* changes:
Initialize all allocated memory blocks to zero
Update cfi blacklist to include few more assembly functions
LDR changed to MOV instruction in armv8 and armv7 assemblies
This fixes un intialized data access in loudness equalizer selection
Memory allocation and distribution inside DRC module was cleaned up.
Memory clean-up changes were done inside the library and in test bench.
Similar changes were done in OMX and C2 plug-in as well.
Bug: 115509210
Test: vendor+poc
Change-Id: I6a2bf5fe6eeecc5d0fec395af020aef8221a5f93
pstr_drc_uni_sel_proc->drc_config.str_drc_instruction_str
and pstr_drc_uni_sel_proc->drc_config.str_drc_config_ext
.str_eq_instructions arrays were accessed with -1
indexes, which is implemented as default configuration for no
updation.
Since we have already initialized all the structures to zero
before itself, this assignment is not needed when the indexes
are -1, so the check has been added.
Bug: 122330975
Test: atest android.media.cts.DecoderTestAacDrc
Change-Id: I841c748c53c057db38379c97def6b28fb6421482
bs_gain_set_idx is a 6 bit field read from bitstream, which is used
to access gain_set_index_for_channel_group[] whose size is GAIN_SET_COUNT_MAX
which is 24.bs_gain_set_idx value greater than 23 is causing oob access.
As fix for this issue bound check is added for bs_gain_set_idx
Bug:119263784
Test: vendor
Change-Id: I26d3668c54a739016c1102158c73db49cb35f1c4
gain_set_index_for_channel_group[] is any array of size
CHANNEL_GROUP_COUNT_MAX i.e 24. This array is accessed using
str_drc_instruction_str->num_drc_ch_groups as index, whose
value can be more than 24.
Bound check is added for str_drc_instruction_str->num_drc_ch_groups
before accessing gain_set_index_for_channel_group[]
Bug:117832864
Test: vendor
Change-Id: I3799c2de6926f1193a5e0193bc3b5863c478d4ab
gain_seq_idx is a 6 bit value read from the bit stream.
it can get any value between 0 to 63. gain_seq_idx is used
to access gain_set_params_index_for_gain_sequence[] array
whose size is SEQUENCE_COUNT_MAX which is 24. if gain_seq_idx
value is greater than or equal to SEQUENCE_COUNT_MAX cause
oob write.
Bound check on gain_seq_idx is added to prevent oob access.
Bug:119117381
Test: vendor
Change-Id: I571e6e705489ae1c46c651f87491f15428719b30
drc_set_id is a 6 bit filed read from bitstream. This drc_set_id is
used to access drc_set_id_valid_flag[] array whose size is
DRC_INSTRUCTIONS_COUNT_MAX i.e. 36. drc_set_id value greater than or
equal to 36 is causing oob write.
Bound check has been added for drc_set_id
Bug:119261935
Test: vendor
Change-Id: Ib218f4d72d23a2cbf4e74eea6a2d71ae8a735c6d
str_eq_instructions->eq_set_id is a 7 bit field read from bit stream,
whose value can be between 0 to 127.eq_set_id_valid_flag[] is an array
of size EQ_INSTRUCTIONS_COUNT_MAX(8).eq_set_id_valid_flag[] array is
accessed using eq_set_id as offset. str_eq_instructions->eq_set_id
value greater than EQ_INSTRUCTIONS_COUNT_MAX is causing OOB write
Bound check is added for str_eq_instructions->eq_set_id
Bug:119263248
Test: vendor
Change-Id: I3e10e4769fd8db130ffed8e5c703480e6a8c4312
In DRC, one of the memcpy is called with uninitialized variable as size,
which is resulting a crash during memcpy.
As a fix all the members of structure str_bit_handler are set to zero.
Bug:115780779
Test: vendor
Change-Id: Ib991f7ca6fde9d448b975b4a9fa34234fa54231e
Added bound checks for all the parameters which are
derived from bit stream.
Bug:116760188
Bug:116019594
Bug:116114402
Test: vendor
Change-Id: I126cd520e7faf2281ab731da559b11c74a9e30b5
Add bounds checks for values delivered as N-bits in the bitstream
but that have smaller allowed range in this implementation.
Bug:116617847
Test: vendor
Change-Id: Iad0c020ceacd2226d8e1af688a52a46179a39a2d
