| Commit message (Collapse) | Author | Age | Files | Lines |
While adding the decoded buffer to display queue, allow buffer with
poc set to 0x7FFFFFFF
Bug: 145364230
Test: poc in bug
Change-Id: I2a15f73b8422cfa4fd3360bc21c0cea4542a3375
(cherry picked from commit ffcf2a87d66f935210ebd011eed474514d086b40)
Earlier these were only initialized during static buffer allocations.
Initializing them in init_decoder() will ensure that these get
initialized to default values during reset() as well. Without this,
in some error cases, there is a possibility of heap-use-after-free,
when resolution changes and these pointers point to memory that is freed
Bug: 142602711
Test: poc in bug
Change-Id: Ie39fee0eca56bf32cdc558099bf167d05eb89620
(cherry picked from commit 01da7b5a52a76aee615b4e32eeceb4887d3662f0)
If lt_list and st_list point to same node then delete it from st.
If there is error while adding a node in bottom field of lt_list (top is
already added) then this node will be pointed by st_list also. So we need
to remove it from st_list
bug: 73552574
Test: poc before/after on Android N security branch
Change-Id: I95304c242c5854b18c5c7220d114ce6215760124
(cherry picked from commit f312a1d305dae23f9f6f663d2157bf9cf47bb92c)
IVD_RES_CHANGED was not signaled when crop parameters changed, i.e.
display dimensions changed without change in decode dimensions.
In such cases, if output buffer was allocated as per the current
dimension being decoded, without IVD_RES_CHANGED signalled, there can be
an OOB write if the new buffer is smaller than the frame being returned
as output
Bug: 118399205
Test: vendor
Change-Id: Ia750a99cda08a3254a6f8ea8b55d07e655b34d05
(cherry picked from commit 442a01bf37d5bd97bb6d13b382f00265051abbe8)
We now return fail and get out of flush mode to accept bitstream in the next call.
Bug: 35585952
Bug: 63521984
Test: test case does not hang
Change-Id: Id22cc98d4a47714475a67918990a181a805c4c9f
(cherry picked from commit 10c1176f1bb631c8b082634170da8ce2d1144d30)
Bug: 73625898
Test: ran POC before/after under ASAN
Change-Id: I9765b57f4afc6a2b6ad9cd19c8c7c5000beb9de9
(cherry picked from commit 9fa58d4db3ef176ed54af5f602970b48624be413)
CVE-2018-9351
Do not mark bottom field as short term in case of error.
Bug: 73553038
Bug: 73552574
Bug: 73552999
Test: poc before/after
Change-Id: I8576861af36996a361a81f48ba9b251f0ae4e660
(cherry picked from commit 47cc04b40c94b14841d27eb3ac0b01c3f1739180)
CVE-2018-9350
Fixed initialization of u1_pr_sl_type for I slice.
Bug: 70897454
Test: ran PoC before/after patch
Change-Id: I0c37317513b72236be98c2b25482a67bf2b56052
(cherry picked from commit aecdfd1aff2505da11ad48ad4f9f918054ce0c97)
(cherry picked from commit 3e3e81ede5229c5a9c6b7bf6a63844ecf07ae3ae)
Memset to zero whenever new sps occurs.
Bug: 70897394
Test: manual
Change-Id: I5936fd55265ff8ad2b275a72b175cdb540bb7933
(cherry picked from commit 9c32ad7126890dfaa79fd29affaaf07de335fa3a)
(cherry picked from commit 3e3e81ede5229c5a9c6b7bf6a63844ecf07ae3ae)
The output buffer size given by the application needs to be checked
in every process call. This is required in the case of resolution
change in shared display mode.
Bug: 70294343
Bug: 70350193
Bug: 70526411
Bug: 70526485
Test: manual
Change-Id: I2c1e59425e84ac62a874e5ee180e1b98f0a4058f
(cherry picked from commit 3692aceb1b244be3e1b36d8e7b804986f593bb69)
The factor multiplication should happen only at the source,
not at the destination.
Bug: 71375536
Test: manual
Change-Id: Ib5f00b87150a0533880346fac5464b0b1a802c36
(cherry picked from commit c3b026a87d7da17ca5196e1973137b8691e60bde)
When ref_pic_list_reordering_flag_l1 is equal to 1, the number of times
that reordering_of_pic_nums_idc is not equal to 3 following
ref_pic_list_reordering_flag_l1 should not exceed
num_ref_idx_l1_active_minus1 + 1.
Bug: 69478425
Change-Id: I031bb744869ac8a57f85bb97574832efd0eefc25
(cherry picked from commit 7ea47d575d26d4d5356670092af26fb6915e75bf)
If memory allocation for dec_hdl fails, return gracefully
with an error code. All other allocation failures are
handled correctly.
Bug: 68300072
Test: ran poc before/after
Change-Id: I118ae71f4aded658441f1932bd4ede3536f5028b
(cherry picked from commit 7720b3fe3de04523da3a9ecec2b42a3748529bbd)
Added extra structure to read mmco values and copied only once per
picture.
Bug: 65735716
Change-Id: I25b08a37bc78342042c52957774b089abce1a54b
(cherry picked from commit 3c70b9a190875938fc57164d9295a3ec791554df)
Change in Mbaff flag needs re-initialization of NMB group
and other variables in decoder context.
Bug: 64380237
Test: ran poc on ASAN before/after
Change-Id: I0fc65e4dfc3cc2c15528ec52da1782ecec61feab
(cherry picked from commit d524ba03101c0c662c9d365d7357536b42a0265e)
This prevents heap overflow while parsing sei_message.
Bug: 63122634
Test: ran PoC on unpatched/patched
Change-Id: I61c1ff4ac053a060be8c24da4671db985cac628c
(cherry picked from commit f2b70d353768af8d4ead7f32497be05f197925ef)
The u1_top_bottom_decoded flag in the decoder context has been fixed
to be updated correctly in the case of dangling field
Bug: 63315932
Test: ran POC after patching
Change-Id: I8db4ebeb94fba735ba45f365c37e52a202ea84cd
(cherry picked from commit 252628cffba8702e36b98c193bcd2fe67d8237ee)
Added an error check on the lower limit of u1_num_ref_idx_lx_active,
while parsing slice header. The minimum possible value is 1.
Bug: 64836894
Change-Id: I57056851fc135ed00f7a10af5c81eb560e9e12de
(cherry picked from commit 208c74d62a3e1039dc87818306e057877760fbaa)
The difference between two 32 signed numbers was getting assigned
to 16 bits, leading to a divide by zero arithmetic exception.
Modified variable names to match their datatypes.
Bug: 65122447
Change-Id: I45ade1945f10b4d7660bd09fb564e60fd29d40dc
(cherry picked from commit 3eb692de916c3576a18990e3e4193fce93c016dc)
ps_dec_ip->s_out_buffer.u4_num_bufs was missing out of bound checks
Bug: 62688399
Change-Id: Ic5e5c002d29fcb18064550d5a5f9289bb68b448e
(cherry picked from commit aa11ab9fdbb63766703a6280f4fc778f2f2c91ed)
If all the slices in the current pic were invalid, then
the decoder would not have received a valid picture buffer
in the current call. In such cases there is no need to conceal or
deblock the picture.
Bug: 62896384
Test: run ASAN-enabled PoC before/after the patch
Change-Id: I3cf6e871592826f93b0dcd2b06fff80677bc8338
(cherry picked from commit 5df744afde273bc4d0f7a499581dd2fb2ae6cb45)
Increased allocation to include reference list1 also by
default. In the case of error, we could get B_SLICES
even in BASE_PROFILE. The initialization in the
dec_slice_struct_t slice structure has also been
modified accordingly.
Test: run poc with and without this patch
Bug: 38496660
Change-Id: I3451d79bbcd9f0d7a80981a9897f877b7f0812bd
(cherry picked from commit a925a6b539642c8749c91a6f33e362eda8c4a5b6)
Since the maximum value of long term index is 255,
the loop control variable needs to be 32 bit.
Bug: 38448381
Test: ran POC before/after applying fix
Change-Id: Iae3ecff38d4a922bde10fde33f1cfcafd2ea2680
(cherry picked from commit cbcd2846fa837e4be6d35f5c1211b070bc8d26da)
When the first frame is a B frame, the colocated picture
will now point to the current frame.
Test: run poc with and without this patch
Bug: 38115076
Change-Id: I48a8f128740551d6a9252931dafcf8c629ecad0d
(cherry picked from commit b8d362561e48dde8898eb0415f298d64e76f2b7c)
The output buffer size given by the application needs to be checked
in every process call. This is required in the case of resolution
change.
Bug: 36006815
Test: avcdec -i poc.bin
Change-Id: I16a92cdad23eb7b1e12c1a67c1b2599204f29249
(cherry picked from commit 3f6c941de5cd959072fa046c9d6cb26fa0f01dc6)
2413850, 2413851, 2413793, 2413866, 2413738, 2413659, 2413660, 2413867, 2413868, 2413885, 2413829, 2413814, 2413886, 2413921, 2413777, 2413887, 2413854, 2413889, 2413890, 2413855, 2413869, 2413740, 2413816, 2413831, 2413832, 2413817, 2413892, 2413797, 2413779] into nyc-mr2-pixel-monthly-release
Change-Id: I5b48a135366c1b3e5171eddfb634362a240dc234
The sps parameters used to detect change in
resolution/sps were incorrect. Made a fix to
use current sps from decoder context.
Bug: 38239864
Change-Id: I2d110e635ced32b3dc7f364e08a97d672fcbae37
(cherry picked from commit 8c6fe35f6d28f3e8c3a9f9458eea89eba858bded)
(cherry picked from commit ec3f58500066edee259942057e21489621fca9dd)
Added an error check in the case of MMCO 6
(SET_LT_INDEX)
Bug: 38014992
Test: POC fails before / works after patch
Change-Id: I76e38a8e2ff0bab043b47f44f1f7b1d4fe60d416
(cherry picked from commit 9e4f0ce7042078aeffaa16f2773cc2d1b82cdb12)
(cherry picked from commit 41489f9ece970df8530e28d7a24710b1beb755e2)
Postponed the initializations to decoder context
till the end of the parse sps function, after
all the error checks are done.
Bug: 37968755
Test: ran poc on ASAN-enabled build before/after
Change-Id: Ibee3383c28cede3edb68d2459565d6ce10683bbd
(cherry picked from commit 4eb72f7c935595817026b4cf4aed5ef2ff579ab5)
Reference list needs to be initialized for every P/B
slice, to ensure colocated picture always points to a
valid picture buffer, even in the case of error.
Bug: 36279112
Change-Id: I051d7e725b0af209cc7bb333db8da3518adf78a0
(cherry picked from commit f9d3f9af8fc113acda28e1a4e48d85736ee29c75)
If resolution changes within a decode call, due to multiple
sps, the decoder hangs as the application will
give the same data again in the next decode call. This
results in a hang. Fixed this by flagging an error,
when sps/resolution changes within a process call.
Bug: 38487564
Test: ran POC on patched O-based system w/o hanging
Change-Id: I30095b2e8bf573c1a58a316a23b1a5e6a4af589b
(cherry picked from commit fe18375850fe04b8c4ff2f1b20069e161f718e53)
Buffer allocation size for pred info was increased
in the case where the number of reference frames equals 1.
Bug: 36998372
Change-Id: I1f84a16703422109d40bed8436f35d0c2069c088
(cherry picked from commit 9008aed514f7211f6fcad328277ce464b042f622)
Modified the way i4_header_decoded in decoder context
is used, to ensure that resolution change is detected
even if PPS has not been decoded.
Bug: 35583675
Test: ran POC, no longer hangs
Change-Id: Ibb3f8dfbeb66a999fd81720a7d2a02dd951a55c4
(cherry picked from commit 1d06027c69e31d450b1e837c81073362d41084d3)
2307743, 2307635, 2307799, 2307577, 2307800, 2307707, 2307803, 2307781, 2307773, 2307637, 2307804, 2307618, 2307734, 2307708, 2307805, 2307709, 2307806, 2307820, 2307746, 2307774, 2307839, 2307735, 2307782, 2307808, 2307840, 2307738, 2307783, 2307749, 2307775, 2307860, 2307899, 2307822, 2307823, 2307880, 2307778, 2307825, 2307882, 2307787, 2307919, 2307844, 2307905, 2307883, 2307829, 2307907, 2307832, 2307944, 2307945, 2307911] into nyc-mr2-pixel-monthly-release
Change-Id: I2f6f7dc53161c8c75844fe88de78f620af4a6b94
The end of bitstream error check was fixed for
odd number of macroblocks in Mbaff frames.
Bug: 37008096
Test: Ittiam-verified
Change-Id: I058d74a3c1d1511968c2b36802dfc5c102947919
(cherry picked from commit 2e01924cd692191c970c64ec3f358e53dccb9e54)
Increased the allocation size for Mbaff weight
matrix buffer
Bug: 36996978
Change-Id: I21cf2cb1010abdc6346f743f5237ae1730c4bf41
(cherry picked from commit 07db35ad5af8c4ee2308f983650d9a1b811841ea)
Initialize the buffer used to store inter mb info
(reference index, weights etc) to zero.
Bug: 36035683
Change-Id: I23561a6a7fe852c0563a631d7ec6ab022cd78ccc
(cherry picked from commit 2575ae6c989b133554f9b1267cf5dd694cf2aae6)
Fixed initialization of flag u1_top_bottom_decoded
in decoder context. This flag indicates if top
field and bottom field is decoded.
Bug: 36993291
Test: avcdec --input poc.h264 --output /dev/null
Change-Id: I9f8a2620683abd8b15e4780d76d4849394710716
(cherry picked from commit 7703822731a3e5425390ba1d177d061a699c367d)
Added an error check while parsing PPS syntax element
second_chroma_qp_index_offset.
Bug: 37207120
Change-Id: Icba6b7bcf5940505717ee61134ed801c221b6e26
(cherry picked from commit 62f98981ffc29082dd4bbf173a043a5bcbb86652)
Aligned the sizes of au1_ngbr_pels to ensure SSE42 functions do not
result in stack buffer overflow
Bug: 36490809
Change-Id: I0bfe493f94647046013759b3ec9db3c627ac471e
(cherry picked from commit f69e34419b267be7285a7e0e85a019294118ae03)
In the case of error, initialize the new reference list1 with the first
picture in default list0 instead of default list1, as first picture in
list1 could still be invalid.
Bug: 36035074
Change-Id: I7ab493ee7a157cbefcd4da8389ff1ff899c16b7f
(cherry picked from commit 93954f5e9a5d727e402921ac6fa100e6dcc1d4e8)
ps_dec->ps_cur_slice->u1_mbaff_frame_flag is updated in ih264d_start_of_pic().
So updated value should be used after calling ih264d_start_of_pic()
Bug: 33974623
Test: ran POC from bug
Change-Id: I0f1ff5e01ed39767f493f197791e51b0da74952f
(cherry picked from commit 3f6937a0031e4acadc9228559ae2ae47b992b16a)
(cherry picked from commit 0f2f2b5fde873b8badee949561c17692588647e8)
Increment number of long term reference buffers only when both top field
and bottom field have been set as long term.
[backport for M/N from master]
Bug: 35584425
Test: ran POC - no hang, no segfault.
Change-Id: I94e3857944da675eda38f8e1a9bd887f48bff524
(cherry picked from commit 6fa5df8811ea0b8e8459f86dd3c30bf7a9b39482)
(cherry picked from commit 46e96d40dbca2896b5e20cf48d14798231c97663)
In case of dangling fields with gaps in frames enabled,
field pic in cur_slice was wrongly set to 0.
This would cause dangling field to be concealed as a frame, which would
result in a number of MB mismatch and hence a hang.
Bug: 34097672
Change-Id: Ia9b7f72c4676188c45790b2dfbb4fe2c2d2c01f8
(cherry picked from commit 1a13168ca3510ba91274d10fdee46b3642cc9554)
33d9d00a3c am: 858542d83e am: 2e4b53cfb4 am: 7c50684ef0 am: 834462327b
am: 1d999b7cdf
Change-Id: Ie8600c23f61f3300cfe31e623f8c330115a6a7ef
33d9d00a3c am: 858542d83e am: 2e4b53cfb4 am: 7c50684ef0
am: 834462327b
Change-Id: I14a897695081fad3099ca3e49abf1af8f8ac5cff
33d9d00a3c am: 858542d83e am: 2e4b53cfb4
am: 7c50684ef0
Change-Id: I6d1c0a83bd9a265df26620121d805b8c1fb42e67
33d9d00a3c am: 858542d83e
am: 2e4b53cfb4
Change-Id: I36252dfb66db49049efbc6fe9a8e59aaf90fae35
am: 858542d83e
Change-Id: I8376533d60ce908a6a08e260f57cb6163a7fa2dd
am: 33d9d00a3c
Change-Id: Ie055bb48e15a3edaef34a9dc30dd65c0769bc1ea