summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Prevent out of bounds accesses in lppTransposer()replicant-6.0-0004-transitionreplicant-6.0-0004-rc6replicant-6.0-0004-rc5-transitionreplicant-6.0-0004-rc5replicant-6.0-0004-rc4replicant-6.0-0004-rc3replicant-6.0-0004-rc2replicant-6.0-0004cm-13.0Jean-Michel Trivi2019-02-022-13/+26
| | | | | | | | | | | | Check validity of pSettings->noOfPatches to prevent out of bounds access in lppTransposer(), which can also cause memSize to be negative. Bug: 112160868 Test: see poc in bug Change-Id: I789030b116da7f8ea261001b43ef6c677dd58a3d Merged-In: I6a2161865d9cb9b51dc37c09d6e3a4a8e5d11f86 (cherry picked from commit 56ef80d7fec1fd9e201262348a96b8660558105a)
* Break audio element loop in case element_count becomes too large.Fraunhofer IIS FDK2019-01-151-1/+13
| | | | | | | Bug: 112891564 Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: I35f02d23c0cfd620088291a52d9996a0d5a17199 (cherry picked from commit 3347cfb91a7ecabf5800d72e936f04ce44752bf3)
* Prevent bit buffer counter overflow.Fraunhofer IIS FDK2019-01-1512-108/+47
| | | | | | | | | | | | While long-term test we discovered a bit counter overflow in the bit buffer. The bit buffer state was only used by HCR and RVLC tool and can easily be substituted with FDKgetValidBits() call. The following patch completely removes the bit counter and all its obsolete functions. Bug: 112662184 Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: Icee0519d26a2aa62367d2dece59cd3d60ffcade7 (cherry picked from commit 15292f7e9620caf9e8df26a62efc2a2891ea822e)
* Add sampling rate sanity checkFraunhofer IIS FDK2019-01-151-1/+3
| | | | | | | Bug: 112661641 Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: I8e416fb1501dabda20babd4a28a99ab06950b221 (cherry picked from commit ba003785774efe355bcac950158fc78a0cff0c2b)
* MPEG-4 AAC Decoder: check against invalid height inforeplicant-6.0-0004-rc1Jean-Michel Trivi2018-04-061-4/+19
| | | | | | | | | | In CProgramConfig_ReadHeightExt prevent stack overflow from invalid FrontElementHeightInfo array value. Bug: 70637599 Test: see bug Change-Id: I145414d81d7a7be711672c12f44b537c12eea308 (cherry picked from commit 772c7f5542e64f4a380e13e6263ab668694c7c4d)
* Fix out of bound memory access in lppTransposerJean-Michel Trivi2018-01-121-4/+7
| | | | | | | | | | | | | | | | | In TRANSPOSER_SETTINGS, initialize the whole bwBorders array to a reasonable value to guarantee correct termination in while loop in lppTransposer function. This fixes the reported bug. For completeness: - clear the whole bwIndex array instead of noOfPatches entries only. - abort criterion in while loop to prevent potential infinite loop, and limit bwIndex[patch] to a valid range. Test: see bug for malicious content, decoded with "stagefright -s -a" Bug: 65280786 Change-Id: I16ed2e1c0f1601926239a652ca20a91284151843 (cherry picked from commit 6d3dd40e204bf550abcfa589bd9615df8778e118) CVE-2017-13188
* DO NOT MERGE Prevent out of bound memory access in GetInvIntJean-Michel Trivi2018-01-121-4/+8
| | | | | | | | | | | | In GetInvInt(int) function, malicious content can access memory outside of the invCount array. Always bound access to valid indices. Test: see bug for malicious content, decoded with "stagefright -s -a" Bug: 65025048 Change-Id: I92d4a14519f45d5a329d7f69f21f2aef0a8c6daa (cherry picked from commit 9fb4261c43a2d15f3b77a7e56470ed6784f83d04) CVE-2017-13206
* Merge remote-tracking branch 'goog/security-aosp-mnc-mr1-release' into HEADandroid-6.0.1_r81android-6.0.1_r80Bill Yi2017-03-150-0/+0
|\
| * Fix aacDecoder_drcExtractAndMap()Jean-Michel Trivi2016-04-211-9/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Parse DVB DRC data only when numThreads is below MAX_DRC_THREADS. The post-increment is necessary as it is used in fill element DRC data section. This solution parses as many DRC payloads as allowed by MAX_DRC_THREADS and skips all remaining DRC elements in the stream. Bug 27792766 Bug 26751339 Change-Id: Ie1641888bac1757c4d1491119f977fc5d436eaea (cherry picked from commit 97a1b8140d410ed3942006aa22b40ccb322f747b)
| * Fix stack corruption happening in aacDecoder_drcExtractAndMap()Jean-Michel Trivi2016-04-201-1/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In the aacDecoder_drcExtractAndMap() function, self->numThreads can be used after having exceeded its intended max value, MAX_DRC_THREADS, causing memory to be cleared after the threadBs[MAX_DRC_THREADS] array. The crash is prevented by never using self->numThreads with a value equal to or greater than MAX_DRC_THREADS. A proper fix will be required as there seems to be an issue as to which entry in the threadBs array is meant to be initialized and used. Bug 26751339 Change-Id: Ibd76e3877e75f246f4b5bf0f1cfd0da0373106df
| * Merge in history after reset to ↵Xin Li2016-04-140-0/+0
| |\ | | | | | | | | | stage-aosp-mnc-mr1-release@48b330d303727e1f2671f844a1d541d596f6d5da
| | * Fix stack corruption happening in aacDecoder_drcExtractAndMap()Jean-Michel Trivi2016-03-221-1/+9
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In the aacDecoder_drcExtractAndMap() function, self->numThreads can be used after having exceeded its intended max value, MAX_DRC_THREADS, causing memory to be cleared after the threadBs[MAX_DRC_THREADS] array. The crash is prevented by never using self->numThreads with a value equal to or greater than MAX_DRC_THREADS. A proper fix will be required as there seems to be an issue as to which entry in the threadBs array is meant to be initialized and used. Bug 26751339 Change-Id: I655cc40c35d4206ab72e83b2bdb751be2fe52b5a (cherry picked from commit a06d1c2b9af1621037b48557aac42b5ecbdb03b3)
* | Fix aacDecoder_drcExtractAndMap()android-6.0.1_r79android-6.0.1_r78android-6.0.1_r77android-6.0.1_r74android-6.0.1_r72android-6.0.1_r70android-6.0.1_r66android-6.0.1_r61android-6.0.1_r60android-6.0.1_r59android-6.0.1_r58android-6.0.1_r52android-6.0.1_r51android-6.0.1_r50android-6.0.1_r49android-6.0.1_r46Jean-Michel Trivi2016-04-211-9/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | Parse DVB DRC data only when numThreads is below MAX_DRC_THREADS. The post-increment is necessary as it is used in fill element DRC data section. This solution parses as many DRC payloads as allowed by MAX_DRC_THREADS and skips all remaining DRC elements in the stream. Bug 27792766 Bug 26751339 Change-Id: Ie1641888bac1757c4d1491119f977fc5d436eaea
* | Fix stack corruption happening in aacDecoder_drcExtractAndMap()android-6.0.1_r43android-6.0.1_r42android-6.0.1_r41android-6.0.1_r40Jean-Michel Trivi2016-03-251-1/+9
|/ | | | | | | | | | | | | | | | In the aacDecoder_drcExtractAndMap() function, self->numThreads can be used after having exceeded its intended max value, MAX_DRC_THREADS, causing memory to be cleared after the threadBs[MAX_DRC_THREADS] array. The crash is prevented by never using self->numThreads with a value equal to or greater than MAX_DRC_THREADS. A proper fix will be required as there seems to be an issue as to which entry in the threadBs array is meant to be initialized and used. Bug 26751339 Change-Id: I655cc40c35d4206ab72e83b2bdb751be2fe52b5a
* Remove __DATE__/__TIME__android-6.0.1_r9android-6.0.1_r8android-6.0.1_r7android-6.0.1_r30android-6.0.1_r3android-6.0.1_r20android-6.0.1_r17android-6.0.1_r13android-6.0.1_r12android-6.0.1_r11android-6.0.1_r10android-6.0.1_r1android-6.0.0_r41Dan Willemsen2015-11-0311-0/+55
| | | | | | | | | | | | | Building __DATE__/__TIME__ into the binaries means that every build will create different binaries, even if all the sources are identical. This also means that any libraries including this one will need to be patched during every OTA. Nothing appears to use the build_date/build_time fields, so just replace them with empty strings. Bug: 24204119 Change-Id: I9543eb388a1e8ab9284df9035a62fc8942cdc082 (cherry picked from commit 6e8330732f61d1da1485fc07b61444f490d5e623)
* am b3c5a4bb: Fix crash on invalid channel configandroid-6.0.0_r26android-6.0.0_r25android-6.0.0_r24android-6.0.0_r23android-6.0.0_r13android-6.0.0_r12android-6.0.0_r11Marco Nelissen2015-09-151-2/+5
|\ | | | | | | | | * commit 'b3c5a4bb8442ab3158fa1f52b790fadc64546f46': Fix crash on invalid channel config
| * Fix crash on invalid channel configMarco Nelissen2015-09-081-2/+5
| | | | | | | | | | Bug: 23876444 Change-Id: I90ad197811ebabceb5b5d74d6d3f20716fbe2d45
* | am f2df045a: Merge commit \'10d211b84a5f0790b28fcc8b3db66884d5f9c729\' into HEADandroid-cts-6.0_r1android-6.0.0_r1Bill Yi2015-02-200-0/+0
|\ \ | | | | | | | | | * commit 'f2df045ae92ee655481f73b19986084308ae684c':
| * \ Merge commit '10d211b84a5f0790b28fcc8b3db66884d5f9c729' into HEADandroid-wear-5.1.1_r1android-wear-5.1.0_r1android-m-preview-1android-m-previewBill Yi2015-02-190-0/+0
| |\ \
* | | | am 2b6bf8dc: Merge "Do not include genericStds_linux.cpp."Chih-Hung Hsieh2015-02-182-3/+1
|\| | | | |/ / |/| | | | | | | | * commit '2b6bf8dc0941f3a4531030b950cf24fd31248b0b': Do not include genericStds_linux.cpp.
| * | Merge "Do not include genericStds_linux.cpp."Chih-Hung Hsieh2015-02-182-3/+1
| |\ \
| | * | Do not include genericStds_linux.cpp.Chih-Hung Hsieh2015-02-122-3/+1
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | The __aeabi_memcpy functions are already defined in Android libc. Redefining them to call memcpy will become recursive when clang/llvm converts the memcpy call to __aeabi_memcpy. With this change, we can enable clang/llvm by removing LOCAL_CLANG from Android.mk. BUG: 12216385 Change-Id: I8b8b4ba7f3ff1e66f8110fc3b6356865a582c1d8
* | | am 1c6ab7db: Merge "Use gcc for the AAC decoder"Marco Nelissen2015-02-111-0/+2
|\| | | | | | | | | | | | | | * commit '1c6ab7db30867f3eee0d550adb015b340fbbc668': Use gcc for the AAC decoder
| * | Merge "Use gcc for the AAC decoder"Marco Nelissen2015-02-111-0/+2
| |\ \
| | * | Use gcc for the AAC decoderMarco Nelissen2015-02-101-0/+2
| |/ / | | | | | | | | | | | | | | | clang generates crashing code for this. Change-Id: I90355d6735403290e7c0d93ff4854520b7b80f4a
* | | am 66091e46: Merge "Fix checks for {Front,Side,Back}ElementIsCpe"Chih-Hung Hsieh2014-12-012-7/+3
|\| | | | | | | | | | | | | | * commit '66091e46d7aae1b45ed96f5f39274954a296db71': Fix checks for {Front,Side,Back}ElementIsCpe
| * | Merge "Fix checks for {Front,Side,Back}ElementIsCpe"android-wear-5.0.0_r1Chih-Hung Hsieh2014-12-012-7/+3
| |\ \
| | * | Fix checks for {Front,Side,Back}ElementIsCpeChih-Hung Hsieh2014-12-012-7/+3
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | {Front,Side,Back}ElementIsCpe is an array (per-channel). The check for pPce->{Front,Side,Back}ElementIsCpe without an index checks the address of the array, and will always evaluate to true. The elTagSce++ statements are unreachable. Change-Id: If530371788a44038c500d6f9f7ac67681f77cc71
* | | am 84851b23: Merge "Move back to C++98."Dan Albert2014-12-011-1/+2
|\| | | | | | | | | | | | | | * commit '84851b23d6f65ce03da4fa8ef2348b4f46c0ed0f': Move back to C++98.
| * | Merge "Move back to C++98."Dan Albert2014-12-011-1/+2
| |\ \
| | * | Move back to C++98.Dan Albert2014-11-281-1/+2
| |/ / | | | | | | | | | | | | | | | | | | | | | This code depends on narrowing hex literals to a signed long, which trips -Wc++11-narrowing (the fix would be to explicitly cast each value to signed). Change-Id: I581a02ef0eeee5a2d95ce0ff2ec6f7ff26f3a074
* | | am d149516e: am 7e464956: Merge "Move Clang only flags into ↵Chih-Hung Hsieh2014-10-250-0/+0
|\| | | | | | | | | | | | | | | | | LOCAL_CLANG_CPPFLAGS." * commit 'd149516e1a3a63549d2c654b1398544d5de46a3e':
| * | am 7e464956: Merge "Move Clang only flags into LOCAL_CLANG_CPPFLAGS."Chih-Hung Hsieh2014-09-231-1/+1
| |\ \ | | | | | | | | | | | | | | | | * commit '7e46495606bd66973a10565f932acee7bddcc003': Move Clang only flags into LOCAL_CLANG_CPPFLAGS.
* | \ \ am 7e464956: Merge "Move Clang only flags into LOCAL_CLANG_CPPFLAGS."Chih-Hung Hsieh2014-09-231-1/+1
|\ \ \ \ | |/ / / |/| / / | |/ / | | | * commit '7e46495606bd66973a10565f932acee7bddcc003': Move Clang only flags into LOCAL_CLANG_CPPFLAGS.
| * | Merge "Move Clang only flags into LOCAL_CLANG_CPPFLAGS."android-l-preview_r2Chih-Hung Hsieh2014-09-231-1/+1
| |\ \
| | * | Move Clang only flags into LOCAL_CLANG_CPPFLAGS.Chih-Hung Hsieh2014-09-221-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | Gcc does not recognize -Wno-pointer-bool-conversion. Change-Id: Ib6ffa321fff1947b6a098244f7d67fdeb45c2b41
* | | | am 4803bf75: Merge "Ignore Clang warning on checking address of arrays."Glenn Kasten2014-09-091-0/+5
|\| | | | | | | | | | | | | | | | | | | * commit '4803bf75f564e5c9304527a5b902711f78e9f621': Ignore Clang warning on checking address of arrays.
| * | | Merge "Ignore Clang warning on checking address of arrays."Glenn Kasten2014-09-091-0/+5
| |\| |
| | * | Ignore Clang warning on checking address of arrays.Chih-Hung Hsieh2014-09-031-0/+5
| |/ / | | | | | | | | | | | | BUG: 17356808 Change-Id: I464ffcfb3fc4f44ac8115f9ae98a8c46189b41cd
* | / am 2decc778: Merge "[MIPSR6] Skip assembler code using MFHI/MFLO on mips32r6"Keun-young Park2014-08-142-2/+2
|\| | | |/ |/| | | | | * commit '2decc77814e729df47464a504123f9b398ac7077': [MIPSR6] Skip assembler code using MFHI/MFLO on mips32r6
| * Merge "[MIPSR6] Skip assembler code using MFHI/MFLO on mips32r6"Keun-young Park2014-08-142-2/+2
| |\
| | * [MIPSR6] Skip assembler code using MFHI/MFLO on mips32r6Duane Sand2014-07-312-2/+2
| |/ | | | | | | Change-Id: I3dacd96cf9d5cf9c3d34d612ebb0456d64bc23bc
* | AAC-Decoder: SBR delay for gaplessandroid-cts-5.1_r3android-cts-5.1_r2android-cts-5.1_r1android-cts-5.0_r9android-cts-5.0_r8android-cts-5.0_r7android-cts-5.0_r6android-cts-5.0_r5android-cts-5.0_r4android-cts-5.0_r3android-5.1.1_r9android-5.1.1_r8android-5.1.1_r7android-5.1.1_r6android-5.1.1_r5android-5.1.1_r4android-5.1.1_r3android-5.1.1_r24android-5.1.1_r23android-5.1.1_r22android-5.1.1_r20android-5.1.1_r2android-5.1.1_r19android-5.1.1_r18android-5.1.1_r17android-5.1.1_r16android-5.1.1_r15android-5.1.1_r14android-5.1.1_r13android-5.1.1_r12android-5.1.1_r10android-5.1.1_r1android-5.1.0_r5android-5.1.0_r4android-5.1.0_r3android-5.1.0_r1android-5.0.2_r3android-5.0.2_r1android-5.0.1_r1android-5.0.0_r7android-5.0.0_r6android-5.0.0_r5.1android-5.0.0_r5android-5.0.0_r4android-5.0.0_r3android-5.0.0_r2android-5.0.0_r1staging/cm-12.0-cafstaging/cm-12.0Jean-Michel Trivi2014-05-206-8/+60
| | | | | | | | | | | | | | | | | | | | Revise decoder output delay determination. The output delay consisted of concealment and limiter delay. SBR delay was not covered but must be considered for gapless playback delay compensation. Bug 9428126 Change-Id: I67483712c284de9b5378694f9db7acbed2547dd7
* | AAC-Decoder: DRC metadata in stream infoJean-Michel Trivi2014-05-206-7/+77
| | | | | | | | | | | | | | | | | | Provide relevant DRC metadata information via API needed for DRC presentation mode wrapper. Bug 9428126 Change-Id: I827cd6bdfd2a8799c21935ae32af23739c90a9b6
* | AAC Decoder: flush/seek improvementsJean-Michel Trivi2014-05-207-26/+108
| | | | | | | | | | | | | | | | | | | | Improve flushing and seeking. Add field to the API stream info structure signaling the additional output delay for flushing and delay compensation. Bug 9428126 Change-Id: I808412905563ea3de50a2e77a9b5dfee829cd2ed
* | am 35f30c5a: Merge "AArch64: Make LONG 4 bytes"Glenn Kasten2014-04-092-5/+5
|\| | | | | | | | | * commit '35f30c5ab8089f38681d2fdd416c00aebef5a7ff': AArch64: Make LONG 4 bytes
| * Merge "AArch64: Make LONG 4 bytes"Glenn Kasten2014-04-092-5/+5
| |\
| | * AArch64: Make LONG 4 bytesMarcus Oakland2014-03-112-5/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The libSYS/include/machine_type.h header file states LONG should be "Data type representing 4 byte signed integer on all supported platforms" but only provided for defining LONG as INT and ULONG as UINT when __x86_64__ was defined. This has been changed to when __LP64__ is defined, so that it also applies to AArch64. The change to libFDK/include/common_fix.h is then needed to get the project to compile. Change-Id: Iea42d7eca97dcc9da772a05b207d134cb999a72a Signed-off-by: Marcus Oakland <marcus.oakland@arm.com>
* | | AAC Decoder: introduce time domain limiterJean-Michel Trivi2014-03-3111-2078/+3053
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Introduce time domain limiter. The module is per default enabled for all AAC-LC and HE-AAC v1/2 streams. For all ER-AAC-LD and ER-AAC-ELD streams the limiter is disabled per default. The feature can be en- or disabled via dynamic API parameter. Note that the limiter introduces an additional output delay which depends on the module parameters and the streams sampling rate. Bug 9428126 Change-Id: I299a072340b33e2c324facbd347a72c8de3d380e
* | | am 3252951f: Merge "Temporary workaround for 64-bit build error"Glenn Kasten2014-03-191-1/+1
|\| | | | | | | | | | | | | | * commit '3252951f61e011241ce6dd8fff775fe9b9aed97f': Temporary workaround for 64-bit build error
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-20 03:57:29 +0000