This fixes un intialized data access in loudness equalizer selection
Memory allocation and distribution inside DRC module was cleaned up.
Memory clean-up changes were done inside the library and in test bench.
Similar changes were done in OMX and C2 plug-in as well.
Bug: 115509210
Test: vendor+poc
Change-Id: I6a2bf5fe6eeecc5d0fec395af020aef8221a5f93
pstr_drc_uni_sel_proc->drc_config.str_drc_instruction_str
and pstr_drc_uni_sel_proc->drc_config.str_drc_config_ext
.str_eq_instructions arrays were accessed with -1
indexes, which is implemented as default configuration for no
updation.
Since we have already initialized all the structures to zero
before itself, this assignment is not needed when the indexes
are -1, so the check has been added.
Bug: 122330975
Test: atest android.media.cts.DecoderTestAacDrc
Change-Id: I841c748c53c057db38379c97def6b28fb6421482
bs_gain_set_idx is a 6 bit field read from bitstream, which is used
to access gain_set_index_for_channel_group[] whose size is GAIN_SET_COUNT_MAX
which is 24.bs_gain_set_idx value greater than 23 is causing oob access.
As fix for this issue bound check is added for bs_gain_set_idx
Bug:119263784
Test: vendor
Change-Id: I26d3668c54a739016c1102158c73db49cb35f1c4
gain_set_index_for_channel_group[] is any array of size
CHANNEL_GROUP_COUNT_MAX i.e 24. This array is accessed using
str_drc_instruction_str->num_drc_ch_groups as index, whose
value can be more than 24.
Bound check is added for str_drc_instruction_str->num_drc_ch_groups
before accessing gain_set_index_for_channel_group[]
Bug:117832864
Test: vendor
Change-Id: I3799c2de6926f1193a5e0193bc3b5863c478d4ab
gain_seq_idx is a 6 bit value read from the bit stream.
it can get any value between 0 to 63. gain_seq_idx is used
to access gain_set_params_index_for_gain_sequence[] array
whose size is SEQUENCE_COUNT_MAX which is 24. if gain_seq_idx
value is greater than or equal to SEQUENCE_COUNT_MAX cause
oob write.
Bound check on gain_seq_idx is added to prevent oob access.
Bug:119117381
Test: vendor
Change-Id: I571e6e705489ae1c46c651f87491f15428719b30
drc_set_id is a 6 bit filed read from bitstream. This drc_set_id is
used to access drc_set_id_valid_flag[] array whose size is
DRC_INSTRUCTIONS_COUNT_MAX i.e. 36. drc_set_id value greater than or
equal to 36 is causing oob write.
Bound check has been added for drc_set_id
Bug:119261935
Test: vendor
Change-Id: Ib218f4d72d23a2cbf4e74eea6a2d71ae8a735c6d
str_eq_instructions->eq_set_id is a 7 bit field read from bit stream,
whose value can be between 0 to 127.eq_set_id_valid_flag[] is an array
of size EQ_INSTRUCTIONS_COUNT_MAX(8).eq_set_id_valid_flag[] array is
accessed using eq_set_id as offset. str_eq_instructions->eq_set_id
value greater than EQ_INSTRUCTIONS_COUNT_MAX is causing OOB write
Bound check is added for str_eq_instructions->eq_set_id
Bug:119263248
Test: vendor
Change-Id: I3e10e4769fd8db130ffed8e5c703480e6a8c4312
In DRC, one of the memcpy is called with uninitialized variable as size,
which is resulting a crash during memcpy.
As a fix all the members of structure str_bit_handler are set to zero.
Bug:115780779
Test: vendor
Change-Id: Ib991f7ca6fde9d448b975b4a9fa34234fa54231e
Added bound checks for all the parameters which are
derived from bit stream.
Bug:116760188
Bug:116019594
Bug:116114402
Test: vendor
Change-Id: I126cd520e7faf2281ab731da559b11c74a9e30b5
Add bounds checks for values delivered as N-bits in the bitstream
but that have smaller allowed range in this implementation.
Bug:116617847
Test: vendor
Change-Id: Iad0c020ceacd2226d8e1af688a52a46179a39a2d
