Commit graph

272 commits

Author SHA1 Message Date
Ramesh Katuri
2c9929c4a3 Fix for heap-buffer-overflow in ixheaacd_aac_showbits_32
Better feedback from a bit reading routine, allowing separate offset
adjustments into buffer.

Bug:117610057
Test: vendor+poc
Change-Id: I3031cc50a727987512e2b8979fe14cbe23778245
2019-02-22 18:28:54 -08:00
Pirama Arumuga Nainar
266216e42b Merge "Mark two inline functions as static" am: 624825bb2e am: cc99c427a1
am: 153f44de04

Change-Id: Ib163444b0cbeca4ffc3a79cc94b48d1cd9da18ee
2019-02-20 11:18:20 -08:00
Pirama Arumuga Nainar
153f44de04 Merge "Mark two inline functions as static" am: 624825bb2e
am: cc99c427a1

Change-Id: Ice5ebf305594238aa721abc83df2d6631e741a5a
2019-02-20 10:06:21 -08:00
Pirama Arumuga Nainar
624825bb2e Merge "Mark two inline functions as static" 2019-02-20 16:29:59 +00:00
Pirama Arumuga Nainar
0be5c447de Mark two inline functions as static
Bug: http://b/116873221

Mark ixheaacd_init_sbr_tables and ixheaacd_filt_buf_update as static, so
clang emits an out-of-line definition for it.  This fixes the coverage
build, that builds with O0, where the functions don't get inlined.

As an unrelated cleanup, remove an extra declaration of
ixheaacd_filt_buf_update.

Test: Build with coverage
Change-Id: Ia92f1d73c404193116fa3f269948027c771a43bf
2019-02-19 11:03:06 -08:00
TreeHugger Robot
1deaf88b6e Merge "Fix for invalid memory access in ixheaacd_init_sbr access." 2019-02-08 20:33:18 +00:00
TreeHugger Robot
f986e101ae Merge "Fix for integer overflow in ixheaacd_decode_init()" 2019-02-08 20:29:18 +00:00
TreeHugger Robot
ca93ed6307 Merge "Fix for integer overflow in ixheaacd_cal_fac_data" 2019-02-08 18:44:25 +00:00
TreeHugger Robot
07b0a15be9 Merge "Fix for stack-buffer-overflow in ixheaacd_generate_hf" 2019-02-08 18:43:05 +00:00
Tripti Tiwari
f86897eaad Fix for integer overflow in ixheaacd_cal_fac_data
Negation overflow occurs in ixheaacd_cal_fac_data.

As fix, added saturation check in absolute value
calculation.

Bug:120250030
Test: vendor
Change-Id: Ie310d9d21fc12fc76135fa7b411572d3673fe871
2019-02-01 11:20:25 -08:00
Rajat Kumar
864279697e Fix for integer overflow's in ixheaacd_voronoi_search
Saturation checks has been added after 32 bit
additions and multiplication to avoid integer
overflows in this CL.

Bug:120252825
Test: poc
Change-Id: Ifec303f477de51c218f8cfeb8a4a8ac3e570fcd5
2019-02-01 10:52:08 -08:00
Tripti Tiwari
00cfd09980 Fix for invalid memory access in ixheaacd_init_sbr access.
In this erroneous case, initial few frames don't have sbr
and later sbr is present, causing invalid memory access.

As a fix, removed the condition over sbr initialization,
allowing it to initialize sbr independent of sbr being
present or not.

Bug:118685461
Bug:120124033
Test: poc
Change-Id: I54810fb8cb20ebeeff6341efbe32f99860aa0a5c
2019-02-01 10:39:02 -08:00
Ramesh Katuri
ad50545546 Fix for stack-buffer-overflow in ixheaacd_generate_hf
Bug:117051619
Test: vendor + poc
Change-Id: Ie7067ed5104a7fabc99ac7bd46516a6be4a5e481
2019-01-31 17:23:34 -08:00
TreeHugger Robot
4d7d9daad6 Merge "Fix for array bound overflows" 2019-01-28 19:15:34 +00:00
Rajat Kumar
5e84510dff Fix for invalid read of data below stack pointer
eliminate [sp, <negativeconstant> ] references by growing stack appropriately
larger and adjusting all sp-based offsets.

Bug:117660045
Test: vendor
Change-Id: I927a98c3da2dd331bd9205712404941fae5c3f81
(cherry picked from commit de3801a089)
2019-01-23 17:50:40 +00:00
Ray Essick
23770a90e5 Merge "Fix for invalid read of data below stack pointer" 2019-01-23 17:18:54 +00:00
TreeHugger Robot
ae3f833889 Merge "Fix for integer overflow in ixheaacd_voronoi_search" 2019-01-18 01:44:23 +00:00
Tripti Tiwari
1908d24066 Fix for integer overflow in ixheaacd_voronoi_search
Subtraction overflow occurs in ixheaacd_voronoi_search.
As fix, saturation check added.

Bug:120064853
Test: vendor
Change-Id: If8c6c21c4d77d2c60e34db6296e500e448c3ed8b
2019-01-17 16:05:08 -08:00
Ramesh Katuri
7431cc93ad Fix for crash in ixheaacd_filter_and_add
Use saturating math in many places to avoid integer overflow.

Bug: 117048334
Test: vendor
Change-Id: I6ba53797035b812002f85ef67ef0f6a73b650aca
2019-01-17 14:36:09 -08:00
Ray Essick
ac85257e25 Merge "Fix for crash in ixheaacd_rvlc_dec" 2019-01-17 16:58:39 +00:00
TreeHugger Robot
6bf18bef96 Merge "Fix for crash in in ixheaacd_core_coder_data" 2019-01-17 02:31:21 +00:00
TreeHugger Robot
78c8e8d43d Merge "Fix for crash in ixheaacd_voronoi_idx_dec" 2019-01-16 16:10:56 +00:00
TreeHugger Robot
27c3699b3d Merge "Fix for crash in ixheaacd_ga_hdr_dec" 2019-01-15 01:41:39 +00:00
Ramesh Katuri
51a9c02020 Fix for crash in in ixheaacd_core_coder_data
Bug:117047613
Test: vendor
Change-Id: Ia64ca8a0e65bfa41e05cd53e4ebd39c02768edef
2019-01-14 17:24:00 -08:00
Ramesh Katuri
43b2e7c94c Fix for crash in ixheaacd_voronoi_idx_dec
Bug:117047616
Test: vendor + poc
Change-Id: I01fedfe098a3128b4ee965566054e889003e6667
2019-01-14 17:10:34 -08:00
Rajat Kumar
eb58cff832 Fix for array bound overflows
Added bound checks and handled the respective returned
error across source and header files.

Bug:120452956
Test: vendor, poc
Change-Id: I5a9ebf68e7a5d2f41a0112aff113f0b1b8eeba7c
2019-01-11 14:16:39 -08:00
Rajat Kumar
de3801a089 Fix for invalid read of data below stack pointer
eliminate [sp, <negativeconstant> ] references by growing stack appropriately
larger and adjusting all sp-based offsets.

Bug:117660045
Test: vendor
Change-Id: I927a98c3da2dd331bd9205712404941fae5c3f81
2019-01-11 12:31:08 -08:00
Ramesh Katuri
acae580792 Fix for crash in ixheaacd_rvlc_dec
Instead of saving the cnt_bits and later doing the math
(which was causing integer overflow) to restore bit-buffer
values, we are saving the bit-buffer structure at the start
and then restoring it at the end of the function.

Bug:116843194
Test: vendor
Change-Id: I956e36e1b5d7823171d5d04a9058205b69c65be7
2019-01-11 10:40:28 -08:00
Ramesh Katuri
5017b03aeb Fix for crash in ixheaacd_ga_hdr_dec
Bug:117049088
Test: vendor
Change-Id: I2b64b5c60eaf037ab2ff23c9edef2ddd7064fb8e
2019-01-11 10:26:12 -08:00
Rajat Kumar
c300f50cf1 Fix OOB read in impd_drc_uni_sel_proc_process
pstr_drc_uni_sel_proc->drc_config.str_drc_instruction_str
and pstr_drc_uni_sel_proc->drc_config.str_drc_config_ext
.str_eq_instructions  arrays were accessed with -1
indexes, which is implemented as default configuration for no
updation.

Since we have already initialized all the structures to zero
before itself, this assignment is not needed when the indexes
are -1, so the check has been added.

Bug: 122330975
Test: atest android.media.cts.DecoderTestAacDrc
Change-Id: I841c748c53c057db38379c97def6b28fb6421482
2019-01-10 10:50:22 -08:00
Tripti Tiwari
0c4b1b73fc Fix for integer overflow in ixheaacd_decode_init()
In this POC sampling rate is user defined value, which is
very high. This is causing integer overflow during multiplication.

As fix bound check is added for sampling rate

Bug:120251340
Test: vendor + poc
Change-Id: Ia11a261ec108638f721c08d72b1353bf429edc03
2019-01-08 11:05:48 -08:00
Rajat Kumar
cdce0be099 Fix for integer overflow in ixheaacd_nearest_neighbor_2d
Saturation checks has been added after negation
and subtraction operations to avoid integer
overflows in this CL.

Bug:120252334
Test: poc + vendor
Change-Id: Ief97ec7b4715bc76b7accc78ece535c7a561447e
2019-01-08 10:36:28 -08:00
TreeHugger Robot
a2796e6022 Merge "Fix for segmentation fault in latmGetValue" 2019-01-07 19:36:33 +00:00
TreeHugger Robot
2f4e7d8d97 Merge "Fix for integer overflow in xaacdec test bench" 2019-01-07 19:36:31 +00:00
TreeHugger Robot
a0e487a8bd Merge "Fix for few uninitialized accesses" 2019-01-07 19:32:27 +00:00
TreeHugger Robot
b58b82de38 Merge "Fix for oobw in ixheaacd_decode_init()" 2019-01-07 19:30:14 +00:00
TreeHugger Robot
9b6182fe2e Merge "Fix for oobw in impd_manage_drc_complexity() due to drc_set_id" 2019-01-07 19:28:00 +00:00
TreeHugger Robot
322278fed9 Merge "Fix for oobw in impd_manage_eq_complexity() due to eq_set_id" 2019-01-07 19:26:30 +00:00
TreeHugger Robot
92663c01c7 Merge "Fix for stack buffer underflow in sbr dec" 2019-01-07 19:24:23 +00:00
TreeHugger Robot
4cbdac93d2 Merge "Fix for segmentation fault in read spectral data" 2019-01-07 18:34:14 +00:00
TreeHugger Robot
f6bf43db8f Merge "Fix for crash in ixheaacd_decode_init" 2019-01-07 18:22:03 +00:00
TreeHugger Robot
7ec9d127e7 Merge "Fix for global buffer overflow in impd_init_loudness_control function" 2019-01-07 17:55:21 +00:00
TreeHugger Robot
cea2548155 Merge "Fix for global buffer over flow in error handler." 2019-01-07 17:49:47 +00:00
TreeHugger Robot
c1c9021f5c Merge "Fix for heap buffer overflow in ixheaacd_aac_read_2bytes" 2019-01-07 17:49:02 +00:00
TreeHugger Robot
4a6e2011a8 Merge "Fix for addition overflow in ixheaacd_shr32_drc" 2019-01-07 03:00:43 +00:00
TreeHugger Robot
c7e444dad2 Merge "Fix for parsing erroneous Program Config Element" 2019-01-05 01:13:39 +00:00
Ray Essick
7ead99042a Merge "Bit buffer error handling using setjmp and longjmp" 2019-01-04 23:12:23 +00:00
Ramesh Katuri
7639b651b2 Fix for addition overflow in ixheaacd_shr32_drc
Addition overflow was observed in function ixheaacd_shr32_drc.
After fixing this issue we observed an infinite loop in
ixheaacd_reset_hf_generator(), which is fixed in the current CL

Bug:118388357
Test: vendor + poc
Change-Id: I95ebac387057e170763e230fc081a2bb57312ebd
2019-01-04 10:13:49 -08:00
TreeHugger Robot
8b11755f03 Merge "Fix for stack buffer over flow in ixheaacd_lpd_bpf_fix function" 2019-01-04 03:54:02 +00:00
TreeHugger Robot
98b3146396 Merge "Fix for uninitialized bit buffer variables" 2019-01-04 02:00:36 +00:00