fix buffer overrun in eas_wtengine

avoid a buffer overrun in eas_wtengine. Check buffer limits during application of gain Clip calculated length in eas_wtsynth Bug: 317780080 Test: POC with bug (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6b66e7665dbcd891ff23081c13ab0b1637bb1dda) Merged-In: I3609d6a36d89b26ae7eb3ae84cbe7772f6c3bee0 Change-Id: I3609d6a36d89b26ae7eb3ae84cbe7772f6c3bee0 backporting fix from main
pedrolcl · Oct 1, 2024 · 736d72e · 736d72e
1 parent a678afe
commit 736d72e
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 1 deletion.
diff --git a/arm-wt-22k/lib_src/eas_wtengine.c b/arm-wt-22k/lib_src/eas_wtengine.c
@@ -99,6 +99,10 @@ void WT_VoiceGain (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame)
         ALOGE("b/26366256");
         android_errorWriteLog(0x534e4554, "26366256");
         return;
+    } else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) {
+        ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES);
+        android_errorWriteLog(0x534e4554, "317780080");
+        numSamples = BUFFER_SIZE_IN_MONO_SAMPLES;
     }
     pMixBuffer = pWTIntFrame->pMixBuffer;
     pInputBuffer = pWTIntFrame->pAudioBuffer;
@@ -196,6 +200,10 @@ void WT_Interpolate (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame)
         ALOGE("b/26366256");
         android_errorWriteLog(0x534e4554, "26366256");
         return;
+    } else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) {
+        ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES);
+        android_errorWriteLog(0x534e4554, "317780080");
+        numSamples = BUFFER_SIZE_IN_MONO_SAMPLES;
     }
     pOutputBuffer = pWTIntFrame->pAudioBuffer;
 
@@ -297,6 +305,10 @@ void WT_InterpolateNoLoop (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame)
         ALOGE("b/26366256");
         android_errorWriteLog(0x534e4554, "26366256");
         return;
+    } else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) {
+        ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES);
+        android_errorWriteLog(0x534e4554, "317780080");
+        numSamples = BUFFER_SIZE_IN_MONO_SAMPLES;
     }
     pOutputBuffer = pWTIntFrame->pAudioBuffer;
 
@@ -397,6 +409,10 @@ void WT_VoiceFilter (S_FILTER_CONTROL *pFilter, S_WT_INT_FRAME *pWTIntFrame)
         ALOGE("b/26366256");
         android_errorWriteLog(0x534e4554, "26366256");
         return;
+    } else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) {
+        ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES);
+        android_errorWriteLog(0x534e4554, "317780080");
+        numSamples = BUFFER_SIZE_IN_MONO_SAMPLES;
     }
     pAudioBuffer = pWTIntFrame->pAudioBuffer;
 
@@ -465,6 +481,10 @@ void WT_VoiceFilter (S_FILTER_CONTROL *pFilter, S_WT_INT_FRAME *pWTIntFrame)
         ALOGE("b/26366256");
         android_errorWriteLog(0x534e4554, "26366256");
         return;
+    } else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) {
+        ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES);
+        android_errorWriteLog(0x534e4554, "317780080");
+        numSamples = BUFFER_SIZE_IN_MONO_SAMPLES;
     }
     pOutputBuffer = pWTIntFrame->pAudioBuffer;
     phaseInc = pWTIntFrame->frame.phaseIncrement;
@@ -613,6 +633,10 @@ void WT_InterpolateMono (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame)
         ALOGE("b/26366256");
         android_errorWriteLog(0x534e4554, "26366256");
         return;
+    } else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) {
+        ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES);
+        android_errorWriteLog(0x534e4554, "317780080");
+        numSamples = BUFFER_SIZE_IN_MONO_SAMPLES;
     }
     pMixBuffer = pWTIntFrame->pMixBuffer;
 

diff --git a/arm-wt-22k/lib_src/eas_wtsynth.c b/arm-wt-22k/lib_src/eas_wtsynth.c
@@ -484,14 +484,24 @@ EAS_BOOL WT_CheckSampleEnd (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame, E
         /*lint -e{703} use shift for performance */
         numSamples = (numSamples << NUM_PHASE_FRAC_BITS) - (EAS_I32) pWTVoice->phaseFrac;
         if (pWTIntFrame->frame.phaseIncrement) {
-            pWTIntFrame->numSamples = 1 + (numSamples / pWTIntFrame->frame.phaseIncrement);
+            EAS_I32 oldMethod = 1 + (numSamples / pWTIntFrame->frame.phaseIncrement);
+            pWTIntFrame->numSamples =
+                (numSamples + pWTIntFrame->frame.phaseIncrement - 1) / pWTIntFrame->frame.phaseIncrement;
+            if (oldMethod != pWTIntFrame->numSamples) {
+                ALOGE("b/317780080 old %ld new %ld", oldMethod, pWTIntFrame->numSamples);
+            }
         } else {
             pWTIntFrame->numSamples = numSamples;
         }
         if (pWTIntFrame->numSamples < 0) {
             ALOGE("b/26366256");
             android_errorWriteLog(0x534e4554, "26366256");
             pWTIntFrame->numSamples = 0;
+        } else if (pWTIntFrame->numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) {
+            ALOGE("b/317780080 clip numSamples %ld -> %d",
+                  pWTIntFrame->numSamples, BUFFER_SIZE_IN_MONO_SAMPLES);
+            android_errorWriteLog(0x534e4554, "317780080");
+            pWTIntFrame->numSamples = BUFFER_SIZE_IN_MONO_SAMPLES;
         }
 
         /* sound will be done this frame */