Commit 736d72e

rbessick4rsp4jack
authored andcommitted
fix buffer overrun in eas_wtengine
avoid a buffer overrun in eas_wtengine. Check buffer limits during application of gain Clip calculated length in eas_wtsynth Bug: 317780080 Test: POC with bug (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6b66e7665dbcd891ff23081c13ab0b1637bb1dda) Merged-In: I3609d6a36d89b26ae7eb3ae84cbe7772f6c3bee0 Change-Id: I3609d6a36d89b26ae7eb3ae84cbe7772f6c3bee0 backporting fix from main
1 parent a678afe commit 736d72e

2 files changed

+35
-1
lines changed

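--- a/arm-wt-22k/lib_src/eas_wtengine.c
+++ b/arm-wt-22k/lib_src/eas_wtengine.c
@@ -99,6 +99,10 @@ void WT_VoiceGain (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame)
 ALOGE("b/26366256");
 android_errorWriteLog(0x534e4554, "26366256");
 return;
+} else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) {
+ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES);
+android_errorWriteLog(0x534e4554, "317780080");
+numSamples = BUFFER_SIZE_IN_MONO_SAMPLES;
 }
 pMixBuffer = pWTIntFrame->pMixBuffer;
 pInputBuffer = pWTIntFrame->pAudioBuffer;
@@ -196,6 +200,10 @@ void WT_Interpolate (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame)
 ALOGE("b/26366256");
 android_errorWriteLog(0x534e4554, "26366256");
 return;
+} else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) {
+ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES);
+android_errorWriteLog(0x534e4554, "317780080");
+numSamples = BUFFER_SIZE_IN_MONO_SAMPLES;
 }
 pOutputBuffer = pWTIntFrame->pAudioBuffer;
 
@@ -297,6 +305,10 @@ void WT_InterpolateNoLoop (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame)
 ALOGE("b/26366256");
 android_errorWriteLog(0x534e4554, "26366256");
 return;
+} else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) {
+ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES);
+android_errorWriteLog(0x534e4554, "317780080");
+numSamples = BUFFER_SIZE_IN_MONO_SAMPLES;
 }
 pOutputBuffer = pWTIntFrame->pAudioBuffer;
 
@@ -397,6 +409,10 @@ void WT_VoiceFilter (S_FILTER_CONTROL *pFilter, S_WT_INT_FRAME *pWTIntFrame)
 ALOGE("b/26366256");
 android_errorWriteLog(0x534e4554, "26366256");
 return;
+} else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) {
+ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES);
+android_errorWriteLog(0x534e4554, "317780080");
+numSamples = BUFFER_SIZE_IN_MONO_SAMPLES;
 }
 pAudioBuffer = pWTIntFrame->pAudioBuffer;
 
@@ -465,6 +481,10 @@ void WT_VoiceFilter (S_FILTER_CONTROL *pFilter, S_WT_INT_FRAME *pWTIntFrame)
 ALOGE("b/26366256");
 android_errorWriteLog(0x534e4554, "26366256");
 return;
+} else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) {
+ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES);
+android_errorWriteLog(0x534e4554, "317780080");
+numSamples = BUFFER_SIZE_IN_MONO_SAMPLES;
 }
 pOutputBuffer = pWTIntFrame->pAudioBuffer;
 phaseInc = pWTIntFrame->frame.phaseIncrement;
@@ -613,6 +633,10 @@ void WT_InterpolateMono (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame)
 ALOGE("b/26366256");
 android_errorWriteLog(0x534e4554, "26366256");
 return;
+} else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) {
+ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES);
+android_errorWriteLog(0x534e4554, "317780080");
+numSamples = BUFFER_SIZE_IN_MONO_SAMPLES;
 }
 pMixBuffer = pWTIntFrame->pMixBuffer;
 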
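Review bot: The identical four-line clamp is pasted into six places (new lines 102, 203, 308, 412, 484 and 636), so the bound holds only while every current and future render routine repeats it. A small file-local helper, for example `static EAS_I32 WT_ClipNumSamples (EAS_I32 numSamples)`, that logs and returns the clipped count would keep the limit in one spot. The clamp also takes for granted that `pAudioBuffer` and `pMixBuffer` each hold at least `BUFFER_SIZE_IN_MONO_SAMPLES` elements, which these hunks do not show; that invariant is worth confirming and recording in a comment next to the check. Both `ALOGE` and `android_errorWriteLog` run on every clipped frame, so a file that reaches this path repeatedly can flood the log; emitting the event once per voice would keep it useful for detection. Each enclosing function starts and ends outside its hunk.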

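--- a/arm-wt-22k/lib_src/eas_wtsynth.c
+++ b/arm-wt-22k/lib_src/eas_wtsynth.c
@@ -484,14 +484,24 @@ EAS_BOOL WT_CheckSampleEnd (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame, E
 /*lint -e{703} use shift for performance */
 numSamples = (numSamples << NUM_PHASE_FRAC_BITS) - (EAS_I32) pWTVoice->phaseFrac;
 if (pWTIntFrame->frame.phaseIncrement) {
-pWTIntFrame->numSamples = 1 + (numSamples / pWTIntFrame->frame.phaseIncrement);
+EAS_I32 oldMethod = 1 + (numSamples / pWTIntFrame->frame.phaseIncrement);
+pWTIntFrame->numSamples =
+(numSamples + pWTIntFrame->frame.phaseIncrement - 1) / pWTIntFrame->frame.phaseIncrement;
+if (oldMethod != pWTIntFrame->numSamples) {
+ALOGE("b/317780080 old %ld new %ld", oldMethod, pWTIntFrame->numSamples);
+}
 } else {
 pWTIntFrame->numSamples = numSamples;
 }
 if (pWTIntFrame->numSamples < 0) {
 ALOGE("b/26366256");
 android_errorWriteLog(0x534e4554, "26366256");
 pWTIntFrame->numSamples = 0;
+} else if (pWTIntFrame->numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) {
+ALOGE("b/317780080 clip numSamples %ld -> %d",
+pWTIntFrame->numSamples, BUFFER_SIZE_IN_MONO_SAMPLES);
+android_errorWriteLog(0x534e4554, "317780080");
+pWTIntFrame->numSamples = BUFFER_SIZE_IN_MONO_SAMPLES;
 }
 
 /* sound will be done this frame */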
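Review bot: The `oldMethod` comparison in WT_CheckSampleEnd logs at error level on ordinary input, not only on the overrun case: for non-negative values, `1 + n / inc` and `(n + inc - 1) / inc` differ exactly when `numSamples` is a multiple of `phaseIncrement`, which presumably needs no malformed file. That puts a `b/317780080` line in the log during benign playback and dilutes it as a signal next to the `android_errorWriteLog` clip event further down. I would drop `oldMethod` once the backport is validated, or demote the line to `ALOGV("b/317780080 old %ld new %ld", oldMethod, pWTIntFrame->numSamples);`. Separately, the sum `numSamples + pWTIntFrame->frame.phaseIncrement - 1` is evaluated before either range check, so if both operands are signed 32-bit values (their declarations are outside the hunk), a large shifted `numSamples` could overflow there; bounding it before the addition would avoid relying on the later clamp. The function starts and ends outside the hunk.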
