* changes:
Fix for stack buffer overflow in mps ecdata pair decode
Fix for OOB read in bit stream parsing in mps module
Clean an array bounds violation.
Fix for sanitizer multiplication overflow error
Fix for Segmentation fault in ixheaacd_mps_apply_pre_matrix
icc and cld index are calculated using parameters derived
from bit stream.There is no bound check for icc and cld index,
because of which OOB read is happening in mps parsing
After icc and cld index calculation,values are clamped to
avoid OOB read
Bug:112856493
Bug:112858430
Test: poc
Change-Id: I59905926d8a2d1a532bec33e5998a67531a99bd9
In tns, filtering is applied on spectral data.Based on
filter direction filtering is applied either from start of
spectral data or from end of spectral data. In this error
case filter order is coming more than spectral length,because
of which filter input(spectrum) is accessed more than
what is allocated.
Bug:112609715
Bug:112610994
Bug:113108416
Bug:113164693
Bug:113261927
Bug:113262855
Test: vendor
Change-Id: I8b5faf53bdf3e145f442fe2a029b0fffc5189a94
Nested loop used wrong subscript in inner loop, leading to bad
iteration count and haphazard clearing of data structure.
Bug: 113885537
Test: vendor
Change-Id: Ia9cb53205f4e91ee99268202114fc2001eae2de3
Maximum crc registers allowed is 7. Crc registers are accessed
and updated inside the function ixheaacd_adts_crc_start_reg().
Check has been added before the function call so that if the
register value is less than 7 then only the function gets called.
Bug:112551726
Bug:112551874
Bug:112609715
Bug:112713720
Bug:112715795
Bug:113261928
Test: poc
Change-Id: I3935546b8fb3dc5c82bee16639df771349e6d2b6
(cherry picked from commit 55c1da8c37)
Number of envelopes is equal to 2^n, where n obtained by
reading 2 bits from bit stream,so maximum value for number
of envelopes is 8. Time slot array table is accessed using
number of envelopes. The Minimum and Maximum values are 0
and 6,based on these values the table is modified.
Bug:112765917
Test: re-run poc
Change-Id: I42a44fc2376536d5119a8290a14726c9c5badd19
Reason for crash:
For the below reported issues input stream has only one
coupling channel element. As per the specification coupling
channel element should be associated with at least one main
channel element.
We have different output buffers for main channel
and coupling channel. In this error case the coupling
channel output buffer is not getting updated because
there is no main channel, so main decode is called with
output buffer pointing to NULL.
This is the reason for all the issues listed below.
Bug:112551721
Bug:112704700
Bug:112706520
Bug:112710190
Bug:112712274
Bug:112717301
Test: re-run poc
Change-Id: Ife593ca4ae21f05555b6a89092ff76b974e28a67
Number of elements allowed in usac profile are 16. Erroneous input
stream in this use case has 63336 elements.We have an error
check for this max number of elements while parsing the decoder
configuration.This returned error code was not handled properly.
Maximum 16 config elements can be used while codec creation,because
of number of elements values is coming as 63336, during
creation time OOB read is happening.
Bug:112766520
Bug:112857468
Bug:112913145
Bug:112918261
Test: re-ran poc
Change-Id: If9413546371f72a6896f5c7e7d22a314e484cf76
While parsing the input stream in mps_pre_matrix function,
there was an error.This error was not handled properly,
because of which further values which are read from bit stream
are getting wrong values.
We use these value in iteration in ixheaacd_mps_getstridemap()
which is causing stack-buffer-overflow
Bug:112857941
Test: poc+ASAN
Change-Id: I9549b06e0e4e362f517869aef75d579e3e4140a6
The maximum number of channels supported for usac profile in
libxaac decoder is two only.Input streams of the below reported
issues contain multi channel,because of multi channel the write
offset is incremented by greater 2, which causes out of bound
memory access while writing.
Bug:112858010
Bug:112859113
Test: re-run POC
Change-Id: Ide57cb8ee39d77d0f386298e899683d460a3c18b
