Commit graph

365 commits

Author SHA1 Message Date
Rajat Kumar
deb3f00a38 Fix for array out of bound in api file
Removed the redundant part of code which initilizes
an array with -1 and uses it as index.

Bug:141524696
Test: poc in bug

Change-Id: Ie126ca257dc0f7276c46733b043a84d5a88a062d
2019-11-07 14:32:42 -08:00
TreeHugger Robot
e96e08da90 Merge "Fix for array out of bound in impd_drc_static_payload.c" 2019-11-04 20:45:18 +00:00
Rajat Kumar
8410947cb1 Fix for array out of bound access in envelop calc func.
Added check before accessing index.

Bug:141290158
Test: poc in bug

Change-Id: Ia761cf76344e2d0008d73813c2017f0471f734a9
2019-11-02 09:21:04 -07:00
Rajat Kumar
fb6a48906e Fix for array out of bound in impd_drc_static_payload.c
channel_layout->base_channel_count was not checked
for bounds after it is read from bit stream.
Corresponding check has been added here.

Bug:140979418
Test: poc in bug

Change-Id: I57e6a4ea9a39c64e82c3add0d20a85716ad20cc1
2019-11-02 07:03:49 -07:00
Rajat Kumar
4c2758690d Fix to handle infinite loop in reset hf generator function
Added break condition when no indexes are modified and
while loop enters infinite iterations.

Bug:140986186
Test: poc in bug

Change-Id: Ibf5953c0af7a0b96c50e3a2f1095b5cc30825711
2019-10-21 10:11:26 -07:00
Rajat Kumar
8d9d3d1d58 Fix for non-handling of fatal error returned during init.
Fatal error returned from previous init call was not handled
during subsequent init calls. This check has been added here.

Bug:140984035
Bug:140988475
Bug:140986175
Test: poc in bug

Change-Id: I37599ba304bbf137b1a590c1fec7e0da236f7308
2019-10-12 16:28:30 -07:00
TreeHugger Robot
58aa3e2ad5 Merge "Fix for unitialized memory access at ixheaacd_add32_sat3" 2019-08-27 22:05:45 +00:00
TreeHugger Robot
7c44e0aac5 Merge "Adding bound checks in USAC config bit stream parsing" 2019-08-27 20:13:53 +00:00
Ray Essick
65a3c3bb70 Merge "Fix for signed integer overflow at ixheaacd_mps_hyb_filt_type1" 2019-08-26 22:46:32 +00:00
Ramesh Katuri
ce7b4e93ce Fix for correcting #include delimiters
This CL contains changes to make #include delimiters stying
consistent. For all system files inclusion we will use <> and
all user files we will use ""

Bug: 125443111
Test: compilation
Change-Id: Ie5f609b9bef8357877affb7f48d46df7c387d142
2019-08-26 13:35:44 -07:00
Ray Essick
c1634d122e Merge "Fix for integer overflow in libxaac/decoder/ixheaacd_freq_sca.c" 2019-08-26 19:32:49 +00:00
Sushanth Patil
e765682ee7 Fix for heap-buffer-overflow in ixheaacd_samples_sat
Output memory size initialised was not sufficient for the
case when audio preroll is 3 and core_sbr_framelength = 4.

Hence, it has been increased to accomodate for the same.

Bug: 136441188
Test: poc in bug

Change-Id: I4e21395f46f4b16c538bf5522b92ad0836ece67f
2019-07-31 14:04:45 -07:00
TreeHugger Robot
2244422be0 Merge "Fix for int overflow in voronoi_idx_dec and voronoi_search function" 2019-07-24 00:35:56 +00:00
TreeHugger Robot
354dcb59b2 Merge "Fix for global buffer overflow in error handler function" 2019-07-23 23:17:30 +00:00
Ray Essick
78d29e53d2 Merge "Fix for potential stack buffer overflow in ixheaacd_lpp_tran.c" 2019-07-23 22:26:08 +00:00
Rajat Kumar
61cdf5e6b5 Fix for global buffer overflow in error handler function
Added error handling for few unhandled error
returned from library to ixheaacd_error.c file.

Bug:133133640
Test: poc in bug

Change-Id: I584da0278ebcb04fc48538b5ae55e8ab2e65c684
2019-07-23 14:59:21 -07:00
Sushanth Patil
60dd57536f Fix for heap buffer overflow in show bits buf
We observed that ptr_read_next in ixheaacd_show_bits_buf()
would go beyond ptr_bit_buf_end in the corner case when
the bitbuffer is exhausted i.e cnt_bits = no_of_bits
case in the current logic of the code.

A different logic has been applied at the corner case in
this patch similar to the one already present in
ixheaacd_read_bits_buf().

Added check to handle the case when both cnt_bits and
no_of_bits come as zero.

Bug: 132050349

Test: poc in bug

Change-Id: I79e1d1e7a4f213c4802e5f7f28a5c419a8d01136
2019-07-22 15:23:47 -07:00
Rajat Kumar
4f06fb9796 Fix for potential stack buffer overflow in ixheaacd_lpp_tran.c
Added bound check for bw_index[patch] before using it as
index.

Bug:135077036
Test: Manual review

Change-Id: Ifb934cc2485596aa906f4a129df87b1b21d9da1f
2019-07-22 14:22:43 -07:00
Rajat Kumar
5cc187a97f Fix for int overflow in voronoi_idx_dec and voronoi_search function
Added addition and substraction saturation checks

Bug:131875460
Test: poc in bug

Change-Id: Ifb235ebc43f18216773900e56d67b419e87d0e0f
2019-07-22 14:10:10 -07:00
TreeHugger Robot
07a470cab1 Merge "Fix for negative-size-param for memcpy in ixheaacd_sbr_env_calc" 2019-07-18 08:57:36 +00:00
TreeHugger Robot
bf9a41e1ef Merge "Fix for SEGV in ixheaacd_usac_process" 2019-07-18 04:02:32 +00:00
Sushanth Patil
70ac75945f Fix for negative-size-param for memcpy in ixheaacd_sbr_env_calc
stere_config_index was not intialised to 0 whenever
a codec re-configure happened which lead to current
frame being processed with stereo_config_index of
frame before codec re-configure which lead to a
mismatch of usac_ele_type[] & stere_config_index
in this case which lead to setting mps_sbr_flag even
in its absence which further went on to crash in
memcpy for ch = 2 which was not set for current
usac_ele_type[].

So, stereo_config_index is cleared in init_config
for USAC_SCE & USAC_LFE cases where it is not used.

Bug: 136975538
Test: poc in bug

Change-Id: I7b976f9512ce3d940a43e94309e61ec780e096cc
2019-07-17 16:21:00 -07:00
Rajat Kumar
a3bcab8198 Fix for SEGV in ixheaacd_usac_process
pstr_dec_data->str_usac_data.pstr_esbr_dec is
initialised only when sbr_ratio_idx > 0. We use
this structure when stereo_config_index > 0,
without checking sbr_ratio_idx > 0. Hence a check
has been added as a fix.

Bug:136061116
Test: poc in bug

Change-Id: I7e8c687f4e77b51e81b3f4add752c37a63f09dbf
2019-07-17 15:00:07 -07:00
Rajat Kumar
93ade1f683 Fix to define all tables as const in libxaac
libxaac had few tables which were not declared as constants.
Added const and did corresponding changes to build and
execute.

Bug:128433649
Test: Manual Review

Change-Id: I1babf22a45fbd595c5a9c67804ecdc0317ebb96c
2019-07-17 12:24:16 -07:00
Ramesh Katuri
5775ff7635 Adding bound checks in USAC config bit stream parsing
These were added based on code review

Bug:130111727
Bug:131212731

Test: poc in bug

Change-Id: Ibe55885956e12ffacc54d809f67c466e20f0eb4d
2019-07-16 15:21:25 -07:00
Rajat Kumar
ff0048f5cb Fix for unitialized memory access at ixheaacd_add32_sat3
Initilized arrays in ixheaacd_imdct.c file responsible for
unitilized memory access at ixheaacd_add32_sat3.

Bug:131390601
Test: poc in bug

Change-Id: Iefea5ce309f95d3def733691a2351021bc6acec9
2019-07-16 15:17:11 -07:00
Rajat Kumar
fbf81eb94e Fix for integer overflow in imdct related functions
Added saturation checks across ixheaacd_imdct.c and
ixheaacd_basic_ops.c file to avoid integer overflow
based on fuzzer testing and code review.

Bug:130497287
Bug:137055524
Bug:131193902

Test: poc in bug

Change-Id: Ice86d1cc70edfb1831ae5f08942a2f834be25102
2019-07-16 15:09:51 -07:00
Rajat Kumar
49a3a0788a Fix for signed integer overflow at ixheaacd_mps_hyb_filt_type1
Added saturation checks in ixheaacd_mps_hyb_filt_type1 and
ixheaacd_mps_hyb_filt_type2 functions to avoid integer
overflows.

Bug:130493471
Bug:131296731
Test: poc in bug

Change-Id: I1e7febaf1cebc88652fa100a07d45bc3921951bc
2019-07-16 12:51:35 -07:00
Rajat Kumar
3d1e5dab81 Fix for integer overflow in libxaac/decoder/ixheaacd_freq_sca.c
Replaced 32*32 multiplication to 64*64 and moved right
shift operation to resultant 64 bit number, before storing it
back to 32 bit register.

Bug:130494634
Bug:131214091
Bug:132893904

Test: poc in bug

Change-Id: I8977f0df4891a2f6edcc1a360f707e34da5b54bd
2019-07-16 11:10:33 -07:00
TreeHugger Robot
fc905bc6c3 Merge "Fix for stack buffer overflow in ixheaacd_esbr_chirp_fac_calc." 2019-07-08 18:46:41 +00:00
Rajat Kumar
f6b2d77787 Fixes to incorporate latest conformance criteria
Bug:128648229
Test: atest android.media.cts.DecoderTestXheAac
Test: atest android.media.cts.DecoderTestAacDrc
Change-Id: Ic85bacc660c91096e29cd0cbe24323f4a6109c9a
2019-07-03 10:23:20 -07:00
Rajat Kumar
e34ec6918e Fix for stack buffer overflow in ixheaacd_esbr_chirp_fac_calc.
We found that error return was not being handled properly
in ixheaacd_applysbr() function. This led to a wrong value
being propagated which led to a stack buffer overflow.

Also, a flag for checking if any previous frames encountered
a fatal error has been added to ensure that further processing
of frames doesn't happen after encountering a fatal error.

Bug:130219994
Bug:131307285
Test: vendor
Change-Id: If7b3887afcb375dda292082438f61d156027b60e
2019-06-11 15:29:57 -07:00
Sushanth Patil
08225b931e Fix for memcpy param overlap in ixheaacd_applysbr
In ixheaacd_applysbr(), down_samp_sbr was coming as 1 during init
and 0 during execute, which lead to a down sampled(smaller array)
being intialised but memcpy at line 633 in ixheaacd_sbrdecoder.c
tried to do it for a non down sampled array(larger array) causing
a memcpy param overlap.
As a fix a check has been added in ixheaacd_dec_execute() for
down_spamp_sbr flag which should be 0 for AOT 42(USAC).

Bug:130273553
Bug:131278612
Test: vendor
Change-Id: Ide3af2da26fdceb8fa51b2e976ff96a0dba9b7a5
2019-06-11 15:19:11 -07:00
TreeHugger Robot
6106e348c0 Merge "Fix for sub-oveflow in ixheaacd_tns_ar_filter_fixed_armv8" 2019-05-17 23:43:39 +00:00
TreeHugger Robot
360cf0550b Merge "Fix to remove unused codes from MPEG-D DRC." 2019-05-16 04:30:25 +00:00
Rajat Kumar
7bee3616b8 Fix to remove unused codes from MPEG-D DRC.
MPEG-D DRC integrated with USAC does work only in
time domain.
Hence removed the above related code in this patch.

Bug:130262151
Test: atest android.media.cts.DecoderTestXheAac
Test: atest android.media.cts.DecoderTestAacDrc

Change-Id: Ib51ef29fb7a1fe7a09718d48e2c9e7cda268ae7b
2019-05-15 15:18:34 -07:00
TreeHugger Robot
4d19cb5a15 Merge "Adding bound check for lpc array in tns processing" 2019-05-14 17:05:57 +00:00
TreeHugger Robot
0d1ebe61ce Merge "Integer overflow fix in mps poly filter" 2019-05-14 14:04:33 +00:00
TreeHugger Robot
79113776a2 Merge "Fix for int-overflows in ixheaacd_avq_dec.c file" 2019-05-13 14:11:27 +00:00
TreeHugger Robot
6855e3f84a Merge "Fix for integer-overflows in ixheaacd_qmf_dec_armv8.c file" 2019-05-13 14:10:07 +00:00
TreeHugger Robot
330d1f1ddc Merge "Fix for Parametric stereo stream playback issue" 2019-05-13 14:03:58 +00:00
TreeHugger Robot
89de8ea934 Merge "Fix for addition/subtraction overflows in fft32x32_ld_dec func()." 2019-05-11 00:31:45 +00:00
TreeHugger Robot
61f4b0f072 Merge "Fix for heap buffer overflow in read_bits_buf" 2019-05-11 00:30:55 +00:00
Sushanth Patil
1df4b16f92 Fix for sub-oveflow in ixheaacd_tns_ar_filter_fixed_armv8
Added check for subtraction overflow.

Bug:129251257
Test: vendor
Change-Id: I318705f48d0fd0ef2ca14c258cbf6b9113852da1
2019-05-06 16:33:47 -07:00
Ramesh Katuri
d0b45123a9 Adding bound check for lpc array in tns processing
Bug:130393179
Test: vendor
Change-Id: I4772a9af7036dc4c7b02f059b3de62fd9d9ad910
2019-05-06 16:27:26 -07:00
Ramesh Katuri
b1ad73e389 Integer overflow fix in mps poly filter
use saturating version of negation for a particular calculation

Bug:130393181
Test: vendor
Change-Id: I6f1c94a52b6b7dbbe79c057fcceb925d0b779786
2019-05-06 16:21:46 -07:00
Rajat Kumar
33d66caa64 Fix to add missing PUSH-POP of D registers in armv7 assemblies.
Added missing push and pop instructions of D8-D15 neon registers
for armv7 assembly functions.

Bug:121357211
Test: vendor app
Change-Id: I669df71eff05fd0c693f2bf569a66ed781a02f20
2019-05-06 15:11:54 -07:00
Sushanth Patil
9ddcaf6623 Fix for int-overflows in ixheaacd_avq_dec.c file
Added saturation checks for integer overflows.

Bug: 129251709
Test: vendor
Change-Id: Ia087af25ce6854ebfbaa4be7f59bb449f193a619
2019-05-04 14:57:26 -07:00
Rajat Kumar
8c7b964c74 Fix for integer-overflows in ixheaacd_qmf_dec_armv8.c file
Added saturation checks throughout the file.

Bug: 129252271
Test: poc (xaacdec64)
Change-Id: I77ed53c5d36f6d5f633da30d53bf71219b9fa4be
2019-05-04 14:07:32 -07:00
Sushanth Patil
ed03681d52 Fix for heap buffer overflow in read_bits_buf
In ixheaacd_arith_decode(), ixheaacd_read_bidireciton()
was being called even when bitbuffer was exhausted which
in turn made cnt_bits and bit_pos more and more negative
which overflowed eventually and resulted in heap buffer
overlow. We also observed the variable "cumulative"
value to be zero even after reaching the end of bitbuffer
and this in turn lead to an infinte for loop
"for (lev = esc_nb = 0;;)" in ixheaacd_arth_decoding_level2()
as "cumulative" value would not be updated after reaching
end of bitbuffer.
As a fix , we return whenever "cumulative" value remains
zero even after bitbuffer is exhausted.

And this patch adds a check for (cnt_bits < 0) in
ixheaacd_bitbuffer.c and removes bitbuffer wrap around
in ixheaacd_read_bidirection().

Added cnt_bits > 25 check in ixheaacd_read_bits_buf() &
ixheaacd_show_bits_buf() as these functions cannot handle
read of more than 25 bits at a time.

Bug:123976878
Test: poc
Change-Id: I4ec729fddb859ddd0add0045532e20fbfffd2e5c
2019-05-02 12:02:08 -07:00