Bug: http://b/116873221
Mark ixheaacd_init_sbr_tables and ixheaacd_filt_buf_update as static, so
clang emits an out-of-line definition for them. This fixes the coverage
build, which builds with O0, where the functions don't get inlined.
As an unrelated cleanup, remove an extra declaration of
ixheaacd_filt_buf_update.
Test: Build with coverage
Change-Id: Ia92f1d73c404193116fa3f269948027c771a43bf

gain_set_index_for_channel_group[] is an array of size
CHANNEL_GROUP_COUNT_MAX, i.e. 24. This array is accessed using
str_drc_instruction_str->num_drc_ch_groups as index, whose
value can be more than 24.
A bound check is added for str_drc_instruction_str->num_drc_ch_groups
before accessing gain_set_index_for_channel_group[].
Bug:117832864
Test: vendor
Change-Id: I3799c2de6926f1193a5e0193bc3b5863c478d4ab

Inside ia_sbr_frame_info_data_struct, the limit table is defined as WORD32 lim_table[4][12 + 1];
lim_table is accessed using gate_mode, which is defined as WORD32 gate_mode[4];
For all of the issues below, one of the values of gate_mode is greater than 12. When lim_table
is accessed with more than 12, we get a garbage value, which causes pointer
corruption for b/118386824, a heap buffer overflow for b/118389774 and a stack buffer overflow
for b/118494588.
As a fix, we return a fatal error if a value in gate_mode is > 12.
Bug:118386824
Bug:118389774
Bug:118494588
Test: vendor
Change-Id: I713c5438f56a13f06f0f76ed22ad96ff667741a4
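
The gate_mode check described in the commit message above, as an added C example that is not the project's own code. The `ex_` names, the error code, the `lim_table[i][gate_mode[i]]` access pattern and the negative-value check are assumptions of this example; the array shapes and the "> 12 is fatal" rule come from the commit message.

```c
#include <stdint.h>
#include <stdio.h>

typedef int32_t WORD32;
#define LIM_ROWS 4
#define LIM_COLS (12 + 1)   /* second dimension of lim_table, as in the commit */
#define EX_FATAL_ERROR (-1) /* hypothetical error code */

/* Reduced, hypothetical stand-in for the struct named in the commit. */
typedef struct {
  WORD32 lim_table[LIM_ROWS][LIM_COLS];
  WORD32 gate_mode[LIM_ROWS];
} ex_frame_info;

/* Reject stream-derived gate_mode values that cannot index a lim_table row.
 * The commit states the upper limit (> 12 is fatal); the < 0 test is an
 * addition of this example. */
static WORD32 ex_validate_gate_mode(const ex_frame_info *f) {
  for (int i = 0; i < LIM_ROWS; i++)
    if (f->gate_mode[i] < 0 || f->gate_mode[i] > 12) return EX_FATAL_ERROR;
  return 0;
}

/* Assumed access pattern: row i is read at column gate_mode[i]. */
static WORD32 ex_read_limit(const ex_frame_info *f, int i, WORD32 *out) {
  if (i < 0 || i >= LIM_ROWS) return EX_FATAL_ERROR;
  if (ex_validate_gate_mode(f) != 0) return EX_FATAL_ERROR;
  *out = f->lim_table[i][f->gate_mode[i]];
  return 0;
}

/* Constructed input: lim_table[r][c] = r * 100 + c, gate_mode[2] = gm2. */
static WORD32 ex_demo(WORD32 gm2, WORD32 *out) {
  ex_frame_info f = {0};
  for (int r = 0; r < LIM_ROWS; r++)
    for (int c = 0; c < LIM_COLS; c++) f.lim_table[r][c] = r * 100 + c;
  f.gate_mode[2] = gm2;
  return ex_read_limit(&f, 2, out);
}

int main(void) {
  WORD32 v = 0;
  int rc = ex_demo(12, &v); /* last valid column */
  printf("gate_mode=12 rc=%d value=%d\n", rc, (int)v);
  rc = ex_demo(13, &v);     /* one past the row: rejected, v untouched */
  printf("gate_mode=13 rc=%d value=%d\n", rc, (int)v);
  return 0;
}
```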

In DRC, one of the memcpy calls is made with an uninitialized variable as size,
which results in a crash during memcpy.
As a fix, all the members of structure str_bit_handler are set to zero.
Bug:115780779
Test: vendor
Change-Id: Ib991f7ca6fde9d448b975b4a9fa34234fa54231e

Added bound checks for all the parameters which are
derived from the bit stream.
Bug:116760188
Bug:116019594
Bug:116114402
Test: vendor
Change-Id: I126cd520e7faf2281ab731da559b11c74a9e30b5

Add bounds checks for values delivered as N-bits in the bitstream
but that have a smaller allowed range in this implementation.
Bug:116617847
Test: vendor
Change-Id: Iad0c020ceacd2226d8e1af688a52a46179a39a2d

The number of envelopes is becoming zero because of an erroneous input
stream. Inside SBR, the start band and stop band are calculated based
on the number of envelopes.
In this case the start band is becoming negative. In SBR processing,
the buffer is accessed from start to stop band. This is causing an OOB
read access.
Bug:113037143
Test: poc
Change-Id: Iade10e8cb86676784703e7226b7e132761eb12b1
(cherry picked from commit 4e5b9cb8f6)

* changes:
  Fix for stack buffer overflow in mps ecdata pair decode
  Fix for OOB read in bit stream parsing in mps module
  Clean an array bounds violation.
  Fix for sanitizer multiplication overflow error
  Fix for Segmentation fault in ixheaacd_mps_apply_pre_matrix

icc and cld index are calculated using parameters derived
from the bit stream. There is no bound check for icc and cld index,
because of which an OOB read is happening in mps parsing.
After icc and cld index calculation, values are clamped to
avoid the OOB read.
Bug:112856493
Bug:112858430
Test: poc
Change-Id: I59905926d8a2d1a532bec33e5998a67531a99bd9

Validate drc coefficient counts as we parse them from the stream.
Bug: 116224432
Test: vendor
Change-Id: I5a78521b8acfcdc7af96b91e5687d4f02ce49e54
(cherry picked from commit 17825d4a75)

Nested loop used wrong subscript in inner loop, leading to bad
iteration count and haphazard clearing of data structure.
Bug: 113885537
Test: vendor
Change-Id: Ia9cb53205f4e91ee99268202114fc2001eae2de3
(cherry picked from commit 988f5bd17c)