| Commit message | Author | Age | Files | Lines |
| |
IVD_RES_CHANGED was not signaled when crop parameters changed, i.e.
display dimensions changed without change in decode dimensions.
In such cases, if output buffer was allocated as per the current
dimension being decoded, without IVD_RES_CHANGED signalled, there can be
an OOB write if the new buffer is smaller than the frame being returned
as output
Bug: 118453553
Test: vendor
Change-Id: Ic74c6fb9612403f75a8f9ddb3a93861bca82cf16
(cherry picked from commit fdbbd60bfebe48c0539897d7eeeeb5816e59ce1b)
| |
Bug: 113260892
Bug: 113261108
Bug: 113261310
The decoder does not support tile position > 255.
Added error checks to ensure the same.
Test: re-run POC
Change-Id: Id359c172c8630ded2fb3f47c447f373cd2d1bc34
(cherry picked from commit 5a3dafc3248edcd2df5e2fdafaca61b6acbc44b1)
| |
Bug: 73965890
Test: run poc before/after
According to the hevc specification, max_transform_hierarchy_depth_inter
and max_transform_hierarchy_depth_intra cannot be greater than
difference between log2_ctb_size and log2_min_transform_block_size.
Change-Id: I9a6f56b029957cead3e81bd07d7fb8392a1a98a2
(cherry picked from commit f7287c7993a0d61abccfdc530f388b366139ac1d)
CVE-2018-9353
| |
Return error for negative values of max_dec_pic_buffering and
num_reorder_pics sps parameters.
Bug: 73965867
Test: Ittiam
Change-Id: I6035b3b2fcbd29c6bbb1223f4714ba04b4bca6b3
(cherry picked from commit f4486cdb2ff81368baa1d6e7afcf2c06ba64e666)
CVE-2018-9352
| |
Bug: 62689208
Test: before/after process PoC on ASAN builds.
Change-Id: Ib1404bdf512fba28c2641f3f2022811a2a2d7751
(cherry picked from commit 4286d31e9e121e1005ad8986bcbf9ba3f62122ee)
CVE-2018-9352
| |
Bug: 71766721
According to the spec, the value of log2_max_pic_order_cnt_lsb_minus4
shall be in the range of 0 to 12, inclusive.
Change-Id: Ibd199b6dea246c2fac6214c21e49f27d95c07659
(cherry picked from commit 4d32ff55cf3eeeb3a319517176ed2a2c6c376fe1)
| |
Bug: 72165027
Test: ran poc before/after
For output buffer size check, the parameter wd is set to larger
of disp_wd and disp_strd.
Change-Id: I1fc745753762b8a8e943165d0bf6525c500fb020
(cherry picked from commit ce8a8db32e9b2054c5dc119fbbec542bf8e848b6)
| |
The update in I slice is required for P/B slices in the same
frame for accessing neighbor pus.
Bug: 62851602
Bug: 63522067
Test: re-run PoC from b/62851602
Change-Id: Ie5e43f1cd5649b2745b6527654bc24d8c7d42932
(cherry picked from commit 43f126112a8f2000cd0744f2fc5d545ff1a9a70c)
CVE-2017-13233
| |
Bug: 65483665
Instead of aligning width and height to 8, it is now
checked for being a multiple of min CB size
Change-Id: I99bf60e19d490fd06933aa01fa6a34f47fe58bb4
(cherry picked from commit ccfd1ea5c4cf9cf0a55088506ae5f312663f8792)
CVE-2017-13230
| |
If memory allocation for ps_codec_obj fails, return gracefully
with an error code. All other allocation failures are
handled correctly.
Bug: 68299873
Test: before/after with always-failing malloc
Change-Id: I5e6c07b147b13df81e65476851662d4b55d33b83
(cherry picked from commit a966e2a65dd901151ce7f4481d0084840c9a0f7e)
CVE-2017-13190
| |
Bug: 64552185
Bug: 65034175
Move the decision to signal missing ctbs as skipped ctbs of
previous slice to the end of current slice hdr parsing to
ensure no error in slice hdr parsing.
Change-Id: Ia33b4be31dad6225b04e7b20b9000059c87941c4
(cherry picked from commit 74f35f191022c06863dacd33a3651a33be3ef08d)
(cherry picked from commit 9c24714e25d6ba713549a573df1d496479dce2b1)
CVE-2017-13187
| |
Bug: 65123471
This is required for incomplete ctbs at the frame
boundaries
Change-Id: I7e41a3ac2f6e35a929ba4ff3ca4cfcc859a7b867
CVE-2017-13185
| |
Remove the check that returns before joining the slave threads
if there is an error in the first frame. And in slice error mode
do not parse bitstream.
Bug: 64784973
Test: no longer hangs on POC
Change-Id: I3c2e2d9f84304bcb34831d7d796da710154774fa
(cherry picked from commit 8fff219facbecceee193e823d4faf7866524e92a)
CVE-2017-13197
| |
Bug: 65398821
Change-Id: I18a94d40d77504bb9c9d5a5e7bf41207aed28712
Signed-off-by: Sungtak Lee <taklee@google.com>
(cherry picked from commit 978d3320ef3dc60f69f8c4ba215b869d11b03944)
CVE-2017-13195
| |
Bug: 65718319
Test: ran POC before/after
For an sps with unsupported resolution, consume the bytes.
Otherwise application will feed the same sps again
and again.
Change-Id: I02295e813f37a963d7f6216bb8a7e86648485681
(cherry picked from commit b1d2f31cfa81304460f577667a5332b53ec15404)
CVE-2017-13193
| |
The parameter slice address is parsed only for slices that are not
the first slice in the pic and the value cannot be zero.
Bug: 64380202
Test: ran PoC on master
Change-Id: Ic21c40cf67c916806113d2425790a27cb658b5d2
(cherry picked from commit ed3f6bb877ae9e241afd6a6a13d5a6afd692ddc0)
CVE-2017-13192
| |
Bug: 63522067
Bug: 64380403
Test: ran POC before/after
Change-Id: If22f2ed8936e0ead9fcfa64ddde99e85c10cecd2
(cherry picked from commit ee0e003a0fd2280ecd0eeecd2e2f19250a96c3af)
CVE-2017-13191 / CVE-2017-13196
| |
According to ARM calling conventions, D8-D15 are callee saved
registers. Hence have to be pushed before used as scratch.
Added Push Pop in inter_pred, intra_pred, deblk_luma, itrans,
itrans_recon, sao, weighted_pred ARM NEON 32 bit functions.
Bug: 68320413
Test: Tested hevcdec
Change-Id: I71f8868ac4205b0a3680d7ce5b82511653e9c747
(cherry picked from commit a47cb8865a33a87f163d87781f417884d30d46ed)
CVE-2017-13177
| |
There were few mismatches seen because of wrong clipping and wrong increments
in SAO assemblies
Change-Id: I8ab28d847b1708b6949eac514f99e475e792cde1
| |
Stack now points to top
Change-Id: I8605b2cb16a6ed67bdfded9cca6eb8b03c657601
| |
Without this extra allocation, if a nal fills entire bits
buffer, there will be out of bound memory read access.
Bug: 65719872
Test: ran poc before/after on ASAN of master
Change-Id: I1c36821505bdc4fe6c23f30a02ab2fb0fb657946
CVE-2017-13149
| |
ps_dec_ip->s_out_buffer.u4_num_bufs was missing out of bound checks
Bug: 35430570
Change-Id: Ibbf9891a885f69e208107725e34e7217147b891e
(cherry picked from commit 8221313d58ad4ebe9875760f065d999928172d6e)
CVE-2017-0851
| |
Bug: 64893226
Change-Id: Iec02f6a7b65804cc3daadf6e29d57a7ad955d517
CVE-2017-0836
| |
Test: run the poc with and without the patch
Bug: 63045918
Change-Id: I27804d42c55480c25303d1a5dbb43b1d86d7fa94
(cherry picked from commit 272f2c23c8ba8579adb0618b4124163b9bf086fb)
CVE-2017-0819
| |
For clips with tiles and dimensions >= 4096,
CTB size of 16 can result in tile position > 255.
This is not supported by the decoder
Bug: 37930177
Test: ran poc w/o crashing
Change-Id: I2f223a124c4ea9bfd98343343fd010d80a5dd8bd
(cherry picked from commit 248e72c7a8c7c382ff4397868a6c7453a6453141)
CVE-2017-0811
| |
In case of error clips, some PUs are marked as skip.
Ensure such PUs stay within the picture
Bug: 37615911
Test: ran POC included with the bug.
Change-Id: Ie0aeccc752cf556f9dea84de61c15a7906e1060b
(cherry picked from commit 62830d130b33ab196245e8fbda63639fe9420c18)
CVE-2017-0773
| |
change hard-coded array sizes to use appropriate defined constant
Bug: 62534693
Bug: 62534786
Bug: 62534806
Bug: 62533909
Test: run POC before/after on master
Change-Id: I999545c42d3321570e931991076a942a9134a17d
(cherry picked from commit 4146e81c6dd50634b28b566adda5ac797f47c374)
CVE-2017-0763
| |
Test: run poc with and without the patch
Bug: 62214264
Change-Id: If627ee9a8f0dbd65963897966e1c2d39f5fbd428
(cherry picked from commit e8c26c16d78c5accec081c8f4516918eee679c4c)
CVE-2017-0762
| |
Bug: 37435531
Bug: 36817631
Bug: 36492741
Change-Id: I85e3da9a8aaefaac0b494868fdc94d858e4cf8e6
(cherry picked from commit 1ffb19f7ae4c9622a270ad87f950ce8ffe622783)
CVE-2017-0758
| |
Bug: 37712181
Test: ran patched against POC on nyc-mr2
Change-Id: I5408b3afd898db99265f94573d1163ef83c9b99c
(cherry picked from commit 62ebc3276199bef53c4b87cfcd8c8586af255fee)
| |
Bug: 37469795
In pic_init, pic_present was set in the beginning. If pic_present
was set, process and buffer management were done. For an error
stream, a crash occurred when pic_init returned with error after setting
pic_present.
Change-Id: Iea42e6ad2bc5a74517188fa5e4cc434bb96d46c7
(cherry picked from commit d012a1ffc0a260de924b7af5e3ba30eb65526f8a)
| |
Bug: 37430213
Change-Id: I77f5973db54edccc0972649035b0fbde961c10dd
(cherry picked from commit 16c8c8cceeb74c7f4634803723a0b8b1f4881dc9)
(cherry picked from commit 453587489900c62280aadd1d1c8e3899dc57e965)
| |
Bug: 37094889
Test: Tested POC on ASAN build
AOSP-Change-Id: Id4e52cd10a4d5eac015efe4b752162dc39cc30b8
(cherry picked from commit 520465122804c4022edd0c8c3c54a93fb4cba613)
CVE-2017-0695
Change-Id: Ia50299381e19b6f6f4b278de3028f98b7aa296be
| |
Bug: 36215950
Bug: 36215953
Bug: 36216719
AOSP-Change-Id: Ibdc05e1d5aa21d060d7c683fd9af4bed8537053f
(cherry picked from commit d61d5e5f6aa0e5f80b8ae793aca4a4085d015c06)
CVE-2017-0689
Change-Id: Ie8fb16141103647514880a8274100141ba0391fc
| |
Bug: 34896431
The arrays in hrd are of size MAX_CPB_CNT. If cpb cnt is more
than MAX_CPB_CNT, more data is parsed and the subsequent buffer
is corrupted.
AOSP-Change-Id: I74c01b8c7142b67a358eb5e36b160a7fbf2b69e4
(cherry picked from commit 3e194e0edde1d9ceb71d18f6f0e0bf156a76a650)
CVE-2017-0676
Change-Id: Ied5f6ecf2ad2c2ab6f2f9d054ef64db5e80b4892
| |
This works for mnc-dr-dev and later.
Bug: 34779227
Test: re-ran POC before/after patch to verify behavior
AOSP-Change-Id: Ida0bf6bcc236494c3c89b228039501e287839fbe
(cherry picked from commit 99df61bb9a89cdd123d4f515c44238b48d62642a)
CVE-2017-0675
Change-Id: I4d0b147b6a8c30ac80174adfd2e950a3fb7e2285
| |
without resolution change
backported from master as part of fixing a security issue on
nyc-*.
Bug: 34779227
Test: successful re-run of POC after patch
AOSP-Change-Id: I404099ac24439b5f6eddc9265dc571929433b3ee
(cherry picked from commit 27ad0d7bffb18dc47ab420789ca45f5481906903)
CVE-2017-0675
Change-Id: I32be2ce0ec44acf60224f67d7d5b51c64ec87d90
| |
SPS structure is memset to zero in parse_sps()
Bug: 33966031
Bug: 37458993
AOSP-Change-Id: I7d4c04d2d25d7e9c8f581bd470260fc4394a564b
(cherry picked from commit 2e0e75aedef322baeb829bf5151aba312840ed40)
CVE-2017-0540
Change-Id: I6f3f6a16b3b985124459133683dcd7ce29af76de
| |
When checking mv bufs for releasing from reference, unallocated
mv bufs were also checked. This issue was fixed by restricting
the loop count to allocated number of mv bufs.
Bug: 34896906
Bug: 34819017
AOSP-Change-Id: If832f590b301f414d4cd5206414efc61a70c17cb
(cherry picked from commit 23bfe3e06d53ea749073a5d7ceda84239742b2c2)
CVE-2017-0642
Change-Id: I6bc4ce3298df94d288211bd642db49e67ece42ee
| |
If previous slice is not completed, update the current slice
ctb_x and ctb_y so that while filling the previous slice,
the parse slice code can break properly.
Bug: 32322258
Test: boot, ran POC supplied with bug
AOSP-Change-Id: Ie9090694514a018268851560a3f056194ff6fc91
(cherry picked from commit 830858436bb31036d4260f30c25fa83fd351ed40)
CVE-2017-0391
Change-Id: I5fada9d8f5e2afb7cfd7aa5e82ed1a6d5c2b6808
| |
Bug: 36231493
Bug: 34064500
AOSP-Change-Id: Ib17b2c68360685c5a2c019e1497612a130f9f76a
(cherry picked from commit 07ef4e7138e0e13d61039530358343a19308b188)
CVE-2017-0637
Change-Id: Iba716c70f07fb070fa221eb1f5a3779df6e1d7cc
| |
The error returned by ref_list function was not handled by the
caller parse_slice_header.
Bug: 34672748
AOSP-Change-Id: I55f6cb0e651746e77f7ff3375115894ec3964203
(cherry picked from commit 25206ffa6eeb25f32103e69f893287425ab1bd10)
CVE-2017-0599
Change-Id: Idab5c9503268d099c60b0d996312b0e774d61cb3
(cherry picked from commit a1424724a00d62ac5efa0e27953eed66850d662f)
| |
Bug: 35039946
AOSP-Change-Id: Ia97fa8711f313d0029d2b13e6d150d5e46b2bb99
(cherry picked from commit a6c58e18a49a1ea4929f8345b3c59f900d5813f5)
(cherry picked from commit 232bbe1908d1dd9f10513d7b8065ecaf5c9a11a6)
CVE-2017-0590
Change-Id: I95f922a2c6fc96253b1b3cecb2f6a9b4acb06077
| |
When the offset was greater than range, the bitstream was read
more than the valid range in leaf-level cabac parsing modules.
Error check was added to cabac init to fix this issue. Additionally
end of slice and slice error were signalled to suppress further
parsing of current slice.
Bug: 34897036
AOSP-Change-Id: I1263f1d1219684ffa6e952c76e5a08e9a933c9d2
(cherry picked from commit 3b175da88a1807d19cdd248b74bce60e57f05c6a)
(cherry picked from commit b92314c860d01d754ef579eafe55d7377962b3ba)
CVE-2017-0589
Change-Id: I0eb2baaa0db50ca02ecc1498a14c5fd948760baf
| |
cu_qp_delta is now checked for the range as specified in the spec
Bug: 33966031
AOSP-Change-Id: I00420bf68081af92e9f2be9af7ce58d0683094ca
CVE-2017-0540
Change-Id: I3f50e370e43489d9f6c003ad03cddac47796f7af
(cherry picked from commit 01ca88bb6c5bdd44e071f8effebe12f1d7da9853)
| |
Bug: 33864300
AOSP-Change-Id: I920e45c3420a1a41a366ad45bd4186c5f6af6d6b
CVE-2017-0539
Change-Id: Ibd55790a3b31ee345240f263e4a83d20d8f3120a
(cherry picked from commit 1ab5ce7e42feccd49e49752e6f58f9097ac5d254)
| |
Bug: 33918236
Bug: 33964497
Bug: 33965905
Bug: 33862021
CVE-2017-0472
AOSP Change-Id: If121221d0f6e983c05d95d123af9bed378d1961f
Change-Id: Ib3ef6e3abc584ed1d797f18fc47b22d13129beda
(cherry picked from commit b5cae8181efbb9649ffddb659305a0da59ed445a)
(cherry picked from commit dfa7251ff270ae7e12a019e6735542e36b2a47e0)
| |
Limit func_idx to valid range to ensure invalid functions are not
called when wrong TU size is signalled for chroma due to error in
parsing
Bug: 32915871
CVE-2017-0406
AOSP Change-Id: I662212eb2e9b8994e7e85780e667f14df73b5905
Change-Id: I254bb3ffab57bc24e97f99d4d4f0ce4764802c50
(cherry picked from commit a76773ab749bd57f3467c79aa60c16c1f2c87380)
(cherry picked from commit 3da3ec6441c9694391efd9b758473c3f9c33f360)
| |
Out of bound reads in the following variables are fixed
scaling_mat_offset in ihevcd_iquant_itrans_recon_ctb()
ai1_offset_y, ai1_offset_cb and ai1_offset_cr in ihevcd_sao_shift_ctb()
These values were read but not used
b/32915871
CVE-2017-0406
AOSP Change-Id: Ib07e2ed1bdcc600700d4e9e5d970f6cc2164ab1b
Change-Id: Id3e335941d6f015a55085d2592f92974b3225976
(cherry picked from commit 4def2dfabf8afcb185942131c1e67bb3ff211f05)
(cherry picked from commit 5e7a6141e9e7a165b1234a3fd24ea4b176c3d016)
| |
A register was not loaded correctly which was resulting in a crash
for a certain combination of availability flags and block height
Bug: 32873375
Test: Tested manually for the clip associated with the bug
CVE-2017-0407
AOSP Change-Id: I6e0969a1e51c8149853bae226b527411b45ec370
Change-Id: I373d9d862988fc8fed65b1c07cba50d22702bb14
(cherry picked from commit 68215fd9ed309d1f1cc204e96bd788f5c865525c)
(cherry picked from commit 02bcb7ddec84cc08af907231706b0e03e7138cbf)
|