Commit graph

155 commits

Author SHA1 Message Date
Ramesh Katuri
ce4e2da628 Fix for oobw in impd_manage_drc_complexity() due to drc_set_id
drc_set_id is a 6 bit filed read from bitstream. This drc_set_id is
used to access drc_set_id_valid_flag[] array whose size is
DRC_INSTRUCTIONS_COUNT_MAX i.e. 36. drc_set_id value greater than or
equal to 36 is causing oob write.

Bound check has been added for drc_set_id

Bug:119261935
Test: vendor
Change-Id: Ib218f4d72d23a2cbf4e74eea6a2d71ae8a735c6d
2018-11-29 16:24:19 -08:00
Ramesh Katuri
06c5d85bfd Fix for oobw-in-impd_parse_drc_instructions_uni_drc am: 4692bee50b
am: 9a26915ed2

Change-Id: I9d01f979d2fb637594719d53789ee4afc0e91f3d
2018-11-27 17:31:41 -08:00
Ramesh Katuri
4692bee50b Fix for oobw-in-impd_parse_drc_instructions_uni_drc
Bug:117883804
Test: vendor
Change-Id: I9512dbc1d184ea838572218df3db9e91574c1460
2018-11-27 13:58:34 -08:00
TreeHugger Robot
859712dff3 Merge "Fix for crash in ixheaacd_lt_prediction" 2018-11-27 02:05:25 +00:00
TreeHugger Robot
fcbf01186b Merge "Fix for heap buffer overflow in showbits_7 function" 2018-11-27 02:01:37 +00:00
TreeHugger Robot
f20429551c Merge "Fix for un-initialized value in ixheaacd_acelp_alias_cnx" 2018-11-27 01:59:59 +00:00
Ramesh Katuri
ec6c3bb222 Fix for heap buffer overflow in showbits_7 function
only fetch next byte of input if we actually need it.

Bug: 117655547
Test: vendor
Change-Id: I4b12feb0b92861b75689b54eae207cf1c693023c
2018-11-25 16:34:14 -08:00
Ramesh Katuri
52618d0834 Fix for un-initialized value in ixheaacd_acelp_alias_cnx
In xaacdec even though lpd decoder handle is defined to support 6
channels, only 2 channels are initialized with data (because we
support only stereo in USAC profile). The input stream used for
this issue has 3 channels. When third channel is getting processed
valgrind is reporting un-initialized data usage.

To solve the issue, a conditional check is added based on number
of channels in the bit stream

Bug:117661478
Test: vendor
Change-Id: Iafc63a022d168791f63b79b0c1965182e69cafe6
2018-11-25 15:50:42 -08:00
Ramesh Katuri
c0ead4ba18 Fix for heap buffer overflow in dec data init function
Bug:117935831
Test: vendor + poc
Change-Id: Iede9bd265eebbefda39c3328a5367399e6ace963
2018-11-25 15:36:26 -08:00
Ramesh Katuri
d9c4a50914 Fix for crash in ixheaacd_lt_prediction
Crash was due to integer overflow. To resolve the
integer overflow issue added saturation addition
and subtraction

Bug:116969100

Change-Id: Ib0d21403c3d714b434f893d71d9a32eea9fc9219
2018-11-23 15:35:29 -08:00
Ray Essick
577f7d9147 Merge "Fix for OOB write in mpeg-d drc bit stream parsing by adding bound checks" into pi-dev am: 850b4ba6f3
am: 94c8007f23

Change-Id: Ie1399a552c63c50c5ebb13b180a560303265bfa5
2018-11-21 09:38:33 -08:00
Ray Essick
850b4ba6f3 Merge "Fix for OOB write in mpeg-d drc bit stream parsing by adding bound checks" into pi-dev 2018-11-21 17:21:38 +00:00
Ray Essick
7f8d990145 Merge "Fix for OOB write in td filter casecade parsing" into pi-dev am: 1c63dd338e
am: 0fc68a180f

Change-Id: I6ff3a2b8630b075485a19874d06a701c7b715e67
2018-11-19 20:38:40 -08:00
Ray Essick
1c63dd338e Merge "Fix for OOB write in td filter casecade parsing" into pi-dev 2018-11-20 04:23:25 +00:00
Ramesh Katuri
c9f59f71e5 Fix for global buffer overflow in lt prediction function.
Bug:114746174
Test: vendor
Change-Id: Ifa3424ef7743fb937121ea3a1d0ec07a5cb98a05
2018-11-18 11:04:35 -08:00
Ray Essick
46d91bac30 Merge "Fix for Stack buffer overflow in ixheaacd_mps_getstridemap" into pi-dev am: e0040b411e
am: c103860d52

Change-Id: If00f07dfe2377e6698003476b1fda72c2c1a3fd5
2018-11-16 14:31:52 -08:00
Ray Essick
e0040b411e Merge "Fix for Stack buffer overflow in ixheaacd_mps_getstridemap" into pi-dev 2018-11-16 22:06:08 +00:00
Ray Essick
5c3eb1fc65 Merge "Fix for OOB write in equalizer instructions parsing." into pi-dev am: d498d63513
am: 0905f025b8

Change-Id: Icfc383473a556092ecc362ec2fe22ddbaaff81ec
2018-11-15 15:29:31 -08:00
Ramesh Katuri
7a57950b34 Fix for stack-buffer-underflow in ixheaacd_sbr_env_calc am: 565b25f432
am: e4c01befc0

Change-Id: I58f32245bd0d16f901e8982f6600336bef2cc052
2018-11-15 15:28:44 -08:00
Ray Essick
d498d63513 Merge "Fix for OOB write in equalizer instructions parsing." into pi-dev 2018-11-15 23:03:11 +00:00
Ramesh Katuri
565b25f432 Fix for stack-buffer-underflow in ixheaacd_sbr_env_calc
Bug:117050162
Test: vendor, poc no longer fails
Change-Id: I1ff8f0ce42ade33c93653edc9e19282b68108b9b
2018-11-14 18:31:32 -08:00
Ramesh Katuri
c9ecca9cd8 Fix for OOB write in equalizer instructions parsing.
Bound check was missing for eq_ch_group_count. Added
as fix.

Bug: 117216549
Test: vendor
Change-Id: Ie36446a3604ae1cb2471dad0a938a96f2b7fff64
2018-11-14 18:01:47 -08:00
Ramesh Katuri
bd5770772f Fix for Stack buffer overflow in ixheaacd_mps_getstridemap
Bug:117495103
Bug:117495366
Test: vendor + poc
Change-Id: Iff5b9135a8fc1b9ad1f00b6fdbe6a8e20c0a61c4
2018-11-14 14:56:14 -08:00
Ramesh Katuri
589d21b8a3 Fix for OOB write in mpeg-d drc bit stream parsing by adding bound checks
Added bound checks for all the parameters which are
derived from bit stream.

Bug:116760188
Bug:116019594
Bug:116114402
Test: vendor
Change-Id: I126cd520e7faf2281ab731da559b11c74a9e30b5
2018-11-07 00:55:26 +00:00
Ramesh Katuri
ae206c1fa5 Fix for OOB write in td filter casecade parsing
Add bounds checks for values delivered as N-bits in the bitstream
but that have smaller allowed range in this implementation.

Bug:116617847
Test: vendor
Change-Id: Iad0c020ceacd2226d8e1af688a52a46179a39a2d
2018-11-06 16:46:03 -08:00
Ramesh Katuri
9da98c5ba9 Use saturating addition in ixheaacd_imdct_process()
Crash was due to addition overflow in ixheaacd_imdct_process().
Used saturating addition to resolve this.

Bug:116843813
Test: vendor
Change-Id: I5f57a377e5e4c27cb04cd3613bbb28a8665dbf75
2018-11-06 16:12:59 -08:00
Ramesh Katuri
c992830e35 Fix for segmentation fault in hf generator
Number of envelopes is becoming zero because of erroneous input
stream.Inside SBR start band and stop band are calculated based
on number of envelope's.

In this case start bands is becoming negative. In sbr processing
buffer is accessed from start to stop band. This is causing OOB
read access

Bug:113037143
Test: poc
Change-Id: Iade10e8cb86676784703e7226b7e132761eb12b1
(cherry picked from commit 4e5b9cb8f6)
2018-11-02 22:53:22 +00:00
Ray Essick
176f86406d Merge changes from topic "b117495362" into pi-dev am: 8fe5da1ed4
am: cdb835c4dc

Change-Id: I354d70de86e98797d9973153d2000f016c0fa6c6
2018-11-01 15:49:11 -07:00
Ray Essick
8fe5da1ed4 Merge changes from topic "b117495362" into pi-dev
* changes:
  Fix for stack buffer overflow in mps ecdata pair decode
  Fix for OOB read in bit stream parsing in mps module
  Clean an array bounds violation.
  Fix for sanitizer multiplication overflow error
  Fix for Segmentation fault in ixheaacd_mps_apply_pre_matrix
2018-11-01 22:14:01 +00:00
Ray Essick
669178420f Merge "Fix for heap buffer overflow in tns block" into pi-dev am: 6511706b0b
am: b69f0f116c

Change-Id: If78275080e2b9cfb68aaae09fbd71718f30a91a6
2018-10-30 15:29:48 -07:00
Ray Essick
e79457567e Merge "Fix for OOB write in loudness info set ext" into pi-dev am: 69e7a92ab9
am: 2dd49bc124

Change-Id: I04e80eafebc7241034af28dc615e385c473a0c4b
2018-10-30 15:24:28 -07:00
Ray Essick
6391584b4a Merge "Fix for OOB write in parsing eq sub band gain vector in drc" into pi-dev am: 86a4367f4c
am: 2b463e4b0a

Change-Id: Id6d1b6f8d44baf643927dd8dba8157566d74a8e6
2018-10-30 15:24:13 -07:00
Ramesh Katuri
85589b0353 Fix for stack buffer overflow in drc loudness control am: 851d0d122a
am: 8a2678ef55

Change-Id: Ic73f4ee2630999d39c270afeda1111370612b928
2018-10-30 15:23:36 -07:00
Ray Essick
6511706b0b Merge "Fix for heap buffer overflow in tns block" into pi-dev 2018-10-30 22:12:07 +00:00
Ramesh Katuri
48b9e0f857 Fix for stack buffer overflow in mps ecdata pair decode
Bug:116971427
Test: vendor
Change-Id: Icb76f5700651ba701b51fdc626e797f0ae86c2cf
2018-10-30 14:56:10 -07:00
Ramesh Katuri
639e7a88a5 Fix for OOB read in bit stream parsing in mps module
icc and cld index are calculated using parameters derived
from bit stream.There is no bound check for icc and cld index,
because of which OOB read is happening in mps parsing

After icc and cld index calculation,values are clamped to
avoid OOB read

Bug:112856493
Bug:112858430
Test: poc
Change-Id: I59905926d8a2d1a532bec33e5998a67531a99bd9
2018-10-30 14:56:10 -07:00
Ray Essick
97123f8e06 Clean an array bounds violation.
unchecked bounds on array that was also 1 entry to small.

Bug: 110596152
Test: vendor
Change-Id: Ia6c0ddd342257177323a87af85fb42ba24eb8d11
2018-10-30 14:56:10 -07:00
Ramesh Katuri
40c1157b52 Fix for sanitizer multiplication overflow error
Bug: 110596152
Test: re-run POC
Change-Id: I24b01b4ab13987abd028f013262f732cd06e81f8
2018-10-30 14:56:10 -07:00
Ramesh Katuri
0ccd0efbd0 Fix for Segmentation fault in ixheaacd_mps_apply_pre_matrix
Bug: 110649314
Test: run poc
Change-Id: I40f74385499064c0e982608181d98e9e577df84c
2018-10-30 14:56:10 -07:00
Ray Essick
69e7a92ab9 Merge "Fix for OOB write in loudness info set ext" into pi-dev 2018-10-30 21:54:50 +00:00
Ray Essick
86a4367f4c Merge "Fix for OOB write in parsing eq sub band gain vector in drc" into pi-dev 2018-10-30 21:51:39 +00:00
Ramesh Katuri
6bd9129c03 Fix for OOB write in parsing eq sub band gain vector in drc
bounds checking on subband information.

Bug:115908308
Test: vendor
Change-Id: I8cb2684c7f02b287065ef8b0b1a11c7dcf88e6d1
2018-10-29 16:17:55 -07:00
Ramesh Katuri
851d0d122a Fix for stack buffer overflow in drc loudness control
Bug:114749542
Test: vendor
Change-Id: I3b394faf8e6659724ee361fb94ec7d89f60eaf5e
2018-10-29 15:47:53 -07:00
Ray Essick
dbcbdb48e3 Merge "Fix for stack over flow write in drc set pre selection" into pi-dev am: 3ddab42b81
am: e9f01642ae

Change-Id: I290beae7f39906fbab952640efe6d7b48c0a7060
2018-10-29 15:22:18 -07:00
Ray Essick
3ddab42b81 Merge "Fix for stack over flow write in drc set pre selection" into pi-dev 2018-10-29 22:08:57 +00:00
Ray Essick
8c4d76093e Merge "Fix for stack overflow in impd parse equalizer coefficients" into pi-dev am: e99fa1316d
am: a4076520bc

Change-Id: I2994b12f333055c8ddddd9147e36f9c91ac6184a
2018-10-29 14:47:54 -07:00
Ray Essick
1fe53b9203 Merge "Fix for OOB in parse drc config extension" into pi-dev am: 402fce8468
am: 19b90a410d

Change-Id: I58be68b51be085ea38a994094e653fa1c0943c72
2018-10-29 14:39:00 -07:00
Ray Essick
e99fa1316d Merge "Fix for stack overflow in impd parse equalizer coefficients" into pi-dev 2018-10-29 21:28:05 +00:00
Ray Essick
402fce8468 Merge "Fix for OOB in parse drc config extension" into pi-dev 2018-10-29 21:19:30 +00:00
Ramesh Katuri
d3c1212562 Merge "Fix for stack overflow in eq selection in drc module" into pi-dev am: 09cc55d5fa
am: 226f011619

Change-Id: Iccb00e370ec58bafe5d5d162e318b15b31786bb8
2018-10-29 13:58:20 -07:00