cpp @@ -1,7 +1,7 @@ /* ----------------------------------------------------------------------------- Software License for The Fraunhofer FDK AAC Codec Library for Android -© Copyright 1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten +© Copyright 1995 - 2019 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. All rights reserved. 1. INTRODUCTION @@ -1440,7 +1440,8 @@ static TRANSPORTDEC_ERROR EldSpecificConfig_Parse(CSAudioSpecificConfig *asc, UCHAR tmpDownscaleFreqIdx; esc->m_downscaledSamplingFrequency = getSampleRate(hBs, &tmpDownscaleFreqIdx, 4); - if (esc->m_downscaledSamplingFrequency == 0) { + if (esc->m_downscaledSamplingFrequency == 0 || + esc->m_downscaledSamplingFrequency > 96000) { return TRANSPORTDEC_PARSE_ERROR; } downscale_fill_nibble = FDKreadBits(hBs, 4); @@ -1948,6 +1949,9 @@ static TRANSPORTDEC_ERROR UsacConfig_Parse(CSAudioSpecificConfig *asc, INT nbits = (INT)FDKgetValidBits(hBs); usacSamplingFrequency = getSampleRate(hBs, &asc->m_samplingFrequencyIndex, 5); + if (usacSamplingFrequency == 0 || usacSamplingFrequency > 96000) { + return TRANSPORTDEC_PARSE_ERROR; + } asc->m_samplingFrequency = (UINT)usacSamplingFrequency; coreSbrFrameLengthIndex = FDKreadBits(hBs, 3); @@ -2027,7 +2031,8 @@ static TRANSPORTDEC_ERROR AudioSpecificConfig_ExtensionParse( self->m_extensionSamplingFrequency = getSampleRate( bs, &self->m_extensionSamplingFrequencyIndex, 4); - if ((INT)self->m_extensionSamplingFrequency <= 0) { + if (self->m_extensionSamplingFrequency == 0 || + self->m_extensionSamplingFrequency > 96000) { return TRANSPORTDEC_PARSE_ERROR; } } @@ -2153,6 +2158,10 @@ TRANSPORTDEC_ERROR AudioSpecificConfig_Parse( self->m_extensionSamplingFrequency = getSampleRate(bs, &self->m_extensionSamplingFrequencyIndex, 4); + if (self->m_extensionSamplingFrequency == 0 || + self->m_extensionSamplingFrequency > 96000) { + return TRANSPORTDEC_PARSE_ERROR; + } self->m_aot = getAOT(bs); switch (self->m_aot) { -- cgit v1.2.3 From 572f59359a5e71f59a09e2dbc75aa45e7eaaa360 Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Fri, 9 Aug 2019 17:07:39 +0200 Subject: Reject unsupported channel configuration / audio object type combinations. Bug: 131430997 Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: I84bd355df0f690636c109695d8df64fa7bdcf63c --- libMpegTPDec/src/tpdec_asc.cpp | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'libMpegTPDec/src/tpdec_asc.cpp') diff --git a/libMpegTPDec/src/tpdec_asc.cpp b/libMpegTPDec/src/tpdec_asc.cpp index a86c2cb..ad13378 100644 --- a/libMpegTPDec/src/tpdec_asc.cpp +++ b/libMpegTPDec/src/tpdec_asc.cpp @@ -2144,6 +2144,24 @@ TRANSPORTDEC_ERROR AudioSpecificConfig_Parse( self->m_channelConfiguration = FDKreadBits(bs, 4); + /* MPEG-04 standard ISO/IEC 14496-3: channelConfiguration == 0 is reserved + in er_raw_data_block (table 4.19) and er_raw_data_block_eld (table 4.75) + MPEG-04 conformance ISO/IEC 14496-4: channelConfiguration == 0 is not + permitted for AOT_ER_AAC_LC, AOT_ER_AAC_LTP, AOT_ER_AAC_LD, + AOT_ER_AAC_SCAL (chapter 6.6.4.1.2.1.1) */ + if ((self->m_channelConfiguration == 0) && + ((self->m_aot == AOT_ER_AAC_LC) || (self->m_aot == AOT_ER_AAC_LTP) || + (self->m_aot == AOT_ER_AAC_LD) || (self->m_aot == AOT_ER_AAC_SCAL) || + (self->m_aot == AOT_ER_AAC_ELD))) { + return TRANSPORTDEC_UNSUPPORTED_FORMAT; + } + /* MPEG-04 conformance ISO/IEC 14496-4: channelConfiguration > 2 is not + * permitted for AOT_AAC_SCAL and AOT_ER_AAC_SCAL (chapter 6.6.4.1.2.1.1) */ + if ((self->m_channelConfiguration > 2) && + ((self->m_aot == AOT_AAC_SCAL) || (self->m_aot == AOT_ER_AAC_SCAL))) { + return TRANSPORTDEC_UNSUPPORTED_FORMAT; + } + /* SBR extension ( explicit non-backwards compatible mode ) */ self->m_sbrPresentFlag = 0; self->m_psPresentFlag = 0; -- cgit v1.2.3 From 24171ed080e447c3ed01643833ba711dcae91293 Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Tue, 29 Oct 2019 13:06:56 +0100 Subject: Add loop abort criterion to prevent timeout in EldSpecificConfig_Parse(). Bug: 145668344 Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: Iea6457e8545438c7ad4d05a682ffa656ec35ead9 --- libMpegTPDec/src/tpdec_asc.cpp | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'libMpegTPDec/src/tpdec_asc.cpp') diff --git a/libMpegTPDec/src/tpdec_asc.cpp b/libMpegTPDec/src/tpdec_asc.cpp index ad13378..82f840e 100644 --- a/libMpegTPDec/src/tpdec_asc.cpp +++ b/libMpegTPDec/src/tpdec_asc.cpp @@ -1325,9 +1325,9 @@ static TRANSPORTDEC_ERROR EldSpecificConfig_Parse(CSAudioSpecificConfig *asc, CSTpCallBacks *cb) { TRANSPORTDEC_ERROR ErrorStatus = TRANSPORTDEC_OK; CSEldSpecificConfig *esc = &asc->m_sc.m_eldSpecificConfig; - ASC_ELD_EXT_TYPE eldExtType; + UINT eldExtType; int eldExtLen, len, cnt, ldSbrLen = 0, eldExtLenSum, numSbrHeader = 0, - sbrIndex; + sbrIndex, eldExtCnt = 0; unsigned char downscale_fill_nibble; @@ -1394,9 +1394,8 @@ static TRANSPORTDEC_ERROR EldSpecificConfig_Parse(CSAudioSpecificConfig *asc, eldExtLenSum = FDKgetValidBits(hBs); esc->m_downscaledSamplingFrequency = asc->m_samplingFrequency; /* parse ExtTypeConfigData */ - while ( - ((eldExtType = (ASC_ELD_EXT_TYPE)FDKreadBits(hBs, 4)) != ELDEXT_TERM) && - ((INT)FDKgetValidBits(hBs) >= 0)) { + while (((eldExtType = FDKreadBits(hBs, 4)) != ELDEXT_TERM) && + ((INT)FDKgetValidBits(hBs) >= 0) && (eldExtCnt++ < 15)) { eldExtLen = len = FDKreadBits(hBs, 4); if (len == 0xf) { len = FDKreadBits(hBs, 8); @@ -1455,6 +1454,9 @@ static TRANSPORTDEC_ERROR EldSpecificConfig_Parse(CSAudioSpecificConfig *asc, break; } } + if (eldExtType != ELDEXT_TERM) { + return TRANSPORTDEC_PARSE_ERROR; + } if ((INT)FDKgetValidBits(hBs) < 0) { return TRANSPORTDEC_PARSE_ERROR; -- cgit v1.2.3 From 60a11ea3efcf939f2432e739817b610e671e202f Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Tue, 17 Nov 2020 12:53:48 +0200 Subject: Revert "Don't use an enum for a value read directly from the bitstream" This reverts commit 8439b745f65bce3fd55ffc9f9edcc04f5f447c55. This local fix doesn't seem to be needed any more after the latest upstream update. --- libMpegTPDec/src/tpdec_asc.cpp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'libMpegTPDec/src/tpdec_asc.cpp') diff --git a/libMpegTPDec/src/tpdec_asc.cpp b/libMpegTPDec/src/tpdec_asc.cpp index 56de494..156f325 100644 --- a/libMpegTPDec/src/tpdec_asc.cpp +++ b/libMpegTPDec/src/tpdec_asc.cpp @@ -1549,7 +1549,8 @@ static TRANSPORTDEC_ERROR extElementConfig(CSUsacExtElementConfig *extElement, const AUDIO_OBJECT_TYPE aot) { TRANSPORTDEC_ERROR ErrorStatus = TRANSPORTDEC_OK; - int usacExtElementType = escapedValue(hBs, 4, 8, 16); + USAC_EXT_ELEMENT_TYPE usacExtElementType = + (USAC_EXT_ELEMENT_TYPE)escapedValue(hBs, 4, 8, 16); /* recurve extension elements which are invalid for USAC */ if (aot == AOT_USAC) { @@ -1566,7 +1567,7 @@ static TRANSPORTDEC_ERROR extElementConfig(CSUsacExtElementConfig *extElement, } } - extElement->usacExtElementType = (USAC_EXT_ELEMENT_TYPE) usacExtElementType; + extElement->usacExtElementType = usacExtElementType; int usacExtElementConfigLength = escapedValue(hBs, 4, 8, 16); extElement->usacExtElementConfigLength = (USHORT)usacExtElementConfigLength; INT bsAnchor; -- cgit v1.2.3 From d9a9f3b79301fea59ce3c3ee1bc36f43f47224f2 Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Tue, 17 Nov 2020 12:54:26 +0200 Subject: Revert "Don't use an enum for a value read directly from the bitstream" This reverts commit e7d8591ff208803eee35dc289e89a0d69b707585. This local fix doesn't seem to be needed any more after the latest upstream update. --- libMpegTPDec/src/tpdec_asc.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'libMpegTPDec/src/tpdec_asc.cpp') diff --git a/libMpegTPDec/src/tpdec_asc.cpp b/libMpegTPDec/src/tpdec_asc.cpp index 156f325..82f840e 100644 --- a/libMpegTPDec/src/tpdec_asc.cpp +++ b/libMpegTPDec/src/tpdec_asc.cpp @@ -1631,14 +1631,14 @@ static TRANSPORTDEC_ERROR configExtension(CSUsacConfig *usc, TRANSPORTDEC_ERROR ErrorStatus = TRANSPORTDEC_OK; int numConfigExtensions; - int usacConfigExtType; + CONFIG_EXT_ID usacConfigExtType; int usacConfigExtLength; numConfigExtensions = (int)escapedValue(hBs, 2, 4, 8) + 1; for (int confExtIdx = 0; confExtIdx < numConfigExtensions; confExtIdx++) { INT nbits; int loudnessInfoSetConfigExtensionPosition = FDKgetValidBits(hBs); - usacConfigExtType = escapedValue(hBs, 4, 8, 16); + usacConfigExtType = (CONFIG_EXT_ID)escapedValue(hBs, 4, 8, 16); usacConfigExtLength = (int)escapedValue(hBs, 4, 8, 16); /* Start bit position of config extension */ -- cgit v1.2.3 From d75500444a76f6aef8a8ff35620118de84cce65f Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Thu, 14 Jan 2021 15:36:03 +0200 Subject: Don't use enums for values read directly from the bitstream The enums don't cover all possible values read from the bitstream. This fixes undefined behaviour sanitizer errors. Fixes: 27647/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBFDK_AAC_fuzzer-5654559200116736 Fixes: 28193/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBFDK_AAC_fuzzer-4901213455515648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libMpegTPDec/src/tpdec_asc.cpp | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) (limited to 'libMpegTPDec/src/tpdec_asc.cpp') diff --git a/libMpegTPDec/src/tpdec_asc.cpp b/libMpegTPDec/src/tpdec_asc.cpp index 82f840e..bb4094b 100644 --- a/libMpegTPDec/src/tpdec_asc.cpp +++ b/libMpegTPDec/src/tpdec_asc.cpp @@ -1549,8 +1549,7 @@ static TRANSPORTDEC_ERROR extElementConfig(CSUsacExtElementConfig *extElement, const AUDIO_OBJECT_TYPE aot) { TRANSPORTDEC_ERROR ErrorStatus = TRANSPORTDEC_OK; - USAC_EXT_ELEMENT_TYPE usacExtElementType = - (USAC_EXT_ELEMENT_TYPE)escapedValue(hBs, 4, 8, 16); + int usacExtElementType = escapedValue(hBs, 4, 8, 16); /* recurve extension elements which are invalid for USAC */ if (aot == AOT_USAC) { @@ -1567,7 +1566,7 @@ static TRANSPORTDEC_ERROR extElementConfig(CSUsacExtElementConfig *extElement, } } - extElement->usacExtElementType = usacExtElementType; + extElement->usacExtElementType = (USAC_EXT_ELEMENT_TYPE)usacExtElementType; int usacExtElementConfigLength = escapedValue(hBs, 4, 8, 16); extElement->usacExtElementConfigLength = (USHORT)usacExtElementConfigLength; INT bsAnchor; @@ -1631,14 +1630,14 @@ static TRANSPORTDEC_ERROR configExtension(CSUsacConfig *usc, TRANSPORTDEC_ERROR ErrorStatus = TRANSPORTDEC_OK; int numConfigExtensions; - CONFIG_EXT_ID usacConfigExtType; + int usacConfigExtType; int usacConfigExtLength; numConfigExtensions = (int)escapedValue(hBs, 2, 4, 8) + 1; for (int confExtIdx = 0; confExtIdx < numConfigExtensions; confExtIdx++) { INT nbits; int loudnessInfoSetConfigExtensionPosition = FDKgetValidBits(hBs); - usacConfigExtType = (CONFIG_EXT_ID)escapedValue(hBs, 4, 8, 16); + usacConfigExtType = escapedValue(hBs, 4, 8, 16); usacConfigExtLength = (int)escapedValue(hBs, 4, 8, 16); /* Start bit position of config extension */ -- cgit v1.2.3