We found that error return was not being handled properly
in ixheaacd_applysbr() function. This led to a wrong value
being propagated which led to a stack buffer overflow.
Also, a flag for checking if any previous frames encountered
a fatal error has been added to ensure that further processing
of frames doesn't happen after encountering a fatal error.
Bug:130219994
Bug:131307285
Test: vendor
Change-Id: If7b3887afcb375dda292082438f61d156027b60e

In ixheaacd_applysbr(), down_samp_sbr was coming as 1 during init
and 0 during execute, which led to a down sampled (smaller array)
being initialised but memcpy at line 633 in ixheaacd_sbrdecoder.c
tried to do it for a non down sampled array (larger array) causing
a memcpy param overlap.
As a fix, a check has been added in ixheaacd_dec_execute() for
down_samp_sbr flag which should be 0 for AOT 42 (USAC).
Bug:130273553
Bug:131278612
Test: vendor
Change-Id: Ide3af2da26fdceb8fa51b2e976ff96a0dba9b7a5

MPEG-D DRC integrated with USAC works only in
time domain.
Hence removed the above related code in this patch.
Bug:130262151
Test: atest android.media.cts.DecoderTestXheAac
Test: atest android.media.cts.DecoderTestAacDrc
Change-Id: Ib51ef29fb7a1fe7a09718d48e2c9e7cda268ae7b

Added missing push and pop instructions of D8-D15 neon registers
for armv7 assembly functions.
Bug:121357211
Test: vendor app
Change-Id: I669df71eff05fd0c693f2bf569a66ed781a02f20

In ixheaacd_arith_decode(), ixheaacd_read_bidirection()
was being called even when bitbuffer was exhausted which
in turn made cnt_bits and bit_pos more and more negative
which overflowed eventually and resulted in heap buffer
overflow. We also observed the variable "cumulative"
value to be zero even after reaching the end of bitbuffer
and this in turn led to an infinite for loop
"for (lev = esc_nb = 0;;)" in ixheaacd_arth_decoding_level2()
as "cumulative" value would not be updated after reaching
end of bitbuffer.
As a fix, we return whenever "cumulative" value remains
zero even after bitbuffer is exhausted.
And this patch adds a check for (cnt_bits < 0) in
ixheaacd_bitbuffer.c and removes bitbuffer wrap around
in ixheaacd_read_bidirection().
Added cnt_bits > 25 check in ixheaacd_read_bits_buf() &
ixheaacd_show_bits_buf() as these functions cannot handle
read of more than 25 bits at a time.
Bug:123976878
Test: poc
Change-Id: I4ec729fddb859ddd0add0045532e20fbfffd2e5c

The stream used for this issue had parametric stereo switched off
for first few frames and decoder is configured to give mono output.
After few frames even though codec has detected PS content in the stream
channel configuration is not getting updated which caused breaks in
audio.
As a fix we are checking future possibility on PS content in the stream
based on AOT and using that information to update output channel count.
Bug:114329895
Test: vendor
Change-Id: I0faa47ff234b8651e2c42f9e4423fe9bf1c3908c

In ixheaacd_dec_main(), ixheaacd_config() returned from ixheaacd_read_bit_buf()
due to setjmp/longjmp changes which resulted in ixheaacd_decode_create() not
being called which is needed to initialize many pointers which in turn resulted in
segmentation fault.
As a fix, added a flag decode_create_done which will tell the status of
ixheaacd_decode_create() func and ixheaacd_usac_process will be called
based on this flag.
Bug: 123908264
Bug: 123908335
Bug: 123975056
Test: poc
Change-Id: I929f70650ddc963c11e5d674b12abc0100e1b076

pstr_drc_dec->is_longblock once initialized was never used,
so this section of code is redundant. Hence removed.
Bug:124022176
Test: vendor+poc
Change-Id: I30f785764a7031b546f01803720dbfccba75d023

Code written under the condition
if (mod[0] == 0 && len_subfrm != LEN_FRAME) is redundant.
We were filling garbage at st->fd_synth[ORDER - len_subfrm + i]
and doing some calculations but never using it.
So removed the redundant part here.
Bug:122728400
Test: vendor + poc
Change-Id: If55eeec1e21b2874c1cfd8eee8c71dc7da962a72

* changes:
  Initialize all allocated memory blocks to zero
  Update cfi blacklist to include few more assembly functions

LDR changed to MOV instruction in armv8 and armv7 assemblies
Removes memory accesses to constant values and replaces
them with mov instructions. This would allow this library
to be compatible with execute-only memory layouts.
Bug: 124323156
Test: poc
Change-Id: I801d4cfff953b9d13b80a97be04a3223117df29f

Decode init fatal error was not handled at upper level in
ixheaacd_common_lpfuncs.c. Hence, corresponding check has
been added.
Bug:126154782
Test: poc
Change-Id: I5332f5fd0260110f426cfe176e6d64f5989cfb08

When ixheaacd_num_bands = 0, "while (patch_bands > 0)" goes
into infinite looping since patch_bands remains unchanged in the
loop.
So as a fix added the corresponding check to break the loop when
ixheaacd_num_bands becomes 0.
Bug: 123974524
Test: poc
Change-Id: Ie6364ad0b3cfd92df1a2664ec5850408aecce21b

For LATM stream other_data_length is read from the bit stream.
For this stream this value is becoming very high, which is beyond
bit buffer boundaries.
As a fix if the value is more than bit buffer size we are returning
fatal error.
Bug:124210105
Test: poc
Change-Id: Id93e5dbdbbd4aab428401da0ea72422d192bcdec
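
Added example, not libxaac code: a minimal bounded bit reader illustrating the checks described in the ixheaacd_arith_decode() bit buffer message and the LATM other_data_length message above (refuse reads past the end, cap a single read at 25 bits, validate a stream-supplied length against what remains). The names bitreader, br_read, br_skip_counted and count_symbols are hypothetical, and the 8-bit byte count is a simplified stand-in for a length field, not the LATM syntax.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical reader for illustration; not the library's own structure. */
typedef struct {
    const uint8_t *buf; /* start of payload */
    size_t size;        /* payload size in bytes */
    size_t bit_pos;     /* absolute index of the next unread bit */
} bitreader;

enum { BR_OK = 0, BR_ERR_ARG = -1, BR_ERR_EXHAUSTED = -2 };

static size_t br_bits_left(const bitreader *br) {
    return br->size * 8 - br->bit_pos; /* bit_pos never exceeds size * 8 */
}

/* Read n bits MSB-first. The 32-bit window starts on a byte boundary and is
 * shifted by up to 7 bits, so only 25 bits are guaranteed per call. */
static int br_read(bitreader *br, unsigned n, uint32_t *out) {
    if (n == 0 || n > 25) return BR_ERR_ARG;
    if (n > br_bits_left(br)) return BR_ERR_EXHAUSTED; /* no wrap, no negative count */
    size_t byte = br->bit_pos >> 3;
    uint32_t window = 0;
    for (size_t i = 0; i < 4; i++) { /* zero-pad instead of reading past the end */
        window <<= 8;
        if (byte + i < br->size) window |= br->buf[byte + i];
    }
    window <<= (br->bit_pos & 7);
    *out = window >> (32 - n);
    br->bit_pos += n;
    return BR_OK;
}

/* Skip a region whose byte length comes from the stream (untrusted). */
static int br_skip_counted(bitreader *br) {
    uint32_t len_bytes;
    int rc = br_read(br, 8, &len_bytes);
    if (rc != BR_OK) return rc;
    if ((size_t)len_bytes * 8 > br_bits_left(br)) return BR_ERR_EXHAUSTED;
    br->bit_pos += (size_t)len_bytes * 8;
    return BR_OK;
}

/* Decode loop bounded by the reader: stops as soon as the input runs out. */
static int count_symbols(bitreader *br, unsigned sym_bits) {
    uint32_t sym; int n = 0;
    while (br_read(br, sym_bits, &sym) == BR_OK) n++;
    return n;
}
```

Because every position update goes through the remaining-bits check, a truncated or hostile stream ends the loop with an error code rather than a negative counter or a loop that never advances.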