summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* decoder: Fix minimum poc calculation check while adding to displaycm-14.1Harish Mahendrakar2020-03-031-4/+8
| | | | | | | | | | While adding the decoded buffer to display queue, allow buffer with poc set to 0x7FFFFFFF Bug: 145364230 Test: poc in bug Change-Id: I2a15f73b8422cfa4fd3360bc21c0cea4542a3375 (cherry picked from commit ffcf2a87d66f935210ebd011eed474514d086b40)
* decoder: Move initialization of dbp_mgr entries to init_decoder()Harish Mahendrakar2020-01-071-23/+24
| | | | | | | | | | | | | Earlier these were only initialized during static buffer allocations. Initializing them in init_decoder() will ensure that these get initialized to default values during reset() as well. Without this, in some error cases, there is a possibility of heap-use-after free, when resolution changes and these pointers point to memory that is freed Bug: 142602711 Test: poc in bug Change-Id: Ie39fee0eca56bf32cdc558099bf167d05eb89620 (cherry picked from commit 01da7b5a52a76aee615b4e32eeceb4887d3662f0)
* Decoder: Delete node from st if lt and st point to sameRakesh Kumar2019-08-072-0/+68
| | | | | | | | | | | | If lt_list and st_list point to same node then delete it from st. If there is error while adding a node in bottom field of lt_list (top is already added) then this node will be pointed by st_list also. So we need to remove it from st_list bug: 73552574 Test: poc before/after on Android N security branch Change-Id: I95304c242c5854b18c5c7220d114ce6215760124 (cherry picked from commit f312a1d305dae23f9f6f663d2157bf9cf47bb92c)
* decoder: Signal IVD_RES_CHANGED error for change in crop paramsHarish Mahendrakar2019-03-041-0/+13
| | | | | | | | | | | | | | | IVD_RES_CHANGED was not signaled when crop parameters changed, i.e. display dimensions changed without change in decode dimensions. In such cases, if output buffer was allocated as per the current dimension being decoded, without IVD_RES_CHANGED signalled, there can be an OOB write if the new buffer is smaller than the frame being returned as output Bug: 118399205 Test: vendor Change-Id: Ia750a99cda08a3254a6f8ea8b55d07e655b34d05 (cherry picked from commit 442a01bf37d5bd97bb6d13b382f00265051abbe8)
* Bug fix for flush without valid framesHamsalekha S2018-08-071-1/+9
| | | | | | | | | | We now return fail and get out of flush mode to accept bitstream in the next call. Bug: 35585952 Bug: 63521984 Test: test case does not hang Change-Id: Id22cc98d4a47714475a67918990a181a805c4c9f (cherry picked from commit 10c1176f1bb631c8b082634170da8ce2d1144d30)
* Encoder: Return error for odd resolutionAkshata Jadhav2018-06-081-0/+18
| | | | | | | | Bug: 73625898 Test: ran POC before/after under ASAN Change-Id: I9765b57f4afc6a2b6ad9cd19c8c7c5000beb9de9 (cherry picked from commit 9fa58d4db3ef176ed54af5f602970b48624be413) CVE-2018-9351
* Decoder: Modify setting short term reference field flagRitu Baldwa2018-06-081-3/+2
| | | | | | | | | | | | Do not mark bottom field as short term in case of error. Bug: 73553038 Bug: 73552574 Bug: 73552999 Test: poc before/after Change-Id: I8576861af36996a361a81f48ba9b251f0ae4e660 (cherry picked from commit 47cc04b40c94b14841d27eb3ac0b01c3f1739180) CVE-2018-9350
* Decoder: Set prev slice type for I slice.Ritu Baldwa2018-04-061-1/+1
| | | | | | | | | | Fixed initialization of u1_pr_sl_type for I slice. Bug: 70897454 Test: ran PoC before/after patch Change-Id: I0c37317513b72236be98c2b25482a67bf2b56052 (cherry picked from commit aecdfd1aff2505da11ad48ad4f9f918054ce0c97) (cherry picked from commit 3e3e81ede5229c5a9c6b7bf6a63844ecf07ae3ae)
* Decoder: Fixed reset values in parse sps.Ritu Baldwa2018-04-061-0/+4
| | | | | | | | | | Memset to zero whenever new sps occurs. Bug: 70897394 Test: manual Change-Id: I5936fd55265ff8ad2b275a72b175cdb540bb7933 (cherry picked from commit 9c32ad7126890dfaa79fd29affaaf07de335fa3a) (cherry picked from commit 3e3e81ede5229c5a9c6b7bf6a63844ecf07ae3ae)
* Decoder: Adding Error Check for Output Buffer Size in Shared Display Mode.Ritu Baldwa2018-03-081-8/+57
| | | | | | | | | | | | | | The output buffer size given by the application, needs to be checked in every process call. This is required in the case of resolution change in shared display mode. Bug: 70294343 Bug: 70350193 Bug: 70526411 Bug: 70526485 Test: manual Change-Id: I2c1e59425e84ac62a874e5ee180e1b98f0a4058f (cherry picked from commit 3692aceb1b244be3e1b36d8e7b804986f593bb69)
* Decoder: Fixed memory overflow in shared display mode.Ritu Baldwa2018-03-081-2/+5
| | | | | | | | | | The factor multiplication should happen only at the source, not at the destination. Bug: 71375536 Test: manual Change-Id: Ib5f00b87150a0533880346fac5464b0b1a802c36 (cherry picked from commit c3b026a87d7da17ca5196e1973137b8691e60bde)
* Decoder: Modified loop condition while parsing ref_list_reordering.Ritu Baldwa2018-02-081-2/+4
| | | | | | | | | | | When ref_pic_list_reordering_flag_l1 is equal to 1, the number of times that reordering_of_pic_nums_idc is not equal to 3 following ref_pic_list_reordering_flag_l1 should not exceed num_ref_idx_l1_active_minus1 + 1. Bug: 69478425 Change-Id: I031bb744869ac8a57f85bb97574832efd0eefc25 (cherry picked from commit 7ea47d575d26d4d5356670092af26fb6915e75bf)
* Decoder: Handle dec_hdl memory allocation failure gracefullyHarish Mahendrakar2018-01-131-3/+20
| | | | | | | | | | | If memory allocation for dec_hdl fails, return gracefully with an error code. All other allocation failures are handled correctly. Bug: 68300072 Test: ran poc before/after Change-Id: I118ae71f4aded658441f1932bd4ede3536f5028b (cherry picked from commit 7720b3fe3de04523da3a9ecec2b42a3748529bbd)
* Decoder: Fixed incorrect use of mmco parameters.Ritu Baldwa2018-01-133-1/+11
| | | | | | | | | | Added extra structure to read mmco values and copied only once per picture. Bug: 65735716 Change-Id: I25b08a37bc78342042c52957774b089abce1a54b (cherry picked from commit 3c70b9a190875938fc57164d9295a3ec791554df)
* Decoder: Detect change of mbaff flag in SPSHamsalekha S2018-01-131-2/+12
| | | | | | | | | | Change in Mbaff flag needs re-initialization of NMB group and other variables in decoder context. Bug: 64380237 Test: ran poc on ASAN before/after Change-Id: I0fc65e4dfc3cc2c15528ec52da1782ecec61feab (cherry picked from commit d524ba03101c0c662c9d365d7357536b42a0265e)
* Decoder: Increased allocation and added checks in sei parsing.Hamsalekha S2018-01-133-4/+9
| | | | | | | | | This prevents heap overflow while parsing sei_message. Bug: 63122634 Test: ran PoC on unpatched/patched Change-Id: I61c1ff4ac053a060be8c24da4671db985cac628c (cherry picked from commit f2b70d353768af8d4ead7f32497be05f197925ef)
* Decoder: Fixed hang in the case of dangling fieldHamsalekha S2017-12-061-2/+1
| | | | | | | | | | The u1_top_bottom_decoded flag in the decoder context has been fixed to be updated correctly in the case of dangling field Bug: 63315932 Test: ran POC after patching Change-Id: I8db4ebeb94fba735ba45f365c37e52a202ea84cd (cherry picked from commit 252628cffba8702e36b98c193bcd2fe67d8237ee)
* Decoder: Updated error check while parsing num_ref_idx_lx_active.Hamsalekha S2017-11-152-2/+3
| | | | | | | | | | Added an error check on the lower limit of u1_num_ref_idx_lx_active, while parsing slice header. The minimum possible value is 1. Bug: 64836894 Change-Id: I57056851fc135ed00f7a10af5c81eb560e9e12de (cherry picked from commit 208c74d62a3e1039dc87818306e057877760fbaa)
* Decoder: Corrected variable datatypes in ih264d_get_implicit_weights.Hamsalekha S2017-11-151-15/+16
| | | | | | | | | | | The difference between two 32 signed numbers was getting assigned to 16 bits, leading to a divide by zero arithmetic execption. Modified variable names to match their datatypes. Bug: 65122447 Change-Id: I45ade1945f10b4d7660bd09fb564e60fd29d40dc (cherry picked from commit 3eb692de916c3576a18990e3e4193fce93c016dc)
* Added an out of bound check on u4_num_bufs in input argumentHarish Mahendrakar2017-11-151-1/+2
| | | | | | | | ps_dec_ip->s_out_buffer.u4_num_bufs was missing out of bound checks Bug: 62688399 Change-Id: Ic5e5c002d29fcb18064550d5a5f9289bb68b448e (cherry picked from commit aa11ab9fdbb63766703a6280f4fc778f2f2c91ed)
* Decoder: Conceal picture only if valid picture buffer is obtained.Hamsalekha S2017-11-151-4/+3
| | | | | | | | | | | | If all the slices in the current pic were invalid, then the decoder would not have received a valid picture buffer in the current call. In such cases there is no need to conceal or deblock the picture. Bug: 62896384 Test: run ASAN-enabled PoC before/after the patch Change-Id: I3cf6e871592826f93b0dcd2b06fff80677bc8338 (cherry picked from commit 5df744afde273bc4d0f7a499581dd2fb2ae6cb45)
* Decoder: Fixed allocation of pv_map_ref_idx_to_poc_buf.Hamsalekha S2017-09-154-20/+7
| | | | | | | | | | | | | Increased allocation to include reference list1 also by default. In the case of error, we could get B_SLICES even in BASE_PROFILE. The initialization in the dec_slice_struct_t slice structure has also been modified accordingly. Test: run poc with and without this patch Bug: 38496660 Change-Id: I3451d79bbcd9f0d7a80981a9897f877b7f0812bd (cherry picked from commit a925a6b539642c8749c91a6f33e362eda8c4a5b6)
* Decoder: Fixed overflow in refernce list creation.Hamsalekha S2017-09-152-16/+18
| | | | | | | | | | Since the maximum value of long term index is 255, the loop control variable needs to be 32 bit. Bug: 38448381 Test: ran POC before/after applying fix Change-Id: Iae3ecff38d4a922bde10fde33f1cfcafd2ea2680 (cherry picked from commit cbcd2846fa837e4be6d35f5c1211b070bc8d26da)
* Initialize DPB structures to valid values.Hamsalekha S2017-09-151-1/+13
| | | | | | | | | | When the first frame is a B frame, the colocated picture will now point to the current frame. Test: run poc with and without this patch Bug: 38115076 Change-Id: I48a8f128740551d6a9252931dafcf8c629ecad0d (cherry picked from commit b8d362561e48dde8898eb0415f298d64e76f2b7c)
* Added error check for output buffer size.Hamsalekha S2017-09-152-44/+106
| | | | | | | | | | | The output buffer size given by the application, needs to be checked in every process call. This is required in the case of resolution change. Bug: 36006815 Test: avcdec -i poc.bin Change-Id: I16a92cdad23eb7b1e12c1a67c1b2599204f29249 (cherry picked from commit 3f6c941de5cd959072fa046c9d6cb26fa0f01dc6)
* Merge cherrypicks of [2413849, 2413760, 2413901, 2413776, 2413658, 2413792, ↵android-build-team Robot2017-06-158-73/+60
|\ | | | | | | | | | | 2413850, 2413851, 2413793, 2413866, 2413738, 2413659, 2413660, 2413867, 2413868, 2413885, 2413829, 2413814, 2413886, 2413921, 2413777, 2413887, 2413854, 2413889, 2413890, 2413855, 2413869, 2413740, 2413816, 2413831, 2413832, 2413817, 2413892, 2413797, 2413779] into nyc-mr2-pixel-monthly-release Change-Id: I5b48a135366c1b3e5171eddfb634362a240dc234
| * Fixed hang in the case of multiple sps id.Hamsalekha S2017-06-151-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | The sps parameters used to detect change in resolution/sps were incorrect. Made a fix to use current sps from decoder context. Bug: 38239864 Change-Id: I2d110e635ced32b3dc7f364e08a97d672fcbae37 (cherry picked from commit 8c6fe35f6d28f3e8c3a9f9458eea89eba858bded) (cherry picked from commit ec3f58500066edee259942057e21489621fca9dd)
| * Decoder: Fix in the case of MMCO 6Hamsalekha S2017-06-151-5/+16
| | | | | | | | | | | | | | | | | | | | | | Added an error check in the case of MMCO 6 (SET_LT_INDEX) Bug: 38014992 Test: POC fails before / works after patch Change-Id: I76e38a8e2ff0bab043b47f44f1f7b1d4fe60d416 (cherry picked from commit 9e4f0ce7042078aeffaa16f2773cc2d1b82cdb12) (cherry picked from commit 41489f9ece970df8530e28d7a24710b1beb755e2)
| * Decoder: Cleaned up parse sps function.Hamsalekha S2017-06-151-14/+15
| | | | | | | | | | | | | | | | | | | | | | Postponed the initializations to decoder context till the end of the parse sps function, after all the error checks are done. Bug: 37968755 Test: ran poc on ASAN-enabled build before/after Change-Id: Ibee3383c28cede3edb68d2459565d6ce10683bbd (cherry picked from commit 4eb72f7c935595817026b4cf4aed5ef2ff579ab5)
| * Initializing reference list for every P/B slice.Hamsalekha S2017-06-155-42/+5
| | | | | | | | | | | | | | | | | | | | | | Reference list needs to be initialized for every P/B slice, to ensure colocated picture always points to a valid picture buffer, even in the case of error. Bug: 36279112 Change-Id: I051d7e725b0af209cc7bb333db8da3518adf78a0 (cherry picked from commit f9d3f9af8fc113acda28e1a4e48d85736ee29c75)
| * Fix resolution change within a decode call.Hamsalekha S2017-06-153-0/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | If resolution changes within a decode call,due to multiple sps, the decoder hangs as the the application will give the same data again in the next decode call. This results in a hang. Fixed this by flaging an error, when sps/resoultion changes within a process call. Bug: 38487564 Test: ran POC on patched O-based system w/o hanging Change-Id: I30095b2e8bf573c1a58a316a23b1a5e6a4af589b (cherry picked from commit fe18375850fe04b8c4ff2f1b20069e161f718e53)
| * Decoder: Fixed allocation size of pred info bufferHamsalekha S2017-06-151-4/+1
| | | | | | | | | | | | | | | | | | Buffer allocation size for pred info was increased in the case number reference frames equal to 1. Bug: 36998372 Change-Id: I1f84a16703422109d40bed8436f35d0c2069c088 (cherry picked from commit 9008aed514f7211f6fcad328277ce464b042f622)
| * DO NOT MERGE Fixed bug in the case of resolution change.Hamsalekha S2017-06-151-7/+7
|/ | | | | | | | | | | | Modified the way i4_header_decoded in decoder context is used, to ensure that resolution change is detected even if PPS has not been decoded. Bug: 35583675 Test: ran POC, no longer hangs Change-Id: Ibb3f8dfbeb66a999fd81720a7d2a02dd951a55c4 (cherry picked from commit 1d06027c69e31d450b1e837c81073362d41084d3)
* Merge cherrypicks of [2307556, 2307630, 2307631, 2307557, 2307632, 2307656, ↵android-build-team Robot2017-05-249-24/+53
|\ | | | | | | | | | | 2307743, 2307635, 2307799, 2307577, 2307800, 2307707, 2307803, 2307781, 2307773, 2307637, 2307804, 2307618, 2307734, 2307708, 2307805, 2307709, 2307806, 2307820, 2307746, 2307774, 2307839, 2307735, 2307782, 2307808, 2307840, 2307738, 2307783, 2307749, 2307775, 2307860, 2307899, 2307822, 2307823, 2307880, 2307778, 2307825, 2307882, 2307787, 2307919, 2307844, 2307905, 2307883, 2307829, 2307907, 2307832, 2307944, 2307945, 2307911] into nyc-mr2-pixel-monthly-release Change-Id: I2f6f7dc53161c8c75844fe88de78f620af4a6b94
| * Decoder: Fix end of bitstream error.Hamsalekha S2017-05-242-5/+24
| | | | | | | | | | | | | | | | | | | | The end of bistream error check was fixed for odd number of macroblocks in Mbaff frames. Bug: 37008096 Test: Ittiam-verified Change-Id: I058d74a3c1d1511968c2b36802dfc5c102947919 (cherry picked from commit 2e01924cd692191c970c64ec3f358e53dccb9e54)
| * Decoder: Fix allocation for Mbaff weight matrixHamsalekha S2017-05-241-3/+2
| | | | | | | | | | | | | | | | | | | | Increased the allocation size for Mbaff weight matrix buffer Bug: 36996978 Change-Id: I21cf2cb1010abdc6346f743f5237ae1730c4bf41 (cherry picked from commit 07db35ad5af8c4ee2308f983650d9a1b811841ea)
| * Decoder: Initialize MB info buffer to zero.Hamsalekha S2017-05-241-0/+1
| | | | | | | | | | | | | | | | | | | | Initialize the buffer used to store inter mb info (reference index, weights etc) to zero. Bug: 36035683 Change-Id: I23561a6a7fe852c0563a631d7ec6ab022cd78ccc (cherry picked from commit 2575ae6c989b133554f9b1267cf5dd694cf2aae6)
| * Decoder: Fixed flag u1_top_bottom_decoded.Hamsalekha S2017-05-242-4/+4
| | | | | | | | | | | | | | | | | | | | | | Fixed initialization of flag u1_top_bottom_decoded in decoder context. This flag indicates if top field and botton field is decoded. Bug: 36993291 Test: avcdec --input poc.h264 --output /dev/null Change-Id: I9f8a2620683abd8b15e4780d76d4849394710716 (cherry picked from commit 7703822731a3e5425390ba1d177d061a699c367d)
| * Decoder: Added an error check while parsing PPS.Hamsalekha S2017-05-241-2/+4
| | | | | | | | | | | | | | | | | | | | Added an error check while parsing PPS syntax element second_chroma_qp_index_offset. Bug: 37207120 Change-Id: Icba6b7bcf5940505717ee61134ed801c221b6e26 (cherry picked from commit 62f98981ffc29082dd4bbf173a043a5bcbb86652)
| * Fix stack buffer overflow in ih264d_process_intra_mbHarish Mahendrakar2017-05-241-3/+9
| | | | | | | | | | | | | | | | | | | | Aligned the sizes of au1_ngbr_pels to ensure SSE42 functions do not result in stack buffer overflow Bug: 36490809 Change-Id: I0bfe493f94647046013759b3ec9db3c627ac471e (cherry picked from commit f69e34419b267be7285a7e0e85a019294118ae03)
| * Decoder: Fix in reference list initialization.Hamsalekha S2017-05-241-2/+2
| | | | | | | | | | | | | | | | | | | | | | In the case of error, initialize the new reference list1 with the first picture in default list0 instead of default list1, as first picture in list1 could still be invalid. Bug: 36035074 Change-Id: I7ab493ee7a157cbefcd4da8389ff1ff899c16b7f (cherry picked from commit 93954f5e9a5d727e402921ac6fa100e6dcc1d4e8)
| * Decoder: Fixes in accessing mbaff flag in error casesHarish Mahendrakar2017-05-241-4/+4
| | | | | | | | | | | | | | | | | | | | | | ps_dec->ps_cur_slice->u1_mbaff_frame_flag is updated in ih264d_start_of_pic(). So updated value should be used after calling ih264d_start_of_pic() Bug: 33974623 Test: ran POC from bug Change-Id: I0f1ff5e01ed39767f493f197791e51b0da74952f (cherry picked from commit 3f6937a0031e4acadc9228559ae2ae47b992b16a) (cherry picked from commit 0f2f2b5fde873b8badee949561c17692588647e8)
| * Fix in the case of MMCO 3 (long term reference idx).Hamsalekha S2017-05-241-1/+3
|/ | | | | | | | | | | | | | Increment number of long term reference buffers only when both top field and bottom field have been set as long term. [backport for M/N from master] Bug: 35584425 Test: ran POC - no hang, no segfault. Change-Id: I94e3857944da675eda38f8e1a9bd887f48bff524 (cherry picked from commit 6fa5df8811ea0b8e8459f86dd3c30bf7a9b39482) (cherry picked from commit 46e96d40dbca2896b5e20cf48d14798231c97663)
* Decoder: Fixed error handling for dangling fieldsHarish Mahendrakar2017-03-221-1/+0
| | | | | | | | | | | | In case of dangling fields with gaps in frames enabled, field pic in cur_slice was wrongly set to 0. This would cause dangling field to be concealed as a frame, which would result in a number of MB mismatch and hence a hang. Bug: 34097672 Change-Id: Ia9b7f72c4676188c45790b2dfbb4fe2c2d2c01f8 (cherry picked from commit 1a13168ca3510ba91274d10fdee46b3642cc9554)
* resolve merge conflicts of 3654ad0 to mnc-dr-dev am: 37345554fe am: ↵Marco Nelissen2017-02-141-0/+9
|\ | | | | | | | | | | | | | | 33d9d00a3c am: 858542d83e am: 2e4b53cfb4 am: 7c50684ef0 am: 834462327b am: 1d999b7cdf Change-Id: Ie8600c23f61f3300cfe31e623f8c330115a6a7ef
| * resolve merge conflicts of 3654ad0 to mnc-dr-dev am: 37345554fe am: ↵Marco Nelissen2017-02-141-0/+9
| |\ | | | | | | | | | | | | | | | | | | | | | 33d9d00a3c am: 858542d83e am: 2e4b53cfb4 am: 7c50684ef0 am: 834462327b Change-Id: I14a897695081fad3099ca3e49abf1af8f8ac5cff
| | * resolve merge conflicts of 3654ad0 to mnc-dr-dev am: 37345554fe am: ↵Marco Nelissen2017-02-141-0/+9
| | |\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | 33d9d00a3c am: 858542d83e am: 2e4b53cfb4 am: 7c50684ef0 Change-Id: I6d1c0a83bd9a265df26620121d805b8c1fb42e67
| | | * resolve merge conflicts of 3654ad0 to mnc-dr-dev am: 37345554fe am: ↵Marco Nelissen2017-02-141-0/+9
| | | |\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 33d9d00a3c am: 858542d83e am: 2e4b53cfb4 Change-Id: I36252dfb66db49049efbc6fe9a8e59aaf90fae35
| | | | * resolve merge conflicts of 3654ad0 to mnc-dr-dev am: 37345554fe am: 33d9d00a3cMarco Nelissen2017-02-141-0/+9
| | | | |\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | am: 858542d83e Change-Id: I8376533d60ce908a6a08e260f57cb6163a7fa2dd
| | | | | * resolve merge conflicts of 3654ad0 to mnc-dr-dev am: 37345554feMarco Nelissen2017-02-141-0/+9
| | | | | |\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | am: 33d9d00a3c Change-Id: Ie055bb48e15a3edaef34a9dc30dd65c0769bc1ea
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-25 11:08:02 +0000