| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
| |
Check validity of pSettings->noOfPatches to prevent out of bounds
access in lppTransposer(), which can also cause memSize to be
negative.
Bug: 112160868
Test: see poc in bug
Change-Id: I789030b116da7f8ea261001b43ef6c677dd58a3d
Merged-In: I6a2161865d9cb9b51dc37c09d6e3a4a8e5d11f86
(cherry picked from commit 56ef80d7fec1fd9e201262348a96b8660558105a)
|
|
|
|
|
|
|
| |
Bug: 112891564
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: I35f02d23c0cfd620088291a52d9996a0d5a17199
(cherry picked from commit 3347cfb91a7ecabf5800d72e936f04ce44752bf3)
|
|
|
|
|
|
|
|
|
|
|
|
| |
While long-term test we discovered a bit counter overflow in the bit buffer.
The bit buffer state was only used by HCR and RVLC tool and can easily be substituted with FDKgetValidBits() call.
The following patch completely removes the bit counter and all its obsolete functions.
Bug: 112662184
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: Icee0519d26a2aa62367d2dece59cd3d60ffcade7
(cherry picked from commit 15292f7e9620caf9e8df26a62efc2a2891ea822e)
|
|
|
|
|
|
|
| |
Bug: 112661641
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: I8e416fb1501dabda20babd4a28a99ab06950b221
(cherry picked from commit ba003785774efe355bcac950158fc78a0cff0c2b)
|
|
|
|
|
|
|
|
|
|
| |
In CProgramConfig_ReadHeightExt prevent stack overflow
from invalid FrontElementHeightInfo array value.
Bug: 70637599
Test: see bug
Change-Id: I145414d81d7a7be711672c12f44b537c12eea308
(cherry picked from commit 772c7f5542e64f4a380e13e6263ab668694c7c4d)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In TRANSPOSER_SETTINGS, initialize the whole bwBorders array to a
reasonable value to guarantee correct termination in while loop
in lppTransposer function. This fixes the reported bug.
For completeness:
- clear the whole bwIndex array instead of noOfPatches entries only.
- abort criterion in while loop to prevent potential
infinite loop, and limit bwIndex[patch] to a valid range.
Test: see bug for malicious content, decoded with "stagefright -s -a"
Bug: 65280786
Change-Id: I16ed2e1c0f1601926239a652ca20a91284151843
(cherry picked from commit 6d3dd40e204bf550abcfa589bd9615df8778e118)
CVE-2017-13188
|
|
|
|
|
|
|
|
|
|
|
|
| |
In GetInvInt(int) function, malicious content can access memory
outside of the invCount array. Always bound access to valid
indices.
Test: see bug for malicious content, decoded with "stagefright -s -a"
Bug: 65025048
Change-Id: I92d4a14519f45d5a329d7f69f21f2aef0a8c6daa
(cherry picked from commit 9fb4261c43a2d15f3b77a7e56470ed6784f83d04)
CVE-2017-13206
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Parse DVB DRC data only when numThreads is below
MAX_DRC_THREADS. The post-increment is necessary as
it is used in fill element DRC data section.
This solution parses as many DRC payloads as allowed by
MAX_DRC_THREADS and skips all remaining DRC elements in the stream.
Bug 27792766
Bug 26751339
Change-Id: Ie1641888bac1757c4d1491119f977fc5d436eaea
(cherry picked from commit 97a1b8140d410ed3942006aa22b40ccb322f747b)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In the aacDecoder_drcExtractAndMap() function, self->numThreads
can be used after having exceeded its intended max value,
MAX_DRC_THREADS, causing memory to be cleared after the
threadBs[MAX_DRC_THREADS] array.
The crash is prevented by never using self->numThreads with
a value equal to or greater than MAX_DRC_THREADS.
A proper fix will be required as there seems to be an issue as
to which entry in the threadBs array is meant to be initialized
and used.
Bug 26751339
Change-Id: Ibd76e3877e75f246f4b5bf0f1cfd0da0373106df
|
| |\
| | |
| | |
| | | |
stage-aosp-mnc-mr1-release@48b330d303727e1f2671f844a1d541d596f6d5da
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In the aacDecoder_drcExtractAndMap() function, self->numThreads
can be used after having exceeded its intended max value,
MAX_DRC_THREADS, causing memory to be cleared after the
threadBs[MAX_DRC_THREADS] array.
The crash is prevented by never using self->numThreads with
a value equal to or greater than MAX_DRC_THREADS.
A proper fix will be required as there seems to be an issue as
to which entry in the threadBs array is meant to be initialized
and used.
Bug 26751339
Change-Id: I655cc40c35d4206ab72e83b2bdb751be2fe52b5a
(cherry picked from commit a06d1c2b9af1621037b48557aac42b5ecbdb03b3)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Parse DVB DRC data only when numThreads is below
MAX_DRC_THREADS. The post-increment is necessary as
it is used in fill element DRC data section.
This solution parses as many DRC payloads as allowed by
MAX_DRC_THREADS and skips all remaining DRC elements in the stream.
Bug 27792766
Bug 26751339
Change-Id: Ie1641888bac1757c4d1491119f977fc5d436eaea
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the aacDecoder_drcExtractAndMap() function, self->numThreads
can be used after having exceeded its intended max value,
MAX_DRC_THREADS, causing memory to be cleared after the
threadBs[MAX_DRC_THREADS] array.
The crash is prevented by never using self->numThreads with
a value equal to or greater than MAX_DRC_THREADS.
A proper fix will be required as there seems to be an issue as
to which entry in the threadBs array is meant to be initialized
and used.
Bug 26751339
Change-Id: I655cc40c35d4206ab72e83b2bdb751be2fe52b5a
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Building __DATE__/__TIME__ into the binaries means that every build will
create different binaries, even if all the sources are identical. This
also means that any libraries including this one will need to be patched
during every OTA.
Nothing appears to use the build_date/build_time fields, so just replace
them with empty strings.
Bug: 24204119
Change-Id: I9543eb388a1e8ab9284df9035a62fc8942cdc082
(cherry picked from commit 6e8330732f61d1da1485fc07b61444f490d5e623)
|
|\
| |
| |
| |
| | |
* commit 'b3c5a4bb8442ab3158fa1f52b790fadc64546f46':
Fix crash on invalid channel config
|
| |
| |
| |
| |
| | |
Bug: 23876444
Change-Id: I90ad197811ebabceb5b5d74d6d3f20716fbe2d45
|
|\ \
| | |
| | |
| | | |
* commit 'f2df045ae92ee655481f73b19986084308ae684c':
|
| |\ \ |
|
|\| | |
| |/ /
|/| |
| | |
| | | |
* commit '2b6bf8dc0941f3a4531030b950cf24fd31248b0b':
Do not include genericStds_linux.cpp.
|
| |\ \ |
|
| |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The __aeabi_memcpy functions are already defined in Android libc.
Redefining them to call memcpy will become recursive when clang/llvm
converts the memcpy call to __aeabi_memcpy.
With this change, we can enable clang/llvm by removing LOCAL_CLANG from Android.mk.
BUG: 12216385
Change-Id: I8b8b4ba7f3ff1e66f8110fc3b6356865a582c1d8
|
|\| |
| | |
| | |
| | |
| | | |
* commit '1c6ab7db30867f3eee0d550adb015b340fbbc668':
Use gcc for the AAC decoder
|
| |\ \ |
|
| |/ /
| | |
| | |
| | |
| | |
| | | |
clang generates crashing code for this.
Change-Id: I90355d6735403290e7c0d93ff4854520b7b80f4a
|
|\| |
| | |
| | |
| | |
| | | |
* commit '66091e46d7aae1b45ed96f5f39274954a296db71':
Fix checks for {Front,Side,Back}ElementIsCpe
|
| |\ \ |
|
| |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
{Front,Side,Back}ElementIsCpe is an array (per-channel). The check for
pPce->{Front,Side,Back}ElementIsCpe without an index checks the address
of the array, and will always evaluate to true. The elTagSce++
statements are unreachable.
Change-Id: If530371788a44038c500d6f9f7ac67681f77cc71
|
|\| |
| | |
| | |
| | |
| | | |
* commit '84851b23d6f65ce03da4fa8ef2348b4f46c0ed0f':
Move back to C++98.
|
| |\ \ |
|
| |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This code depends on narrowing hex literals to a signed long, which
trips -Wc++11-narrowing (the fix would be to explicitly cast each
value to signed).
Change-Id: I581a02ef0eeee5a2d95ce0ff2ec6f7ff26f3a074
|
|\| |
| | |
| | |
| | |
| | |
| | | |
LOCAL_CLANG_CPPFLAGS."
* commit 'd149516e1a3a63549d2c654b1398544d5de46a3e':
|
| |\ \
| | | |
| | | |
| | | |
| | | | |
* commit '7e46495606bd66973a10565f932acee7bddcc003':
Move Clang only flags into LOCAL_CLANG_CPPFLAGS.
|
|\ \ \ \
| |/ / /
|/| / /
| |/ /
| | | |
* commit '7e46495606bd66973a10565f932acee7bddcc003':
Move Clang only flags into LOCAL_CLANG_CPPFLAGS.
|
| |\ \ |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Gcc does not recognize -Wno-pointer-bool-conversion.
Change-Id: Ib6ffa321fff1947b6a098244f7d67fdeb45c2b41
|
|\| | |
| | | |
| | | |
| | | |
| | | | |
* commit '4803bf75f564e5c9304527a5b902711f78e9f621':
Ignore Clang warning on checking address of arrays.
|
| |\| | |
|
| |/ /
| | |
| | |
| | |
| | | |
BUG: 17356808
Change-Id: I464ffcfb3fc4f44ac8115f9ae98a8c46189b41cd
|
|\| |
| |/
|/|
| |
| | |
* commit '2decc77814e729df47464a504123f9b398ac7077':
[MIPSR6] Skip assembler code using MFHI/MFLO on mips32r6
|
| |\ |
|
| |/
| |
| |
| | |
Change-Id: I3dacd96cf9d5cf9c3d34d612ebb0456d64bc23bc
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Revise decoder output delay determination. The output delay consisted of
concealment and limiter delay. SBR delay was not covered but must be
considered for gapless playback delay compensation.
Bug 9428126
Change-Id: I67483712c284de9b5378694f9db7acbed2547dd7
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Provide relevant DRC metadata information via API needed for DRC
presentation mode wrapper.
Bug 9428126
Change-Id: I827cd6bdfd2a8799c21935ae32af23739c90a9b6
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Improve flushing and seeking.
Add field to the API stream info structure signaling the additional output
delay for flushing and delay compensation.
Bug 9428126
Change-Id: I808412905563ea3de50a2e77a9b5dfee829cd2ed
|
|\|
| |
| |
| |
| | |
* commit '35f30c5ab8089f38681d2fdd416c00aebef5a7ff':
AArch64: Make LONG 4 bytes
|
| |\ |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The libSYS/include/machine_type.h header file states LONG should be
"Data type representing 4 byte signed integer on all supported
platforms" but only provided for defining LONG as INT and ULONG as
UINT when __x86_64__ was defined. This has been changed to when
__LP64__ is defined, so that it also applies to AArch64. The change
to libFDK/include/common_fix.h is then needed to get the project to
compile.
Change-Id: Iea42d7eca97dcc9da772a05b207d134cb999a72a
Signed-off-by: Marcus Oakland <marcus.oakland@arm.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Introduce time domain limiter. The module is per default enabled for all
AAC-LC and HE-AAC v1/2 streams. For all ER-AAC-LD and ER-AAC-ELD streams
the limiter is disabled per default. The feature can be en- or disabled
via dynamic API parameter. Note that the limiter introduces an additional
output delay which depends on the module parameters and the streams
sampling rate.
Bug 9428126
Change-Id: I299a072340b33e2c324facbd347a72c8de3d380e
|
|\| |
| | |
| | |
| | |
| | | |
* commit '3252951f61e011241ce6dd8fff775fe9b9aed97f':
Temporary workaround for 64-bit build error
|