Commit graph

177 commits

Author SHA1 Message Date
Ramesh Katuri
015d135f65 Fix for stack buffer overflow in ixheaacd_latm_stream_mux_config am: 2e513342a1
am: f4b31cc0cf

Change-Id: I625b419eeca9a88d0e9d7eff4d03450fa6bb8cea
2019-01-02 12:08:35 -08:00
TreeHugger Robot
e6d51f6bf3 Merge "Fix for files with unsupported AOT in the first frame" 2018-12-29 14:44:12 +00:00
TreeHugger Robot
00e3408f15 Merge "Fix for segmentation fault in ixheaacd_dec_execute" 2018-12-29 00:03:41 +00:00
TreeHugger Robot
67f9744ec7 Merge "Fix for oobw in impd_drc_parse_coeff() due to gain_seq_idx" 2018-12-29 00:02:11 +00:00
TreeHugger Robot
c5557262fb Merge "Fix for multiply overflow in coupling channel element decoding" 2018-12-28 23:11:49 +00:00
TreeHugger Robot
c27192a5bb Merge "Fix for use of uninitialized variable in ixheaacd_read_block_data." 2018-12-28 23:11:47 +00:00
TreeHugger Robot
300eb8e9e3 Merge "Fix for Use of uninitialized value in ixheaacd_mps_mapindexdata" 2018-12-28 23:11:00 +00:00
TreeHugger Robot
725e48df07 Merge "Fix for Use of uninitialized value in ixheaacd_fd_channel_stream." 2018-12-28 23:10:28 +00:00
TreeHugger Robot
024727c93e Merge "Fix for Global buffer overflow in ixheaacd_extract_frame_info_ld" 2018-12-28 23:10:11 +00:00
TreeHugger Robot
039a5f8a1a Merge "Fix for Heap buffer overflow in main process function" 2018-12-28 23:08:44 +00:00
Ramesh Katuri
f7144dfe8f Fix for oobr in impd_manage_drc_complexity function
bs_gain_set_idx is a 6 bit field read from bitstream, which is used
to access gain_set_index_for_channel_group[] whose size is GAIN_SET_COUNT_MAX
which is 24.bs_gain_set_idx value greater than 23 is causing oob access.

As fix for this issue bound check is added for bs_gain_set_idx

Bug:119263784
Test: vendor
Change-Id: I26d3668c54a739016c1102158c73db49cb35f1c4
2018-12-28 11:45:54 -08:00
Ramesh Katuri
e32f2f97cd Fix for Use of uninitialized value in ixheaacd_fd_channel_stream.
valgrind has reported usage of un-initialized variable for elements
of structure pstr_core_coder.

As a fix initialized the structure with memset.

Bug:118492594
Test: vendor
Change-Id: If1ce7f04ae03b58f44b9b551cab2461349e48394
2018-12-28 10:22:04 -08:00
Ramesh Katuri
7513c8b52a Fix for Use of uninitialized value in ixheaacd_mps_mapindexdata
valgrind has reported usage of un-initialized variable,interpolate_local
in,ixheaacd_mps_mapindexdata().

As a fix interpolate_local variable is initialized to zero

Bug:118492282
Test: vendor
Change-Id: I741fa634a4f0481b59acbbb88b4cd7a44200bed6
2018-12-28 10:15:50 -08:00
Rajat Kumar
ee90aac01b Fix for Heap buffer overflow in main process function
Initialized num_ch to zero and moved num_ch update outside
if (skip_full_decode == 0) condition to avoid propagation
of uninitialized or wrong num_ch for all cases.

Bug:120590841
Test: vendor, poc
Change-Id: I8aca82be8a20689547a2b85f8f3a06700b9927d2
2018-12-28 09:44:41 -08:00
Rajat Kumar
fa41125141 Fix for Global buffer overflow in ixheaacd_extract_frame_info_ld
adds a bounds check.

Bug:120250878
Test: vendor
Change-Id: I7760f81bd90f2901ae5fa61a850298d216909592
2018-12-22 06:57:22 -08:00
Ramesh Katuri
b17f1b007f Fix for segmentation fault in ixheaacd_dec_execute
ixheaacd_aac_decoder_init() is called inside ixheaacd_dec_execute().
ixheaacd_aac_decoder_init() will return NULL pointer in failure case and
pointer to aac decoder structure in successful case.

After this function NULL pointer check before de-referencing is missing
which is causing segmentation fault.

As a fix NULL pointer check is added

Bug:118615735
Test: vendor
Change-Id: I0e9a22e0f97dc99c238a026bf0fd693c3e93e4e7
2018-12-22 05:58:47 -08:00
Ramesh Katuri
cd952cc64e Fix for multiply overflow in coupling channel element decoding
The numbers stored in the table
common_tables_ptr->cc_gain_scale are multiplied with itself,
((-norm_value) - 1) times and stored in ind_channel_info->cc_gain.
Since the number stored in common_tables_ptr->cc_gain_scale
has a q factor of 29, the result is right shifted by 29 to maintain
the same q factor.

Bug:112705155
Test: vendor
Change-Id: I94199d172e4d3ad511dbae3a49d76f8e440fe724
2018-12-22 05:57:51 -08:00
Tripti Tiwari
34f516c4c8 Fix for use of uninitialized variable in ixheaacd_read_block_data.
Valgrind has reported use of uninitialized variable in
ixheaacd_read_block_data, which is caused due to uninitialized
api object.

As fix, initialized the api object.

Bug:118615735.
Test: vendor
Change-Id: Ib2702eac2c2f659589ce7616a9818913879ff3de
2018-12-22 05:57:18 -08:00
Ramesh Katuri
2e513342a1 Fix for stack buffer overflow in ixheaacd_latm_stream_mux_config
Bug:118149009
Test: vendor
Change-Id: I16213a2db36e9d678f7105edda9a4a6c17a3f8a6
2018-12-21 10:27:29 -08:00
Ramesh Katuri
a516b49570 Fix for oobw in impd_drc_parse_coeff() due to gain_seq_idx
gain_seq_idx is a 6 bit value read from the bit stream.
it can get any value between 0 to 63. gain_seq_idx is used
to access gain_set_params_index_for_gain_sequence[] array
whose size is SEQUENCE_COUNT_MAX which is 24. if gain_seq_idx
value is greater than or equal to SEQUENCE_COUNT_MAX cause
oob write.

Bound check on gain_seq_idx is added to prevent oob access.

Bug:119117381
Test: vendor
Change-Id: I571e6e705489ae1c46c651f87491f15428719b30
2018-12-21 10:11:38 -08:00
TreeHugger Robot
657393883b Merge "Fix for Segmentation fault in ixheaacd_sbr_dec_from_mps" into pi-dev 2018-11-28 21:33:31 +00:00
Ramesh Katuri
06c5d85bfd Fix for oobw-in-impd_parse_drc_instructions_uni_drc am: 4692bee50b
am: 9a26915ed2

Change-Id: I9d01f979d2fb637594719d53789ee4afc0e91f3d
2018-11-27 17:31:41 -08:00
Ramesh Katuri
f81b8d0dbd Fix for Segmentation fault in ixheaacd_sbr_dec_from_mps
Bug: 110629822
Test: re-run poc
Change-Id: I5495b01d5d0c779185ff04eb8f1c048f353396b2
(cherry picked from commit 70396d6ced)
2018-11-27 23:22:45 +00:00
Ramesh Katuri
4692bee50b Fix for oobw-in-impd_parse_drc_instructions_uni_drc
Bug:117883804
Test: vendor
Change-Id: I9512dbc1d184ea838572218df3db9e91574c1460
2018-11-27 13:58:34 -08:00
TreeHugger Robot
859712dff3 Merge "Fix for crash in ixheaacd_lt_prediction" 2018-11-27 02:05:25 +00:00
TreeHugger Robot
fcbf01186b Merge "Fix for heap buffer overflow in showbits_7 function" 2018-11-27 02:01:37 +00:00
TreeHugger Robot
f20429551c Merge "Fix for un-initialized value in ixheaacd_acelp_alias_cnx" 2018-11-27 01:59:59 +00:00
Ramesh Katuri
ec6c3bb222 Fix for heap buffer overflow in showbits_7 function
only fetch next byte of input if we actually need it.

Bug: 117655547
Test: vendor
Change-Id: I4b12feb0b92861b75689b54eae207cf1c693023c
2018-11-25 16:34:14 -08:00
Ramesh Katuri
52618d0834 Fix for un-initialized value in ixheaacd_acelp_alias_cnx
In xaacdec even though lpd decoder handle is defined to support 6
channels, only 2 channels are initialized with data (because we
support only stereo in USAC profile). The input stream used for
this issue has 3 channels. When third channel is getting processed
valgrind is reporting un-initialized data usage.

To solve the issue, a conditional check is added based on number
of channels in the bit stream

Bug:117661478
Test: vendor
Change-Id: Iafc63a022d168791f63b79b0c1965182e69cafe6
2018-11-25 15:50:42 -08:00
Ramesh Katuri
c0ead4ba18 Fix for heap buffer overflow in dec data init function
Bug:117935831
Test: vendor + poc
Change-Id: Iede9bd265eebbefda39c3328a5367399e6ace963
2018-11-25 15:36:26 -08:00
Ramesh Katuri
d9c4a50914 Fix for crash in ixheaacd_lt_prediction
Crash was due to integer overflow. To resolve the
integer overflow issue added saturation addition
and subtraction

Bug:116969100

Change-Id: Ib0d21403c3d714b434f893d71d9a32eea9fc9219
2018-11-23 15:35:29 -08:00
Ray Essick
577f7d9147 Merge "Fix for OOB write in mpeg-d drc bit stream parsing by adding bound checks" into pi-dev am: 850b4ba6f3
am: 94c8007f23

Change-Id: Ie1399a552c63c50c5ebb13b180a560303265bfa5
2018-11-21 09:38:33 -08:00
Ray Essick
850b4ba6f3 Merge "Fix for OOB write in mpeg-d drc bit stream parsing by adding bound checks" into pi-dev 2018-11-21 17:21:38 +00:00
Ray Essick
7f8d990145 Merge "Fix for OOB write in td filter casecade parsing" into pi-dev am: 1c63dd338e
am: 0fc68a180f

Change-Id: I6ff3a2b8630b075485a19874d06a701c7b715e67
2018-11-19 20:38:40 -08:00
Ray Essick
1c63dd338e Merge "Fix for OOB write in td filter casecade parsing" into pi-dev 2018-11-20 04:23:25 +00:00
Ramesh Katuri
c9f59f71e5 Fix for global buffer overflow in lt prediction function.
Bug:114746174
Test: vendor
Change-Id: Ifa3424ef7743fb937121ea3a1d0ec07a5cb98a05
2018-11-18 11:04:35 -08:00
Ray Essick
46d91bac30 Merge "Fix for Stack buffer overflow in ixheaacd_mps_getstridemap" into pi-dev am: e0040b411e
am: c103860d52

Change-Id: If00f07dfe2377e6698003476b1fda72c2c1a3fd5
2018-11-16 14:31:52 -08:00
Ray Essick
e0040b411e Merge "Fix for Stack buffer overflow in ixheaacd_mps_getstridemap" into pi-dev 2018-11-16 22:06:08 +00:00
Ray Essick
5c3eb1fc65 Merge "Fix for OOB write in equalizer instructions parsing." into pi-dev am: d498d63513
am: 0905f025b8

Change-Id: Icfc383473a556092ecc362ec2fe22ddbaaff81ec
2018-11-15 15:29:31 -08:00
Ramesh Katuri
7a57950b34 Fix for stack-buffer-underflow in ixheaacd_sbr_env_calc am: 565b25f432
am: e4c01befc0

Change-Id: I58f32245bd0d16f901e8982f6600336bef2cc052
2018-11-15 15:28:44 -08:00
Ray Essick
d498d63513 Merge "Fix for OOB write in equalizer instructions parsing." into pi-dev 2018-11-15 23:03:11 +00:00
Ramesh Katuri
565b25f432 Fix for stack-buffer-underflow in ixheaacd_sbr_env_calc
Bug:117050162
Test: vendor, poc no longer fails
Change-Id: I1ff8f0ce42ade33c93653edc9e19282b68108b9b
2018-11-14 18:31:32 -08:00
Ramesh Katuri
c9ecca9cd8 Fix for OOB write in equalizer instructions parsing.
Bound check was missing for eq_ch_group_count. Added
as fix.

Bug: 117216549
Test: vendor
Change-Id: Ie36446a3604ae1cb2471dad0a938a96f2b7fff64
2018-11-14 18:01:47 -08:00
Ramesh Katuri
bd5770772f Fix for Stack buffer overflow in ixheaacd_mps_getstridemap
Bug:117495103
Bug:117495366
Test: vendor + poc
Change-Id: Iff5b9135a8fc1b9ad1f00b6fdbe6a8e20c0a61c4
2018-11-14 14:56:14 -08:00
Ramesh Katuri
589d21b8a3 Fix for OOB write in mpeg-d drc bit stream parsing by adding bound checks
Added bound checks for all the parameters which are
derived from bit stream.

Bug:116760188
Bug:116019594
Bug:116114402
Test: vendor
Change-Id: I126cd520e7faf2281ab731da559b11c74a9e30b5
2018-11-07 00:55:26 +00:00
Ramesh Katuri
ae206c1fa5 Fix for OOB write in td filter casecade parsing
Add bounds checks for values delivered as N-bits in the bitstream
but that have smaller allowed range in this implementation.

Bug:116617847
Test: vendor
Change-Id: Iad0c020ceacd2226d8e1af688a52a46179a39a2d
2018-11-06 16:46:03 -08:00
Ramesh Katuri
9da98c5ba9 Use saturating addition in ixheaacd_imdct_process()
Crash was due to addition overflow in ixheaacd_imdct_process().
Used saturating addition to resolve this.

Bug:116843813
Test: vendor
Change-Id: I5f57a377e5e4c27cb04cd3613bbb28a8665dbf75
2018-11-06 16:12:59 -08:00
Ramesh Katuri
c992830e35 Fix for segmentation fault in hf generator
Number of envelopes is becoming zero because of erroneous input
stream.Inside SBR start band and stop band are calculated based
on number of envelope's.

In this case start bands is becoming negative. In sbr processing
buffer is accessed from start to stop band. This is causing OOB
read access

Bug:113037143
Test: poc
Change-Id: Iade10e8cb86676784703e7226b7e132761eb12b1
(cherry picked from commit 4e5b9cb8f6)
2018-11-02 22:53:22 +00:00
Ray Essick
176f86406d Merge changes from topic "b117495362" into pi-dev am: 8fe5da1ed4
am: cdb835c4dc

Change-Id: I354d70de86e98797d9973153d2000f016c0fa6c6
2018-11-01 15:49:11 -07:00
Ray Essick
8fe5da1ed4 Merge changes from topic "b117495362" into pi-dev
* changes:
  Fix for stack buffer overflow in mps ecdata pair decode
  Fix for OOB read in bit stream parsing in mps module
  Clean an array bounds violation.
  Fix for sanitizer multiplication overflow error
  Fix for Segmentation fault in ixheaacd_mps_apply_pre_matrix
2018-11-01 22:14:01 +00:00