bs_gain_set_idx is a 6 bit field read from bitstream, which is used
to access gain_set_index_for_channel_group[] whose size is GAIN_SET_COUNT_MAX
which is 24.bs_gain_set_idx value greater than 23 is causing oob access.
As fix for this issue bound check is added for bs_gain_set_idx
Bug:119263784
Test: vendor
Change-Id: I26d3668c54a739016c1102158c73db49cb35f1c4
valgrind has reported usage of un-initialized variable for elements
of structure pstr_core_coder.
As a fix initialized the structure with memset.
Bug:118492594
Test: vendor
Change-Id: If1ce7f04ae03b58f44b9b551cab2461349e48394
valgrind has reported usage of un-initialized variable,interpolate_local
in,ixheaacd_mps_mapindexdata().
As a fix interpolate_local variable is initialized to zero
Bug:118492282
Test: vendor
Change-Id: I741fa634a4f0481b59acbbb88b4cd7a44200bed6
Initialized num_ch to zero and moved num_ch update outside
if (skip_full_decode == 0) condition to avoid propagation
of uninitialized or wrong num_ch for all cases.
Bug:120590841
Test: vendor, poc
Change-Id: I8aca82be8a20689547a2b85f8f3a06700b9927d2
ixheaacd_aac_decoder_init() is called inside ixheaacd_dec_execute().
ixheaacd_aac_decoder_init() will return NULL pointer in failure case and
pointer to aac decoder structure in successful case.
After this function NULL pointer check before de-referencing is missing
which is causing segmentation fault.
As a fix NULL pointer check is added
Bug:118615735
Test: vendor
Change-Id: I0e9a22e0f97dc99c238a026bf0fd693c3e93e4e7
The numbers stored in the table
common_tables_ptr->cc_gain_scale are multiplied with itself,
((-norm_value) - 1) times and stored in ind_channel_info->cc_gain.
Since the number stored in common_tables_ptr->cc_gain_scale
has a q factor of 29, the result is right shifted by 29 to maintain
the same q factor.
Bug:112705155
Test: vendor
Change-Id: I94199d172e4d3ad511dbae3a49d76f8e440fe724
Valgrind has reported use of uninitialized variable in
ixheaacd_read_block_data, which is caused due to uninitialized
api object.
As fix, initialized the api object.
Bug:118615735.
Test: vendor
Change-Id: Ib2702eac2c2f659589ce7616a9818913879ff3de
gain_seq_idx is a 6 bit value read from the bit stream.
it can get any value between 0 to 63. gain_seq_idx is used
to access gain_set_params_index_for_gain_sequence[] array
whose size is SEQUENCE_COUNT_MAX which is 24. if gain_seq_idx
value is greater than or equal to SEQUENCE_COUNT_MAX cause
oob write.
Bound check on gain_seq_idx is added to prevent oob access.
Bug:119117381
Test: vendor
Change-Id: I571e6e705489ae1c46c651f87491f15428719b30
In xaacdec even though lpd decoder handle is defined to support 6
channels, only 2 channels are initialized with data (because we
support only stereo in USAC profile). The input stream used for
this issue has 3 channels. When third channel is getting processed
valgrind is reporting un-initialized data usage.
To solve the issue, a conditional check is added based on number
of channels in the bit stream
Bug:117661478
Test: vendor
Change-Id: Iafc63a022d168791f63b79b0c1965182e69cafe6
Crash was due to integer overflow. To resolve the
integer overflow issue added saturation addition
and subtraction
Bug:116969100
Change-Id: Ib0d21403c3d714b434f893d71d9a32eea9fc9219
Added bound checks for all the parameters which are
derived from bit stream.
Bug:116760188
Bug:116019594
Bug:116114402
Test: vendor
Change-Id: I126cd520e7faf2281ab731da559b11c74a9e30b5
Add bounds checks for values delivered as N-bits in the bitstream
but that have smaller allowed range in this implementation.
Bug:116617847
Test: vendor
Change-Id: Iad0c020ceacd2226d8e1af688a52a46179a39a2d
Crash was due to addition overflow in ixheaacd_imdct_process().
Used saturating addition to resolve this.
Bug:116843813
Test: vendor
Change-Id: I5f57a377e5e4c27cb04cd3613bbb28a8665dbf75
Number of envelopes is becoming zero because of erroneous input
stream.Inside SBR start band and stop band are calculated based
on number of envelope's.
In this case start bands is becoming negative. In sbr processing
buffer is accessed from start to stop band. This is causing OOB
read access
Bug:113037143
Test: poc
Change-Id: Iade10e8cb86676784703e7226b7e132761eb12b1
(cherry picked from commit 4e5b9cb8f6)
* changes:
Fix for stack buffer overflow in mps ecdata pair decode
Fix for OOB read in bit stream parsing in mps module
Clean an array bounds violation.
Fix for sanitizer multiplication overflow error
Fix for Segmentation fault in ixheaacd_mps_apply_pre_matrix