Commit graph

180 commits

Author SHA1 Message Date
Ray Essick
ff358cfa4e Merge "Fix for oobw in impd_dec_slopes in DRC dynamic payload" into pi-dev am: 622f724911
am: 6c7bac4af8

Change-Id: Ieea4955c915f84e7c150e6427d785bf78f287741
2019-01-02 12:16:53 -08:00
Ramesh Katuri
015d135f65 Fix for stack buffer overflow in ixheaacd_latm_stream_mux_config am: 2e513342a1
am: f4b31cc0cf

Change-Id: I625b419eeca9a88d0e9d7eff4d03450fa6bb8cea
2019-01-02 12:08:35 -08:00
Ray Essick
622f724911 Merge "Fix for oobw in impd_dec_slopes in DRC dynamic payload" into pi-dev 2019-01-02 19:38:40 +00:00
TreeHugger Robot
e6d51f6bf3 Merge "Fix for files with unsupported AOT in the first frame" 2018-12-29 14:44:12 +00:00
TreeHugger Robot
00e3408f15 Merge "Fix for segmentation fault in ixheaacd_dec_execute" 2018-12-29 00:03:41 +00:00
TreeHugger Robot
67f9744ec7 Merge "Fix for oobw in impd_drc_parse_coeff() due to gain_seq_idx" 2018-12-29 00:02:11 +00:00
TreeHugger Robot
c5557262fb Merge "Fix for multiply overflow in coupling channel element decoding" 2018-12-28 23:11:49 +00:00
TreeHugger Robot
c27192a5bb Merge "Fix for use of uninitialized variable in ixheaacd_read_block_data." 2018-12-28 23:11:47 +00:00
TreeHugger Robot
300eb8e9e3 Merge "Fix for Use of uninitialized value in ixheaacd_mps_mapindexdata" 2018-12-28 23:11:00 +00:00
TreeHugger Robot
725e48df07 Merge "Fix for Use of uninitialized value in ixheaacd_fd_channel_stream." 2018-12-28 23:10:28 +00:00
TreeHugger Robot
024727c93e Merge "Fix for Global buffer overflow in ixheaacd_extract_frame_info_ld" 2018-12-28 23:10:11 +00:00
TreeHugger Robot
039a5f8a1a Merge "Fix for Heap buffer overflow in main process function" 2018-12-28 23:08:44 +00:00
Ramesh Katuri
f7144dfe8f Fix for oobr in impd_manage_drc_complexity function
bs_gain_set_idx is a 6 bit field read from bitstream, which is used
to access gain_set_index_for_channel_group[] whose size is GAIN_SET_COUNT_MAX
which is 24.bs_gain_set_idx value greater than 23 is causing oob access.

As fix for this issue bound check is added for bs_gain_set_idx

Bug:119263784
Test: vendor
Change-Id: I26d3668c54a739016c1102158c73db49cb35f1c4
2018-12-28 11:45:54 -08:00
Ramesh Katuri
e32f2f97cd Fix for Use of uninitialized value in ixheaacd_fd_channel_stream.
valgrind has reported usage of un-initialized variable for elements
of structure pstr_core_coder.

As a fix initialized the structure with memset.

Bug:118492594
Test: vendor
Change-Id: If1ce7f04ae03b58f44b9b551cab2461349e48394
2018-12-28 10:22:04 -08:00
Ramesh Katuri
7513c8b52a Fix for Use of uninitialized value in ixheaacd_mps_mapindexdata
valgrind has reported usage of un-initialized variable,interpolate_local
in,ixheaacd_mps_mapindexdata().

As a fix interpolate_local variable is initialized to zero

Bug:118492282
Test: vendor
Change-Id: I741fa634a4f0481b59acbbb88b4cd7a44200bed6
2018-12-28 10:15:50 -08:00
Rajat Kumar
ee90aac01b Fix for Heap buffer overflow in main process function
Initialized num_ch to zero and moved num_ch update outside
if (skip_full_decode == 0) condition to avoid propagation
of uninitialized or wrong num_ch for all cases.

Bug:120590841
Test: vendor, poc
Change-Id: I8aca82be8a20689547a2b85f8f3a06700b9927d2
2018-12-28 09:44:41 -08:00
Rajat Kumar
fa41125141 Fix for Global buffer overflow in ixheaacd_extract_frame_info_ld
adds a bounds check.

Bug:120250878
Test: vendor
Change-Id: I7760f81bd90f2901ae5fa61a850298d216909592
2018-12-22 06:57:22 -08:00
Ramesh Katuri
b17f1b007f Fix for segmentation fault in ixheaacd_dec_execute
ixheaacd_aac_decoder_init() is called inside ixheaacd_dec_execute().
ixheaacd_aac_decoder_init() will return NULL pointer in failure case and
pointer to aac decoder structure in successful case.

After this function NULL pointer check before de-referencing is missing
which is causing segmentation fault.

As a fix NULL pointer check is added

Bug:118615735
Test: vendor
Change-Id: I0e9a22e0f97dc99c238a026bf0fd693c3e93e4e7
2018-12-22 05:58:47 -08:00
Ramesh Katuri
cd952cc64e Fix for multiply overflow in coupling channel element decoding
The numbers stored in the table
common_tables_ptr->cc_gain_scale are multiplied with itself,
((-norm_value) - 1) times and stored in ind_channel_info->cc_gain.
Since the number stored in common_tables_ptr->cc_gain_scale
has a q factor of 29, the result is right shifted by 29 to maintain
the same q factor.

Bug:112705155
Test: vendor
Change-Id: I94199d172e4d3ad511dbae3a49d76f8e440fe724
2018-12-22 05:57:51 -08:00
Tripti Tiwari
34f516c4c8 Fix for use of uninitialized variable in ixheaacd_read_block_data.
Valgrind has reported use of uninitialized variable in
ixheaacd_read_block_data, which is caused due to uninitialized
api object.

As fix, initialized the api object.

Bug:118615735.
Test: vendor
Change-Id: Ib2702eac2c2f659589ce7616a9818913879ff3de
2018-12-22 05:57:18 -08:00
Ramesh Katuri
56a2e1e9c6 Fix for oobw in impd_dec_slopes in DRC dynamic payload
Bug:118143575
Test: vendor
Change-Id: I35940099dc804a96a5790bf8e8b29df049838a17
2018-12-21 10:43:09 -08:00
Ramesh Katuri
2e513342a1 Fix for stack buffer overflow in ixheaacd_latm_stream_mux_config
Bug:118149009
Test: vendor
Change-Id: I16213a2db36e9d678f7105edda9a4a6c17a3f8a6
2018-12-21 10:27:29 -08:00
Ramesh Katuri
a516b49570 Fix for oobw in impd_drc_parse_coeff() due to gain_seq_idx
gain_seq_idx is a 6 bit value read from the bit stream.
it can get any value between 0 to 63. gain_seq_idx is used
to access gain_set_params_index_for_gain_sequence[] array
whose size is SEQUENCE_COUNT_MAX which is 24. if gain_seq_idx
value is greater than or equal to SEQUENCE_COUNT_MAX cause
oob write.

Bound check on gain_seq_idx is added to prevent oob access.

Bug:119117381
Test: vendor
Change-Id: I571e6e705489ae1c46c651f87491f15428719b30
2018-12-21 10:11:38 -08:00
TreeHugger Robot
657393883b Merge "Fix for Segmentation fault in ixheaacd_sbr_dec_from_mps" into pi-dev 2018-11-28 21:33:31 +00:00
Ramesh Katuri
06c5d85bfd Fix for oobw-in-impd_parse_drc_instructions_uni_drc am: 4692bee50b
am: 9a26915ed2

Change-Id: I9d01f979d2fb637594719d53789ee4afc0e91f3d
2018-11-27 17:31:41 -08:00
Ramesh Katuri
f81b8d0dbd Fix for Segmentation fault in ixheaacd_sbr_dec_from_mps
Bug: 110629822
Test: re-run poc
Change-Id: I5495b01d5d0c779185ff04eb8f1c048f353396b2
(cherry picked from commit 70396d6ced)
2018-11-27 23:22:45 +00:00
Ramesh Katuri
4692bee50b Fix for oobw-in-impd_parse_drc_instructions_uni_drc
Bug:117883804
Test: vendor
Change-Id: I9512dbc1d184ea838572218df3db9e91574c1460
2018-11-27 13:58:34 -08:00
TreeHugger Robot
859712dff3 Merge "Fix for crash in ixheaacd_lt_prediction" 2018-11-27 02:05:25 +00:00
TreeHugger Robot
fcbf01186b Merge "Fix for heap buffer overflow in showbits_7 function" 2018-11-27 02:01:37 +00:00
TreeHugger Robot
f20429551c Merge "Fix for un-initialized value in ixheaacd_acelp_alias_cnx" 2018-11-27 01:59:59 +00:00
Ramesh Katuri
ec6c3bb222 Fix for heap buffer overflow in showbits_7 function
only fetch next byte of input if we actually need it.

Bug: 117655547
Test: vendor
Change-Id: I4b12feb0b92861b75689b54eae207cf1c693023c
2018-11-25 16:34:14 -08:00
Ramesh Katuri
52618d0834 Fix for un-initialized value in ixheaacd_acelp_alias_cnx
In xaacdec even though lpd decoder handle is defined to support 6
channels, only 2 channels are initialized with data (because we
support only stereo in USAC profile). The input stream used for
this issue has 3 channels. When third channel is getting processed
valgrind is reporting un-initialized data usage.

To solve the issue, a conditional check is added based on number
of channels in the bit stream

Bug:117661478
Test: vendor
Change-Id: Iafc63a022d168791f63b79b0c1965182e69cafe6
2018-11-25 15:50:42 -08:00
Ramesh Katuri
c0ead4ba18 Fix for heap buffer overflow in dec data init function
Bug:117935831
Test: vendor + poc
Change-Id: Iede9bd265eebbefda39c3328a5367399e6ace963
2018-11-25 15:36:26 -08:00
Ramesh Katuri
d9c4a50914 Fix for crash in ixheaacd_lt_prediction
Crash was due to integer overflow. To resolve the
integer overflow issue added saturation addition
and subtraction

Bug:116969100

Change-Id: Ib0d21403c3d714b434f893d71d9a32eea9fc9219
2018-11-23 15:35:29 -08:00
Ray Essick
577f7d9147 Merge "Fix for OOB write in mpeg-d drc bit stream parsing by adding bound checks" into pi-dev am: 850b4ba6f3
am: 94c8007f23

Change-Id: Ie1399a552c63c50c5ebb13b180a560303265bfa5
2018-11-21 09:38:33 -08:00
Ray Essick
850b4ba6f3 Merge "Fix for OOB write in mpeg-d drc bit stream parsing by adding bound checks" into pi-dev 2018-11-21 17:21:38 +00:00
Ray Essick
7f8d990145 Merge "Fix for OOB write in td filter casecade parsing" into pi-dev am: 1c63dd338e
am: 0fc68a180f

Change-Id: I6ff3a2b8630b075485a19874d06a701c7b715e67
2018-11-19 20:38:40 -08:00
Ray Essick
1c63dd338e Merge "Fix for OOB write in td filter casecade parsing" into pi-dev 2018-11-20 04:23:25 +00:00
Ramesh Katuri
c9f59f71e5 Fix for global buffer overflow in lt prediction function.
Bug:114746174
Test: vendor
Change-Id: Ifa3424ef7743fb937121ea3a1d0ec07a5cb98a05
2018-11-18 11:04:35 -08:00
Ray Essick
46d91bac30 Merge "Fix for Stack buffer overflow in ixheaacd_mps_getstridemap" into pi-dev am: e0040b411e
am: c103860d52

Change-Id: If00f07dfe2377e6698003476b1fda72c2c1a3fd5
2018-11-16 14:31:52 -08:00
Ray Essick
e0040b411e Merge "Fix for Stack buffer overflow in ixheaacd_mps_getstridemap" into pi-dev 2018-11-16 22:06:08 +00:00
Ray Essick
5c3eb1fc65 Merge "Fix for OOB write in equalizer instructions parsing." into pi-dev am: d498d63513
am: 0905f025b8

Change-Id: Icfc383473a556092ecc362ec2fe22ddbaaff81ec
2018-11-15 15:29:31 -08:00
Ramesh Katuri
7a57950b34 Fix for stack-buffer-underflow in ixheaacd_sbr_env_calc am: 565b25f432
am: e4c01befc0

Change-Id: I58f32245bd0d16f901e8982f6600336bef2cc052
2018-11-15 15:28:44 -08:00
Ray Essick
d498d63513 Merge "Fix for OOB write in equalizer instructions parsing." into pi-dev 2018-11-15 23:03:11 +00:00
Ramesh Katuri
565b25f432 Fix for stack-buffer-underflow in ixheaacd_sbr_env_calc
Bug:117050162
Test: vendor, poc no longer fails
Change-Id: I1ff8f0ce42ade33c93653edc9e19282b68108b9b
2018-11-14 18:31:32 -08:00
Ramesh Katuri
c9ecca9cd8 Fix for OOB write in equalizer instructions parsing.
Bound check was missing for eq_ch_group_count. Added
as fix.

Bug: 117216549
Test: vendor
Change-Id: Ie36446a3604ae1cb2471dad0a938a96f2b7fff64
2018-11-14 18:01:47 -08:00
Ramesh Katuri
bd5770772f Fix for Stack buffer overflow in ixheaacd_mps_getstridemap
Bug:117495103
Bug:117495366
Test: vendor + poc
Change-Id: Iff5b9135a8fc1b9ad1f00b6fdbe6a8e20c0a61c4
2018-11-14 14:56:14 -08:00
Ramesh Katuri
589d21b8a3 Fix for OOB write in mpeg-d drc bit stream parsing by adding bound checks
Added bound checks for all the parameters which are
derived from bit stream.

Bug:116760188
Bug:116019594
Bug:116114402
Test: vendor
Change-Id: I126cd520e7faf2281ab731da559b11c74a9e30b5
2018-11-07 00:55:26 +00:00
Ramesh Katuri
ae206c1fa5 Fix for OOB write in td filter casecade parsing
Add bounds checks for values delivered as N-bits in the bitstream
but that have smaller allowed range in this implementation.

Bug:116617847
Test: vendor
Change-Id: Iad0c020ceacd2226d8e1af688a52a46179a39a2d
2018-11-06 16:46:03 -08:00
Ramesh Katuri
9da98c5ba9 Use saturating addition in ixheaacd_imdct_process()
Crash was due to addition overflow in ixheaacd_imdct_process().
Used saturating addition to resolve this.

Bug:116843813
Test: vendor
Change-Id: I5f57a377e5e4c27cb04cd3613bbb28a8665dbf75
2018-11-06 16:12:59 -08:00