142 commits

Author SHA1 Message Date
Harish Mahendrakar
cbaa0dc3f9 Fix stack buffer overflow in ih264d_process_intra_mb
am: f69e34419b

Change-Id: I154d8dd94d11be2d34b8085c30e24f6bec62d9eb
2017-05-10 16:20:37 +00:00
Harish Mahendrakar
f69e34419b Fix stack buffer overflow in ih264d_process_intra_mb
Aligned the sizes of au1_ngbr_pels to ensure SSE42 functions do not
result in stack buffer overflow

Bug: 36490809

Change-Id: I0bfe493f94647046013759b3ec9db3c627ac471e
2017-05-10 15:58:24 +00:00
Marco Nelissen
9208f9461f Merge "Decoder: Fix in reference list initialization." into mnc-dev
am: 0015860fdc

Change-Id: I731793974cd3607fed07cb7895234e5f9484a0ea
2017-04-06 23:10:11 +00:00
Marco Nelissen
0015860fdc Merge "Decoder: Fix in reference list initialization." into mnc-dev 2017-04-06 23:00:48 +00:00
Ray Essick
ba33452066 Merge "Decoder: Fixes in accessing mbaff flag in error cases" into mnc-dev
am: 7ace2f5ca2

Change-Id: I5dde0d284cb06fa2faddae483900df1102d9bc52
2017-04-05 23:36:35 +00:00
Ray Essick
7ace2f5ca2 Merge "Decoder: Fixes in accessing mbaff flag in error cases" into mnc-dev 2017-04-05 23:29:45 +00:00
Ray Essick
bfb5f29471 Merge "Fix in the case of MMCO 3 (long term reference idx)." into mnc-dev
am: 64b617346c

Change-Id: Ia57a698ac23ee4abeefe194c8585301941984771
2017-04-05 21:13:56 +00:00
Ray Essick
64b617346c Merge "Fix in the case of MMCO 3 (long term reference idx)." into mnc-dev 2017-04-05 21:09:18 +00:00
Harish Mahendrakar
0f2f2b5fde Decoder: Fixes in accessing mbaff flag in error cases
ps_dec->ps_cur_slice->u1_mbaff_frame_flag is updated in ih264d_start_of_pic().
So updated value should be used after calling ih264d_start_of_pic()

Bug: 33974623
Test: ran POC from bug
Change-Id: I0f1ff5e01ed39767f493f197791e51b0da74952f
(cherry picked from commit 3f6937a003)
2017-03-23 23:46:33 +00:00
Hamsalekha S
93954f5e9a Decoder: Fix in reference list initialization.
In the case of error, initialize the new reference list1 with the first
picture in default list0 instead of default list1, as first picture in
list1 could still be invalid.

Bug: 36035074

Change-Id: I7ab493ee7a157cbefcd4da8389ff1ff899c16b7f
2017-03-22 16:55:01 +00:00
Ray Essick
cd5ebec24a Merge "Decoder: Fixed error handling for dangling fields" into mnc-dev
am: 78334b2a24

Change-Id: Id5cb9826e72c59890526300ad9e8833b61691c20
2017-03-14 22:15:20 +00:00
Ray Essick
78334b2a24 Merge "Decoder: Fixed error handling for dangling fields" into mnc-dev 2017-03-14 22:08:38 +00:00
Hamsalekha S
46e96d40db Fix in the case of MMCO 3 (long term reference idx).
Increment number of long term reference buffers only when both top field
and bottom field have been set as long term.

[backport for M/N from master]

Bug: 35584425
Test: ran POC - no hang, no segfault.

Change-Id: I94e3857944da675eda38f8e1a9bd887f48bff524
(cherry picked from commit 6fa5df8811)
2017-03-04 20:13:09 +00:00
Marco Nelissen
37345554fe resolve merge conflicts of 3654ad0 to mnc-dr-dev
Bug: 33818508
Bug: 34013472
Change-Id: I2e99cbceba1c00555d624e8975522725e362362b
2017-02-14 13:49:16 -08:00
Marco Nelissen
3654ad0da5 Merge changes Iec2941f1,I38be0e4c into mnc-dev
* changes:
  Decoder: Add supported width check for MBaff streams
  Decoder: Added a check for unsupported resolutions
2017-02-14 21:30:39 +00:00
Harish Mahendrakar
16fa990ce1 Decoder: Fixed initialization of first_slice_in_pic
am: 0b23c81c3d

Change-Id: I55e49ca9616a151456342bad7673d0986098b448
2017-02-14 17:03:06 +00:00
Harish Mahendrakar
ba7f9e2aed Decoder: Moved end of pic processing to end of decode call
am: 494561291a

Change-Id: Id3867f5dd0788f12f6827ed311a309d1fa58c535
2017-02-14 17:00:16 +00:00
Harish Mahendrakar
8b75cdae9b Decoder: Treat first slice in a picture as part of new picture always
am: 8b5fd8f24e

Change-Id: Ia14e9fae4a08143ff86439b5440ab9cf5e3052e3
2017-02-14 17:00:07 +00:00
Harish Mahendrakar
0b23c81c3d Decoder: Fixed initialization of first_slice_in_pic
To handle some errors, first_slice_in_pic was being set to 2.
This is now cleaned up and first_slice_in_pic is set to 1 only once per pic.
This will ensure picture level initializations are done only once even in case
of error clips

Bug: 33717589
Bug: 33551775
Bug: 33716442
Bug: 33677995

Change-Id: If341436b3cbaa724017eedddd88c2e6fac36d8ba
2017-02-14 16:59:09 +00:00
Harish Mahendrakar
494561291a Decoder: Moved end of pic processing to end of decode call
ih264d_end_of_pic() was called after parsing slice of a new picture.
This is now being done at the end of decode of the current picture.
decode_gaps_in_frame_num which needs frame_num of new slice is now
done after decoding frame_num in new slice.

This helps in handling errors in picaff streams with gaps in frames

Bug: 33588051
Bug: 33641588
Bug: 34097231
Change-Id: I1a26e611aaa2c19e2043e05a210849bd21b22220
2017-02-14 16:58:07 +00:00
Harish Mahendrakar
8b5fd8f24e Decoder: Treat first slice in a picture as part of new picture always
This is needed to decode streams with consecutive IDRs.

Bug: 34097231
Test: successful run of POC in security bug
Change-Id: Ib737a4ef4b8c5bb7a57c90292102dd28af0615fe
2017-02-14 04:41:02 +00:00
Harish Mahendrakar
69b5191865 Decoder: Add supported width check for MBaff streams
In case of MBAff streams, decoder processes two rows at a time,
this limits maximum supported width to 1920 for MBAff streams.

Bug: 33818508
Bug: 34013472
Change-Id: Iec2941f116cf3c36b63013a930319960023a3b42
2017-02-13 15:30:57 -08:00
Harish Mahendrakar
9d60a0c5da Decoder: Added a check for unsupported resolutions
Decoder now returns an error for resolutions greater than 3840x2176

Bug: 24542936

Change-Id: I38be0e4c5cf2a980bfd4c781f3b49171f73b5ccb
2017-02-13 15:30:46 -08:00
Harish Mahendrakar
1f0ab0b089 DO NOT MERGE: Decoder: Fixes an out of bound write in bitstream buffer
[this is for mnc-dev only, not any other mnc-*-dev flavors;
there is a different patch for mnc-dr-dev, nyc-* and going forward]

After emulation prevention, data is written as an int,
so at least 3 additional bytes should be available.
And since bitstream functions read 8 bytes ahead, 8 extra bytes
should be available in the bitstream buffer.

Bug: 33934721
Test: Ittiam testing, POC in the bug no longer fails
Change-Id: I444ec6f85d01b0bade9f827e15c4b476779d6c69
2017-02-13 14:44:11 -08:00
Ray Essick
cf05624312 Merge "Decoder: Return correct error code for slice header errors" into mnc-dev
am: 51ecbcabfb

Change-Id: Ib486869b38d66e1fb0fdeffe4316dce6a5ff9fd9
2017-02-13 19:21:06 +00:00
Ray Essick
16306f7347 Merge "Decoder: Initialize default reference buffers for all pictures" into mnc-dev
am: d61abc5195

Change-Id: Ieb21ecb1c3152bde97adc7cfcfc4d49afcafd93b
2017-02-13 19:20:57 +00:00
Harish Mahendrakar
73f74a84e1 Fix in returning end of bitstream error for MBAFF
am: 7950bf47b6

Change-Id: If45518b6d58c393313dbcb425f7aa2e7bec02056
2017-02-13 19:20:47 +00:00
Ray Essick
51ecbcabfb Merge "Decoder: Return correct error code for slice header errors" into mnc-dev 2017-02-13 19:15:36 +00:00
Ray Essick
d61abc5195 Merge "Decoder: Initialize default reference buffers for all pictures" into mnc-dev 2017-02-13 19:15:31 +00:00
Harish Mahendrakar
9a00f562a6 Decoder: Return correct error code for slice header errors
Return ERROR_INV_SLICE_HDR_T instead of ERROR_INV_SPS_PPS_T for slice
header errors.

Bug: 34097915
Change-Id: I45d14a71f2322ff349058baaf65fb0f3c1140fba
2017-02-13 19:14:59 +00:00
Harish Mahendrakar
f634481e94 Decoder: Initialize default reference buffers for all pictures
Reference buffer is now initialized to default value for
each pic before decoding the first slice in the pic

Bug: 34097866
Change-Id: Id64b123af2188217ce833f11db0e6c0681d41dfd
2017-02-13 19:14:50 +00:00
Harish Mahendrakar
7950bf47b6 Fix in returning end of bitstream error for MBAFF
In case of MBAFF streams, slices should terminate on
even MB boundary. If bytes are exhausted with odd number
of MBs decoded for MBAff, then treat that as error.

Bug: 33933140

Change-Id: Ifc26b66ff8ebdb3aec5c0d6c512e4cac3f54c5b7
2017-02-13 19:14:18 +00:00
Harish Mahendrakar
33ef7de9dd Decoder: Fixes an out of bound write in bitstream buffer
[for mnc-dr-dev and later; mnc-dev gets a different patch]

After emulation prevention, data is written as an int,
so at least 3 additional bytes should be available.
And since bitstream functions read 8 bytes ahead, 8 extra bytes
should be available in the bitstream buffer.

Bug: 33934721

Change-Id: I444ec6f85d01b0bade9f827e15c4b476779d6c69
2017-01-19 09:17:00 -08:00
Harish Mahendrakar
5a26569fa3 Decoder: Initialize ps_cur_slice->u1_mbaff_frame_flag correctly for error cases
am: 1d5640f2f9

Change-Id: I32e960c752ccbc991f8ce04455618a534f1f52c7
2017-01-18 21:11:11 +00:00
Ray Essick
43a184ad48 Merge "Decoder: Initialize ps_cur_slice->u1_mbaff_frame_flag correctly for error cases" into mnc-dev 2017-01-18 21:00:19 +00:00
Marco Nelissen
d5424f66e3 Merge "DO NOT MERGE Decoder: Increase memory allocation for weights & offsets for interlaced clips" into mnc-dev 2017-01-18 18:42:47 +00:00
Harish Mahendrakar
274529d8aa Decoder: Fix in checking first_mb_in_slice
am: ef27433ca8

Change-Id: Ic27ccbbcad3d991862b7e680595ab0ae4fd23eb0
2017-01-18 18:18:24 +00:00
Marco Nelissen
78523d557a Merge "Decoder: Fix in checking first_mb_in_slice" into mnc-dev 2017-01-18 18:07:51 +00:00
Harish Mahendrakar
bb4b279eb1 Decoder: Padded gau1_ih264d_top_left_mb_part_indx_mod to avoid an out of bound read
am: b88f59d835

Change-Id: If2e3c4258f8e64918e0ab066c9cc75cf8887c797
2017-01-18 17:32:47 +00:00
Marco Nelissen
4e0cdd450e Merge "Decoder: Padded gau1_ih264d_top_left_mb_part_indx_mod to avoid an out of bound read" into mnc-dev 2017-01-18 17:25:17 +00:00
Marco Nelissen
696b6f666c Merge "Decoder: Increase memory allocation for weights & offsets for interlaced clips" into mnc-dr-dev 2017-01-18 16:27:26 +00:00
Harish Mahendrakar
cec6503a20 Decoder: Fixed DoS in header decode when no PPS is present
am: 2cd2f7a335

Change-Id: If8a7c11ef215a84a350cd0a734bca9c69b91f1c6
2017-01-18 00:26:14 +00:00
TreeHugger Robot
e74ab7dba4 Merge "Decoder: Fixed DoS in header decode when no PPS is present" into mnc-dev 2017-01-18 00:23:33 +00:00
Harish Mahendrakar
b88f59d835 Decoder: Padded gau1_ih264d_top_left_mb_part_indx_mod to avoid an out of bound read
Change-Id: Ie8761de856ed8c7d08f3da61631c1bef446448e6
2017-01-17 16:12:12 -08:00
Harish Mahendrakar
ef27433ca8 Decoder: Fix in checking first_mb_in_slice
Also, increment slice header only if previous slice had at least one MB
This is to ensure there is no out of bound read for streams with 1 MB, and
due to error 2 slices were being accessed.

Bug: 33982658
Change-Id: I5f1918c09e922ca39f495f6059dfea3fa1d49448
2017-01-17 16:02:35 -08:00
Harish Mahendrakar
bee9b9a54b Decoder: Increase memory allocation for weights & offsets for interlaced clips
Bug: 33816782
Change-Id: I65a5376f46902139f9fc49a2fff54b53b518d703
2017-01-17 15:25:56 -08:00
Harish Mahendrakar
2cd2f7a335 Decoder: Fixed DoS in header decode when no PPS is present
When the input does not contain PPS and decoder is in header decode
mode, decoder was entering an infinite loop.

Bug: 33621215
(cherry picked from commit 33e1b190d6db09bd72a9f0f51acef4b14eabd6ff)
2017-01-17 15:25:13 -08:00
Harish Mahendrakar
74f03b639e DO NOT MERGE Decoder: Increase memory allocation for weights & offsets for interlaced clips
Bug: 33816782
Change-Id: I10f8b2a7691aeb55365901c166e765ab22ec6106
2017-01-17 23:25:11 +00:00
Harish Mahendrakar
4e7779e0ef Decoder: Fixed number of MB calculation for interlaced error streams
am: e1cf7ea8ae

Change-Id: If723b1da6adf7a816c095f327023853bcaccd0c5
2017-01-17 20:34:28 +00:00
Marco Nelissen
c4f317b873 Merge "Decoder: Fixed number of MB calculation for interlaced error streams" into mnc-dev 2017-01-17 20:27:24 +00:00