From 6b573d2f3a47411359890490891692f9ab0b0311 Mon Sep 17 00:00:00 2001
From: Ritu Baldwa
Date: Mon, 9 Oct 2017 13:52:45 +0530
Subject: Decoder: Fixed incorrect use of mmco parameters. Added extra structure to read mmco values and copied only once per picture.
Bug: 65735716
Change-Id: I25b08a37bc78342042c52957774b089abce1a54b
(cherry picked from commit 3c70b9a190875938fc57164d9295a3ec791554df)
---
 decoder/ih264d_dpb_mgr.c | 2 +-
 decoder/ih264d_parse_slice.c | 9 +++++++++
 decoder/ih264d_structs.h | 1 +
 3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/decoder/ih264d_dpb_mgr.c b/decoder/ih264d_dpb_mgr.c
index 303d4e8..f6417c7 100644
--- a/decoder/ih264d_dpb_mgr.c
+++ b/decoder/ih264d_dpb_mgr.c
@@ -843,7 +843,7 @@ WORD32 ih264d_ref_idx_reordering(dec_struct_t *ps_dec, UWORD8 uc_lx)
 WORD32 ih264d_read_mmco_commands(struct _DecStruct * ps_dec)
 {
 dec_bit_stream_t *ps_bitstrm = ps_dec->ps_bitstrm;
- dpb_commands_t *ps_dpb_cmds = ps_dec->ps_dpb_cmds;
+ dpb_commands_t *ps_dpb_cmds = &(ps_dec->s_dpb_cmds_scratch);
 dec_slice_params_t * ps_slice = ps_dec->ps_cur_slice;
 WORD32 j;
 UWORD8 u1_buf_mode;
diff --git a/decoder/ih264d_parse_slice.c b/decoder/ih264d_parse_slice.c
index 2d8a9af..609c2fe 100644
--- a/decoder/ih264d_parse_slice.c
+++ b/decoder/ih264d_parse_slice.c
@@ -1858,6 +1858,15 @@ WORD32 ih264d_parse_decode_slice(UWORD8 u1_is_idr_slice,
 if(ret != OK) return ret;
+ if(u1_nal_ref_idc != 0)
+ {
+ if(!ps_dec->ps_dpb_cmds->u1_dpb_commands_read)
+ {
+ memcpy((void *)ps_dec->ps_dpb_cmds, (void *)(&(ps_dec->s_dpb_cmds_scratch)),
+ sizeof(dpb_commands_t));
+ }
+ }
+
 /* storing last Mb X and MbY of the slice */
 ps_dec->i2_prev_slice_mbx = ps_dec->u2_mbx;
 ps_dec->i2_prev_slice_mby = ps_dec->u2_mby;
diff --git a/decoder/ih264d_structs.h b/decoder/ih264d_structs.h
index 6958a0c..706fe9d 100644
--- a/decoder/ih264d_structs.h
+++ b/decoder/ih264d_structs.h
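Review bot: The `memcpy` added in ih264d_parse_decode_slice copies one `dpb_commands_t` onto another through `(void *)` casts, which hides both types from the compiler; a struct assignment, `*ps_dec->ps_dpb_cmds = ps_dec->s_dpb_cmds_scratch;`, performs the same copy and stays type-checked. The block also carries no comment on why the copy is gated on `u1_dpb_commands_read`; I would add `/* Commit the MMCO commands parsed into the scratch copy only once per picture */` above the inner `if`. The copy sits after `if(ret != OK) return ret;`, so commands parsed for a slice that fails to decode are never committed; if that is intended it deserves a mention in the same comment. The enclosing function starts and ends outside the hunk.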
@@ -968,6 +968,7 @@ typedef struct _DecStruct
 /* Variables for Decode Buffer Management */
 dpb_manager_t *ps_dpb_mgr;
 dpb_commands_t *ps_dpb_cmds;
+ dpb_commands_t s_dpb_cmds_scratch;
 /* Variables Required for N MB design */
 dec_mb_info_t *ps_nmb_info;
--
cgit v1.2.3
From ba2f2fa15f068d115fd4a23a439b9ea5afbfe1e8 Mon Sep 17 00:00:00 2001
From: Hamsalekha S
Date: Tue, 4 Jul 2017 17:06:50 +0530
Subject: Decoder: Increased allocation and added checks in sei parsing. This prevents heap overflow while parsing sei_message.
Bug: 63122634
Test: ran PoC on unpatched/patched
Change-Id: I61c1ff4ac053a060be8c24da4671db985cac628c
(cherry picked from commit f2b70d353768af8d4ead7f32497be05f197925ef)
---
 decoder/ih264d_api.c | 3 ++-
 decoder/ih264d_defs.h | 3 +++
 decoder/ih264d_sei.c | 7 ++++---
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/decoder/ih264d_api.c b/decoder/ih264d_api.c
index 0341389..bb5caf4 100644
--- a/decoder/ih264d_api.c
+++ b/decoder/ih264d_api.c
@@ -2052,7 +2052,8 @@ WORD32 ih264d_video_decode(iv_obj_t *dec_hdl, void *pv_api_ip, void *pv_api_op)
 void *pv_buf;
 void *pv_mem_ctxt = ps_dec->pv_mem_ctxt;
 size = MAX(256000, ps_dec->u2_pic_wd * ps_dec->u2_pic_ht * 3 / 2);
- pv_buf = ps_dec->pf_aligned_alloc(pv_mem_ctxt, 128, size);
+ pv_buf = ps_dec->pf_aligned_alloc(pv_mem_ctxt, 128,
+ size + EXTRA_BS_OFFSET);
 RETURN_IF((NULL == pv_buf), IV_FAIL);
 ps_dec->pu1_bits_buf_dynamic = pv_buf;
 ps_dec->u4_dynamic_bits_buf_size = size;
diff --git a/decoder/ih264d_defs.h b/decoder/ih264d_defs.h
index 4622775..260e358 100644
--- a/decoder/ih264d_defs.h
+++ b/decoder/ih264d_defs.h
@@ -108,6 +108,9 @@
 /* For 420SP */
 #define YUV420SP_FACTOR 2
+/*To prevent buffer overflow access; in case the size of nal unit is
+ * greater than the allocated buffer size*/
+#define EXTRA_BS_OFFSET 16*16*2
 /**
 ***************************************************************************
diff --git a/decoder/ih264d_sei.c b/decoder/ih264d_sei.c
index 800f2c9..098a1f3 100644
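Review bot: `EXTRA_BS_OFFSET` in ih264d_defs.h expands to the unparenthesized expression `16*16*2`, so a use next to an operator of equal or higher precedence (division, modulo, a cast) would silently compute something else. The one use visible in this commit, `size + EXTRA_BS_OFFSET`, happens to be safe, but the definition should be `#define EXTRA_BS_OFFSET (16 * 16 * 2)`. The comment would also be more useful if it said where the 512 bytes come from and that the padding is deliberately left out of `u4_dynamic_bits_buf_size`, which the ih264d_api.c hunk keeps at `size`.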
--- a/decoder/ih264d_sei.c
+++ b/decoder/ih264d_sei.c
@@ -336,7 +336,7 @@ WORD32 ih264d_parse_sei_message(dec_struct_t *ps_dec,
 ui4_payload_type = 0;
 u4_bits = ih264d_get_bits_h264(ps_bitstrm, 8);
- while(0xff == u4_bits)
+ while(0xff == u4_bits && !EXCEED_OFFSET(ps_bitstrm))
 {
 u4_bits = ih264d_get_bits_h264(ps_bitstrm, 8);
 ui4_payload_type += 255;
@@ -345,7 +345,7 @@ WORD32 ih264d_parse_sei_message(dec_struct_t *ps_dec,
 ui4_payload_size = 0;
 u4_bits = ih264d_get_bits_h264(ps_bitstrm, 8);
- while(0xff == u4_bits)
+ while(0xff == u4_bits && !EXCEED_OFFSET(ps_bitstrm))
 {
 u4_bits = ih264d_get_bits_h264(ps_bitstrm, 8);
 ui4_payload_size += 255;
@@ -370,7 +370,8 @@ WORD32 ih264d_parse_sei_message(dec_struct_t *ps_dec,
 {
 H264_DEC_DEBUG_PRINT("\nError in parsing SEI message");
 }
- while(0 == ih264d_check_byte_aligned(ps_bitstrm))
+ while(0 == ih264d_check_byte_aligned(ps_bitstrm)
+ && !EXCEED_OFFSET(ps_bitstrm))
 {
 u4_bits = ih264d_get_bit_h264(ps_bitstrm);
 if(u4_bits)
--
cgit v1.2.3
From dcc10009e45138d0eaa4a17debf38bdcb5029ff4 Mon Sep 17 00:00:00 2001
From: Hamsalekha S
Date: Wed, 9 Aug 2017 13:41:39 +0530
Subject: Decoder: Detect change of mbaff flag in SPS Change in Mbaff flag needs re-initialization of NMB group and other variables in decoder context.
Bug: 64380237
Test: ran poc on ASAN before/after
Change-Id: I0fc65e4dfc3cc2c15528ec52da1782ecec61feab
(cherry picked from commit d524ba03101c0c662c9d365d7357536b42a0265e)
---
 decoder/ih264d_parse_headers.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/decoder/ih264d_parse_headers.c b/decoder/ih264d_parse_headers.c
index 4f3136f..f0d0d88 100644
--- a/decoder/ih264d_parse_headers.c
+++ b/decoder/ih264d_parse_headers.c
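Review bot: The `!EXCEED_OFFSET(ps_bitstrm)` conditions added to the three loops in ih264d_parse_sei_message stop reading at the end of the bitstream, but nothing in the hunks turns that condition into an error, so a truncated SEI leaves the loop with a partly accumulated `ui4_payload_type` or `ui4_payload_size`. I would test `EXCEED_OFFSET(ps_bitstrm)` once more after each loop and return the error code this function already uses for a malformed message; the code following the loops is outside the hunks, so this may already be handled there. The same applies to the byte-alignment loop in the third hunk. `EXCEED_OFFSET` is defined elsewhere, so whether it compares against the real NAL size or the padded allocation cannot be checked from this diff.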
@@ -479,7 +479,7 @@ WORD32 ih264d_parse_sps(dec_struct_t *ps_dec, dec_bit_stream_t *ps_bitstrm)
 {
 UWORD8 i;
 dec_seq_params_t *ps_seq = NULL;
- UWORD8 u1_profile_idc, u1_level_idc, u1_seq_parameter_set_id;
+ UWORD8 u1_profile_idc, u1_level_idc, u1_seq_parameter_set_id, u1_mb_aff_flag = 0;
 UWORD16 i2_max_frm_num;
 UWORD32 *pu4_bitstrm_buf = ps_bitstrm->pu4_buffer;
 UWORD32 *pu4_bitstrm_ofst = &ps_bitstrm->u4_ofst;
@@ -801,10 +801,20 @@ WORD32 ih264d_parse_sps(dec_struct_t *ps_dec, dec_bit_stream_t *ps_bitstrm)
 COPYTHECONTEXT("SPS: frame_mbs_only_flag", u1_frm);
+ if(!u1_frm)
+ u1_mb_aff_flag = ih264d_get_bit_h264(ps_bitstrm);
+
+ if((ps_dec->i4_header_decoded & 1)
+ && (ps_seq->u1_mb_aff_flag != u1_mb_aff_flag))
+ {
+ ps_dec->u1_res_changed = 1;
+ return IVD_RES_CHANGED;
+ }
+
 if(!u1_frm)
 {
 u2_pic_ht <<= 1;
- ps_seq->u1_mb_aff_flag = ih264d_get_bit_h264(ps_bitstrm);
+ ps_seq->u1_mb_aff_flag = u1_mb_aff_flag;
 COPYTHECONTEXT("SPS: mb_adaptive_frame_field_flag", ps_seq->u1_mb_aff_flag);
--
cgit v1.2.3
From 37387cd891b1b27988b4d5aae7d47153aa8d752e Mon Sep 17 00:00:00 2001
From: Harish Mahendrakar
Date: Thu, 26 Oct 2017 16:13:50 +0530
Subject: Decoder: Handle dec_hdl memory allocation failure gracefully If memory allocation for dec_hdl fails, return gracefully with an error code. All other allocation failures are handled correctly.
Bug: 68300072
Test: ran poc before/after
Change-Id: I118ae71f4aded658441f1932bd4ede3536f5028b
(cherry picked from commit 7720b3fe3de04523da3a9ecec2b42a3748529bbd)
---
 decoder/ih264d_api.c | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/decoder/ih264d_api.c b/decoder/ih264d_api.c
index bb5caf4..804fdb7 100644
--- a/decoder/ih264d_api.c
+++ b/decoder/ih264d_api.c
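Review bot: In the second ih264d_parse_sps hunk the new `if(!u1_frm)` is unbraced and tests the same condition as the braced `if(!u1_frm)` a few lines below, so the flag is read in one place and stored in another with an early return in between. Bracing the new statement and adding a comment such as `/* Read mb_adaptive_frame_field_flag before storing it: a change against the active SPS needs re-initialisation and is reported as IVD_RES_CHANGED */` would make the split obvious. When `u1_frm` is set, `u1_mb_aff_flag` keeps its initial 0 and is still compared with `ps_seq->u1_mb_aff_flag`; that relies on the stored flag being 0 for frame-only streams, which is not visible here. The function body extends beyond both hunks.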
@@ -1490,20 +1490,37 @@ WORD32 ih264d_allocate_static_bufs(iv_obj_t **dec_hdl, void *pv_api_ip, void *pv
 /*****************************************************************************/
 WORD32 ih264d_create(iv_obj_t *dec_hdl, void *pv_api_ip, void *pv_api_op)
 {
+ ih264d_create_ip_t *ps_create_ip;
 ih264d_create_op_t *ps_create_op;
 WORD32 ret;
+ ps_create_ip = (ih264d_create_ip_t *)pv_api_ip;
 ps_create_op = (ih264d_create_op_t *)pv_api_op;
 ps_create_op->s_ivd_create_op_t.u4_error_code = 0;
-
+ dec_hdl = NULL;
 ret = ih264d_allocate_static_bufs(&dec_hdl, pv_api_ip, pv_api_op);
 /* If allocation of some buffer fails, then free buffers allocated till then */
- if((IV_FAIL == ret) && (NULL != dec_hdl))
+ if(IV_FAIL == ret)
 {
- ih264d_free_static_bufs(dec_hdl);
+ if(dec_hdl)
+ {
+ if(dec_hdl->pv_codec_handle)
+ {
+ ih264d_free_static_bufs(dec_hdl);
+ }
+ else
+ {
+ void (*pf_aligned_free)(void *pv_mem_ctxt, void *pv_buf);
+ void *pv_mem_ctxt;
+
+ pf_aligned_free = ps_create_ip->s_ivd_create_ip_t.pf_aligned_free;
+ pv_mem_ctxt = ps_create_ip->s_ivd_create_ip_t.pv_mem_ctxt;
+ pf_aligned_free(pv_mem_ctxt, dec_hdl);
+ }
+ }
 ps_create_op->s_ivd_create_op_t.u4_error_code = IVD_MEM_ALLOC_FAILED;
 ps_create_op->s_ivd_create_op_t.u4_error_code = 1 << IVD_FATALERROR;
--
cgit v1.2.3
From 3ab2d3299834713bcda1d982ad9bed2cbe4286e8 Mon Sep 17 00:00:00 2001
From: Ritu Baldwa
Date: Tue, 28 Nov 2017 18:38:18 +0530
Subject: Decoder: Modified loop condition while parsing ref_list_reordering. When ref_pic_list_reordering_flag_l1 is equal to 1, the number of times that reordering_of_pic_nums_idc is not equal to 3 following ref_pic_list_reordering_flag_l1 should not exceed num_ref_idx_l1_active_minus1 + 1.
Bug: 69478425
Change-Id: I031bb744869ac8a57f85bb97574832efd0eefc25
(cherry picked from commit 7ea47d575d26d4d5356670092af26fb6915e75bf)
---
 decoder/ih264d_dpb_mgr.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
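Review bot: Right after the new cleanup in ih264d_create, `u4_error_code` is assigned `IVD_MEM_ALLOC_FAILED` and then immediately assigned `1 << IVD_FATALERROR`, so the allocation-failure code is overwritten and never reaches the caller. These are context lines the commit leaves alone, but since the change is about reporting this failure cleanly the second statement should be `ps_create_op->s_ivd_create_op_t.u4_error_code |= 1 << IVD_FATALERROR;`. In the new `else` branch `pf_aligned_free` is taken from the caller's create arguments and called without a NULL check; that is safe only if the arguments were validated before ih264d_create is reached, which this hunk does not show. The function continues past the end of the hunk.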
diff --git a/decoder/ih264d_dpb_mgr.c b/decoder/ih264d_dpb_mgr.c
index f6417c7..525adef 100644
--- a/decoder/ih264d_dpb_mgr.c
+++ b/decoder/ih264d_dpb_mgr.c
@@ -722,7 +722,7 @@ WORD32 ih264d_ref_idx_reordering(dec_struct_t *ps_dec, UWORD8 uc_lx)
 UWORD16 ui_max_frame_num = ps_dec->ps_cur_sps->u2_u4_max_pic_num_minus1 + 1;
- WORD32 i;
+ WORD32 i, count = 0;
 UWORD32 ui_remapIdc, ui_nextUev;
 WORD16 u2_pred_frame_num = u4_cur_pic_num;
 WORD32 i_temp;
@@ -743,7 +743,8 @@ WORD32 ih264d_ref_idx_reordering(dec_struct_t *ps_dec, UWORD8 uc_lx)
 ui_remapIdc = ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
- while(ui_remapIdc != 3)
+ while((ui_remapIdc != 3)
+ && (count < ps_cur_slice->u1_num_ref_idx_lx_active[uc_lx]))
 {
 ui_nextUev = ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
 if(ui_remapIdc != 2)
@@ -812,6 +813,7 @@ WORD32 ih264d_ref_idx_reordering(dec_struct_t *ps_dec, UWORD8 uc_lx)
 ui_remapIdc = ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf); /* Get the remapping_idc - 0/1/2/3 */
+ count++;
 }
 //Handle the ref indices that were not remapped
--
cgit v1.2.3
From acb5837d89daf8b5afed8b47d2832b0e2714d082 Mon Sep 17 00:00:00 2001
From: Ritu Baldwa
Date: Fri, 22 Dec 2017 14:20:20 +0530
Subject: Decoder: Adding Error Check for Output Buffer Size in Shared Display Mode. The output buffer size given by the application, needs to be checked in every process call. This is required in the case of resolution change in shared display mode.
Bug: 70294343
Bug: 70350193
Bug: 70526411
Bug: 70526485
Test: manual
Change-Id: I2c1e59425e84ac62a874e5ee180e1b98f0a4058f
(cherry picked from commit 3692aceb1b244be3e1b36d8e7b804986f593bb69)
---
 decoder/ih264d_api.c | 65 +++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 57 insertions(+), 8 deletions(-)
diff --git a/decoder/ih264d_api.c b/decoder/ih264d_api.c
index 804fdb7..c6999a6 100644
--- a/decoder/ih264d_api.c
+++ b/decoder/ih264d_api.c
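Review bot: The bound added to the loop in ih264d_ref_idx_reordering ends it after `u1_num_ref_idx_lx_active[uc_lx]` commands, but the code after the loop cannot tell that exit from a normal terminator, so a slice header carrying too many reordering commands is silently truncated and what follows is presumably parsed from the wrong position. I would reject it explicitly after the loop, `if(ui_remapIdc != 3) return ERROR_DBP_MANAGER_T;`, or with whichever error code this file already uses for a malformed slice header. A one-line comment on `count` naming the limit from the commit message would also help. The loop body between the second and third hunk is not shown.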
@@ -1698,8 +1698,8 @@ WORD32 check_app_out_buf_size(dec_struct_t *ps_dec)
 }
 else
 {
- /* In case of shared mode, do not check validity of ps_dec->ps_out_buffer */
- return (IV_SUCCESS);
+ pic_wd = ps_dec->u2_frm_wd_y;
+ pic_ht = ps_dec->u2_frm_ht_y;
 }
 if(ps_dec->u4_app_disp_width > pic_wd)
@@ -1709,14 +1709,34 @@ WORD32 check_app_out_buf_size(dec_struct_t *ps_dec)
 ps_dec->u1_chroma_format, &au4_min_out_buf_size[0]);
- if(ps_dec->ps_out_buffer->u4_num_bufs < u4_min_num_out_bufs)
- return IV_FAIL;
- for(i = 0; i < u4_min_num_out_bufs; i++)
+ if(0 == ps_dec->u4_share_disp_buf)
 {
- if(ps_dec->ps_out_buffer->u4_min_out_buf_size[i]
- < au4_min_out_buf_size[i])
- return (IV_FAIL);
+ if(ps_dec->ps_out_buffer->u4_num_bufs < u4_min_num_out_bufs)
+ return IV_FAIL;
+
+ for(i = 0; i < u4_min_num_out_bufs; i++)
+ {
+ if(ps_dec->ps_out_buffer->u4_min_out_buf_size[i]
+ < au4_min_out_buf_size[i])
+ return (IV_FAIL);
+ }
+ }
+ else
+ {
+ if(ps_dec->disp_bufs[0].u4_num_bufs < u4_min_num_out_bufs)
+ return IV_FAIL;
+
+ for(i = 0; i < u4_min_num_out_bufs; i++)
+ {
+ /* We need to check only with the disp_buffer[0], because we have
+ * already ensured that all the buffers are of the same size in
+ * ih264d_set_display_frame.
+ */
+ if(ps_dec->disp_bufs[0].u4_bufsize[i] < au4_min_out_buf_size[i])
+ return (IV_FAIL);
+ }
+ }
 return (IV_SUCCESS);
@@ -2666,6 +2686,7 @@ WORD32 ih264d_set_display_frame(iv_obj_t *dec_hdl,
 void *pv_api_op)
 {
+ UWORD32 u4_disp_buf_size[3], u4_num_disp_bufs;
 ivd_set_display_frame_ip_t *dec_disp_ip;
 ivd_set_display_frame_op_t *dec_disp_op;
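Review bot: The shared-display branch added to check_app_out_buf_size reads `ps_dec->disp_bufs[0]` without first confirming that any display buffer has been registered. If the function can run before ih264d_set_display_frame has succeeded, the comparison is made against whatever `disp_bufs[0]` currently holds; a guard such as `if(0 == ps_dec->u4_num_disp_bufs) return IV_FAIL;` at the top of the `else` makes that case explicit. The two branches are otherwise the same loop over different arrays, so they could share one loop by selecting the count and the size array up front. The start of the function is outside the hunks.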
@@ -2685,8 +2706,36 @@ WORD32 ih264d_set_display_frame(iv_obj_t *dec_hdl,
 u4_num_bufs = MIN(u4_num_bufs, MAX_DISP_BUFS_NEW);
 ps_dec->u4_num_disp_bufs = u4_num_bufs;
+
+ /* Get the number and sizes of the first buffer. Compare this with the
+ * rest to make sure all the buffers are of the same size.
+ */
+ u4_num_disp_bufs = dec_disp_ip->s_disp_buffer[0].u4_num_bufs;
+
+ u4_disp_buf_size[0] =
+ dec_disp_ip->s_disp_buffer[0].u4_min_out_buf_size[0];
+ u4_disp_buf_size[1] =
+ dec_disp_ip->s_disp_buffer[0].u4_min_out_buf_size[1];
+ u4_disp_buf_size[2] =
+ dec_disp_ip->s_disp_buffer[0].u4_min_out_buf_size[2];
+
 for(i = 0; i < u4_num_bufs; i++)
 {
+ if(dec_disp_ip->s_disp_buffer[i].u4_num_bufs != u4_num_disp_bufs)
+ {
+ return IV_FAIL;
+ }
+
+ if((dec_disp_ip->s_disp_buffer[i].u4_min_out_buf_size[0]
+ != u4_disp_buf_size[0])
+ || (dec_disp_ip->s_disp_buffer[i].u4_min_out_buf_size[1]
+ != u4_disp_buf_size[1])
+ || (dec_disp_ip->s_disp_buffer[i].u4_min_out_buf_size[2]
+ != u4_disp_buf_size[2]))
+ {
+ return IV_FAIL;
+ }
+
 ps_dec->disp_bufs[i].u4_num_bufs = dec_disp_ip->s_disp_buffer[i].u4_num_bufs;
--
cgit v1.2.3
From a4564138bda346b1ae2ee508b6c96076ccc134e2 Mon Sep 17 00:00:00 2001
From: Ritu Baldwa
Date: Wed, 27 Dec 2017 17:45:30 +0530
Subject: Decoder: Fixed memory overflow in shared display mode. The factor multiplication should happen only at the source, not at the destination.
Bug: 71375536
Test: manual
Change-Id: Ib5f00b87150a0533880346fac5464b0b1a802c36
(cherry picked from commit c3b026a87d7da17ca5196e1973137b8691e60bde)
---
 decoder/ih264d_utils.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/decoder/ih264d_utils.c b/decoder/ih264d_utils.c
index e85daba..edfb8f1 100644
--- a/decoder/ih264d_utils.c
+++ b/decoder/ih264d_utils.c
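Review bot: The consistency checks added inside the copy loop of ih264d_set_display_frame can return `IV_FAIL` after decoder state has already been changed: `ps_dec->u4_num_disp_bufs` is set before the loop, and entries before the failing index have presumably been copied into `ps_dec->disp_bufs` by the rest of the loop body. Validating every entry in a separate pass before the first write, or at least setting `ps_dec->u4_num_disp_bufs = 0;` before each `return IV_FAIL;`, keeps a rejected call from leaving a half-registered buffer set behind. All three `u4_min_out_buf_size` entries are compared regardless of `u4_num_bufs`, so an application that fills in only the planes it uses could be rejected on an unused slot. The remainder of the loop body and the function's error reporting lie outside the hunk.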
@@ -1020,12 +1020,15 @@ WORD32 ih264d_get_next_display_field(dec_struct_t * ps_dec,
 buf = ps_dec->disp_bufs[i].buf[1];
 buf += ps_dec->disp_bufs[i].u4_ofst[1];
 pv_disp_op->s_disp_frm_buf.pv_u_buf = buf
- + pic_buf->u2_crop_offset_uv;
+ + (pic_buf->u2_crop_offset_uv
+ / YUV420SP_FACTOR);
 buf = ps_dec->disp_bufs[i].buf[2];
 buf += ps_dec->disp_bufs[i].u4_ofst[2];
 pv_disp_op->s_disp_frm_buf.pv_v_buf = buf
- + pic_buf->u2_crop_offset_uv;
+ + (pic_buf->u2_crop_offset_uv
+ / YUV420SP_FACTOR);
+
 }
 }
 }
--
cgit v1.2.3
From 093814793da87c14ff9e8370dc29dd6300629096 Mon Sep 17 00:00:00 2001
From: Ritu Baldwa
Date: Tue, 16 Jan 2018 13:41:30 +0530
Subject: Decoder: Fixed reset values in parse sps. Memset to zero whenever new sps occurs.
Bug: 70897394
Test: manual
Change-Id: I5936fd55265ff8ad2b275a72b175cdb540bb7933
(cherry picked from commit 9c32ad7126890dfaa79fd29affaaf07de335fa3a)
---
 decoder/ih264d_parse_headers.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/decoder/ih264d_parse_headers.c b/decoder/ih264d_parse_headers.c
index f0d0d88..03ed508 100644
--- a/decoder/ih264d_parse_headers.c
+++ b/decoder/ih264d_parse_headers.c
@@ -30,6 +30,8 @@
 * \author AI
 **************************************************************************
 */
+#include
+
 #include "ih264_typedefs.h"
 #include "ih264_macros.h"
 #include "ih264_platform_macros.h"
@@ -564,6 +566,8 @@ WORD32 ih264d_parse_sps(dec_struct_t *ps_dec, dec_bit_stream_t *ps_bitstrm)
 /*--------------------------------------------------------------------*/
 ps_seq = ps_dec->pv_scratch_sps_pps;
+ memset(ps_seq, 0, sizeof(dec_seq_params_t));
+
 if(ps_dec->i4_header_decoded & 1)
 {
 *ps_seq = *ps_dec->ps_cur_sps;
--
cgit v1.2.3
From c208fd7dcc0aebf6f3fe85de53cf9f66825a5188 Mon Sep 17 00:00:00 2001
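Review bot: The division by `YUV420SP_FACTOR` added in ih264d_get_next_display_field is unexplained in the code, and the same expression now appears twice. A short comment above the first use, for instance `/* u2_crop_offset_uv is scaled for interleaved chroma; the separate U and V display planes need the unscaled offset */`, would record the reasoning from the commit message; the wording needs the author's confirmation, since the definition of `u2_crop_offset_uv` is not in this diff. Computing the offset once into a local and using it for both `pv_u_buf` and `pv_v_buf` would remove the duplication. The surrounding conditionals start outside the hunk.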
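Review bot: The `memset` added in ih264d_parse_sps sizes the clear by type name, `sizeof(dec_seq_params_t)`, while the pointer comes from the untyped scratch area `ps_dec->pv_scratch_sps_pps`. Writing `memset(ps_seq, 0, sizeof(*ps_seq));` ties the size to the pointer actually being cleared. A one-line comment saying that the scratch area may still hold fields from an earlier parse (presumably the reason for the clear) would explain why it is needed even though the next statement can overwrite the whole structure from `ps_cur_sps`.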
From: Ritu Baldwa
Date: Tue, 16 Jan 2018 13:48:41 +0530
Subject: Decoder: Set prev slice type for I slice. Fixed initialization of u1_pr_sl_type for I slice.
Bug: 70897454
Test: ran PoC before/after patch
Change-Id: I0c37317513b72236be98c2b25482a67bf2b56052
(cherry picked from commit aecdfd1aff2505da11ad48ad4f9f918054ce0c97)
---
 decoder/ih264d_parse_slice.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/decoder/ih264d_parse_slice.c b/decoder/ih264d_parse_slice.c
index 609c2fe..db02bfe 100644
--- a/decoder/ih264d_parse_slice.c
+++ b/decoder/ih264d_parse_slice.c
@@ -1826,7 +1826,7 @@ WORD32 ih264d_parse_decode_slice(UWORD8 u1_is_idr_slice,
 ps_dec->ps_cur_pic->u4_pack_slc_typ |= I_SLC_BIT;
 ret = ih264d_parse_islice(ps_dec, u2_first_mb_in_slice);
-
+ ps_dec->u1_pr_sl_type = u1_slice_type;
 if(ps_dec->i4_pic_type != B_SLICE && ps_dec->i4_pic_type != P_SLICE)
 ps_dec->i4_pic_type = I_SLICE;
--
cgit v1.2.3
From 14c4de5f25e05a17f0b62521055c9d21ca3d2a0a Mon Sep 17 00:00:00 2001
From: Akshata Jadhav
Date: Wed, 21 Feb 2018 11:39:52 +0530
Subject: Encoder: Return error for odd resolution
Bug: 73625898
Test: ran POC before/after under ASAN
Change-Id: I9765b57f4afc6a2b6ad9cd19c8c7c5000beb9de9
(cherry picked from commit 9fa58d4db3ef176ed54af5f602970b48624be413)
---
 encoder/ih264e_api.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/encoder/ih264e_api.c b/encoder/ih264e_api.c
index 2ecfdf5..a996303 100644
--- a/encoder/ih264e_api.c
+++ b/encoder/ih264e_api.c
@@ -1147,6 +1147,24 @@ static IV_STATUS_T api_check_struct_sanity(iv_obj_t *ps_handle,
 return (IV_FAIL);
 }
+ if(ps_ip->s_ive_ip.u4_wd & 1)
+ {
+ ps_op->s_ive_op.u4_error_code |= 1
+ << IVE_UNSUPPORTEDPARAM;
+ ps_op->s_ive_op.u4_error_code |=
+ IH264E_WIDTH_NOT_SUPPORTED;
+ return (IV_FAIL);
+ }
+
+ if(ps_ip->s_ive_ip.u4_ht & 1)
+ {
+ ps_op->s_ive_op.u4_error_code |= 1
+ << IVE_UNSUPPORTEDPARAM;
+ ps_op->s_ive_op.u4_error_code |=
+ IH264E_HEIGHT_NOT_SUPPORTED;
+ return (IV_FAIL);
+ }
+
 break;
 }
--
cgit v1.2.3
From b39b3bbfbbe87fa8ec1d1ef1f123d449b0ce7aeb Mon Sep 17 00:00:00 2001
From: Ritu Baldwa
Date: Fri, 9 Mar 2018 16:39:07 +0530
Subject: Decoder: Modify setting short term reference field flag Do not mark bottom field as short term in case of error.
Bug: 73553038
Bug: 73552574
Bug: 73552999
Test: poc before/after
Change-Id: I8576861af36996a361a81f48ba9b251f0ae4e660
(cherry picked from commit 47cc04b40c94b14841d27eb3ac0b01c3f1739180)
---
 decoder/ih264d_dpb_mgr.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/decoder/ih264d_dpb_mgr.c b/decoder/ih264d_dpb_mgr.c
index 525adef..b7ee498 100644
--- a/decoder/ih264d_dpb_mgr.c
+++ b/decoder/ih264d_dpb_mgr.c
@@ -375,9 +375,6 @@ WORD32 ih264d_insert_st_node(dpb_manager_t *ps_dpb_mgr,
 if((ps_dpb_info[i].ps_pic_buf == ps_pic_buf) && ps_dpb_info[i].u1_used_as_ref)
 {
- /* Can occur only for field bottom pictures */
- ps_dpb_info[i].s_bot_field.u1_reference_info = IS_SHORT_TERM;
-
 /*signal an error in the case of frame pic*/
 if(ps_dpb_info[i].ps_pic_buf->u1_pic_type == FRM_PIC)
 {
@@ -385,6 +382,8 @@ WORD32 ih264d_insert_st_node(dpb_manager_t *ps_dpb_mgr,
 }
 else
 {
+ /* Can occur only for field bottom pictures */
+ ps_dpb_info[i].s_bot_field.u1_reference_info = IS_SHORT_TERM;
 return OK;
 }
 }
--
cgit v1.2.3
From e7c67d512a36c18d1bb3f8d16b5e2b0a05904c97 Mon Sep 17 00:00:00 2001
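Review bot: The odd-width and odd-height rejections added to api_check_struct_sanity sit inside a single `case` (the `break;` follows directly), so they cover only the command handled there. If width or height can also be changed by a later control call, that path needs the same `& 1` test; the other cases are outside this hunk, so this is a question for the author rather than a confirmed gap. The two blocks differ only in the field and the error constant and could be collapsed into one helper. A brief comment stating why odd dimensions are unsupported, presumably the chroma subsampling, would help the next reader.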
From: Harish Mahendrakar
Date: Wed, 24 Oct 2018 17:42:25 -0700
Subject: decoder: Signal IVD_RES_CHANGED error for change in crop params IVD_RES_CHANGED was not signaled when crop parameters changed, i.e. display dimensions changed without change in decode dimensions. In such cases, if output buffer was allocated as per the current dimension being decoded, without IVD_RES_CHANGED signalled, there can be an OOB write if the new buffer is smaller than the frame being returned as output
Bug: 118399205
Test: vendor
Change-Id: Ia750a99cda08a3254a6f8ea8b55d07e655b34d05
(cherry picked from commit 442a01bf37d5bd97bb6d13b382f00265051abbe8)
---
 decoder/ih264d_parse_headers.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/decoder/ih264d_parse_headers.c b/decoder/ih264d_parse_headers.c
index 03ed508..d9f50f4 100644
--- a/decoder/ih264d_parse_headers.c
+++ b/decoder/ih264d_parse_headers.c
@@ -924,12 +924,25 @@ WORD32 ih264d_parse_sps(dec_struct_t *ps_dec, dec_bit_stream_t *ps_bitstrm)
 ps_dec->u1_res_changed = 1;
 return IVD_RES_CHANGED;
 }
+
+ if((ps_dec->i4_header_decoded & 1) && (ps_dec->u2_disp_width != i4_cropped_wd))
+ {
+ ps_dec->u1_res_changed = 1;
+ return IVD_RES_CHANGED;
+ }
+
 if((ps_dec->i4_header_decoded & 1) && (ps_dec->u2_pic_ht != u2_pic_ht))
 {
 ps_dec->u1_res_changed = 1;
 return IVD_RES_CHANGED;
 }
+ if((ps_dec->i4_header_decoded & 1) && (ps_dec->u2_disp_height != i4_cropped_ht))
+ {
+ ps_dec->u1_res_changed = 1;
+ return IVD_RES_CHANGED;
+ }
+
 /* Check for unsupported resolutions */
 if((u2_pic_wd > H264_MAX_FRAME_WIDTH) || (u2_pic_ht > H264_MAX_FRAME_HEIGHT) || (u2_pic_wd < H264_MIN_FRAME_WIDTH) || (u2_pic_ht < H264_MIN_FRAME_HEIGHT)
--
cgit v1.2.3
From a1f15719f1b153f49cffcab67f5d85f05c01e347 Mon Sep 17 00:00:00 2001
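Review bot: The two checks added in ih264d_parse_sps compare the stored `u2_disp_width` / `u2_disp_height` with `i4_cropped_wd` / `i4_cropped_ht`, whose names suggest signed 32-bit values set against unsigned 16-bit fields. If the cropped values can be zero, negative or larger than 65535 for a malformed SPS, they should be range-checked before this comparison and before they are stored; that computation is above the hunk, so it may already be done. The four resolution checks now repeat the same body and could be merged, for the new pair as `if((ps_dec->i4_header_decoded & 1) && ((ps_dec->u2_disp_width != i4_cropped_wd) || (ps_dec->u2_disp_height != i4_cropped_ht)))`.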
From: Rakesh Kumar
Date: Mon, 9 Jul 2018 21:58:44 +0530
Subject: Decoder: Delete node from st if lt and st point to same If lt_list and st_list point to same node then delete it from st. If there is error while adding a node in bottom field of lt_list (top is already added) then this node will be pointed by st_list also. So we need to remove it from st_list
bug: 73552574
Test: poc before/after on Android N security branch
Change-Id: I95304c242c5854b18c5c7220d114ce6215760124
(cherry picked from commit f312a1d305dae23f9f6f663d2157bf9cf47bb92c)
---
 decoder/ih264d_parse_slice.c | 67 ++++++++++++++++++++++++++++++++++++++++++++
 decoder/ih264d_parse_slice.h | 1 +
 2 files changed, 68 insertions(+)
diff --git a/decoder/ih264d_parse_slice.c b/decoder/ih264d_parse_slice.c
index db02bfe..b477c10 100644
--- a/decoder/ih264d_parse_slice.c
+++ b/decoder/ih264d_parse_slice.c
@@ -979,6 +979,69 @@ WORD32 ih264d_end_of_pic(dec_struct_t *ps_dec)
 return OK;
 }
+
+/*!
+ **************************************************************************
+ * \if Function name : ih264d_fix_error_in_dpb \endif
+ *
+ * \brief
+ * fix error in DPB
+ *
+ * \return
+ * Number of node(s) deleted
+ **************************************************************************
+ */
+
+WORD32 ih264d_fix_error_in_dpb(dec_struct_t *ps_dec)
+{
+ /*--------------------------------------------------------------------*/
+ /* If there is common node in lt_list and st_list then delete it from */
+ /* st_list */
+ /*--------------------------------------------------------------------*/
+ UWORD8 no_of_nodes_deleted = 0;
+ UWORD8 lt_ref_num = ps_dec->ps_dpb_mgr->u1_num_lt_ref_bufs;
+ struct dpb_info_t *ps_lt_curr_dpb = ps_dec->ps_dpb_mgr->ps_dpb_ht_head;
+ while(lt_ref_num && ps_lt_curr_dpb)
+ {
+ if(ps_dec->ps_dpb_mgr->ps_dpb_st_head
+ && ((ps_lt_curr_dpb->s_bot_field.u1_reference_info
+ | ps_lt_curr_dpb->s_top_field.u1_reference_info)
+ == (IS_SHORT_TERM | IS_LONG_TERM)))
+ {
+ struct dpb_info_t *ps_st_next_dpb = ps_dec->ps_dpb_mgr->ps_dpb_st_head;
+ struct dpb_info_t *ps_st_curr_dpb = ps_dec->ps_dpb_mgr->ps_dpb_st_head;
+ UWORD8 st_ref_num = ps_dec->ps_dpb_mgr->u1_num_st_ref_bufs;
+ while(st_ref_num && ps_st_curr_dpb)
+ {
+ if(ps_st_curr_dpb == ps_lt_curr_dpb)
+ {
+ if(st_ref_num == ps_dec->ps_dpb_mgr->u1_num_st_ref_bufs)
+ {
+ ps_dec->ps_dpb_mgr->ps_dpb_st_head =
+ ps_dec->ps_dpb_mgr->ps_dpb_st_head->ps_prev_short;
+ ps_st_curr_dpb = ps_dec->ps_dpb_mgr->ps_dpb_st_head;
+ }
+ else
+ {
+ ps_st_next_dpb->ps_prev_short = ps_st_curr_dpb->ps_prev_short;
+ }
+ ps_dec->ps_dpb_mgr->u1_num_st_ref_bufs--;
+ ps_dec->ps_dpb_mgr->u1_num_lt_ref_bufs++;
+ no_of_nodes_deleted++;
+ break;
+ }
+ ps_st_next_dpb = ps_st_curr_dpb;
+ ps_st_curr_dpb = ps_st_curr_dpb->ps_prev_short;
+ st_ref_num--;
+ }
+ }
+ ps_lt_curr_dpb = ps_lt_curr_dpb->ps_prev_long;
+ lt_ref_num--;
+ }
+ return
no_of_nodes_deleted;
+}
+
+
 /*!
 **************************************************************************
 * \if Function name : DecodeSlice \endif
@@ -1821,6 +1884,10 @@ WORD32 ih264d_parse_decode_slice(UWORD8 u1_is_idr_slice,
 ps_dec->pv_proc_tu_coeff_data = ps_dec->pv_parse_tu_coeff_data;
 }
+ ret = ih264d_fix_error_in_dpb(ps_dec);
+ if(ret < 0)
+ return ERROR_DBP_MANAGER_T;
+
 if(u1_slice_type == I_SLICE)
 {
 ps_dec->ps_cur_pic->u4_pack_slc_typ |= I_SLC_BIT;
diff --git a/decoder/ih264d_parse_slice.h b/decoder/ih264d_parse_slice.h
index c012062..0f82ec9 100644
--- a/decoder/ih264d_parse_slice.h
+++ b/decoder/ih264d_parse_slice.h
@@ -37,6 +37,7 @@
 #include "ih264_platform_macros.h"
 #include "ih264d_structs.h"
 #include "ih264d_error_handler.h"
+WORD32 ih264d_fix_error_in_dpb(dec_struct_t * ps_dec);
 WORD32 ih264d_parse_decode_slice(UWORD8 u1_is_idr_slice, UWORD8 u1_nal_ref_idc, dec_struct_t * ps_dec );
--
cgit v1.2.3
From 89af851902cc10de30cc0b522934597ab8ea95df Mon Sep 17 00:00:00 2001
From: Harish Mahendrakar
Date: Tue, 22 Oct 2019 16:01:37 -0700
Subject: decoder: Move initialization of dbp_mgr entries to init_decoder() Earlier these were only initialized during static buffer allocations. Initializing them in init_decoder() will ensure that these get initialized to default values during reset() as well. Without this, in some error cases, there is a possibility of heap-use-after free, when resolution changes and these pointers point to memory that is freed
Bug: 142602711
Test: poc in bug
Change-Id: Ie39fee0eca56bf32cdc558099bf167d05eb89620
(cherry picked from commit 01da7b5a52a76aee615b4e32eeceb4887d3662f0)
---
 decoder/ih264d_api.c | 47 ++++++++++++++++++++++++-----------------------
 1 file changed, 24 insertions(+), 23 deletions(-)
diff --git a/decoder/ih264d_api.c b/decoder/ih264d_api.c
index c6999a6..2ebf386 100644
--- a/decoder/ih264d_api.c
+++ b/decoder/ih264d_api.c
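Review bot: In ih264d_fix_error_in_dpb, unlinking a node from the short-term list also does `u1_num_lt_ref_bufs++`, yet that node was found by walking the long-term list, so from these lines alone it looks as if it is already counted there. A comment naming the earlier error path that leaves the long-term count one short would make this invariant reviewable; without it the increment reads like a double count. The unlinked node also keeps its `ps_prev_short` pointer and its short-term reference bits in the lines shown, so unless they are cleared elsewhere the same node matches the `IS_SHORT_TERM | IS_LONG_TERM` test again on the next call. The header's `\brief fix error in DPB` should say which error, along the lines of `Remove from the short-term list any node that is also on the long-term list`.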
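Review bot: The check `if(ret < 0)` added in ih264d_parse_decode_slice can never be true, because ih264d_fix_error_in_dpb returns a `UWORD8` count of deleted nodes widened to `WORD32`. Either drop the check and discard the count, `(void)ih264d_fix_error_in_dpb(ps_dec);`, or give the function a real failure return. As written a non-zero count is also left in `ret`; the I-slice path visibly overwrites it, but the other slice-type paths are outside the hunk and should be confirmed to do the same.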
@@ -963,6 +963,30 @@ void ih264d_init_decoder(void * ps_dec_params)
 /* Free any dynamic buffers that are allocated */
 ih264d_free_dynamic_bufs(ps_dec);
+ {
+ UWORD8 i;
+ struct pic_buffer_t *ps_init_dpb;
+ ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[0][0];
+ for(i = 0; i < 2 * MAX_REF_BUFS; i++)
+ {
+ ps_init_dpb->pu1_buf1 = NULL;
+ ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
+ ps_dec->ps_dpb_mgr->ps_init_dpb[0][i] = ps_init_dpb;
+ ps_dec->ps_dpb_mgr->ps_mod_dpb[0][i] = ps_init_dpb;
+ ps_init_dpb++;
+ }
+
+ ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[1][0];
+ for(i = 0; i < 2 * MAX_REF_BUFS; i++)
+ {
+ ps_init_dpb->pu1_buf1 = NULL;
+ ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
+ ps_dec->ps_dpb_mgr->ps_init_dpb[1][i] = ps_init_dpb;
+ ps_dec->ps_dpb_mgr->ps_mod_dpb[1][i] = ps_init_dpb;
+ ps_init_dpb++;
+ }
+ }
+
 ps_cur_slice = ps_dec->ps_cur_slice;
 ps_dec->init_done = 0;
@@ -1439,29 +1463,6 @@ WORD32 ih264d_allocate_static_bufs(iv_obj_t **dec_hdl, void *pv_api_ip, void *pv
 ps_dec->ps_col_mv_base = pv_buf;
 memset(ps_dec->ps_col_mv_base, 0, size);
- {
- UWORD8 i;
- struct pic_buffer_t *ps_init_dpb;
- ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[0][0];
- for(i = 0; i < 2 * MAX_REF_BUFS; i++)
- {
- ps_init_dpb->pu1_buf1 = NULL;
- ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
- ps_dec->ps_dpb_mgr->ps_init_dpb[0][i] = ps_init_dpb;
- ps_dec->ps_dpb_mgr->ps_mod_dpb[0][i] = ps_init_dpb;
- ps_init_dpb++;
- }
-
- ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[1][0];
- for(i = 0; i < 2 * MAX_REF_BUFS; i++)
- {
- ps_init_dpb->pu1_buf1 = NULL;
- ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
- ps_dec->ps_dpb_mgr->ps_init_dpb[1][i] = ps_init_dpb;
- ps_dec->ps_dpb_mgr->ps_mod_dpb[1][i] = ps_init_dpb;
- ps_init_dpb++;
- }
- }
 ih264d_init_decoder(ps_dec);
 return IV_SUCCESS;
--
cgit v1.2.3
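Review bot: The block moved into ih264d_init_decoder takes `ps_dec->ps_dpb_mgr->ps_init_dpb[0][0]` and `[1][0]` as the base of `2 * MAX_REF_BUFS` consecutive `pic_buffer_t` entries, so it depends on those two slots still pointing at the start of their arrays on every reset. Nothing in the hunk states that; a comment such as `/* ps_init_dpb[x][0] is set once at static allocation and must not be repointed: it is the base for this re-initialisation */` would protect the invariant the fix relies on (wording to be confirmed against the allocation code, which is not shown). The two loops differ only in the list index and can be folded into an outer `for(j = 0; j < 2; j++)` using `ps_init_dpb[j]` and `ps_mod_dpb[j]`. The second hunk is the matching deletion from ih264d_allocate_static_bufs.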