Commit graph

411 commits

Author SHA1 Message Date
Rajat Kumar
57b4f3eac4 Fix for OOB in external libxaac
Codec initialization is done with AOT 2 (AAC-LC profile),
but AOT changes abruptly to 42 (USAC profile) in execution
leading to access of uninitialized tables. Hence Added a
check for mismatch in AOT during initialization and
AOT during execution.

Bug:150400335
Test: poc in bug

Change-Id: I73ca2bf0f963df7982c1a8371a8fc0c2e3c7cd82
2020-03-29 17:16:45 -07:00
TreeHugger Robot
7862de4bd2 Merge "Fix for array out of bound in decoder/drc_src/impd_drc_eq.c" into rvc-dev 2020-03-19 19:07:47 +00:00
Sushanth Patil
40fb6f798f Fix for array out of bound in decoder/drc_src/impd_drc_eq.c
Error return check was missing, which caused an
unchecked value to propagate and lead to array OOB.

Bug: 151407605
Test: poc in bug

Change-Id: I0ab9ced7504314e0a31fbe7138c0b95ecbc8cd84
2020-03-18 20:56:48 +00:00
Rajat Kumar
ed2dbffd88 Fix for array out of bound for type 'ia_filt_cascade_td_struct[4]'
Value is read from the bit stream and used as index
before checking for bounds, added the same as fix here.

Bug: 151412914
Test: poc in bug

Change-Id: I2f484398d87bee0a525e4f31b4f0da4c1b13bb1d
2020-03-18 09:09:45 -07:00
TreeHugger Robot
418325e543 Merge "Fix for missing bound check in MPS bit parsing" into rvc-dev 2020-03-10 04:51:59 +00:00
TreeHugger Robot
4bbb59d953 Merge "Fix for SEGV in ixheaacd_aacdec_decodeframe function." into rvc-dev 2020-03-09 22:30:23 +00:00
TreeHugger Robot
3eb739ab1d Merge "Fix for read buffer overflow in impd_filter_banks_process" into rvc-dev 2020-03-09 22:27:29 +00:00
Tripti Tiwari
f034dda6d2 Fix for SEGV in ixheaacd_aacdec_decodeframe function.
For erroneous stream, coupling channel initialization memory
was overlapping with SBR scratch memory usage, causing unwanted
reset of the some of the pointers.
All initialization should take place in persistent memory.
As a fix, replaced scratch with persistent memory for initialization.

Bug:145264510
Test:poc in bug

Change-Id: Iaa757d0e87fd3a0b2f75c5288cfe662f556c871f
2020-03-07 15:07:54 -08:00
Rajat Kumar
5426a0bf19 Fix for read buffer overflow in impd_filter_banks_process
str_node[k].time is used as index later, added a check
where its calculated.

Bug:146948608
Test:poc in bug

Change-Id: I35ca08ad19045deca44b5b5c55532a84f5a58ed3
2020-03-07 15:00:27 -08:00
Rajat Kumar
24e72af590 Fix for missing bound check in MPS bit parsing
Value of bs_decorr_config = 3 is not supported.
A check has been added for the same.

Bug: 136063852
Test: manual review

Change-Id: Idd2309e9d0f6d346fb5c9227bed1124d622e6f7e
2020-03-05 16:35:16 -08:00
Rajat kumar
7a984f6ccc Fix for segv in ixheaacd_read_bits_buf
When ixheaacd_drc_offset comes negative, we read
backward in bitbuffer. There was no bound check to
make sure it did not go beyond the start of bitbuffer.
This caused a SEGV.

As a fix, bound check has been added.

Bug:144134845
Test: poc in bug

Change-Id: I94c4362f26fdb463eb07f5006d0f36860aad8128
2020-03-05 12:24:41 -08:00
Rajat Kumar
f60122a142 Fix for array out of bound in impd_drc_parse_coeff func
Variable num_gain_max_values was used as index in
impd_init_table function without checked
for bounds. Added check to prevent out of bound array
access.

Bug:141524702
Test: poc in bug

Change-Id: Ia902153ef614db6dbd002572cdbdb62421580588
(cherry picked from commit 566b69f066)
2020-03-04 17:23:02 +00:00
Rajat Kumar
74fa48f677 Fix for SBO in impd_drc_selection_process_drcset_selection.c
Index k is incremented and used as an index of
selection_candidate_info_step_2 array. k can be
max (str_drc_instruction_str->dwnmix_id_count *
selection_candidate_step_2_count), this can be
more than max size of selection_candidate_info_step_2
array.

Hence added a check before assignment as fix.

Bug:147331996
Test:poc in bug

Change-Id: I1ffa88eddfcef93ab15a08599270924d54cdf1de
2020-02-20 16:58:14 -08:00
TreeHugger Robot
1207285ca0 Merge "Fix for segv in impd_filter_banks_process function" 2020-01-29 20:41:46 +00:00
Rajat Kumar
3c5f6c0399 Fix for memcpy-param-overlap in apply sbr function
ptr_sbr_qmf->filter_states memory is initialized based on
down_sample_flag. But it's used irrespective of
down_sample_flag values for few testcases.
Therefore assigned maximum memory to
ptr_sbr_qmf->filter_states as a fix in the current CL.

Bug: 147028944
Test: poc in bug

Change-Id: I84f9976645a53e09d638d214730801af4156962e
2020-01-28 16:55:45 -08:00
TreeHugger Robot
bd868287e9 Merge "Fix for integer overflow in ixheaacd_block.c file" 2020-01-23 01:42:05 +00:00
TreeHugger Robot
f0ee84c4b9 Merge "Fix for use of uninitialsied value in ixheaacd_bass_post_filter" 2020-01-20 18:57:53 +00:00
TreeHugger Robot
7d71f971a8 Merge "Fix for SBO in ixheaacd_enery_calc_persfb function" 2020-01-20 17:16:56 +00:00
TreeHugger Robot
3938795985 Merge "Fix for array bound overflow in ia_gain_set_params_struct." 2020-01-16 01:26:59 +00:00
TreeHugger Robot
da4f7feef2 Merge "Fix for array out of bound in parse drc instruction func" 2020-01-16 00:50:46 +00:00
TreeHugger Robot
9d8fb8147a Merge "Fix for heap-buffer-overflow in ixheaacd_read_bits_buf." 2020-01-16 00:50:07 +00:00
TreeHugger Robot
3214d04ad9 Merge "Fix for array oob in ia_shape_filter_block_params_struct" 2020-01-15 20:06:21 +00:00
TreeHugger Robot
6606e742ba Merge "Fix for oob in ia_drc_instructions_struct" 2020-01-15 19:58:59 +00:00
TreeHugger Robot
c31cf4f962 Merge "Fix for integer-overflow in ixheaacd_tns_ar_filter_fixed_armv8" 2020-01-15 19:58:08 +00:00
Ray Essick
cb7680cd72 Merge "Fix for array out of bound access in gain_set_param structure" 2020-01-15 19:17:45 +00:00
TreeHugger Robot
6a015d6931 Merge "Fix for integer overflow in ixheaacd_add32 function" 2020-01-15 00:25:33 +00:00
TreeHugger Robot
f8f448a82f Merge "Fix for heap buffer overflow in set sbr persistent buffer" 2020-01-13 18:45:51 +00:00
Sushanth Patil
af0071f0e3 Fix for use of uninitialsied value in ixheaacd_bass_post_filter
Uninitialsed float arrays were initialised with -nan/nan values
which got propagated in the code flow and crashed in an "if"
statement where a varibale whose value was nan was compared to
a constant.

Bug: 140094983

Change-Id: I70a18ca213f00a6d6d75b5a64951ffc60205bfb2
2020-01-11 19:39:10 -08:00
Rajat Kumar
acd1da2eb8 Fix for integer overflow in ixheaacd_block.c file
(b == 0) case is not taken care in
ixheaacd_shr32_drc function. Hence
added here.

Bug:140980272
Test: poc in bug

Change-Id: Ie830855dd8dc4bebba0b1742f5aada4cdcb48e0d
2020-01-11 19:32:33 -08:00
Rajat Kumar
09fd1c3c1f Fix for array out of bound in parse drc instruction func
target_channel_count read from bit stream is being
used as index without bound check. Hence the check
has been added.

Bug:142693847
Test: poc in bug

Change-Id: I9d6c832e75b9cb78fe4989516d13707f1ecf7f91
2020-01-11 19:10:09 -08:00
Rajat kumar
4a19deca5d Fix for array bound overflow in ia_gain_set_params_struct.
Max value of
str_p_loc_drc_coefficients_uni_drc->gain_set_count_plus
is used as index without checking for upper bound.
Hence added a check here.

Bug:144665190
Test:poc in bug

Change-Id: Ibd8dfe91910eb4d7548cf3236065eb38121b60c8
2020-01-11 19:03:43 -08:00
Rajat kumar
33026c922d Fix for SBO in ixheaacd_enery_calc_persfb function
start_pos was used as an index to access a stack memory
before been checked for bounds. Hence, Added the check

Bug:144476750
Test: poc in bug

Change-Id: Ib019dab8d83bae0ba085a4c2c15a19631d3695df
2020-01-11 17:34:55 -08:00
Tripti Tiwari
3bb1d13705 Fix for heap-buffer-overflow in ixheaacd_read_bits_buf.
During bitbuffer search for sync word, the buffer is incremented each
time in the loop. However, in the second initialization, this size
is not taken care of.
As a fix, reduced the size appropriately in the second init.

Bug:145727847
Test:poc in bug

Change-Id: Id1079d2feeba6841675562e0e1f7b7983acd1b35
2020-01-11 17:27:28 -08:00
Rajat kumar
7924f0cb44 Fix for array oob in ia_shape_filter_block_params_struct
pstr_gain_modifiers->shape_filter_idx is read from
bitstream and used as an index before been checked
for bound. Hence added a check.

Bug:145043907
Test:poc in bug

Change-Id: I9a46c4227017328f2c3aa6e7d911889c01efef91
2020-01-11 17:22:27 -08:00
Rajat kumar
7d0a228c3e Fix for segv in impd_filter_banks_process function
str_node[k].time calculated here is used as an index
to access buf_interpolation->lpcm_gains array. Added a
check here so that the access does not go out of bound.

Bug:145043038
Test:poc in bug

Change-Id: I7620efcfb79e9a34b175b2cdf60c1674c279135d
2020-01-11 17:07:02 -08:00
Rajat Kumar
86d7dd791e Fix for oob in ia_drc_instructions_struct
drc_config->drc_instructions_uni_drc_count
+ drc_config->dwnmix_instructions_count is
used as index in the function
impd_drc_gen_instructions_for_drc_off,
without checked for bounds.

Hence the check has been added here.

Bug:143517852
Test: poc in bug

Change-Id: I1134236b421d97097a5deb25dbf889f25e7a29ef
2020-01-11 16:50:54 -08:00
Rajat kumar
fcc838f01b Fix for integer-overflow in ixheaacd_tns_ar_filter_fixed_armv8
Added saturation check to avoid integer overflow
while addition.

Bug:143791665
Test: poc in bug

Change-Id: Ifbe410b5b4adede8417109a0cb37fd7bdc9f947c
2020-01-11 16:39:29 -08:00
Rajat kumar
b2007999c1 Fix for integer overflow in ixheaacd_add32 function
Added saturation check after two 32 bit numbers
are added and stored in a 32 bit register

Bug: 144391058
Test: Poc in bug

Change-Id: I56c0c626bffb5ffa2bf36456115a093366b84332
2020-01-09 14:57:32 -08:00
Rajat Kumar
bdaf57013d Fix for array out of bound access in gain_set_param structure
Added check before accessing the index.

Bug:141289121
Test: poc in bug

Change-Id: Ifd7bfcb2e978317069efea43ba64f2fb60b9e644
2020-01-09 14:48:29 -08:00
Rajat Kumar
0e6ba25314 Fix for array out of bound esbr_envcalc file.
Added bound checks before access

Bug:131878685
Test: poc in bug

Change-Id: Ibd8dec7875509fc98f7c57d000bcc3635f36f297
2020-01-09 14:24:30 -08:00
Sushanth Patil
da82edd619 Fix for int-oveflow in ixheaacd_sub32
Added check for subtraction overflow.

Bug:144813972
Test: poc in bug
Change-Id: Ic923f0b0f155f196aca85128d7993d7f355d0e13
2020-01-07 15:24:37 -08:00
TreeHugger Robot
e57f919f8a Merge "Fix to add few bound checks in DRC, based on code review" 2019-11-14 01:43:53 +00:00
TreeHugger Robot
52ca260630 Merge "Fix for array out of bound in drc dynamic payload." 2019-11-14 01:09:15 +00:00
Rajat Kumar
c2cb9c2424 Fix to add few bound checks in DRC, based on code review
Added few checks to avoid out of bound access and
and remove few redundant checks based on review.

Bug:130279444
Test: atest android.media.cts.DecoderTestXheAac
Test: atest android.media.cts.DecoderTestAacDrc

Change-Id: If9a7917eea5d68d4c484d02fca4c755ffa6a9123
2019-11-13 14:23:08 -08:00
Rajat Kumar
dc6af3edb4 Fix for array out of bound in drc dynamic payload.
str_spline_nodes->num_nodes was not checked for bound,
before using as index. Added bound check before access.

Bug:141215451
Test: poc in bug

Change-Id: I9cd78035521731a3f338dc52ebf0afc3a3e5d3ff
2019-11-13 14:12:14 -08:00
Rajat Kumar
deb3f00a38 Fix for array out of bound in api file
Removed the redundant part of code which initilizes
an array with -1 and uses it as index.

Bug:141524696
Test: poc in bug

Change-Id: Ie126ca257dc0f7276c46733b043a84d5a88a062d
2019-11-07 14:32:42 -08:00
TreeHugger Robot
e96e08da90 Merge "Fix for array out of bound in impd_drc_static_payload.c" 2019-11-04 20:45:18 +00:00
Rajat Kumar
8410947cb1 Fix for array out of bound access in envelop calc func.
Added check before accessing index.

Bug:141290158
Test: poc in bug

Change-Id: Ia761cf76344e2d0008d73813c2017f0471f734a9
2019-11-02 09:21:04 -07:00
Rajat Kumar
fb6a48906e Fix for array out of bound in impd_drc_static_payload.c
channel_layout->base_channel_count was not checked
for bounds after it is read from bit stream.
Corresponding check has been added here.

Bug:140979418
Test: poc in bug

Change-Id: I57e6a4ea9a39c64e82c3add0d20a85716ad20cc1
2019-11-02 07:03:49 -07:00
Rajat Kumar
0d2d1af703 Fix for heap buffer overflow in set sbr persistent buffer
Maximum CC CHANNEL element supported in xaac decoder
is only two, but we are getting more for this
error stream, leading to heap buffer overflow.
Hence a check is added.

Bug:141344322
Test: poc in bug

Change-Id: Ib63b4c74e66d9e37c85153c87341de0601044bec
2019-11-02 06:55:04 -07:00