Uninitialsed float arrays were initialised with -nan/nan values
which got propagated in the code flow and crashed in an "if"
statement where a varibale whose value was nan was compared to
a constant.
Bug: 140094983
Change-Id: I70a18ca213f00a6d6d75b5a64951ffc60205bfb2
(b == 0) case is not taken care in
ixheaacd_shr32_drc function. Hence
added here.
Bug:140980272
Test: poc in bug
Change-Id: Ie830855dd8dc4bebba0b1742f5aada4cdcb48e0d
target_channel_count read from bit stream is being
used as index without bound check. Hence the check
has been added.
Bug:142693847
Test: poc in bug
Change-Id: I9d6c832e75b9cb78fe4989516d13707f1ecf7f91
Max value of
str_p_loc_drc_coefficients_uni_drc->gain_set_count_plus
is used as index without checking for upper bound.
Hence added a check here.
Bug:144665190
Test:poc in bug
Change-Id: Ibd8dfe91910eb4d7548cf3236065eb38121b60c8
start_pos was used as an index to access a stack memory
before been checked for bounds. Hence, Added the check
Bug:144476750
Test: poc in bug
Change-Id: Ib019dab8d83bae0ba085a4c2c15a19631d3695df
During bitbuffer search for sync word, the buffer is incremented each
time in the loop. However, in the second initialization, this size
is not taken care of.
As a fix, reduced the size appropriately in the second init.
Bug:145727847
Test:poc in bug
Change-Id: Id1079d2feeba6841675562e0e1f7b7983acd1b35
pstr_gain_modifiers->shape_filter_idx is read from
bitstream and used as an index before been checked
for bound. Hence added a check.
Bug:145043907
Test:poc in bug
Change-Id: I9a46c4227017328f2c3aa6e7d911889c01efef91
str_node[k].time calculated here is used as an index
to access buf_interpolation->lpcm_gains array. Added a
check here so that the access does not go out of bound.
Bug:145043038
Test:poc in bug
Change-Id: I7620efcfb79e9a34b175b2cdf60c1674c279135d
drc_config->drc_instructions_uni_drc_count
+ drc_config->dwnmix_instructions_count is
used as index in the function
impd_drc_gen_instructions_for_drc_off,
without checked for bounds.
Hence the check has been added here.
Bug:143517852
Test: poc in bug
Change-Id: I1134236b421d97097a5deb25dbf889f25e7a29ef
Added saturation check after two 32 bit numbers
are added and stored in a 32 bit register
Bug: 144391058
Test: Poc in bug
Change-Id: I56c0c626bffb5ffa2bf36456115a093366b84332
Added few checks to avoid out of bound access and
and remove few redundant checks based on review.
Bug:130279444
Test: atest android.media.cts.DecoderTestXheAac
Test: atest android.media.cts.DecoderTestAacDrc
Change-Id: If9a7917eea5d68d4c484d02fca4c755ffa6a9123
str_spline_nodes->num_nodes was not checked for bound,
before using as index. Added bound check before access.
Bug:141215451
Test: poc in bug
Change-Id: I9cd78035521731a3f338dc52ebf0afc3a3e5d3ff
Removed the redundant part of code which initilizes
an array with -1 and uses it as index.
Bug:141524696
Test: poc in bug
Change-Id: Ie126ca257dc0f7276c46733b043a84d5a88a062d
channel_layout->base_channel_count was not checked
for bounds after it is read from bit stream.
Corresponding check has been added here.
Bug:140979418
Test: poc in bug
Change-Id: I57e6a4ea9a39c64e82c3add0d20a85716ad20cc1
Maximum CC CHANNEL element supported in xaac decoder
is only two, but we are getting more for this
error stream, leading to heap buffer overflow.
Hence a check is added.
Bug:141344322
Test: poc in bug
Change-Id: Ib63b4c74e66d9e37c85153c87341de0601044bec
Added break condition when no indexes are modified and
while loop enters infinite iterations.
Bug:140986186
Test: poc in bug
Change-Id: Ibf5953c0af7a0b96c50e3a2f1095b5cc30825711
Fatal error returned from previous init call was not handled
during subsequent init calls. This check has been added here.
Bug:140984035
Bug:140988475
Bug:140986175
Test: poc in bug
Change-Id: I37599ba304bbf137b1a590c1fec7e0da236f7308
This CL contains changes to make #include delimiters stying
consistent. For all system files inclusion we will use <> and
all user files we will use ""
Bug: 125443111
Test: compilation
Change-Id: Ie5f609b9bef8357877affb7f48d46df7c387d142
Output memory size initialised was not sufficient for the
case when audio preroll is 3 and core_sbr_framelength = 4.
Hence, it has been increased to accomodate for the same.
Bug: 136441188
Test: poc in bug
Change-Id: I4e21395f46f4b16c538bf5522b92ad0836ece67f
Added error handling for few unhandled error
returned from library to ixheaacd_error.c file.
Bug:133133640
Test: poc in bug
Change-Id: I584da0278ebcb04fc48538b5ae55e8ab2e65c684
We observed that ptr_read_next in ixheaacd_show_bits_buf()
would go beyond ptr_bit_buf_end in the corner case when
the bitbuffer is exhausted i.e cnt_bits = no_of_bits
case in the current logic of the code.
A different logic has been applied at the corner case in
this patch similar to the one already present in
ixheaacd_read_bits_buf().
Added check to handle the case when both cnt_bits and
no_of_bits come as zero.
Bug: 132050349
Test: poc in bug
Change-Id: I79e1d1e7a4f213c4802e5f7f28a5c419a8d01136
stere_config_index was not intialised to 0 whenever
a codec re-configure happened which lead to current
frame being processed with stereo_config_index of
frame before codec re-configure which lead to a
mismatch of usac_ele_type[] & stere_config_index
in this case which lead to setting mps_sbr_flag even
in its absence which further went on to crash in
memcpy for ch = 2 which was not set for current
usac_ele_type[].
So, stereo_config_index is cleared in init_config
for USAC_SCE & USAC_LFE cases where it is not used.
Bug: 136975538
Test: poc in bug
Change-Id: I7b976f9512ce3d940a43e94309e61ec780e096cc
pstr_dec_data->str_usac_data.pstr_esbr_dec is
initialised only when sbr_ratio_idx > 0. We use
this structure when stereo_config_index > 0,
without checking sbr_ratio_idx > 0. Hence a check
has been added as a fix.
Bug:136061116
Test: poc in bug
Change-Id: I7e8c687f4e77b51e81b3f4add752c37a63f09dbf
libxaac had few tables which were not declared as constants.
Added const and did corresponding changes to build and
execute.
Bug:128433649
Test: Manual Review
Change-Id: I1babf22a45fbd595c5a9c67804ecdc0317ebb96c
Initilized arrays in ixheaacd_imdct.c file responsible for
unitilized memory access at ixheaacd_add32_sat3.
Bug:131390601
Test: poc in bug
Change-Id: Iefea5ce309f95d3def733691a2351021bc6acec9
Added saturation checks across ixheaacd_imdct.c and
ixheaacd_basic_ops.c file to avoid integer overflow
based on fuzzer testing and code review.
Bug:130497287
Bug:137055524
Bug:131193902
Test: poc in bug
Change-Id: Ice86d1cc70edfb1831ae5f08942a2f834be25102
Added saturation checks in ixheaacd_mps_hyb_filt_type1 and
ixheaacd_mps_hyb_filt_type2 functions to avoid integer
overflows.
Bug:130493471
Bug:131296731
Test: poc in bug
Change-Id: I1e7febaf1cebc88652fa100a07d45bc3921951bc
Replaced 32*32 multiplication to 64*64 and moved right
shift operation to resultant 64 bit number, before storing it
back to 32 bit register.
Bug:130494634
Bug:131214091
Bug:132893904
Test: poc in bug
Change-Id: I8977f0df4891a2f6edcc1a360f707e34da5b54bd
