From 98ec800bdf6fdc324c1e6414b3b597d94977cfaa Mon Sep 17 00:00:00 2001 From: Neelkamal Semwal Date: Thu, 8 Jul 2021 09:15:53 +0530 Subject: libOpus: fix integer overflow in silk_resampler_down2_hp Bug: 190882774 Test: poc in bug description Change-Id: Ib780a7d3e114ed29047c50459c01462c6b244f31 --- src/analysis.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/analysis.c b/src/analysis.c index 058328f0..8b4f22d0 100644 --- a/src/analysis.c +++ b/src/analysis.c @@ -149,7 +149,10 @@ static opus_val32 silk_resampler_down2_hp( out32_hp = ADD32( out32_hp, X ); S[ 2 ] = ADD32( -in32, X ); - hp_ener += out32_hp*(opus_val64)out32_hp; + if(__builtin_add_overflow(hp_ener, out32_hp*(opus_val64)out32_hp, &hp_ener)) + { + hp_ener = UINT64_MAX; + } /* Add, convert back to int16 and store to output */ out[ k ] = HALF32(out32); } -- cgit v1.2.3 From 878bdeb38043407869c684fb73708b04e8fe0ce4 Mon Sep 17 00:00:00 2001 From: Neelkamal Semwal Date: Wed, 15 Sep 2021 21:46:10 +0530 Subject: libOpus: fix OOB read in ssse4 correlation kernel Few SIMD functions read 16 bytes at a time and this potentially leads to OOB read for some buffers allocated on stack using ALLOC() calls. In order to avoid these OOB reads, ALLOC() now allocates 16 additional bytes. Bug: 191352053 Test: poc in bug description Test: atest VtsHalMediaC2V1_0TargetAudioDecTest Test: atest VtsHalMediaC2V1_0TargetAudioEncTest Change-Id: I4da2840844d60f251dd7a222f51d508e4eb8749f --- Android.bp | 1 + celt/stack_alloc.h | 25 ++++++++++++++++++++++--- 2 files changed, 23 insertions(+), 3 deletions(-) diff --git a/Android.bp b/Android.bp index 702ddcc4..270d3271 100644 --- a/Android.bp +++ b/Android.bp @@ -208,6 +208,7 @@ cc_library { "-DOPUS_BUILD", "-DFIXED_POINT", "-DUSE_ALLOCA", + "-DSIMD_EXTRA_ALLOC_BYTES=16", "-DHAVE_LRINT", "-DHAVE_LRINTF", "-DENABLE_HARDENING", diff --git a/celt/stack_alloc.h b/celt/stack_alloc.h index ae40e2a1..b289facd 100644 --- a/celt/stack_alloc.h +++ b/celt/stack_alloc.h 
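Review bot: The saturation value in the new overflow branch, `hp_ener = UINT64_MAX;`, looks wrong for the accumulator's type. The addend is cast to `opus_val64`, and if `hp_ener` is that same signed 64-bit type (its declaration is outside the hunk), the assignment converts to -1 on the usual targets, so an overflow makes the energy negative instead of clamping it. Saturating to the signed maximum, `hp_ener = INT64_MAX;`, keeps the returned energy non-negative and at its ceiling. `__builtin_add_overflow` also accepts only integer operands, so this line presumably depends on the `-DFIXED_POINT` build; a short comment or an `#ifdef FIXED_POINT` guard would make that dependency explicit.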
@@ -88,10 +88,22 @@ * @param type Type of element */ +#ifndef SIMD_EXTRA_ALLOC_BYTES +#error define SIMD_EXTRA_ALLOC_BYTES appropriately in your makefile +/* + * Useful values: + * 0 for an all-scalar processor, which should never over-read the arrays + * 16 for an implementation using ARM Neon or X86 SSE4 instructions, which work + * with blocks of 16 bytes (128 bits) + */ +#endif + #if defined(VAR_ARRAYS) #define VARDECL(type, var) -#define ALLOC(var, size, type) type var[size] +// include a full SIMD width afterwards; +#define ALLOC(var, size, type) type var[(size) + ((SIMD_EXTRA_ALLOC_BYTES)/sizeof(type))] + #define SAVE_STACK #define RESTORE_STACK #define ALLOC_STACK @@ -103,9 +115,11 @@ #define VARDECL(type, var) type *var # ifdef _WIN32 -# define ALLOC(var, size, type) var = ((type*)_alloca(sizeof(type)*(size))) +# define ALLOC(var, size, type) var = \ + ((type*)_alloca(sizeof(type)*(size) + SIMD_EXTRA_ALLOC_BYTES)) # else -# define ALLOC(var, size, type) var = ((type*)alloca(sizeof(type)*(size))) +# define ALLOC(var, size, type) var = \ + ((type*)alloca(sizeof(type)*(size) + SIMD_EXTRA_ALLOC_BYTES)) # endif #define SAVE_STACK @@ -151,6 +165,11 @@ extern char *global_stack_top; #endif /* ENABLE_VALGRIND */ +// this path has NOT been modified to be safe in the face of SIMD over-reads +#if SIMD_EXTRA_ALLOC_BYTES != 0 +#error "ALLOC() is not updated in this configuration to provide for SIMD over-reads" +#endif + #include "os_support.h" #define VARDECL(type, var) type *var #define ALLOC(var, size, type) var = PUSH(global_stack, size, type) -- cgit v1.2.3 From a6a69736bad24c7a142bc40916d7bfa576be7fc1 Mon Sep 17 00:00:00 2001 
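Review bot: In the VAR_ARRAYS `ALLOC`, `(SIMD_EXTRA_ALLOC_BYTES)/sizeof(type)` rounds down, so an element type whose size does not divide the padding gets fewer bytes than requested, and a type larger than the padding gets no extra elements at all. Rounding up keeps the guarantee for every type: `type var[(size) + ((SIMD_EXTRA_ALLOC_BYTES) + sizeof(type) - 1)/sizeof(type)]`. The "Useful values" comment would also be easier to find above the `#error` line than after it. The cherry-picked copy of this patch further down carries the same lines.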
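Review bot: Both `alloca` variants of `ALLOC` add the padding, but nothing documents that the extra bytes are never written, so a 16-byte load past `size` elements now reads indeterminate stack contents instead of running off the allocation. That is presumably harmless when the surplus lanes are discarded, but it should be stated next to the macro, e.g. `/* The SIMD_EXTRA_ALLOC_BYTES tail is uninitialized; kernels may load it but must not let it affect results. */`. For consistency with the VAR_ARRAYS branch the macro should also be parenthesized here, `+ (SIMD_EXTRA_ALLOC_BYTES)`. The same applies to the cherry-picked copy of this hunk.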
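Review bot: The new guard before the `PUSH`-based `ALLOC` rejects any non-zero `SIMD_EXTRA_ALLOC_BYTES`, which fails safe but leaves the pseudostack configuration unbuildable on SIMD targets. Padding the count handed to `PUSH` would cover this path as well: `var = PUSH(global_stack, (size) + ((SIMD_EXTRA_ALLOC_BYTES) + sizeof(type) - 1)/sizeof(type), type)`. This assumes `PUSH` takes an element count; its definition is outside the hunk and would need checking. The `//` comment above the guard also departs from the `/* */` style used by the other comments visible in this header.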
From: Neelkamal Semwal Date: Wed, 15 Sep 2021 21:46:10 +0530 Subject: libOpus: fix OOB read in ssse4 correlation kernel Few SIMD functions read 16 bytes at a time and this potentially leads to OOB read for some buffers allocated on stack using ALLOC() calls. In order to avoid these OOB reads, ALLOC() now allocates 16 additional bytes. Bug: 191352053 Test: poc in bug description Test: atest VtsHalMediaC2V1_0TargetAudioDecTest Test: atest VtsHalMediaC2V1_0TargetAudioEncTest Change-Id: I4da2840844d60f251dd7a222f51d508e4eb8749f (cherry picked from commit 878bdeb38043407869c684fb73708b04e8fe0ce4) --- Android.bp | 1 + celt/stack_alloc.h | 25 ++++++++++++++++++++++--- 2 files changed, 23 insertions(+), 3 deletions(-) diff --git a/Android.bp b/Android.bp index 702ddcc4..270d3271 100644 --- a/Android.bp +++ b/Android.bp @@ -208,6 +208,7 @@ cc_library { "-DOPUS_BUILD", "-DFIXED_POINT", "-DUSE_ALLOCA", + "-DSIMD_EXTRA_ALLOC_BYTES=16", "-DHAVE_LRINT", "-DHAVE_LRINTF", "-DENABLE_HARDENING", diff --git a/celt/stack_alloc.h b/celt/stack_alloc.h index ae40e2a1..b289facd 100644 --- a/celt/stack_alloc.h +++ b/celt/stack_alloc.h @@ -88,10 +88,22 @@ * @param type Type of element */ +#ifndef SIMD_EXTRA_ALLOC_BYTES +#error define SIMD_EXTRA_ALLOC_BYTES appropriately in your makefile +/* + * Useful values: + * 0 for an all-scalar processor, which should never over-read the arrays + * 16 for an implementation using ARM Neon or X86 SSE4 instructions, which work + * with blocks of 16 bytes (128 bits) + */ +#endif + #if defined(VAR_ARRAYS) #define VARDECL(type, var) -#define ALLOC(var, size, type) type var[size] +// include a full SIMD width afterwards; +#define ALLOC(var, size, type) type var[(size) + ((SIMD_EXTRA_ALLOC_BYTES)/sizeof(type))] + #define SAVE_STACK #define RESTORE_STACK #define ALLOC_STACK 
@@ -103,9 +115,11 @@ #define VARDECL(type, var) type *var # ifdef _WIN32 -# define ALLOC(var, size, type) var = ((type*)_alloca(sizeof(type)*(size))) +# define ALLOC(var, size, type) var = \ + ((type*)_alloca(sizeof(type)*(size) + SIMD_EXTRA_ALLOC_BYTES)) # else -# define ALLOC(var, size, type) var = ((type*)alloca(sizeof(type)*(size))) +# define ALLOC(var, size, type) var = \ + ((type*)alloca(sizeof(type)*(size) + SIMD_EXTRA_ALLOC_BYTES)) # endif #define SAVE_STACK @@ -151,6 +165,11 @@ extern char *global_stack_top; #endif /* ENABLE_VALGRIND */ +// this path has NOT been modified to be safe in the face of SIMD over-reads +#if SIMD_EXTRA_ALLOC_BYTES != 0 +#error "ALLOC() is not updated in this configuration to provide for SIMD over-reads" +#endif + #include "os_support.h" #define VARDECL(type, var) type *var #define ALLOC(var, size, type) var = PUSH(global_stack, size, type) -- cgit v1.2.3 From f357e4087dbcdd78fe5dede15faa2014206decfd Mon Sep 17 00:00:00 2001 From: Maria Uretsky Date: Tue, 7 Dec 2021 13:23:50 +0000 Subject: Update cpe for vulnerability scanners Bug: http://b/201572953 Change-Id: I0da1a3d8acd302cfbc9c6485d714fb7160905817 --- METADATA | 3 +++ 1 file changed, 3 insertions(+) diff --git a/METADATA b/METADATA index 4d26f677..cb40ec68 100644 --- a/METADATA +++ b/METADATA @@ -12,4 +12,7 @@ third_party { month: 2 day: 5 } + security { + tag: "NVD-CPE2.3:cpe:/a:opus-codec:opus:1.0.3" + } } -- cgit v1.2.3
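Review bot: The CPE in the new `security` block of METADATA pins version `1.0.3`, and nothing in the hunk ties it to the release this tree actually ships. The `version` field of `third_party` is outside the hunk, so confirm the two agree. A scanner that matches on this string will report against the wrong release if the tag is not bumped with each upgrade. A comment beside the tag, such as `# keep in sync with the third_party version on every upgrade`, would make that dependency visible.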