stere_config_index was not intialised to 0 whenever
a codec re-configure happened which lead to current
frame being processed with stereo_config_index of
frame before codec re-configure which lead to a
mismatch of usac_ele_type[] & stere_config_index
in this case which lead to setting mps_sbr_flag even
in its absence which further went on to crash in
memcpy for ch = 2 which was not set for current
usac_ele_type[].
So, stereo_config_index is cleared in init_config
for USAC_SCE & USAC_LFE cases where it is not used.
Bug: 136975538
Test: poc in bug
Change-Id: I7b976f9512ce3d940a43e94309e61ec780e096cc
pstr_dec_data->str_usac_data.pstr_esbr_dec is
initialised only when sbr_ratio_idx > 0. We use
this structure when stereo_config_index > 0,
without checking sbr_ratio_idx > 0. Hence a check
has been added as a fix.
Bug:136061116
Test: poc in bug
Change-Id: I7e8c687f4e77b51e81b3f4add752c37a63f09dbf
libxaac had few tables which were not declared as constants.
Added const and did corresponding changes to build and
execute.
Bug:128433649
Test: Manual Review
Change-Id: I1babf22a45fbd595c5a9c67804ecdc0317ebb96c
Added saturation checks across ixheaacd_imdct.c and
ixheaacd_basic_ops.c file to avoid integer overflow
based on fuzzer testing and code review.
Bug:130497287
Bug:137055524
Bug:131193902
Test: poc in bug
Change-Id: Ice86d1cc70edfb1831ae5f08942a2f834be25102
We found that error return was not being handled properly
in ixheaacd_applysbr() function. This led to a wrong value
being propagated which led to a stack buffer overflow.
Also, a flag for checking if any previous frames encountered
a fatal error has been added to ensure that further processing
of frames doesn't happen after encountering a fatal error.
Bug:130219994
Bug:131307285
Test: vendor
Change-Id: If7b3887afcb375dda292082438f61d156027b60e
In ixheaacd_applysbr(), down_samp_sbr was coming as 1 during init
and 0 during execute, which lead to a down sampled(smaller array)
being intialised but memcpy at line 633 in ixheaacd_sbrdecoder.c
tried to do it for a non down sampled array(larger array) causing
a memcpy param overlap.
As a fix a check has been added in ixheaacd_dec_execute() for
down_spamp_sbr flag which should be 0 for AOT 42(USAC).
Bug:130273553
Bug:131278612
Test: vendor
Change-Id: Ide3af2da26fdceb8fa51b2e976ff96a0dba9b7a5
MPEG-D DRC integrated with USAC does work only in
time domain.
Hence removed the above related code in this patch.
Bug:130262151
Test: atest android.media.cts.DecoderTestXheAac
Test: atest android.media.cts.DecoderTestAacDrc
Change-Id: Ib51ef29fb7a1fe7a09718d48e2c9e7cda268ae7b
Added missing push and pop instructions of D8-D15 neon registers
for armv7 assembly functions.
Bug:121357211
Test: vendor app
Change-Id: I669df71eff05fd0c693f2bf569a66ed781a02f20
In ixheaacd_arith_decode(), ixheaacd_read_bidireciton()
was being called even when bitbuffer was exhausted which
in turn made cnt_bits and bit_pos more and more negative
which overflowed eventually and resulted in heap buffer
overlow. We also observed the variable "cumulative"
value to be zero even after reaching the end of bitbuffer
and this in turn lead to an infinte for loop
"for (lev = esc_nb = 0;;)" in ixheaacd_arth_decoding_level2()
as "cumulative" value would not be updated after reaching
end of bitbuffer.
As a fix , we return whenever "cumulative" value remains
zero even after bitbuffer is exhausted.
And this patch adds a check for (cnt_bits < 0) in
ixheaacd_bitbuffer.c and removes bitbuffer wrap around
in ixheaacd_read_bidirection().
Added cnt_bits > 25 check in ixheaacd_read_bits_buf() &
ixheaacd_show_bits_buf() as these functions cannot handle
read of more than 25 bits at a time.
Bug:123976878
Test: poc
Change-Id: I4ec729fddb859ddd0add0045532e20fbfffd2e5c
The stream used for this issue had parametric stereo switched off
for first few frames and decoder is configured to give mono output.
After few frames even though codec has detected PS content in the stream
channel configuration is not getting updated which caused breaks in
audio.
As a fix we are checking future possibility on PS content in the stream
based on AOT and using that information to update output channel count.
Bug:114329895
Test: vendor
Change-Id: I0faa47ff234b8651e2c42f9e4423fe9bf1c3908c
In ixheaacd_dec_main(),ixheaacd_config() returned from ixheaacd_read_bit_buf()
due to setjmp/longjmp changes which resulted in ixheeacd_decode_create() not
being called which is needed to initialize many pointers which in turn resulted in
Segementation fault.
As a fix, added a flag decode_create_done which will tell the status of
ixheeacd_decode_create() func and ixheaacd_usac_process will be called
based on this flag.
Bug: 123908264
Bug: 123908335
Bug: 123975056
Test: poc
Change-Id: I929f70650ddc963c11e5d674b12abc0100e1b076
pstr_drc_dec->is_longblock once initialized was never used,
so this section of code is redundant. Hence removed.
Bug:124022176
Test: vendor+poc
Change-Id: I30f785764a7031b546f01803720dbfccba75d023
Code written under the condition
if (mod[0] == 0 && len_subfrm != LEN_FRAME) are redundant.
We were filling garbage at st->fd_synth[ORDER - len_subfrm + i]
and doing some calculations but never using it.
So removed the redundant part here.
Bug:122728400
Test: vendor + poc
Change-Id: If55eeec1e21b2874c1cfd8eee8c71dc7da962a72
* changes:
Initialize all allocated memory blocks to zero
Update cfi blacklist to include few more assembly functions
LDR changed to MOV instruction in armv8 and armv7 assemblies
Removes memory accesses to constant values and replaces
them with mov instructions. This would allow this library
to be compatible with execute-only memory layouts.
Bug: 124323156
Test: poc
Change-Id: I801d4cfff953b9d13b80a97be04a3223117df29f
Decode init fatal error was not handled at upper level in
ixheaacd_common_lpfuncs.c. Hence, corresponding check has
been added.
Bug:126154782
Test: poc
Change-Id: I5332f5fd0260110f426cfe176e6d64f5989cfb08
When ixheaacd_num_bands = 0, "while (patch_bands > 0)" goes
into infinite looping since patch_bands remains unchanged in the
loop.
So as a fix added the corresponding check to break the loop when
ixheaacd_num_bands becomes 0.
Bug: 123974524
Test: poc
Change-Id: Ie6364ad0b3cfd92df1a2664ec5850408aecce21b
