For erroneous stream, coupling channel initialization memory
was overlapping with SBR scratch memory usage, causing unwanted
reset of the some of the pointers.
All initialization should take place in persistent memory.
As a fix, replaced scratch with persistent memory for initialization.
Bug:145264510
Test:poc in bug
Change-Id: Iaa757d0e87fd3a0b2f75c5288cfe662f556c871f
Variable num_gain_max_values was used as index in
impd_init_table function without checked
for bounds. Added check to prevent out of bound array
access.
Bug:141524702
Test: poc in bug
Change-Id: Ia902153ef614db6dbd002572cdbdb62421580588
(cherry picked from commit 566b69f066)
Index k is incremented and used as an index of
selection_candidate_info_step_2 array. k can be
max (str_drc_instruction_str->dwnmix_id_count *
selection_candidate_step_2_count), this can be
more than max size of selection_candidate_info_step_2
array.
Hence added a check before assignment as fix.
Bug:147331996
Test:poc in bug
Change-Id: I1ffa88eddfcef93ab15a08599270924d54cdf1de
ptr_sbr_qmf->filter_states memory is initialized based on
down_sample_flag. But it's used irrespective of
down_sample_flag values for few testcases.
Therefore assigned maximum memory to
ptr_sbr_qmf->filter_states as a fix in the current CL.
Bug: 147028944
Test: poc in bug
Change-Id: I84f9976645a53e09d638d214730801af4156962e
Uninitialsed float arrays were initialised with -nan/nan values
which got propagated in the code flow and crashed in an "if"
statement where a varibale whose value was nan was compared to
a constant.
Bug: 140094983
Change-Id: I70a18ca213f00a6d6d75b5a64951ffc60205bfb2
(b == 0) case is not taken care in
ixheaacd_shr32_drc function. Hence
added here.
Bug:140980272
Test: poc in bug
Change-Id: Ie830855dd8dc4bebba0b1742f5aada4cdcb48e0d
target_channel_count read from bit stream is being
used as index without bound check. Hence the check
has been added.
Bug:142693847
Test: poc in bug
Change-Id: I9d6c832e75b9cb78fe4989516d13707f1ecf7f91
Max value of
str_p_loc_drc_coefficients_uni_drc->gain_set_count_plus
is used as index without checking for upper bound.
Hence added a check here.
Bug:144665190
Test:poc in bug
Change-Id: Ibd8dfe91910eb4d7548cf3236065eb38121b60c8
start_pos was used as an index to access a stack memory
before been checked for bounds. Hence, Added the check
Bug:144476750
Test: poc in bug
Change-Id: Ib019dab8d83bae0ba085a4c2c15a19631d3695df
During bitbuffer search for sync word, the buffer is incremented each
time in the loop. However, in the second initialization, this size
is not taken care of.
As a fix, reduced the size appropriately in the second init.
Bug:145727847
Test:poc in bug
Change-Id: Id1079d2feeba6841675562e0e1f7b7983acd1b35
pstr_gain_modifiers->shape_filter_idx is read from
bitstream and used as an index before been checked
for bound. Hence added a check.
Bug:145043907
Test:poc in bug
Change-Id: I9a46c4227017328f2c3aa6e7d911889c01efef91
str_node[k].time calculated here is used as an index
to access buf_interpolation->lpcm_gains array. Added a
check here so that the access does not go out of bound.
Bug:145043038
Test:poc in bug
Change-Id: I7620efcfb79e9a34b175b2cdf60c1674c279135d
drc_config->drc_instructions_uni_drc_count
+ drc_config->dwnmix_instructions_count is
used as index in the function
impd_drc_gen_instructions_for_drc_off,
without checked for bounds.
Hence the check has been added here.
Bug:143517852
Test: poc in bug
Change-Id: I1134236b421d97097a5deb25dbf889f25e7a29ef
Added saturation check after two 32 bit numbers
are added and stored in a 32 bit register
Bug: 144391058
Test: Poc in bug
Change-Id: I56c0c626bffb5ffa2bf36456115a093366b84332
Added few checks to avoid out of bound access and
and remove few redundant checks based on review.
Bug:130279444
Test: atest android.media.cts.DecoderTestXheAac
Test: atest android.media.cts.DecoderTestAacDrc
Change-Id: If9a7917eea5d68d4c484d02fca4c755ffa6a9123
str_spline_nodes->num_nodes was not checked for bound,
before using as index. Added bound check before access.
Bug:141215451
Test: poc in bug
Change-Id: I9cd78035521731a3f338dc52ebf0afc3a3e5d3ff
Removed the redundant part of code which initilizes
an array with -1 and uses it as index.
Bug:141524696
Test: poc in bug
Change-Id: Ie126ca257dc0f7276c46733b043a84d5a88a062d
channel_layout->base_channel_count was not checked
for bounds after it is read from bit stream.
Corresponding check has been added here.
Bug:140979418
Test: poc in bug
Change-Id: I57e6a4ea9a39c64e82c3add0d20a85716ad20cc1
Maximum CC CHANNEL element supported in xaac decoder
is only two, but we are getting more for this
error stream, leading to heap buffer overflow.
Hence a check is added.
Bug:141344322
Test: poc in bug
Change-Id: Ib63b4c74e66d9e37c85153c87341de0601044bec
Added break condition when no indexes are modified and
while loop enters infinite iterations.
Bug:140986186
Test: poc in bug
Change-Id: Ibf5953c0af7a0b96c50e3a2f1095b5cc30825711
Fatal error returned from previous init call was not handled
during subsequent init calls. This check has been added here.
Bug:140984035
Bug:140988475
Bug:140986175
Test: poc in bug
Change-Id: I37599ba304bbf137b1a590c1fec7e0da236f7308
This CL contains changes to make #include delimiters stying
consistent. For all system files inclusion we will use <> and
all user files we will use ""
Bug: 125443111
Test: compilation
Change-Id: Ie5f609b9bef8357877affb7f48d46df7c387d142
Output memory size initialised was not sufficient for the
case when audio preroll is 3 and core_sbr_framelength = 4.
Hence, it has been increased to accomodate for the same.
Bug: 136441188
Test: poc in bug
Change-Id: I4e21395f46f4b16c538bf5522b92ad0836ece67f
