From 2504f6043487ec9c4664efea0229c07c867a53f4 Mon Sep 17 00:00:00 2001 From: Glenn Kasten Date: Wed, 6 Apr 2016 08:53:36 -0700 Subject: [PATCH 01/35] Remove redundant parentheses around == comparison operator Bug: 28026175 Change-Id: I61be1ab98d7279d09250ea4b810c5f31886da048 --- libSBRenc/src/sbr_encoder.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libSBRenc/src/sbr_encoder.cpp b/libSBRenc/src/sbr_encoder.cpp index 86a3f91fc..71aab7872 100644 --- a/libSBRenc/src/sbr_encoder.cpp +++ b/libSBRenc/src/sbr_encoder.cpp @@ -1939,7 +1939,7 @@ INT sbrEncoder_Init( - if ( (aot==AOT_PS) ) { + if ( aot==AOT_PS ) { usePs = 1; } if ( aot==AOT_ER_AAC_ELD ) { From 2fc642731f78c042c4b67f4cd877619994fe3c65 Mon Sep 17 00:00:00 2001 From: Glenn Kasten Date: Tue, 23 Aug 2016 10:25:28 -0700 Subject: [PATCH 02/35] Fix build warning Bug: 28026175 Change-Id: Ie8d84f694fcb788e5fb8780b11fa07bb98097ce0 --- libAACenc/src/adj_thr.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libAACenc/src/adj_thr.cpp b/libAACenc/src/adj_thr.cpp index a79a9aeef..09584f409 100644 --- a/libAACenc/src/adj_thr.cpp +++ b/libAACenc/src/adj_thr.cpp @@ -958,7 +958,7 @@ static FIXP_DBL FDKaacEnc_calcChaosMeasure(PSY_OUT_CHANNEL *psyOutChannel, CalcInvLdData( (((CalcLdData(frameFormFactor)>>1) - (CalcLdData(frameEnergy)>>(2+1))) - (fMultDiv2(FL2FXCONST_DBL(0.75f),CalcLdData((FIXP_DBL)frameNLines<<(DFRACT_BITS-1-SCALE_NLINES))) - - (((FIXP_DBL)(SCALE_FORM_FAC-SCALE_NRGS_SQRT4+FORM_FAC_SHIFT-(SCALE_NLINES_P34))<<(DFRACT_BITS-1-LD_DATA_SHIFT))>>1)) + (((FIXP_DBL)(-((-SCALE_FORM_FAC+SCALE_NRGS_SQRT4-FORM_FAC_SHIFT+SCALE_NLINES_P34) << (DFRACT_BITS-1-LD_DATA_SHIFT))))>>1)) )<<1 ); } else { From 6cc0003b74222dddd54ae985a3446b2c478ff353 Mon Sep 17 00:00:00 2001 
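Review bot: The rewritten constant term in FDKaacEnc_calcChaosMeasure (libAACenc/src/adj_thr.cpp) needs a comment, because the double negation reads like a mistake unless the reader knows the bracketed sum is negative and that left-shifting a negative value is presumably what the compiler warned about. Something like `/* sum is negative: negate, shift the positive value, negate back (left shift of a negative int is undefined) */` above the line would do. The shift now also happens before the cast to FIXP_DBL rather than after it, so the result relies on the negated sum shifted by `DFRACT_BITS-1-LD_DATA_SHIFT` still fitting in an int; a compile-time assertion on that would stop a later change to the SCALE_* constants from overflowing silently. The function body continues outside the hunk.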
From: Pavlin Radoslavov Date: Thu, 19 Jan 2017 12:03:23 -0800 Subject: [PATCH 03/35] Change build config of aac from Android.mk to Android.bp * In an effort to modernize build configurations to the new Soong system, we need to upgrade existing Android.mk files to Android.bp * This file is done by using the following steps: 1. Manually removing all *_sources from Android.mk, because of the unusual make logic they use 2. Running the auto-conversion tool: androidmk Android.mk > Android.bp 3. Editing the result Android.bp: 3.1. Writing the "srcs" list 3.2. Removing the escaping around -Wno-#warnings in cflags, because those are not needed anymore 3.3. Renamed local_include_dirs to export_include_dirs to facilititate the inclusion of header files. It appears users of libFraunhoferAAC are using header files from all include directories, hence the renaming. Test: Code compilation ("mm" in external/aac, and "make" in top-directory) Bug: b/32958753 b/34454142 Change-Id: Ie89f73722908e8734f4b88f1407952311ec064af --- Android.bp | 32 +++++++++++++++++++++++++++++ Android.mk | 59 ------------------------------------------------------ 2 files changed, 32 insertions(+), 59 deletions(-) create mode 100644 Android.bp delete mode 100644 Android.mk diff --git a/Android.bp b/Android.bp new file mode 100644 index 000000000..75fe8af51 --- /dev/null +++ b/Android.bp 
@@ -0,0 +1,32 @@
+cc_library_static {
+ name: "libFraunhoferAAC",
+ srcs: [
+ "libAACdec/src/*.cpp",
+ "libAACenc/src/*.cpp",
+ "libPCMutils/src/*.cpp",
+ "libFDK/src/*.cpp",
+ "libSYS/src/*.cpp",
+ "libMpegTPDec/src/*.cpp",
+ "libMpegTPEnc/src/*.cpp",
+ "libSBRdec/src/*.cpp",
+ "libSBRenc/src/*.cpp",
+ ],
+ cflags: [
+ "-Wno-sequence-point",
+ "-Wno-extra",
+ "-Wno-#warnings",
+ "-Wno-constant-logical-operand",
+ "-Wno-self-assign",
+ ],
+ export_include_dirs: [
+ "libAACdec/include",
+ "libAACenc/include",
+ "libPCMutils/include",
+ "libFDK/include",
+ "libSYS/include",
+ "libMpegTPDec/include",
+ "libMpegTPEnc/include",
+ "libSBRdec/include",
+ "libSBRenc/include",
+ ],
+}
diff --git a/Android.mk b/Android.mk
deleted file mode 100644
index 18bda2306..000000000
--- a/Android.mk
+++ /dev/null
@@ -1,59 +0,0 @@
-LOCAL_PATH:= $(call my-dir)
-include $(CLEAR_VARS)
-
-aacdec_sources := $(sort $(wildcard $(LOCAL_PATH)/libAACdec/src/*.cpp))
-aacdec_sources := $(aacdec_sources:$(LOCAL_PATH)/libAACdec/src/%=%)
-
-aacenc_sources := $(sort $(wildcard $(LOCAL_PATH)/libAACenc/src/*.cpp))
-aacenc_sources := $(aacenc_sources:$(LOCAL_PATH)/libAACenc/src/%=%)
-
-pcmutils_sources := $(sort $(wildcard $(LOCAL_PATH)/libPCMutils/src/*.cpp))
-pcmutils_sources := $(pcmutils_sources:$(LOCAL_PATH)/libPCMutils/src/%=%)
-
-fdk_sources := $(sort $(wildcard $(LOCAL_PATH)/libFDK/src/*.cpp))
-fdk_sources := $(fdk_sources:$(LOCAL_PATH)/libFDK/src/%=%)
-
-sys_sources := $(sort $(wildcard $(LOCAL_PATH)/libSYS/src/*.cpp))
-sys_sources := $(sys_sources:$(LOCAL_PATH)/libSYS/src/%=%)
-
-mpegtpdec_sources := $(sort $(wildcard $(LOCAL_PATH)/libMpegTPDec/src/*.cpp))
-mpegtpdec_sources := $(mpegtpdec_sources:$(LOCAL_PATH)/libMpegTPDec/src/%=%)
-
-mpegtpenc_sources := $(sort $(wildcard $(LOCAL_PATH)/libMpegTPEnc/src/*.cpp))
-mpegtpenc_sources := $(mpegtpenc_sources:$(LOCAL_PATH)/libMpegTPEnc/src/%=%)
-
-sbrdec_sources := $(sort $(wildcard $(LOCAL_PATH)/libSBRdec/src/*.cpp))
-sbrdec_sources := $(sbrdec_sources:$(LOCAL_PATH)/libSBRdec/src/%=%)
-
-sbrenc_sources := $(sort $(wildcard $(LOCAL_PATH)/libSBRenc/src/*.cpp))
-sbrenc_sources := $(sbrenc_sources:$(LOCAL_PATH)/libSBRenc/src/%=%)
-
-LOCAL_SRC_FILES := \
- $(aacdec_sources:%=libAACdec/src/%) \
- $(aacenc_sources:%=libAACenc/src/%) \
- $(pcmutils_sources:%=libPCMutils/src/%) \
- $(fdk_sources:%=libFDK/src/%) \
- $(sys_sources:%=libSYS/src/%) \
- $(mpegtpdec_sources:%=libMpegTPDec/src/%) \
- $(mpegtpenc_sources:%=libMpegTPEnc/src/%) \
- $(sbrdec_sources:%=libSBRdec/src/%) \
- $(sbrenc_sources:%=libSBRenc/src/%)
-
-LOCAL_CFLAGS += -Wno-sequence-point -Wno-extra
-LOCAL_CFLAGS += "-Wno-\#warnings" -Wno-constant-logical-operand -Wno-self-assign
-
-LOCAL_C_INCLUDES := \
- $(LOCAL_PATH)/libAACdec/include \
- $(LOCAL_PATH)/libAACenc/include \
-
$(LOCAL_PATH)/libPCMutils/include \ - $(LOCAL_PATH)/libFDK/include \ - $(LOCAL_PATH)/libSYS/include \ - $(LOCAL_PATH)/libMpegTPDec/include \ - $(LOCAL_PATH)/libMpegTPEnc/include \ - $(LOCAL_PATH)/libSBRdec/include \ - $(LOCAL_PATH)/libSBRenc/include - - -LOCAL_MODULE:= libFraunhoferAAC - -include $(BUILD_STATIC_LIBRARY) From 2cd9fe39642bf3a4b8ef36ccff307a3e24bdb196 Mon Sep 17 00:00:00 2001 From: Jakub Pawlowski Date: Tue, 21 Feb 2017 10:29:53 -0800 Subject: [PATCH 04/35] Linux compilation fix Test: manual Change-Id: Ie374e47b93e8fa3a44c731cb73f7e151d265c74c --- libPCMutils/src/pcmutils_lib.cpp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libPCMutils/src/pcmutils_lib.cpp b/libPCMutils/src/pcmutils_lib.cpp index e6ac3ff92..9303d169a 100644 --- a/libPCMutils/src/pcmutils_lib.cpp +++ b/libPCMutils/src/pcmutils_lib.cpp @@ -88,7 +88,9 @@ amm-info@iis.fraunhofer.de expansion in the PCM time domain. *******************************************************************************/ +#ifndef __linux__ #include +#endif #include "pcmutils_lib.h" #include "genericStds.h" @@ -2079,7 +2081,9 @@ PCMDMX_ERROR pcmDmx_ApplyFrame ( } } if (ch != numInChannels) { +#ifndef __linux__ ALOGE("b/23876444"); +#endif return PCMDMX_INVALID_ARGUMENT; } From 64bd48e21b42107fe93ac8bc0fb8cc24bb8643df Mon Sep 17 00:00:00 2001 From: liuchao Date: Thu, 23 Feb 2017 12:05:54 +0800 Subject: [PATCH 05/35] Fix not properly handled NULL-pointer access before check in aac lib 1) Fixes some potential NULL-pointer access in case input pointer is passed NULL 2) Modified some for lazy init Test: mm -j 8 Change-Id: I7fca97e1d9f70d8e8c1533b519181af35a5468f7 --- libAACdec/src/aacdecoder_lib.cpp | 19 ++++++------------- libAACenc/src/metadata_main.cpp | 10 ++++------ 2 files changed, 10 insertions(+), 19 deletions(-) diff --git a/libAACdec/src/aacdecoder_lib.cpp b/libAACdec/src/aacdecoder_lib.cpp index 8863da592..50efb0fd4 100644 --- a/libAACdec/src/aacdecoder_lib.cpp +++ b/libAACdec/src/aacdecoder_lib.cpp 
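Review bot: `#ifndef __linux__` in both hunks of libPCMutils/src/pcmutils_lib.cpp also compiles the guarded code out on Android, because Android toolchains define `__linux__` as well as `__ANDROID__`. As written, the `ALOGE("b/23876444");` marker emitted when pcmDmx_ApplyFrame rejects a mismatched channel count would disappear from device builds, and with it the log trace of a malformed stream reaching this check. Guarding on the platform that actually provides the logging header is safer: `#ifdef __ANDROID__` around both the include and the `ALOGE` call. pcmDmx_ApplyFrame continues outside the hunk.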
@@ -791,36 +791,29 @@ LINKSPEC_CPP AAC_DECODER_ERROR aacDecoder_DecodeFrame( const UINT flags) { AAC_DECODER_ERROR ErrorStatus; - INT layer; - INT nBits; - INT interleaved = self->outputInterleaved; - HANDLE_FDK_BITSTREAM hBs; int fTpInterruption = 0; /* Transport originated interruption detection. */ int fTpConceal = 0; /* Transport originated concealment. */ - INT_PCM *pTimeData = NULL; - INT timeDataSize = 0; - if (self == NULL) { return AAC_DEC_INVALID_HANDLE; } - - pTimeData = self->pcmOutputBuffer; - timeDataSize = sizeof(self->pcmOutputBuffer)/sizeof(*self->pcmOutputBuffer); + INT interleaved = self->outputInterleaved; + INT_PCM *pTimeData = self->pcmOutputBuffer; + INT timeDataSize = sizeof(self->pcmOutputBuffer)/sizeof(*self->pcmOutputBuffer); if (flags & AACDEC_INTR) { self->streamInfo.numLostAccessUnits = 0; } - hBs = transportDec_GetBitstream(self->hInput, 0); + HANDLE_FDK_BITSTREAM hBs = transportDec_GetBitstream(self->hInput, 0); /* Get current bits position for bitrate calculation. */ - nBits = FDKgetValidBits(hBs); + INT nBits = FDKgetValidBits(hBs); if (! (flags & (AACDEC_CONCEAL | AACDEC_FLUSH) ) ) { TRANSPORTDEC_ERROR err; - for(layer = 0; layer < self->nrOfLayers; layer++) + for(INT layer = 0; layer < self->nrOfLayers; layer++) { err = transportDec_ReadAccessUnit(self->hInput, layer); if (err != TRANSPORTDEC_OK) { diff --git a/libAACenc/src/metadata_main.cpp b/libAACenc/src/metadata_main.cpp index e92079387..90f8f4e6d 100644 --- a/libAACenc/src/metadata_main.cpp +++ b/libAACenc/src/metadata_main.cpp 
@@ -488,14 +488,12 @@ static FDK_METADATA_ERROR ProcessCompressor( { FDK_METADATA_ERROR err = METADATA_OK; - INT dynrng, compr; - DRC_PROFILE profileDrc = convertProfile(pMetadata->mpegDrc.drc_profile); - DRC_PROFILE profileComp = convertProfile(pMetadata->etsiAncData.comp_profile); - if ( (pMetadata==NULL) || (hDrcComp==NULL) ) { err = METADATA_INVALID_HANDLE; return err; } + DRC_PROFILE profileDrc = convertProfile(pMetadata->mpegDrc.drc_profile); + DRC_PROFILE profileComp = convertProfile(pMetadata->etsiAncData.comp_profile); /* first, check if profile is same as last frame * otherwise, update setup */ @@ -511,8 +509,8 @@ static FDK_METADATA_ERROR ProcessCompressor( } /* in case of embedding external values, copy this now (limiter may overwrite them) */ - dynrng = decodeDynrng(pMetadata->mpegDrc.dyn_rng_ctl[0], pMetadata->mpegDrc.dyn_rng_sgn[0]); - compr = decodeCompr(pMetadata->etsiAncData.compression_value); + INT dynrng = decodeDynrng(pMetadata->mpegDrc.dyn_rng_ctl[0], pMetadata->mpegDrc.dyn_rng_sgn[0]); + INT compr = decodeCompr(pMetadata->etsiAncData.compression_value); /* Call compressor */ if (FDK_DRC_Generator_Calc(hDrcComp, From 5eb6f0db8cc1ecc00af2ef534078e4c65fdf978f Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Tue, 14 Mar 2017 14:29:20 +0200 Subject: [PATCH 06/35] Saturate additions in spectralChange This fixes a crash. --- libSBRenc/src/tran_det.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libSBRenc/src/tran_det.cpp b/libSBRenc/src/tran_det.cpp index 33ea60e23..0e35ec341 100644 --- a/libSBRenc/src/tran_det.cpp +++ b/libSBRenc/src/tran_det.cpp 
@@ -187,12 +187,12 @@ static FIXP_DBL spectralChange(FIXP_DBL Energies[NUMBER_TIME_SLOTS_2304][MAX_FRE /* Sum up energies in first half */ for (i=start; i Date: Sun, 23 Apr 2017 21:31:36 +0200 Subject: [PATCH 07/35] Add checks to avoid overreading supplied buffers and fix issue #61. --- libFDK/include/FDK_bitstream.h | 47 ++++++++++++++++++++++++++-------- libFDK/src/FDK_bitbuffer.cpp | 18 ++++++------- 2 files changed, 45 insertions(+), 20 deletions(-) diff --git a/libFDK/include/FDK_bitstream.h b/libFDK/include/FDK_bitstream.h index fc8d7de60..d2a7e7dba 100644 --- a/libFDK/include/FDK_bitstream.h +++ b/libFDK/include/FDK_bitstream.h @@ -212,9 +212,20 @@ FDK_INLINE UINT FDKreadBits(HANDLE_FDK_BITSTREAM hBitStream, INT missingBits = numberOfBits - hBitStream->BitsInCache; if (missingBits > 0) { - UINT bits = hBitStream->CacheWord << missingBits; - hBitStream->CacheWord = FDK_get32 (&hBitStream->hBitBuf) ; - hBitStream->BitsInCache = CACHE_BITS - missingBits; + const UINT bits = hBitStream->CacheWord << missingBits; + const UINT validBits = FDK_getValidBits (&hBitStream->hBitBuf); + + if (validBits >= 32) + { + hBitStream->CacheWord = FDK_get32 (&hBitStream->hBitBuf) ; + hBitStream->BitsInCache = CACHE_BITS - missingBits; + } + else + { + hBitStream->CacheWord = FDK_get (&hBitStream->hBitBuf,validBits) ; + hBitStream->BitsInCache = validBits - missingBits; + } + return ( bits | (hBitStream->CacheWord >> hBitStream->BitsInCache)) & BitMask[numberOfBits]; } 
@@ -226,10 +237,12 @@ FDK_INLINE UINT FDKreadBits(HANDLE_FDK_BITSTREAM hBitStream, if (hBitStream->BitsInCache <= numberOfBits) { - const INT freeBits = (CACHE_BITS-1) - hBitStream->BitsInCache ; + const UINT validBits = FDK_getValidBits (&hBitStream->hBitBuf) ; + const INT freeBits = (CACHE_BITS-1) - hBitStream->BitsInCache ; + const INT bitsToRead = (freeBits <= validBits) ? freeBits : validBits ; - hBitStream->CacheWord = (hBitStream->CacheWord << freeBits) | FDK_get (&hBitStream->hBitBuf,freeBits) ; - hBitStream->BitsInCache += freeBits ; + hBitStream->CacheWord = (hBitStream->CacheWord << bitsToRead) | FDK_get (&hBitStream->hBitBuf,bitsToRead) ; + hBitStream->BitsInCache += bitsToRead ; } hBitStream->BitsInCache -= numberOfBits ; @@ -243,8 +256,18 @@ FDK_INLINE UINT FDKreadBit(HANDLE_FDK_BITSTREAM hBitStream) #ifdef OPTIMIZE_FDKREADBITS if (!hBitStream->BitsInCache) { - hBitStream->CacheWord = FDK_get32 (&hBitStream->hBitBuf); - hBitStream->BitsInCache = CACHE_BITS; + const UINT validBits = FDK_getValidBits (&hBitStream->hBitBuf); + + if (validBits >= 32) + { + hBitStream->CacheWord = FDK_get32 (&hBitStream->hBitBuf); + hBitStream->BitsInCache = CACHE_BITS; + } + else + { + hBitStream->CacheWord = FDK_get (&hBitStream->hBitBuf,validBits); + hBitStream->BitsInCache = validBits; + } } hBitStream->BitsInCache--; 
@@ -268,10 +291,12 @@ inline UINT FDKread2Bits(HANDLE_FDK_BITSTREAM hBitStream) UINT BitsInCache = hBitStream->BitsInCache; if (BitsInCache < 2) /* Comparison changed from 'less-equal' to 'less' */ { - const INT freeBits = (CACHE_BITS-1) - BitsInCache ; + const UINT validBits = FDK_getValidBits (&hBitStream->hBitBuf) ; + const INT freeBits = (CACHE_BITS-1) - BitsInCache ; + const INT bitsToRead = (freeBits <= validBits) ? freeBits : validBits ; - hBitStream->CacheWord = (hBitStream->CacheWord << freeBits) | FDK_get (&hBitStream->hBitBuf,freeBits) ; - BitsInCache += freeBits; + hBitStream->CacheWord = (hBitStream->CacheWord << bitsToRead) | FDK_get (&hBitStream->hBitBuf,bitsToRead) ; + BitsInCache += bitsToRead; } hBitStream->BitsInCache = BitsInCache - 2; return (hBitStream->CacheWord >> hBitStream->BitsInCache) & 0x3; diff --git a/libFDK/src/FDK_bitbuffer.cpp b/libFDK/src/FDK_bitbuffer.cpp index 680ceaea5..9076d846c 100644 --- a/libFDK/src/FDK_bitbuffer.cpp +++ b/libFDK/src/FDK_bitbuffer.cpp @@ -157,6 +157,8 @@ void FDK_ResetBitBuffer ( HANDLE_FDK_BITBUF hBitBuf ) INT FDK_get (HANDLE_FDK_BITBUF hBitBuf, const UINT numberOfBits) { + if (numberOfBits == 0 || numberOfBits > hBitBuf->ValidBits) return 0; + UINT byteOffset = hBitBuf->BitNdx >> 3 ; UINT bitOffset = hBitBuf->BitNdx & 0x07 ; 
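Review bot: In FDKread2Bits the refill is now capped at the bits left in the buffer, but the code after the `if` still computes `BitsInCache - 2` unconditionally. With fewer than two bits available the unsigned `BitsInCache` wraps, and the following `hBitStream->CacheWord >> hBitStream->BitsInCache` shifts by an out-of-range count. A guard right after the refill, e.g. `if (BitsInCache < 2) { hBitStream->BitsInCache = 0; return 0; }`, would make exhaustion behave like the zero return that FDK_get gains in this same commit. The later patches visible in this series add exhaustion handling to FDKreadBits and FDKreadBit only.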
@@ -166,22 +168,20 @@ INT FDK_get (HANDLE_FDK_BITBUF hBitBuf, const UINT numberOfBits) UINT byteMask = hBitBuf->bufSize - 1 ; - UINT tx = (hBitBuf->Buffer [ byteOffset & byteMask] << 24) | - (hBitBuf->Buffer [(byteOffset+1) & byteMask] << 16) | - (hBitBuf->Buffer [(byteOffset+2) & byteMask] << 8) | - hBitBuf->Buffer [(byteOffset+3) & byteMask]; + UINT tx = hBitBuf->Buffer [ byteOffset & byteMask] << 24 << bitOffset; - if (bitOffset) - { - tx <<= bitOffset; - tx |= hBitBuf->Buffer [(byteOffset+4) & byteMask] >> (8-bitOffset); - } + if (numberOfBits + bitOffset > 8) tx |= hBitBuf->Buffer [(byteOffset+1) & byteMask] << 16 << bitOffset; + if (numberOfBits + bitOffset > 16) tx |= hBitBuf->Buffer [(byteOffset+2) & byteMask] << 8 << bitOffset; + if (numberOfBits + bitOffset > 24) tx |= hBitBuf->Buffer [(byteOffset+3) & byteMask] << bitOffset; + if (numberOfBits + bitOffset > 32) tx |= hBitBuf->Buffer [(byteOffset+4) & byteMask] >> (8 - bitOffset); return (tx >> (32 - numberOfBits)) ; } INT FDK_get32 (HANDLE_FDK_BITBUF hBitBuf) { + if (hBitBuf->ValidBits < 32) return 0; + UINT BitNdx = hBitBuf->BitNdx + 32; if (BitNdx <= hBitBuf->bufBits) { From 50922e3dbd5d099a67d879c4ec1d7535ebfa30a8 Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Wed, 26 Apr 2017 23:37:11 +0300 Subject: [PATCH 08/35] Try to properly handle the case when the bitstream reader runs out of bits to read --- libFDK/include/FDK_bitstream.h | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/libFDK/include/FDK_bitstream.h b/libFDK/include/FDK_bitstream.h index d2a7e7dba..d47a750e2 100644 --- a/libFDK/include/FDK_bitstream.h +++ b/libFDK/include/FDK_bitstream.h 
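Review bot: The new `hBitBuf->Buffer [...] << 24 << bitOffset` terms in FDK_get shift a promoted int, assuming Buffer holds unsigned bytes (not visible here, confirm); a byte with its top bit set, or any nonzero bitOffset, pushes bits into or past the sign bit, which is an overflowing signed shift. Converting first keeps the arithmetic unsigned: `UINT tx = (UINT)hBitBuf->Buffer [ byteOffset & byteMask] << 24 << bitOffset;`, and likewise a `(UINT)` cast on the three `tx |= ... <<` lines. Separately, FDK_get and FDK_get32 now return 0 when too few bits remain, which a caller cannot tell apart from real zero bits; a one-line comment stating that callers must check the valid-bit count would document that contract.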
@@ -223,7 +223,15 @@ FDK_INLINE UINT FDKreadBits(HANDLE_FDK_BITSTREAM hBitStream, else { hBitStream->CacheWord = FDK_get (&hBitStream->hBitBuf,validBits) ; - hBitStream->BitsInCache = validBits - missingBits; + if (validBits >= missingBits) + { + hBitStream->BitsInCache = validBits - missingBits; + } + else + { + hBitStream->BitsInCache = 0; + hBitStream->CacheWord <<= missingBits - validBits; + } } return ( bits | (hBitStream->CacheWord >> hBitStream->BitsInCache)) & BitMask[numberOfBits]; @@ -243,6 +251,12 @@ FDK_INLINE UINT FDKreadBits(HANDLE_FDK_BITSTREAM hBitStream, hBitStream->CacheWord = (hBitStream->CacheWord << bitsToRead) | FDK_get (&hBitStream->hBitBuf,bitsToRead) ; hBitStream->BitsInCache += bitsToRead ; + if (hBitStream->BitsInCache < numberOfBits) + { + hBitStream->CacheWord <<= numberOfBits - hBitStream->BitsInCache; + hBitStream->BitsInCache = 0; + return (hBitStream->CacheWord >> hBitStream->BitsInCache) & validMask ; + } } hBitStream->BitsInCache -= numberOfBits ; From 86e949c0768dc49b7215d41062be8274f7c9dca6 Mon Sep 17 00:00:00 2001 From: Chih-Hung Hsieh Date: Mon, 5 Jun 2017 10:09:41 -0700 Subject: [PATCH 09/35] Add OWNERS in external/aac Owners are selected from top CL approvals or owners. They will be suggested to review/approve future CLs. Test: build/make/tools/checkowners.py -c -v OWNERS Change-Id: Iacb2e068189b39030a218b6496ca41a0bd4ce7d2 --- OWNERS | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 OWNERS diff --git a/OWNERS b/OWNERS new file mode 100644 index 000000000..ffd753efe --- /dev/null +++ b/OWNERS @@ -0,0 +1,2 @@ +jmtrivi@google.com +gkasten@android.com From 4c4da0e39a1f8e7b265110996bceccd145f5bb9c Mon Sep 17 00:00:00 2001 
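Review bot: The two new exhaustion branches in FDKreadBits pad the missing low bits with zeros and return as if the read had succeeded, and nothing in the code says so. A comment such as `/* stream exhausted: return the bits we have, left-aligned and zero-padded */` on each branch would tell the next reader that callers are expected to detect the overrun through the valid-bit count. In the second hunk `BitsInCache` is set to 0 on the line before the return, so `(hBitStream->CacheWord >> hBitStream->BitsInCache) & validMask` is just `hBitStream->CacheWord & validMask`; writing it that way avoids suggesting a shift still takes place. FDKreadBits begins and ends outside both hunks.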
From: Martin Storsjo Date: Wed, 7 Jun 2017 15:54:02 +0300 Subject: [PATCH 10/35] Avoid infinite loops in block decoding Fixes: 1921/clusterfuzz-testcase-minimized-5480510065213440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libAACdec/src/block.cpp | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libAACdec/src/block.cpp b/libAACdec/src/block.cpp index a19284e49..bda565c5b 100644 --- a/libAACdec/src/block.cpp +++ b/libAACdec/src/block.cpp @@ -318,6 +318,9 @@ AAC_DECODER_ERROR CBlock_ReadSectionData(HANDLE_FDK_BITSTREAM bs, } sect_len += sect_len_incr; + if (sect_len <= 0) { + return AAC_DEC_PARSE_ERROR; + } top = band + sect_len; From 21cb19455c08555431eb7b4a942df6a9f64c0941 Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Wed, 7 Jun 2017 16:17:59 +0300 Subject: [PATCH 11/35] Don't try to read a negative number of bits Fixes: 1919/clusterfuzz-testcase-minimized-5021082513833984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libSBRdec/src/psbitdec.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libSBRdec/src/psbitdec.cpp b/libSBRdec/src/psbitdec.cpp index 29bddf710..ec6e4843b 100644 --- a/libSBRdec/src/psbitdec.cpp +++ b/libSBRdec/src/psbitdec.cpp @@ -498,7 +498,7 @@ ReadPsData (HANDLE_PS_DEC h_ps_d, /*!< handle to struct PS_DEC */ h_ps_d->bPsDataAvail[h_ps_d->bsReadSlot] = ppt_none; /* discard all remaining bits */ nBitsLeft -= startbits - FDKgetValidBits(hBitBuf); - while (nBitsLeft) { + while (nBitsLeft > 0) { int i = nBitsLeft; if (i>8) { i = 8; From d2fa9750d5f5cc5099ed616f762aad36cf2d3e9a Mon Sep 17 00:00:00 2001 
From: Martin Storsjo Date: Sun, 11 Jun 2017 22:59:38 +0300 Subject: [PATCH 12/35] Make sure to end all CRC regions in the right order This fixes assert failures, when a (corrupt/fuzzed) bitstream doesn't trigger starting/ending CRCs properly (or when decoding is aborted halfway when an error is encountered). Skipping ending a CRC region doesn't trigger an assert failure, but when a later CRC region is started and ended, an assert fails when the end doesn't match the expected CRC region. Fixes: 1928/clusterfuzz-testcase-minimized-6480505958563840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libAACdec/src/channel.cpp | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/libAACdec/src/channel.cpp b/libAACdec/src/channel.cpp index 54750792e..4b182e00c 100644 --- a/libAACdec/src/channel.cpp +++ b/libAACdec/src/channel.cpp @@ -411,11 +411,15 @@ AAC_DECODER_ERROR CChannelElement_Read(HANDLE_FDK_BITSTREAM hBs, case drmcrc_end_reg: if (pTpDec != NULL) { transportDec_CrcEndReg(pTpDec, crcReg1); + crcReg1 = -1; } break; case adtscrc_end_reg2: - if (pTpDec != NULL) { + if (crcReg1 != -1) { + error = AAC_DEC_DECODE_FRAME_ERROR; + } else if (pTpDec != NULL) { transportDec_CrcEndReg(pTpDec, crcReg2); + crcReg2 = -1; } break; case drmcrc_start_reg: @@ -447,5 +451,16 @@ AAC_DECODER_ERROR CChannelElement_Read(HANDLE_FDK_BITSTREAM hBs, } while (list->id[i] != end_of_sequence); bail: + if (crcReg1 != -1 || crcReg2 != -1) { + if (error == AAC_DEC_OK) { + error = AAC_DEC_DECODE_FRAME_ERROR; + } + if (crcReg1 != -1) { + transportDec_CrcEndReg(pTpDec, crcReg1); + } + if (crcReg2 != -1) { + transportDec_CrcEndReg(pTpDec, crcReg2); + } + } return error; } From 39e13c1acbca94f562f9776e1555ced50dd0dfcd Mon Sep 17 00:00:00 2001 
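Review bot: The cleanup added at `bail:` in CChannelElement_Read calls `transportDec_CrcEndReg(pTpDec, crcReg1)` and `transportDec_CrcEndReg(pTpDec, crcReg2)` without the `pTpDec != NULL` test that the `drmcrc_end_reg` and `adtscrc_end_reg2` cases use. If a region index can only leave -1 when pTpDec is set (the start cases are outside the hunk) this is safe, but then a comment should say so; otherwise use `if (pTpDec != NULL && crcReg1 != -1)` and the same for crcReg2. The new `adtscrc_end_reg2` branch also only records the error and falls through to `break`; whether the surrounding loop stops on `error` is not visible here.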
From: Martin Storsjo Date: Wed, 7 Jun 2017 15:29:59 +0300 Subject: [PATCH 13/35] Fix "Stack-buffer-overflow in FDKmemset" This probably doesn't fix the root cause, but at least fixes the issues found in this particular fuzzed sample. Fixes: 1973/clusterfuzz-testcase-minimized-6319232084082688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libFDK/src/qmf.cpp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libFDK/src/qmf.cpp b/libFDK/src/qmf.cpp index 54526ddff..13e6ff294 100644 --- a/libFDK/src/qmf.cpp +++ b/libFDK/src/qmf.cpp @@ -791,6 +791,10 @@ qmfInverseModulationHQ( HANDLE_QMF_FILTER_BANK synQmf, /*!< Handle of Qmf Synth scaleValues(&tImag[0+synQmf->lsb], &qmfImag[0+synQmf->lsb], synQmf->usb-synQmf->lsb, scaleFactorHighBand); } + if (synQmf->usb >= synQmf->no_channels) { + return; + } + FDKmemclear(&tReal[synQmf->usb], (synQmf->no_channels-synQmf->usb)*sizeof(FIXP_QMF)); FDKmemclear(&tImag[synQmf->usb], (synQmf->no_channels-synQmf->usb)*sizeof(FIXP_QMF)); From e7f36eed224b9530cf0eb7e56d6c43d3de14429e Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Sat, 10 Jun 2017 13:58:13 +0300 Subject: [PATCH 14/35] Check that the SBR decoder has been properly initialized This probably doesn't fix the root cause, but at least fixes the issues found in this particular fuzzed sample. Fixes: 1994/clusterfuzz-testcase-minimized-6368089497141248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libSBRdec/src/sbr_dec.cpp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libSBRdec/src/sbr_dec.cpp b/libSBRdec/src/sbr_dec.cpp index 08643484e..76009ba24 100644 --- a/libSBRdec/src/sbr_dec.cpp +++ b/libSBRdec/src/sbr_dec.cpp 
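Review bot: The range check on `synQmf->usb` in qmfInverseModulationHQ sits after the `scaleValues(..., synQmf->usb-synQmf->lsb, scaleFactorHighBand)` call shown as context, so an out-of-range usb has already been used as a write length into tImag (and presumably tReal) before the function returns. If those arrays hold no_channels entries, as the FDKmemclear length suggests, the check belongs before the first use of usb in the function, which starts outside the hunk. The early `return` also leaves the synthesis for this slot undone without reporting anything to the caller. The same placement applies to the re-applied fix later in this series (PATCH 16/35), which only changes the comparison to `>`.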
@@ -940,6 +940,10 @@ resetSbrDec (HANDLE_SBR_DEC hSbrDec, FIXP_DBL **OverlapBufferReal = hSbrDec->QmfBufferReal; FIXP_DBL **OverlapBufferImag = hSbrDec->QmfBufferImag; + if (!hSbrDec->LppTrans.pSettings) { + return SBRDEC_NOT_INITIALIZED; + } + /* assign qmf time slots */ assignTimeSlots( hSbrDec, hHeaderData->numberTimeSlots * hHeaderData->timeStep, useLP); From a9c8cb2cf64004a8d4089aef953734c6e98f7c52 Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Thu, 22 Jun 2017 11:52:08 +0300 Subject: [PATCH 15/35] Revert "Fix "Stack-buffer-overflow in FDKmemset"" This reverts commit 39e13c1acbca94f562f9776e1555ced50dd0dfcd. This turned out to break HE-AACv2 encoding. Will look for a better fix for the issue found by the fuzzed sample. This fixes issue #69. --- libFDK/src/qmf.cpp | 4 ---- 1 file changed, 4 deletions(-) diff --git a/libFDK/src/qmf.cpp b/libFDK/src/qmf.cpp index 13e6ff294..54526ddff 100644 --- a/libFDK/src/qmf.cpp +++ b/libFDK/src/qmf.cpp @@ -791,10 +791,6 @@ qmfInverseModulationHQ( HANDLE_QMF_FILTER_BANK synQmf, /*!< Handle of Qmf Synth scaleValues(&tImag[0+synQmf->lsb], &qmfImag[0+synQmf->lsb], synQmf->usb-synQmf->lsb, scaleFactorHighBand); } - if (synQmf->usb >= synQmf->no_channels) { - return; - } - FDKmemclear(&tReal[synQmf->usb], (synQmf->no_channels-synQmf->usb)*sizeof(FIXP_QMF)); FDKmemclear(&tImag[synQmf->usb], (synQmf->no_channels-synQmf->usb)*sizeof(FIXP_QMF)); From af5863a78efdfccd003dd6bea68c4a2cd2ad9f37 Mon Sep 17 00:00:00 2001 
From: Martin Storsjo Date: Wed, 7 Jun 2017 15:29:59 +0300 Subject: [PATCH 16/35] Re-fix "Stack-buffer-overflow in FDKmemset" This probably doesn't fix the root cause, but at least fixes the issues found in this particular fuzzed sample. Compared to the previous fix in 39e13c1acbca94f562f9776e1555ced50dd0dfcd, this doesn't break HE-AACv2 encoding, by allowing the case with usb==no_channels. Fixes: 1973/clusterfuzz-testcase-minimized-6319232084082688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libFDK/src/qmf.cpp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libFDK/src/qmf.cpp b/libFDK/src/qmf.cpp index 54526ddff..595fe941a 100644 --- a/libFDK/src/qmf.cpp +++ b/libFDK/src/qmf.cpp @@ -791,6 +791,10 @@ qmfInverseModulationHQ( HANDLE_QMF_FILTER_BANK synQmf, /*!< Handle of Qmf Synth scaleValues(&tImag[0+synQmf->lsb], &qmfImag[0+synQmf->lsb], synQmf->usb-synQmf->lsb, scaleFactorHighBand); } + if (synQmf->usb > synQmf->no_channels) { + return; + } + FDKmemclear(&tReal[synQmf->usb], (synQmf->no_channels-synQmf->usb)*sizeof(FIXP_QMF)); FDKmemclear(&tImag[synQmf->usb], (synQmf->no_channels-synQmf->usb)*sizeof(FIXP_QMF)); From ecb2ad9a7b72b9fe96720c59289e5ccd9bf0f433 Mon Sep 17 00:00:00 2001 
From: Martin Storsjo Date: Thu, 3 Aug 2017 12:51:43 +0300 Subject: [PATCH 17/35] Check that all channel mapping entries used are valid If channel numbers are changed on the fly (in invalid bitstreams), we can end up with a channel mapping with fewer channels mapped than we actually try to output. Ideally, this condition should probably be checked somewhere closer to where it enters such a state, not when using the channel mapping though. Fixes: 2808/clusterfuzz-testcase-minimized-4694952892170240 Fixes: 2275/clusterfuzz-testcase-minimized-6205444085252096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libSBRdec/src/sbrdecoder.cpp | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libSBRdec/src/sbrdecoder.cpp b/libSBRdec/src/sbrdecoder.cpp index f9ded5416..766d7e9f9 100644 --- a/libSBRdec/src/sbrdecoder.cpp +++ b/libSBRdec/src/sbrdecoder.cpp @@ -1444,6 +1444,9 @@ sbrDecoder_DecodeElement ( self->flags |= (applyPs) ? SBRDEC_PS_DECODED : 0; } + if (channelMapping[0] == 255 || channelMapping[1] == 255) + return SBRDEC_UNSUPPORTED_CONFIG; + /* Set strides for reading and writing */ if (interleaved) { strideIn = numInChannels; From 52c2660c26beaaccf903759c18bb758e9f18a470 Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Thu, 3 Aug 2017 13:47:15 +0300 Subject: [PATCH 18/35] Make sure at least one bit exists before reading further in FDKreadBit Fixes: 2709/clusterfuzz-testcase-minimized-6160249369133056 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libFDK/include/FDK_bitstream.h | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libFDK/include/FDK_bitstream.h b/libFDK/include/FDK_bitstream.h index d47a750e2..19bc8644b 100644 --- a/libFDK/include/FDK_bitstream.h +++ b/libFDK/include/FDK_bitstream.h 
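Review bot: The new test `channelMapping[0] == 255 || channelMapping[1] == 255` in sbrDecoder_DecodeElement hard-codes 255 as the marker for an unmapped channel and reads the second entry whether or not the element is stereo. A named constant would let the value be checked against the place where the mapping is filled in. A short comment should also state why entry 1 must be valid for a mono element, presumably because PS (see `applyPs` in the context line) produces a second output channel, which should be confirmed. The function body continues outside the hunk.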
@@ -277,11 +277,15 @@ FDK_INLINE UINT FDKreadBit(HANDLE_FDK_BITSTREAM hBitStream) hBitStream->CacheWord = FDK_get32 (&hBitStream->hBitBuf); hBitStream->BitsInCache = CACHE_BITS; } - else + else if (validBits > 0) { hBitStream->CacheWord = FDK_get (&hBitStream->hBitBuf,validBits); hBitStream->BitsInCache = validBits; } + else + { + return 0; + } } hBitStream->BitsInCache--; From ee6d9476a656195460c903bde741e96be4220660 Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Thu, 3 Aug 2017 13:59:22 +0300 Subject: [PATCH 19/35] Check for heightLayer out of range Alternatively, the bits read in CProgramConfig_ReadHeightExt could be checked right there instead. Fixes: 2802/clusterfuzz-testcase-minimized-6752357788418048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libMpegTPDec/src/tpdec_asc.cpp | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libMpegTPDec/src/tpdec_asc.cpp b/libMpegTPDec/src/tpdec_asc.cpp index 96a1b353f..a292bcb5b 100644 --- a/libMpegTPDec/src/tpdec_asc.cpp +++ b/libMpegTPDec/src/tpdec_asc.cpp @@ -650,6 +650,8 @@ int CProgramConfig_LookupElement( /* search in front channels */ for (i = 0; i < pPce->NumFrontChannelElements; i++) { int heightLayer = pPce->FrontElementHeightInfo[i]; + if (heightLayer >= PC_NUM_HEIGHT_LAYER) + return 0; if (isCpe == pPce->FrontElementIsCpe[i] && pPce->FrontElementTagSelect[i] == tag) { int h, elIdx = ec[heightLayer], chIdx = cc[heightLayer]; AUDIO_CHANNEL_TYPE aChType = (AUDIO_CHANNEL_TYPE)((heightLayer<<4) | ACT_FRONT); 
@@ -704,6 +706,8 @@ int CProgramConfig_LookupElement( /* search in side channels */ for (i = 0; i < pPce->NumSideChannelElements; i++) { int heightLayer = pPce->SideElementHeightInfo[i]; + if (heightLayer >= PC_NUM_HEIGHT_LAYER) + return 0; if (isCpe == pPce->SideElementIsCpe[i] && pPce->SideElementTagSelect[i] == tag) { int h, elIdx = ec[heightLayer], chIdx = cc[heightLayer]; AUDIO_CHANNEL_TYPE aChType = (AUDIO_CHANNEL_TYPE)((heightLayer<<4) | ACT_SIDE); @@ -758,6 +762,8 @@ int CProgramConfig_LookupElement( /* search in back channels */ for (i = 0; i < pPce->NumBackChannelElements; i++) { int heightLayer = pPce->BackElementHeightInfo[i]; + if (heightLayer >= PC_NUM_HEIGHT_LAYER) + return 0; if (isCpe == pPce->BackElementIsCpe[i] && pPce->BackElementTagSelect[i] == tag) { int h, elIdx = ec[heightLayer], chIdx = cc[heightLayer]; AUDIO_CHANNEL_TYPE aChType = (AUDIO_CHANNEL_TYPE)((heightLayer<<4) | ACT_BACK); @@ -817,18 +823,24 @@ int CProgramConfig_LookupElement( Start with counting the front channels/elements at normal height */ for (i = 0; i < pPce->NumFrontChannelElements; i+=1) { int heightLayer = pPce->FrontElementHeightInfo[i]; + if (heightLayer >= PC_NUM_HEIGHT_LAYER) + return 0; ec[heightLayer] += 1; cc[heightLayer] += (pPce->FrontElementIsCpe[i]) ? 2 : 1; } /* Count side channels/elements at normal height */ for (i = 0; i < pPce->NumSideChannelElements; i+=1) { int heightLayer = pPce->SideElementHeightInfo[i]; + if (heightLayer >= PC_NUM_HEIGHT_LAYER) + return 0; ec[heightLayer] += 1; cc[heightLayer] += (pPce->SideElementIsCpe[i]) ? 2 : 1; } /* Count back channels/elements at normal height */ for (i = 0; i < pPce->NumBackChannelElements; i+=1) { int heightLayer = pPce->BackElementHeightInfo[i]; + if (heightLayer >= PC_NUM_HEIGHT_LAYER) + return 0; ec[heightLayer] += 1; cc[heightLayer] += (pPce->BackElementIsCpe[i]) ? 2 : 1; } From a4aa860efb3b3ff2d535a4af45457e888aefa85e Mon Sep 17 00:00:00 2001 
From: Jiyong Park Date: Mon, 7 Aug 2017 13:12:02 +0900 Subject: [PATCH 20/35] Make software codecs as VNDK Software codecs and their dependencies are marked as VNDK (or just vendor_available:true for static/header libs). Bug: 37343418 Test: build the software codecs with BOARD_VNDK_VERSION=current Change-Id: I9ecedb5a95abc9978ff7ed3538bd2dedec750c7d --- Android.bp | 1 + 1 file changed, 1 insertion(+) diff --git a/Android.bp b/Android.bp index 75fe8af51..daad82c3a 100644 --- a/Android.bp +++ b/Android.bp @@ -1,5 +1,6 @@ cc_library_static { name: "libFraunhoferAAC", + vendor_available: true, srcs: [ "libAACdec/src/*.cpp", "libAACenc/src/*.cpp", From 393a86c0dbffdf741e44b84e6a88eb1c2138073d Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Tue, 15 Aug 2017 14:57:37 +0300 Subject: [PATCH 21/35] Check that pSettings is initialized Fixes: 2872/clusterfuzz-testcminimized-4529959869612032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libSBRdec/src/sbrdecoder.cpp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libSBRdec/src/sbrdecoder.cpp b/libSBRdec/src/sbrdecoder.cpp index 766d7e9f9..7d9468ca0 100644 --- a/libSBRdec/src/sbrdecoder.cpp +++ b/libSBRdec/src/sbrdecoder.cpp @@ -1446,6 +1446,10 @@ sbrDecoder_DecodeElement ( if (channelMapping[0] == 255 || channelMapping[1] == 255) return SBRDEC_UNSUPPORTED_CONFIG; + if (!pSbrChannel[0]->SbrDec.LppTrans.pSettings) + return SBRDEC_UNSUPPORTED_CONFIG; + if (stereo && !pSbrChannel[1]->SbrDec.LppTrans.pSettings) + return SBRDEC_UNSUPPORTED_CONFIG; /* Set strides for reading and writing */ if (interleaved) { From 1244b257ee7ec7d56f021a5c2e39e2c04881a148 Mon Sep 17 00:00:00 2001 
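Review bot: The same condition, a NULL `LppTrans.pSettings`, is reported as SBRDEC_NOT_INITIALIZED by the resetSbrDec check added earlier in this series (PATCH 14/35) but as SBRDEC_UNSUPPORTED_CONFIG by the two checks added here in sbrDecoder_DecodeElement, so callers that distinguish the codes see different errors for one fault. Unless the difference is intended, `return SBRDEC_NOT_INITIALIZED;` on both new return lines would be consistent. The checks also dereference `pSbrChannel[0]` and `pSbrChannel[1]` directly; whether those pointers are guaranteed non-NULL at this point is not visible in the hunk.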
From: Martin Storsjo Date: Tue, 15 Aug 2017 16:36:05 +0300 Subject: [PATCH 22/35] Always feed more input data when possible for ADTS This fixes cases where an ADTS header could set numberOfRawDataBlocks to a number larger than 1, which would lead to transportDec_FillData not feeding any more data, even though the input buffer was depleted. Fixes: 3014/clusterfuzz-testcase-5425740193464320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libMpegTPDec/src/tpdec_lib.cpp | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libMpegTPDec/src/tpdec_lib.cpp b/libMpegTPDec/src/tpdec_lib.cpp index 24f755b7e..09f070366 100644 --- a/libMpegTPDec/src/tpdec_lib.cpp +++ b/libMpegTPDec/src/tpdec_lib.cpp @@ -342,9 +342,7 @@ TRANSPORTDEC_ERROR transportDec_FillData( } } else { /* ... else feed bitbuffer with new stream data (append). */ - if (hTp->numberOfRawDataBlocks <= 0) { - FDKfeedBuffer (hBs, pBuffer, bufferSize, pBytesValid) ; - } + FDKfeedBuffer (hBs, pBuffer, bufferSize, pBytesValid); } return TRANSPORTDEC_OK; From 963b1891562e930a7d997215e700ef5ec5b4461e Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Fri, 18 Aug 2017 22:33:37 +0300 Subject: [PATCH 23/35] Enhance TNS tuning for 8 kHz audio sampling rate This tuning has been suggested by Fraunhofer, fixing overflows in encoding certain sequences. --- libAACenc/src/aacenc_tns.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libAACenc/src/aacenc_tns.cpp b/libAACenc/src/aacenc_tns.cpp index 9a07e8f29..5fcd309db 100644 --- a/libAACenc/src/aacenc_tns.cpp +++ b/libAACenc/src/aacenc_tns.cpp 
@@ -388,7 +388,7 @@ AAC_ENCODER_ERROR FDKaacEnc_InitTnsConfiguration(INT bitRate, switch (granuleLength) { case 1024: /* TNS start line: skip lower MDCT lines to prevent artifacts due to filter mismatch */ - tC->lpcStartBand[LOFILT] = (blockType == SHORT_WINDOW) ? 0 : ((sampleRate < 18783) ? 4 : 8); + tC->lpcStartBand[LOFILT] = (blockType == SHORT_WINDOW) ? 0 : ((sampleRate <= 8000) ? 2 : ((sampleRate < 18783) ? 4 : 8)); tC->lpcStartLine[LOFILT] = pC->sfbOffset[tC->lpcStartBand[LOFILT]]; i = tC->lpcStopBand; From a3d11689433a046ad57add8ea22dedceb2fe722d Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Fri, 18 Aug 2017 22:37:30 +0300 Subject: [PATCH 24/35] Adjust the fix for infinite loops with a drained ADTS stream This should have less risk of causing other issues. --- libMpegTPDec/src/tpdec_lib.cpp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libMpegTPDec/src/tpdec_lib.cpp b/libMpegTPDec/src/tpdec_lib.cpp index 09f070366..5760752e8 100644 --- a/libMpegTPDec/src/tpdec_lib.cpp +++ b/libMpegTPDec/src/tpdec_lib.cpp @@ -342,7 +342,9 @@ TRANSPORTDEC_ERROR transportDec_FillData( } } else { /* ... else feed bitbuffer with new stream data (append). */ - FDKfeedBuffer (hBs, pBuffer, bufferSize, pBytesValid); + if ((hTp->numberOfRawDataBlocks <= 0) || (FDKgetValidBits(hBs)==0)) { + FDKfeedBuffer (hBs, pBuffer, bufferSize, pBytesValid) ; + } } return TRANSPORTDEC_OK; From e2e35b82738dc9d5e5229477d49d557cadad4dc7 Mon Sep 17 00:00:00 2001 From: Doug Benedict Date: Wed, 20 Sep 2017 14:30:42 -0700 Subject: [PATCH 25/35] Make sure there are enough bits when reading ADTS header. --- libMpegTPDec/src/tpdec_adts.cpp | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libMpegTPDec/src/tpdec_adts.cpp b/libMpegTPDec/src/tpdec_adts.cpp index c45568165..934fbc8de 100644 --- a/libMpegTPDec/src/tpdec_adts.cpp +++ b/libMpegTPDec/src/tpdec_adts.cpp 
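Review bot: The new start-band selection nests a second ternary inside the first and puts a bare `8000` next to the existing `18783`, while the comment above it still only talks about skipping lower MDCT lines. The commit message gives the actual reason (overflows when encoding certain sequences), and that belongs at the point of use, e.g. `/* <= 8 kHz: start at band 2, tuning from Fraunhofer to avoid overflow on some inputs */`. Only the `case 1024` branch is touched; whether the other granule lengths in this switch (outside the hunk) need the same threshold is not visible here.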
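Review bot: The restored guard combines two unrelated conditions, and the comment above it (`... else feed bitbuffer with new stream data (append).`) explains neither. I would document that `numberOfRawDataBlocks <= 0` is the original condition and that `FDKgetValidBits(hBs)==0` is the escape for a drained buffer with raw data blocks still pending, which the commit title names as the infinite-loop case. A buffer that still holds a few bits, but fewer than the next block needs, is not refilled by this condition; whether the caller then terminates rather than spins is decided outside the hunk and is worth confirming against the fuzz reproducers referenced in patch 22.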
@@ -185,6 +185,9 @@ TRANSPORTDEC_ERROR adtsRead_DecodeHeader( #endif valBits = FDKgetValidBits(hBs); + if (valBits < ADTS_HEADERLENGTH) { + return TRANSPORTDEC_NOT_ENOUGH_BITS; + } /* adts_fixed_header */ bs.mpeg_id = FDKreadBits(hBs, Adts_Length_Id); From 3e8a17c1c1a7bed415b033734e9ac4a5dd7673d1 Mon Sep 17 00:00:00 2001 From: Chih-Hung Hsieh Date: Wed, 27 Sep 2017 10:17:29 -0700 Subject: [PATCH 26/35] Use -Werror in external/aac Bug: 66996870 Test: build with WITH_TIDY=1 Exempt-From-Owner-Approval: Colin +2 should be the owner approval Change-Id: I167f73ee9dc5e977fd6976f48732ae1e1fe13c8b --- Android.bp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Android.bp b/Android.bp index 75fe8af51..0ae0b8493 100644 --- a/Android.bp +++ b/Android.bp @@ -12,6 +12,8 @@ cc_library_static { "libSBRenc/src/*.cpp", ], cflags: [ + "-Werror", + "-Wno-constant-conversion", "-Wno-sequence-point", "-Wno-extra", "-Wno-#warnings", From c366b3db8fd78013edc5968df8507473b6fa71e6 Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Fri, 20 Oct 2017 15:36:53 +0300 Subject: [PATCH 27/35] Add tighter sanity checks in CBlock_GetEscape We can't read 31 bits of value here, since that would place the topmost bit in the sign bit. Fixes: 3480/clusterfuzz-testcase-4573445423628288 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libAACdec/src/block.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libAACdec/src/block.cpp b/libAACdec/src/block.cpp index bda565c5b..8bee2d41e 100644 --- a/libAACdec/src/block.cpp +++ b/libAACdec/src/block.cpp @@ -138,7 +138,7 @@ LONG CBlock_GetEscape(HANDLE_FDK_BITSTREAM bs, /*!< pointer to bitstream */ if (i > 16) { - if (i - 16 > CACHE_BITS) { /* cannot read more than "CACHE_BITS" bits at once in the function FDKreadBits() */ + if (i >= 31) { /* (1 << i) will shift into the sign bit if i >= 31 */ return (MAX_QUANTIZED_VALUE + 1); /* returning invalid value that will be captured later */ } 
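Review bot: The added length check guarantees only `ADTS_HEADERLENGTH` bits, so anything `adtsRead_DecodeHeader` reads beyond the header fields is not covered by it. Those later reads are outside the hunk; if the function also consumes a CRC or further per-block fields, each needs its own bound or the constant here needs to account for them. Placing the check before the header fields are read is right, and a short comment would keep later edits from moving reads above it, e.g. `/* reject short input before any header field is consumed */`.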
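Review bot: `-Wno-constant-conversion` is added in the same change that turns on `-Werror`, which switches that diagnostic off for every source in the library rather than for the files that trigger it. In a codec that parses untrusted bitstreams, constant-truncation warnings are worth fixing or suppressing per site. At minimum I would add a comment in `cflags` naming the sources that currently need the suppression, so it can be removed once they are fixed.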
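Review bot: The new bound is the literal `31`, which encodes the bit width of the operand in `(1 << i)` without naming it, and the check no longer refers to `CACHE_BITS` at all. A named constant next to the shift would keep the two in step if the type ever changes. The retained comment says the returned `MAX_QUANTIZED_VALUE + 1` is an invalid value caught later, which suggests any escape above `MAX_QUANTIZED_VALUE` is rejected anyway; if so, a limit derived from that constant would reject oversized escapes here instead of relying on the later check. `CBlock_GetEscape` continues outside the hunk, so the later check is not visible.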
From cf697df5ad1495f167181dec0976ee228bec6378 Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Fri, 20 Oct 2017 16:05:02 +0300 Subject: [PATCH 28/35] Avoid reading out of bounds due to negative aaIccIndexMapped Fixes: 3452/clusterfuzz-testcase-4898065225875456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libSBRdec/src/psdec.cpp | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libSBRdec/src/psdec.cpp b/libSBRdec/src/psdec.cpp index 965917af1..88a79a4fc 100644 --- a/libSBRdec/src/psdec.cpp +++ b/libSBRdec/src/psdec.cpp @@ -944,7 +944,7 @@ void initSlotBasedRotation( HANDLE_PS_DEC h_ps_d, /*!< pointer to the module sta FIXP_SGL invL; FIXP_DBL ScaleL, ScaleR; - FIXP_DBL Alpha, Beta; + FIXP_DBL Alpha, Beta, AlphasValue; FIXP_DBL h11r, h12r, h21r, h22r; const FIXP_DBL *PScaleFactors; @@ -1015,8 +1015,11 @@ void initSlotBasedRotation( HANDLE_PS_DEC h_ps_d, /*!< pointer to the module sta ScaleR = PScaleFactors[noIidSteps + h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin]]; ScaleL = PScaleFactors[noIidSteps - h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin]]; - Beta = fMult (fMult( Alphas[h_ps_d->specificTo.mpeg.coef.aaIccIndexMapped[env][bin]], ( ScaleR - ScaleL )), FIXP_SQRT05); - Alpha = Alphas[h_ps_d->specificTo.mpeg.coef.aaIccIndexMapped[env][bin]]>>1; + AlphasValue = 0; + if (h_ps_d->specificTo.mpeg.coef.aaIccIndexMapped[env][bin] >= 0) + AlphasValue = Alphas[h_ps_d->specificTo.mpeg.coef.aaIccIndexMapped[env][bin]]; + Beta = fMult (fMult( AlphasValue, ( ScaleR - ScaleL )), FIXP_SQRT05); + Alpha = AlphasValue>>1; /* Alpha and Beta are now both scaled by 2 shifts right */ From 1e3515e03e2dbdbd48dacc31ef75d25c201a4c51 Mon Sep 17 00:00:00 2001 
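Review bot: The added guard in the second hunk rejects only negative `aaIccIndexMapped` values, so an index past the end of `Alphas` still reaches the table read. If the mapped index is not clamped where the bitstream is parsed (not visible here), the check should bound both sides, `if (idx >= 0 && idx < ALPHAS_TABLE_LEN)`, where `ALPHAS_TABLE_LEN` is a placeholder for the number of entries in `Alphas`; the real constant is not on this page. The later hunk at `@@ -1012,8 +1014,11` adds an upper bound for the IID index but leaves this guard as it is. Substituting 0 also hides a corrupt stream from the caller, so a comment stating that the silent fallback is intended would help.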
From: Martin Storsjo Date: Mon, 30 Oct 2017 23:06:44 +0200 Subject: [PATCH 29/35] Fix an assertion failure (avoid division by zero) when encoding a particular input --- libAACenc/src/aacenc_tns.cpp | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libAACenc/src/aacenc_tns.cpp b/libAACenc/src/aacenc_tns.cpp index 5fcd309db..3026d693f 100644 --- a/libAACenc/src/aacenc_tns.cpp +++ b/libAACenc/src/aacenc_tns.cpp @@ -1147,6 +1147,9 @@ static INT FDKaacEnc_AutoToParcor( workBuffer++; } + if (input[0] == 0) + input[0] = 1; + tmp = fMult((FIXP_DBL)((LONG)TNS_PREDGAIN_SCALE<<21), fDivNorm(fAbs(autoCorr_0), fAbs(input[0]), &scale)); if ( fMultDiv2(autoCorr_0, input[0]) Date: Mon, 20 Nov 2017 12:35:32 +0200 Subject: [PATCH 30/35] Avoid reading out of bounds due to too large aaIidIndexMapped Fixes: 4151/clusterfuzz-testcase-4854089193095168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libSBRdec/src/psdec.cpp | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libSBRdec/src/psdec.cpp b/libSBRdec/src/psdec.cpp index 88a79a4fc..1729f90a6 100644 --- a/libSBRdec/src/psdec.cpp +++ b/libSBRdec/src/psdec.cpp @@ -938,7 +938,7 @@ void initSlotBasedRotation( HANDLE_PS_DEC h_ps_d, /*!< pointer to the module sta INT group = 0; INT bin = 0; - INT noIidSteps; + INT noIidSteps, noFactors; /* const UCHAR *pQuantizedIIDs;*/ @@ -984,6 +984,7 @@ void initSlotBasedRotation( HANDLE_PS_DEC h_ps_d, /*!< pointer to the module sta { PScaleFactors = ScaleFactorsFine; /* values are shiftet right by one */ noIidSteps = NO_IID_STEPS_FINE; + noFactors = NO_IID_LEVELS_FINE; /*pQuantizedIIDs = quantizedIIDsFine;*/ } @@ -991,6 +992,7 @@ void initSlotBasedRotation( HANDLE_PS_DEC h_ps_d, /*!< pointer to the module sta { PScaleFactors = ScaleFactors; /* values are shiftet right by one */ noIidSteps = NO_IID_STEPS; + noFactors = NO_IID_LEVELS; /*pQuantizedIIDs = quantizedIIDs;*/ } 
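Review bot: `input[0] = 1` in the `@@ -1147,6 +1147,9` hunk writes through the caller's buffer to avoid a zero divisor, and nothing at the site says why 1 is an acceptable stand-in. A comment would make the intent explicit, e.g. `/* input[0] == 0 would divide by zero in fDivNorm(); use the smallest positive value instead */`. Whether `autoCorr_0`, used in the same expression, was captured before this adjustment, and whether the caller reads `input` again afterwards, cannot be seen here, because `FDKaacEnc_AutoToParcor` extends beyond the hunk and the hunk's tail is damaged on this page.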
@@ -1012,8 +1014,11 @@ void initSlotBasedRotation( HANDLE_PS_DEC h_ps_d, /*!< pointer to the module sta /* ScaleR and ScaleL are scaled by 1 shift right */ - ScaleR = PScaleFactors[noIidSteps + h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin]]; - ScaleL = PScaleFactors[noIidSteps - h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin]]; + ScaleL = ScaleR = 0; + if (noIidSteps + h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin] >= 0 && noIidSteps + h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin] < noFactors) + ScaleR = PScaleFactors[noIidSteps + h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin]]; + if (noIidSteps - h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin] >= 0 && noIidSteps - h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin] < noFactors) + ScaleL = PScaleFactors[noIidSteps - h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin]]; AlphasValue = 0; if (h_ps_d->specificTo.mpeg.coef.aaIccIndexMapped[env][bin] >= 0) From 1b0cec288c5a0867ee0c008cd5a846facb72a524 Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Wed, 20 Dec 2017 10:21:34 +0200 Subject: [PATCH 31/35] Fix an assertion failure when encoding a particular input at specific bitrates --- libAACenc/src/sf_estim.cpp | 1 + 1 file changed, 1 insertion(+) diff --git a/libAACenc/src/sf_estim.cpp b/libAACenc/src/sf_estim.cpp index 1cb243b98..75b8d4245 100644 --- a/libAACenc/src/sf_estim.cpp +++ b/libAACenc/src/sf_estim.cpp @@ -533,6 +533,7 @@ static void FDKaacEnc_assimilateSingleScf(PSY_OUT_CHANNEL *psyOutChan, (scfAct > scfMin) && (scfAct <= scfMin+MAX_SCF_DELTA) && (scfAct >= scfMax-MAX_SCF_DELTA) && + (scfAct <= fixMin(scfMin,fixMin(*scfLast, *scfNext))+MAX_SCF_DELTA) && (*scfLast != prevScfLast[sfbAct] || *scfNext != prevScfNext[sfbAct] || deltaPe < deltaPeLast[sfbAct])) { From 89aeea5f292306c429550e4c9fe55d865c903600 Mon Sep 17 00:00:00 2001 
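Review bot: The new bounds checks spell out `h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin]` six times across two conditions and two table reads, which makes it hard to confirm that each guard tests the same expression it indexes with. Reading the mapped index into a local once and checking `noIidSteps + idx` and `noIidSteps - idx` against `noFactors` gives the same behaviour in lines that can be reviewed at a glance. The sketch assumes the element type converts to `INT` without loss, which the page does not show. `initSlotBasedRotation` starts and ends outside the hunk.

```cpp
/* … unchanged: "ScaleR and ScaleL are scaled by 1 shift right" comment … */
const INT iidIdx = h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin];

ScaleL = ScaleR = 0;
if (noIidSteps + iidIdx >= 0 && noIidSteps + iidIdx < noFactors)
  ScaleR = PScaleFactors[noIidSteps + iidIdx];
if (noIidSteps - iidIdx >= 0 && noIidSteps - iidIdx < noFactors)
  ScaleL = PScaleFactors[noIidSteps - iidIdx];
/* … unchanged: AlphasValue lookup … */
```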
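Review bot: The added clause makes the existing `(scfAct <= scfMin+MAX_SCF_DELTA)` two lines above it redundant, assuming `fixMin` returns the smaller argument, because `fixMin(scfMin, fixMin(*scfLast, *scfNext))` can never exceed `scfMin`. Either drop the older clause or keep both with a comment, since as written a reader has to work out that one subsumes the other. The new clause also has no comment tying it to the assertion failure named in the commit title, e.g. `/* scfAct must stay within MAX_SCF_DELTA of both neighbours as well */`. The enclosing condition in `FDKaacEnc_assimilateSingleScf` begins outside the hunk.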
From: ezicomezigo Date: Wed, 20 Dec 2017 18:25:56 +0900 Subject: [PATCH 32/35] Fix SBR multichannel noise for 5.1 ch, the channel elements are as follows: SCE - CPE - CPE - LFE and the channel-mapping table for 5.1 ch is : { 2, 0, 1, 4, 5, 3,255,255}, /* 5.1ch */ For the last LFE channel, sbr decoder returns error, SBRDEC_UNSUPPORTED_CONFIG; --- libSBRdec/src/sbrdecoder.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libSBRdec/src/sbrdecoder.cpp b/libSBRdec/src/sbrdecoder.cpp index 7d9468ca0..a34174627 100644 --- a/libSBRdec/src/sbrdecoder.cpp +++ b/libSBRdec/src/sbrdecoder.cpp @@ -1444,7 +1444,7 @@ sbrDecoder_DecodeElement ( self->flags |= (applyPs) ? SBRDEC_PS_DECODED : 0; } - if (channelMapping[0] == 255 || channelMapping[1] == 255) + if (channelMapping[0] == 255 || ((*numOutChannels == 2) && channelMapping[1] == 255)) return SBRDEC_UNSUPPORTED_CONFIG; if (!pSbrChannel[0]->SbrDec.LppTrans.pSettings) return SBRDEC_UNSUPPORTED_CONFIG; From 54da05eb397725f93754094392f2772892a847db Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Tue, 6 Mar 2018 12:29:40 +0200 Subject: [PATCH 33/35] Update the list of extra files for "make dist" --- Makefile.am | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile.am b/Makefile.am index 5b2c65b5c..1ee2dfc6b 100644 --- a/Makefile.am +++ b/Makefile.am @@ -188,7 +188,8 @@ EXTRA_DIST = \ $(top_srcdir)/autogen.sh \ $(top_srcdir)/MODULE_LICENSE_FRAUNHOFER \ $(top_srcdir)/NOTICE \ - $(top_srcdir)/Android.mk \ + $(top_srcdir)/OWNERS \ + $(top_srcdir)/Android.bp \ $(top_srcdir)/fdk-aac.sym \ $(top_srcdir)/Makefile.vc \ $(top_srcdir)/documentation/*.pdf \ From 5891b75b311c8fb27706cc2128a49d10dc477dca Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Tue, 6 Mar 2018 12:35:43 +0200 Subject: [PATCH 34/35] Fix warnings with MSVC about mismatch between signed and unsigned in a header --- libFDK/include/FDK_bitstream.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
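Review bot: After this change `channelMapping[1]` may be 255 whenever `*numOutChannels` is not 2, so any later use of it as an output offset in `sbrDecoder_DecodeElement` (outside the hunk) must sit on a path taken only for two output channels. That is worth checking explicitly, because an unmapped 255 used as an index would address memory well outside the intended channel slot. The `pSettings` guard added in patch 21 keys on `stereo` rather than `*numOutChannels`; if the two can differ, as the `applyPs` context line suggests they might, a comment saying why each check uses its own condition would stop them being merged by mistake. The literal `255` would read better as a named constant for an unmapped channel.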
diff --git a/libFDK/include/FDK_bitstream.h b/libFDK/include/FDK_bitstream.h index 19bc8644b..e75e57036 100644 --- a/libFDK/include/FDK_bitstream.h +++ b/libFDK/include/FDK_bitstream.h @@ -245,7 +245,7 @@ FDK_INLINE UINT FDKreadBits(HANDLE_FDK_BITSTREAM hBitStream, if (hBitStream->BitsInCache <= numberOfBits) { - const UINT validBits = FDK_getValidBits (&hBitStream->hBitBuf) ; + const INT validBits = FDK_getValidBits (&hBitStream->hBitBuf) ; const INT freeBits = (CACHE_BITS-1) - hBitStream->BitsInCache ; const INT bitsToRead = (freeBits <= validBits) ? freeBits : validBits ; @@ -309,7 +309,7 @@ inline UINT FDKread2Bits(HANDLE_FDK_BITSTREAM hBitStream) UINT BitsInCache = hBitStream->BitsInCache; if (BitsInCache < 2) /* Comparison changed from 'less-equal' to 'less' */ { - const UINT validBits = FDK_getValidBits (&hBitStream->hBitBuf) ; + const INT validBits = FDK_getValidBits (&hBitStream->hBitBuf) ; const INT freeBits = (CACHE_BITS-1) - BitsInCache ; const INT bitsToRead = (freeBits <= validBits) ? freeBits : validBits ; From a30bfced6b6d6d976c728552d247cb30dd86e238 Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Tue, 6 Mar 2018 12:22:48 +0200 Subject: [PATCH 35/35] Bump the versions and add a changelog entry for v0.1.6 --- ChangeLog | 4 ++++ configure.ac | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index b544ece67..a36902f4f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +0.1.6 + - Lots of minor assorted crash/fuzz fixes, mostly for the decoder but + also some for the encoder + 0.1.5 - Updated upstream sources - Fixed building with GCC 3.3 and 3.4 diff --git a/configure.ac b/configure.ac index 1485ff721..86a9102a3 100644 --- a/configure.ac +++ b/configure.ac 
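Review bot: Changing `validBits` from `UINT` to `INT` in `FDKreadBits`, and identically in `FDKread2Bits` in the next hunk, silences the warning by making `freeBits <= validBits` a signed comparison, so a negative `validBits` would now be selected as `bitsToRead`. Whether `FDK_getValidBits` can return a negative or wrapped value is not visible here, since its declaration is outside both hunks. If its return type is unsigned, the narrowing now happens silently at the initialisation. I would state the expected range at the declaration, e.g. `/* validBits is expected to be >= 0; a negative value would make bitsToRead negative */`, or check it before the minimum is taken.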
@@ -1,7 +1,7 @@ dnl -*- Autoconf -*- dnl Process this file with autoconf to produce a configure script. -AC_INIT([fdk-aac], [0.1.5], [http://sourceforge.net/projects/opencore-amr/]) +AC_INIT([fdk-aac], [0.1.6], [http://sourceforge.net/projects/opencore-amr/]) AC_CONFIG_AUX_DIR(.) AC_CONFIG_MACRO_DIR([m4]) AM_INIT_AUTOMAKE([tar-ustar foreign]) @@ -26,7 +26,7 @@ AC_SEARCH_LIBS([sin], [m]) dnl soname version to use dnl goes by ‘current[:revision[:age]]’ with the soname ending up as dnl current.age.revision -FDK_AAC_VERSION=1:0:0 +FDK_AAC_VERSION=1:1:0 AS_IF([test x$enable_shared = xyes], [LIBS_PRIVATE=$LIBS], [LIBS_PUBLIC=$LIBS]) AC_SUBST(FDK_AAC_VERSION)