diff options
author | Ray Essick <essick@google.com> | 2024-02-14 11:10:41 -0600 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2024-03-13 18:39:20 +0000 |
commit | 7f523cb79230afa187962013999bc7feade66fa5 (patch) | |
tree | 969331baa28507bdcd5891fa15b793c5965f9f90 | |
parent | fc16ebb35fea245330ec94c48e69d64929f54655 (diff) | |
download | sonivox-7f523cb79230afa187962013999bc7feade66fa5.tar.gz |
WIP fix buffer overrun in eas_wtengine
avoid a buffer overrun in eas_wtengine.
Check buffer limits during application of gain
Clip calculated length in eas_wtsynth
Bug: 317780080
Test: POC with bug
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6b66e7665dbcd891ff23081c13ab0b1637bb1dda)
Merged-In: I3609d6a36d89b26ae7eb3ae84cbe7772f6c3bee0
Change-Id: I3609d6a36d89b26ae7eb3ae84cbe7772f6c3bee0
-rw-r--r-- | arm-wt-22k/lib_src/eas_wtengine.c | 24 | ||||
-rw-r--r-- | arm-wt-22k/lib_src/eas_wtsynth.c | 12 |
2 files changed, 35 insertions, 1 deletions
diff --git a/arm-wt-22k/lib_src/eas_wtengine.c b/arm-wt-22k/lib_src/eas_wtengine.c index b1ee749..dc8d864 100644 --- a/arm-wt-22k/lib_src/eas_wtengine.c +++ b/arm-wt-22k/lib_src/eas_wtengine.c @@ -99,6 +99,10 @@ void WT_VoiceGain (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame) ALOGE("b/26366256"); android_errorWriteLog(0x534e4554, "26366256"); return; + } else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) { + ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES); + android_errorWriteLog(0x534e4554, "317780080"); + numSamples = BUFFER_SIZE_IN_MONO_SAMPLES; } pMixBuffer = pWTIntFrame->pMixBuffer; pInputBuffer = pWTIntFrame->pAudioBuffer; @@ -196,6 +200,10 @@ void WT_Interpolate (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame) ALOGE("b/26366256"); android_errorWriteLog(0x534e4554, "26366256"); return; + } else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) { + ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES); + android_errorWriteLog(0x534e4554, "317780080"); + numSamples = BUFFER_SIZE_IN_MONO_SAMPLES; } pOutputBuffer = pWTIntFrame->pAudioBuffer; @@ -297,6 +305,10 @@ void WT_InterpolateNoLoop (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame) ALOGE("b/26366256"); android_errorWriteLog(0x534e4554, "26366256"); return; + } else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) { + ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES); + android_errorWriteLog(0x534e4554, "317780080"); + numSamples = BUFFER_SIZE_IN_MONO_SAMPLES; } pOutputBuffer = pWTIntFrame->pAudioBuffer; @@ -397,6 +409,10 @@ void WT_VoiceFilter (S_FILTER_CONTROL *pFilter, S_WT_INT_FRAME *pWTIntFrame) ALOGE("b/26366256"); android_errorWriteLog(0x534e4554, "26366256"); return; + } else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) { + ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES); + android_errorWriteLog(0x534e4554, "317780080"); + numSamples = BUFFER_SIZE_IN_MONO_SAMPLES; } pAudioBuffer = pWTIntFrame->pAudioBuffer; @@ -465,6 +481,10 @@ void WT_VoiceFilter (S_FILTER_CONTROL *pFilter, S_WT_INT_FRAME *pWTIntFrame) ALOGE("b/26366256"); android_errorWriteLog(0x534e4554, "26366256"); return; + } else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) { + ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES); + android_errorWriteLog(0x534e4554, "317780080"); + numSamples = BUFFER_SIZE_IN_MONO_SAMPLES; } pOutputBuffer = pWTIntFrame->pAudioBuffer; phaseInc = pWTIntFrame->frame.phaseIncrement; @@ -613,6 +633,10 @@ void WT_InterpolateMono (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame) ALOGE("b/26366256"); android_errorWriteLog(0x534e4554, "26366256"); return; + } else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) { + ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES); + android_errorWriteLog(0x534e4554, "317780080"); + numSamples = BUFFER_SIZE_IN_MONO_SAMPLES; } pMixBuffer = pWTIntFrame->pMixBuffer; diff --git a/arm-wt-22k/lib_src/eas_wtsynth.c b/arm-wt-22k/lib_src/eas_wtsynth.c index 74f78f5..ea1fe78 100644 --- a/arm-wt-22k/lib_src/eas_wtsynth.c +++ b/arm-wt-22k/lib_src/eas_wtsynth.c @@ -484,7 +484,12 @@ EAS_BOOL WT_CheckSampleEnd (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame, E /*lint -e{703} use shift for performance */ numSamples = (numSamples << NUM_PHASE_FRAC_BITS) - (EAS_I32) pWTVoice->phaseFrac; if (pWTIntFrame->frame.phaseIncrement) { - pWTIntFrame->numSamples = 1 + (numSamples / pWTIntFrame->frame.phaseIncrement); + EAS_I32 oldMethod = 1 + (numSamples / pWTIntFrame->frame.phaseIncrement); + pWTIntFrame->numSamples = + (numSamples + pWTIntFrame->frame.phaseIncrement - 1) / pWTIntFrame->frame.phaseIncrement; + if (oldMethod != pWTIntFrame->numSamples) { + ALOGE("b/317780080 old %ld new %ld", oldMethod, pWTIntFrame->numSamples); + } } else { pWTIntFrame->numSamples = numSamples; } @@ -492,6 +497,11 @@ EAS_BOOL WT_CheckSampleEnd (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame, E ALOGE("b/26366256"); android_errorWriteLog(0x534e4554, "26366256"); pWTIntFrame->numSamples = 0; + } else if (pWTIntFrame->numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) { + ALOGE("b/317780080 clip numSamples %ld -> %d", + pWTIntFrame->numSamples, BUFFER_SIZE_IN_MONO_SAMPLES); + android_errorWriteLog(0x534e4554, "317780080"); + pWTIntFrame->numSamples = BUFFER_SIZE_IN_MONO_SAMPLES; } /* sound will be done this frame */ |