Fix for stack-buffer-underflow in ixheaacd_sbr_env_calc
Bug:117050162
Test: vendor, poc no longer fails
Change-Id: I1ff8f0ce42ade33c93653edc9e19282b68108b9b
diff --git a/decoder/ixheaacd_esbr_envcal.c b/decoder/ixheaacd_esbr_envcal.c
index 53aacef..b90df22 100644
--- a/decoder/ixheaacd_esbr_envcal.c
+++ b/decoder/ixheaacd_esbr_envcal.c
@@ -68,11 +68,12 @@
} while (inc > 1);
}
-VOID ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data,
- FLOAT32 input_real[][64], FLOAT32 input_imag[][64],
- FLOAT32 input_real1[][64], FLOAT32 input_imag1[][64],
- WORD32 x_over_qmf[MAX_NUM_PATCHES],
- FLOAT32 *scratch_buff, FLOAT32 *env_out) {
+WORD32 ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data,
+ FLOAT32 input_real[][64], FLOAT32 input_imag[][64],
+ FLOAT32 input_real1[][64],
+ FLOAT32 input_imag1[][64],
+ WORD32 x_over_qmf[MAX_NUM_PATCHES],
+ FLOAT32 *scratch_buff, FLOAT32 *env_out) {
WORD8 harmonics[64];
FLOAT32(*env_tmp)[48];
FLOAT32(*noise_level_pvc)[48];
@@ -192,6 +193,7 @@
ui = frame_data->pstr_sbr_header->pstr_freq_band_data
->freq_band_tbl_hi[i + 1];
tmp = ((ui + li) - (sub_band_start << 1)) >> 1;
+ if ((tmp >= 64) || (tmp < 0)) return -1;
harmonics[tmp] = add_harmonics[i];
}
@@ -559,6 +561,7 @@
ui = frame_data->pstr_sbr_header->pstr_freq_band_data
->freq_band_tbl_hi[i + 1];
tmp = ((ui + li) - (sub_band_start << 1)) >> 1;
+ if ((tmp >= 64) || (tmp < 0)) return -1;
harmonics[tmp] = add_harmonics[i];
}
@@ -783,6 +786,7 @@
frame_data->phase_index = phase_index;
frame_data->pstr_sbr_header->esbr_start_up = esbr_start_up;
frame_data->pstr_sbr_header->esbr_start_up_pvc = esbr_start_up_pvc;
+ return 0;
}
VOID ixheaacd_createlimiterbands(WORD32 lim_table[4][12 + 1],
diff --git a/decoder/ixheaacd_sbr_dec.c b/decoder/ixheaacd_sbr_dec.c
index 1adc72a..049433d 100644
--- a/decoder/ixheaacd_sbr_dec.c
+++ b/decoder/ixheaacd_sbr_dec.c
@@ -759,21 +759,16 @@
ptr_pvc_data->prev_pvc_rate = ptr_pvc_data->pvc_rate;
ptr_frame_data->pstr_sbr_header = ptr_header_data;
- if (ptr_header_data->hbe_flag == 0)
- ixheaacd_sbr_env_calc(
- ptr_frame_data, ptr_sbr_dec->sbr_qmf_out_real + (SBR_HF_ADJ_OFFSET),
- ptr_sbr_dec->sbr_qmf_out_imag + (SBR_HF_ADJ_OFFSET),
- ptr_sbr_dec->qmf_buf_real + (SBR_HF_ADJ_OFFSET),
- ptr_sbr_dec->qmf_buf_imag + (SBR_HF_ADJ_OFFSET), NULL,
- ptr_sbr_dec->scratch_buff, pvc_dec_out_buf);
- else
- ixheaacd_sbr_env_calc(
- ptr_frame_data, ptr_sbr_dec->sbr_qmf_out_real + (SBR_HF_ADJ_OFFSET),
- ptr_sbr_dec->sbr_qmf_out_imag + (SBR_HF_ADJ_OFFSET),
- ptr_sbr_dec->qmf_buf_real + (SBR_HF_ADJ_OFFSET),
- ptr_sbr_dec->qmf_buf_imag + (SBR_HF_ADJ_OFFSET),
- ptr_sbr_dec->p_hbe_txposer->x_over_qmf, ptr_sbr_dec->scratch_buff,
- pvc_dec_out_buf);
+ err_code = ixheaacd_sbr_env_calc(
+ ptr_frame_data, ptr_sbr_dec->sbr_qmf_out_real + (SBR_HF_ADJ_OFFSET),
+ ptr_sbr_dec->sbr_qmf_out_imag + (SBR_HF_ADJ_OFFSET),
+ ptr_sbr_dec->qmf_buf_real + (SBR_HF_ADJ_OFFSET),
+ ptr_sbr_dec->qmf_buf_imag + (SBR_HF_ADJ_OFFSET),
+ (ptr_header_data->hbe_flag == 0)
+ ? NULL
+ : ptr_sbr_dec->p_hbe_txposer->x_over_qmf,
+ ptr_sbr_dec->scratch_buff, pvc_dec_out_buf);
+ if (err_code) return err_code;
} else {
for (i = 0; i < 64; i++) {
@@ -1213,22 +1208,16 @@
ptr_frame_data->pstr_sbr_header = ptr_header_data;
ptr_frame_data->sbr_mode = ORIG_SBR;
ptr_frame_data->prev_sbr_mode = ORIG_SBR;
- if (ptr_header_data->hbe_flag == 0)
- ixheaacd_sbr_env_calc(ptr_frame_data,
- ptr_sbr_dec->mps_sbr_qmf_buf_real + SBR_HF_ADJ_OFFSET,
- ptr_sbr_dec->mps_sbr_qmf_buf_imag + SBR_HF_ADJ_OFFSET,
- ptr_sbr_dec->mps_qmf_buf_real + SBR_HF_ADJ_OFFSET,
- ptr_sbr_dec->mps_qmf_buf_imag + SBR_HF_ADJ_OFFSET,
- NULL, ptr_sbr_dec->scratch_buff, NULL);
- else
- ixheaacd_sbr_env_calc(ptr_frame_data,
- ptr_sbr_dec->mps_sbr_qmf_buf_real + SBR_HF_ADJ_OFFSET,
- ptr_sbr_dec->mps_sbr_qmf_buf_imag + SBR_HF_ADJ_OFFSET,
- ptr_sbr_dec->mps_qmf_buf_real + SBR_HF_ADJ_OFFSET,
- ptr_sbr_dec->mps_qmf_buf_imag + SBR_HF_ADJ_OFFSET,
- ptr_sbr_dec->p_hbe_txposer->x_over_qmf,
- ptr_sbr_dec->scratch_buff, NULL);
+ err = ixheaacd_sbr_env_calc(
+ ptr_frame_data, ptr_sbr_dec->mps_sbr_qmf_buf_real + SBR_HF_ADJ_OFFSET,
+ ptr_sbr_dec->mps_sbr_qmf_buf_imag + SBR_HF_ADJ_OFFSET,
+ ptr_sbr_dec->mps_qmf_buf_real + SBR_HF_ADJ_OFFSET,
+ ptr_sbr_dec->mps_qmf_buf_imag + SBR_HF_ADJ_OFFSET,
+ (ptr_header_data->hbe_flag == 0) ? NULL
+ : ptr_sbr_dec->p_hbe_txposer->x_over_qmf,
+ ptr_sbr_dec->scratch_buff, NULL);
+ if (err) return err;
for (i = 0; i < no_bins; i++) {
FLOAT32 *p_loc_mps_qmf_output =
p_mps_qmf_output + i * (MAX_NUM_QMF_BANDS_ESBR * 2);
diff --git a/decoder/ixheaacd_sbr_dec.h b/decoder/ixheaacd_sbr_dec.h
index 0beec6d..69a4d23 100644
--- a/decoder/ixheaacd_sbr_dec.h
+++ b/decoder/ixheaacd_sbr_dec.h
@@ -183,11 +183,12 @@
FLOAT32 pv_qmf_buf_imag[][64],
WORD32 pitch_in_bins);
-VOID ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data,
- FLOAT32 input_real[][64], FLOAT32 input_imag[][64],
- FLOAT32 input_real1[][64], FLOAT32 input_imag1[][64],
- WORD32 x_over_qmf[MAX_NUM_PATCHES],
- FLOAT32 *scratch_buff, FLOAT32 *env_out);
+WORD32 ixheaacd_sbr_env_calc(ia_sbr_frame_info_data_struct *frame_data,
+ FLOAT32 input_real[][64], FLOAT32 input_imag[][64],
+ FLOAT32 input_real1[][64],
+ FLOAT32 input_imag1[][64],
+ WORD32 x_over_qmf[MAX_NUM_PATCHES],
+ FLOAT32 *scratch_buff, FLOAT32 *env_out);
WORD32 ixheaacd_generate_hf(FLOAT32 ptr_src_buf_real[][64],
FLOAT32 ptr_src_buf_imag[][64],
