69 lines
2.4 KiB
Diff

From c007165a4c8ff93ed1b4d5659cbd71e961e14ef4 Mon Sep 17 00:00:00 2001
From: Jean-Michel Trivi <jmtrivi@google.com>
Date: Fri, 17 May 2019 07:29:07 -0700
Subject: [PATCH] AMR WB encoder: prevent OOB write in ACELP_4t64_fx
In ACELP_4t64_fx, when iterating over ind array, check index against
array size to prevent OOB write, log an error if such an access
was about to happen.
Bug: 132647222
Test: atest EncoderTest#testAMRWBEncoders
Change-Id: I33f476d94baec2feffc7bcccd0ad0481b8452518
(cherry picked from commit 82cb46d0d55a407f468023977204eb7133b7fd77)
Merged-in: I33f476d94baec2feffc7bcccd0ad0481b8452518
(cherry picked from commit 9a44849c88b306e1b4fb37bd9aa34d6ba0607b7a)
---
.../codecs/amrwbenc/SampleCode/Android.mk | 3 ++-
media/libstagefright/codecs/amrwbenc/src/c4t64fx.c | 13 +++++++++++--
2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/media/libstagefright/codecs/amrwbenc/SampleCode/Android.mk b/media/libstagefright/codecs/amrwbenc/SampleCode/Android.mk
index c203f77e84..7ddbbe5f7b 100644
--- a/media/libstagefright/codecs/amrwbenc/SampleCode/Android.mk
+++ b/media/libstagefright/codecs/amrwbenc/SampleCode/Android.mk
@@ -14,7 +14,8 @@ LOCAL_CFLAGS := -DLINUX
LOCAL_SHARED_LIBRARIES := \
libstagefright \
- libdl
+ libdl \
+ liblog
LOCAL_C_INCLUDES := \
$(LOCAL_PATH)/ \
diff --git a/media/libstagefright/codecs/amrwbenc/src/c4t64fx.c b/media/libstagefright/codecs/amrwbenc/src/c4t64fx.c
index 1ecc11f536..9262a0d49b 100644
--- a/media/libstagefright/codecs/amrwbenc/src/c4t64fx.c
+++ b/media/libstagefright/codecs/amrwbenc/src/c4t64fx.c
@@ -47,6 +47,10 @@
#include "q_pulse.h"
+#undef LOG_TAG
+#define LOG_TAG "amrwbenc"
+#include "log/log.h"
+
static Word16 tipos[36] = {
0, 1, 2, 3, /* starting point &ipos[0], 1st iter */
1, 2, 3, 0, /* starting point &ipos[4], 2nd iter */
@@ -737,11 +741,16 @@ void ACELP_4t64_fx(
i = (Word16)((vo_L_mult(track, NPMAXPT) >> 1));
- while (ind[i] >= 0)
+ while (i < NPMAXPT * NB_TRACK && ind[i] >= 0)
{
i += 1;
}
- ind[i] = index;
+ if (i < NPMAXPT * NB_TRACK) {
+ ind[i] = index;
+ } else {
+ ALOGE("b/132647222, OOB access in ind array track=%d i=%d", track, i);
+ android_errorWriteLog(0x534e4554, "132647222");
+ }
}
k = 0;