From c007165a4c8ff93ed1b4d5659cbd71e961e14ef4 Mon Sep 17 00:00:00 2001 From: Jean-Michel Trivi Date: Fri, 17 May 2019 07:29:07 -0700 Subject: [PATCH] AMR WB encoder: prevent OOB write in ACELP_4t64_fx In ACELP_4t64_fx, when iterating over ind array, check index against array size to prevent OOB write, log an error if such an access was about to happen. Bug: 132647222 Test: atest EncoderTest#testAMRWBEncoders Change-Id: I33f476d94baec2feffc7bcccd0ad0481b8452518 (cherry picked from commit 82cb46d0d55a407f468023977204eb7133b7fd77) Merged-in: I33f476d94baec2feffc7bcccd0ad0481b8452518 (cherry picked from commit 9a44849c88b306e1b4fb37bd9aa34d6ba0607b7a) --- .../codecs/amrwbenc/SampleCode/Android.mk | 3 ++- media/libstagefright/codecs/amrwbenc/src/c4t64fx.c | 13 +++++++++++-- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/media/libstagefright/codecs/amrwbenc/SampleCode/Android.mk b/media/libstagefright/codecs/amrwbenc/SampleCode/Android.mk index c203f77e84..7ddbbe5f7b 100644 --- a/media/libstagefright/codecs/amrwbenc/SampleCode/Android.mk +++ b/media/libstagefright/codecs/amrwbenc/SampleCode/Android.mk @@ -14,7 +14,8 @@ LOCAL_CFLAGS := -DLINUX LOCAL_SHARED_LIBRARIES := \ libstagefright \ - libdl + libdl \ + liblog LOCAL_C_INCLUDES := \ $(LOCAL_PATH)/ \ diff --git a/media/libstagefright/codecs/amrwbenc/src/c4t64fx.c b/media/libstagefright/codecs/amrwbenc/src/c4t64fx.c index 1ecc11f536..9262a0d49b 100644 --- a/media/libstagefright/codecs/amrwbenc/src/c4t64fx.c +++ b/media/libstagefright/codecs/amrwbenc/src/c4t64fx.c @@ -47,6 +47,10 @@ #include "q_pulse.h" +#undef LOG_TAG +#define LOG_TAG "amrwbenc" +#include "log/log.h" + static Word16 tipos[36] = { 0, 1, 2, 3, /* starting point &ipos[0], 1st iter */ 1, 2, 3, 0, /* starting point &ipos[4], 2nd iter */ @@ -737,11 +741,16 @@ void ACELP_4t64_fx( i = (Word16)((vo_L_mult(track, NPMAXPT) >> 1)); - while (ind[i] >= 0) + while (i < NPMAXPT * NB_TRACK && ind[i] >= 0) { i += 1; } - ind[i] = index; + if (i < NPMAXPT * NB_TRACK) { + ind[i] = index; + } else { + ALOGE("b/132647222, OOB access in ind array track=%d i=%d", track, i); + android_errorWriteLog(0x534e4554, "132647222"); + } } k = 0;