DO NOT MERGE Prevent out of bounds accesses in lppTransposer()
Check the validity of pSettings->noOfPatches to prevent an out-of-bounds
access in lppTransposer(); an invalid value can also cause memSize to be
negative.
Bug: 112160868
Test: see poc in bug
Change-Id: I77bd1e1dfab3bac92b4522170bdc3c9eb56fdf82
(cherry picked from commit 2eaadebcb6036b3e1850590378c0f56ca47e4735)
diff --git a/libSBRdec/src/lpp_tran.cpp b/libSBRdec/src/lpp_tran.cpp
index 343aec3..c2ca732 100644
--- a/libSBRdec/src/lpp_tran.cpp
+++ b/libSBRdec/src/lpp_tran.cpp
@@ -96,6 +96,10 @@
\sa lppTransposer(), main_audio.cpp, sbr_scale.h, \ref documentationOverview
*/
+#ifdef __ANDROID__
+#include <cutils/log.h>
+#endif
+
#include "lpp_tran.h"
#include "sbr_ram.h"
@@ -256,7 +260,6 @@
int ovLowBandShift;
int lowBandShift;
/* int ovHighBandShift;*/
- int targetStopBand;
alphai[0] = FL2FXCONST_SGL(0.0f);
@@ -273,24 +276,32 @@
autoCorrLength = pSettings->nCols + pSettings->overlap;
- /* Set upper subbands to zero:
- This is required in case that the patches do not cover the complete highband
- (because the last patch would be too short).
- Possible optimization: Clearing bands up to usb would be sufficient here. */
- targetStopBand = patchParam[pSettings->noOfPatches-1].targetStartBand
- + patchParam[pSettings->noOfPatches-1].numBandsInPatch;
+ if (pSettings->noOfPatches > 0) {
+ /* Set upper subbands to zero:
+ This is required in case that the patches do not cover the complete highband
+ (because the last patch would be too short).
+ Possible optimization: Clearing bands up to usb would be sufficient here. */
+ int targetStopBand = patchParam[pSettings->noOfPatches-1].targetStartBand
+ + patchParam[pSettings->noOfPatches-1].numBandsInPatch;
- int memSize = ((64) - targetStopBand) * sizeof(FIXP_DBL);
+ int memSize = ((64) - targetStopBand) * sizeof(FIXP_DBL);
- if (!useLP) {
+ if (!useLP) {
+ for (i = startSample; i < stopSampleClear; i++) {
+ FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize);
+ FDKmemclear(&qmfBufferImag[i][targetStopBand], memSize);
+ }
+ } else
for (i = startSample; i < stopSampleClear; i++) {
FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize);
- FDKmemclear(&qmfBufferImag[i][targetStopBand], memSize);
}
- } else
- for (i = startSample; i < stopSampleClear; i++) {
- FDKmemclear(&qmfBufferReal[i][targetStopBand], memSize);
}
+#ifdef __ANDROID__
+ else {
+ // Safetynet logging
+ android_errorWriteLog(0x534e4554, "112160868");
+ }
+#endif
/* init bwIndex for each patch */
FDKmemclear(bwIndex, MAX_NUM_PATCHES*sizeof(INT));
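Review bot: The new guard `if (pSettings->noOfPatches > 0)` only rules out the negative index; `targetStopBand` is still read from `patchParam[...]` and used unchecked, so a sum above 64 still makes `memSize` negative. Assuming FDKmemclear takes an unsigned size, the clears on `qmfBufferReal[i]` and `qmfBufferImag[i]` would then run far past the row. Unless the patch table is validated where it is built (not visible here), I would wrap the two clear loops in `if (targetStopBand >= 0 && targetStopBand < 64)`. I would also extend the outer condition with an upper bound such as `pSettings->noOfPatches <= MAX_NUM_PATCHES`, if that is what `patchParam` is sized by. lppTransposer() starts and ends outside this hunk, so how the later per-patch code behaves when noOfPatches is 0 cannot be confirmed from here.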