Commit message | Author | Age | Files | Lines
* Decoder: Signal IVD_RES_CHANGED error for change in crop params | Rakesh Kumar | 2019-04-13 | 1 | -0/+12
  Refs: HEAD, replicant-6.0-0004-transition, replicant-6.0-0004-rc6, replicant-6.0-0004-rc5-transition, replicant-6.0-0004-rc5, replicant-6.0-0004-rc4, replicant-6.0-0004-rc3, replicant-6.0-0004-rc2, replicant-6.0-0004, cm-13.0
  IVD_RES_CHANGED was not signaled when crop parameters changed, i.e. display dimensions changed without change in decode dimensions. In such cases, if output buffer was allocated as per the current dimension being decoded, without IVD_RES_CHANGED signalled, there can be an OOB write if the new buffer is smaller than the frame being returned as output.
  Bug: 118453553
  Test: vendor
  Change-Id: Ic74c6fb9612403f75a8f9ddb3a93861bca82cf16
  (cherry picked from commit fdbbd60bfebe48c0539897d7eeeeb5816e59ce1b)
* Add limits check for the CTB position in a frame | Shubham Tandle | 2019-01-13 | 1 | -7/+23
  Bug: 113260892
  Bug: 113261108
  Bug: 113261310
  The decoder does not support tile position > 255. Added error checks to ensure the same.
  Test: re-run POC
  Change-Id: Id359c172c8630ded2fb3f47c447f373cd2d1bc34
  (cherry picked from commit 5a3dafc3248edcd2df5e2fdafaca61b6acbc44b1)
* Add limits check for depth hierarchy sps parameters | Naveen Kumar P | 2018-06-08 | 1 | -0/+8
  Refs: replicant-6.0-0004-rc1
  Bug: 73965890
  Test: run poc before/after
  According to the hevc specification, max_transform_hierarchy_depth_inter and max_transform_hierarchy_depth_intra cannot be greater than difference between log2_ctb_size and log2_min_transform_block_size.
  Change-Id: I9a6f56b029957cead3e81bd07d7fb8392a1a98a2
  (cherry picked from commit f7287c7993a0d61abccfdc530f388b366139ac1d)
  CVE-2018-9353
* Return error for invalid sps sub layers parameters | Naveen Kumar P | 2018-06-08 | 1 | -2/+2
  Return error for negative values of max_dec_pic_buffering and num_reorder_pics sps parameters.
  Bug: 73965867
  Test: Ittiam
  Change-Id: I6035b3b2fcbd29c6bbb1223f4714ba04b4bca6b3
  (cherry picked from commit f4486cdb2ff81368baa1d6e7afcf2c06ba64e666)
  CVE-2018-9352
* Return error for invalid reorder parameter | Naveen Kumar P | 2018-06-08 | 1 | -6/+4
  Bug: 62689208
  Test: before/after process PoC on ASAN builds.
  Change-Id: Ib1404bdf512fba28c2641f3f2022811a2a2d7751
  (cherry picked from commit 4286d31e9e121e1005ad8986bcbf9ba3f62122ee)
  CVE-2018-9352
* Check limits for log2_max_pic_order_cnt_lsb_minus4 in sps | Naveen Kumar P | 2018-04-06 | 1 | -0/+2
  Bug: 71766721
  According to the spec, the value of log2_max_pic_order_cnt_lsb_minus4 shall be in the range of 0 to 12, inclusive.
  Change-Id: Ibd199b6dea246c2fac6214c21e49f27d95c07659
  (cherry picked from commit 4d32ff55cf3eeeb3a319517176ed2a2c6c376fe1)
* Fix output buffer size check | Naveen Kumar P | 2018-04-06 | 1 | -0/+3
  Bug: 72165027
  Test: ran poc before/after
  For output buffer size check, the parameter wd is set to larger of disp_wd and disp_strd.
  Change-Id: I1fc745753762b8a8e943165d0bf6525c500fb020
  (cherry picked from commit ce8a8db32e9b2054c5dc119fbbec542bf8e848b6)
* Update ctb pu map for I slice | Naveen Kumar P | 2018-02-08 | 2 | -16/+44
  The update in I slice is required for P/B slices in the same frame for accessing neighbor pus.
  Bug: 62851602
  Bug: 63522067
  Test: re-run PoC from b/62851602
  Change-Id: Ie5e43f1cd5649b2745b6527654bc24d8c7d42932
  (cherry picked from commit 43f126112a8f2000cd0744f2fc5d545ff1a9a70c)
  CVE-2017-13233
* Check if luma wd and ht are multiple of min cb size | Naveen Kumar P | 2018-02-08 | 1 | -7/+3
  Bug: 65483665
  Instead of aligning width and height to 8, it is now checked for being a multiple of min CB size.
  Change-Id: I99bf60e19d490fd06933aa01fa6a34f47fe58bb4
  (cherry picked from commit ccfd1ea5c4cf9cf0a55088506ae5f312663f8792)
  CVE-2017-13230
* Decoder: Handle ps_codec_obj memory allocation failure gracefully | Harish Mahendrakar | 2018-01-10 | 1 | -4/+20
  If memory allocation for ps_codec_obj fails, return gracefully with an error code. All other allocation failures are handled correctly.
  Bug: 68299873
  Test: before/after with always-failing malloc
  Change-Id: I5e6c07b147b13df81e65476851662d4b55d33b83
  (cherry picked from commit a966e2a65dd901151ce7f4481d0084840c9a0f7e)
  CVE-2017-13190
* Fix prev slice incomplete check | Naveen Kumar P | 2018-01-10 | 1 | -11/+12
  Bug: 64552185
  Bug: 65034175
  Move the decision to signal missing ctbs as skipped ctbs of previous slice to the end of current slice hdr parsing to ensure no error in slice hdr parsing.
  Change-Id: Ia33b4be31dad6225b04e7b20b9000059c87941c4
  (cherry picked from commit 74f35f191022c06863dacd33a3651a33be3ef08d)
  (cherry picked from commit 9c24714e25d6ba713549a573df1d496479dce2b1)
  CVE-2017-13187
* Set error skip ctbs as multiple 8x8 pus | Naveen Kumar P | 2018-01-10 | 1 | -88/+94
  Bug: 65123471
  This is required for incomplete ctbs at the frame boundaries.
  Change-Id: I7e41a3ac2f6e35a929ba4ff3ca4cfcc859a7b867
  CVE-2017-13185
* Fix first frame error return | Naveen Kumar P | 2018-01-10 | 2 | -26/+22
  Remove the check that returns before joining the slave threads if there is an error in the first frame. And in slice error mode do not parse bitstream.
  Bug: 64784973
  Test: no longer hangs on POC
  Change-Id: I3c2e2d9f84304bcb34831d7d796da710154774fa
  (cherry picked from commit 8fff219facbecceee193e823d4faf7866524e92a)
  CVE-2017-13197
* Return error for negative crop parameters | Naveen Kumar P | 2018-01-10 | 1 | -4/+4
  Bug: 65398821
  Change-Id: I18a94d40d77504bb9c9d5a5e7bf41207aed28712
  Signed-off-by: Sungtak Lee <taklee@google.com>
  (cherry picked from commit 978d3320ef3dc60f69f8c4ba215b869d11b03944)
  CVE-2017-13195
* Consume bytes for sps with unsupported resolution | Naveen Kumar P | 2018-01-10 | 1 | -2/+1
  Bug: 65718319
  Test: ran POC before/after
  For an sps with unsupported resolution, consume the bytes. Otherwise application will feed the same sps again and again.
  Change-Id: I02295e813f37a963d7f6216bb8a7e86648485681
  (cherry picked from commit b1d2f31cfa81304460f577667a5332b53ec15404)
  CVE-2017-13193
* Fix slice address zero for not first slice in pic | Naveen Kumar P | 2018-01-10 | 1 | -1/+1
  The parameter slice address is parsed only for slices that are not the first slice in the pic, and the value cannot be zero.
  Bug: 64380202
  Test: ran PoC on master
  Change-Id: Ic21c40cf67c916806113d2425790a27cb658b5d2
  (cherry picked from commit ed3f6bb877ae9e241afd6a6a13d5a6afd692ddc0)
  CVE-2017-13192
* Fix incomplete frame error | Naveen Kumar P | 2018-01-10 | 1 | -0/+17
  Bug: 63522067
  Bug: 64380403
  Test: ran POC before/after
  Change-Id: If22f2ed8936e0ead9fcfa64ddde99e85c10cecd2
  (cherry picked from commit ee0e003a0fd2280ecd0eeecd2e2f19250a96c3af)
  CVE-2017-13191 / CVE-2017-13196
* Add PUSH-POP of D registers in Arm Neon 32 bit functions | Rakesh Kumar | 2018-01-10 | 57 | -463/+835
  According to ARM calling conventions, D8-D15 are callee saved registers. Hence have to be pushed before used as scratch. Added Push Pop in inter_pred, intra_pred, deblk_luma, itrans, itrans_recon, sao, weighted_pred ARM NEON 32 bit functions.
  Bug: 68320413
  Test: Tested hevcdec
  Change-Id: I71f8868ac4205b0a3680d7ce5b82511653e9c747
  (cherry picked from commit a47cb8865a33a87f163d87781f417884d30d46ed)
  CVE-2017-13177
* Fixed few issues in SAO arm assemblies | Harish Mahendrakar | 2018-01-10 | 7 | -0/+60
  There were few mismatches seen because of wrong clipping and wrong increments in SAO assemblies.
  Change-Id: I8ab28d847b1708b6949eac514f99e475e792cde1
* Fixed stack pointer increment in ihevc_itrans_recon_8x8.s | Harish Mahendrakar | 2018-01-10 | 1 | -7/+7
  Stack now points to top.
  Change-Id: I8605b2cb16a6ed67bdfded9cca6eb8b03c657601
* Alloc extra bytes for bits buf for parse optimization | Naveen Kumar P | 2017-12-09 | 1 | -2/+2
  Without this extra allocation, if a nal fills entire bits buffer, there will be out of bound memory read access.
  Bug: 65719872
  Test: ran poc before/after on ASAN of master
  Change-Id: I1c36821505bdc4fe6c23f30a02ab2fb0fb657946
  CVE-2017-13149
* Added an out of bound check on u4_num_bufs in input argument | Harish Mahendrakar | 2017-11-10 | 1 | -1/+2
  Refs: replicant-6.0-0003
  ps_dec_ip->s_out_buffer.u4_num_bufs was missing out of bound checks.
  Bug: 35430570
  Change-Id: Ibbf9891a885f69e208107725e34e7217147b891e
  (cherry picked from commit 8221313d58ad4ebe9875760f065d999928172d6e)
  CVE-2017-0851
* Fix tile index buf alloc size | Naveen Kumar P | 2017-11-10 | 1 | -3/+3
  Bug: 64893226
  Change-Id: Iec02f6a7b65804cc3daadf6e29d57a7ad955d517
  CVE-2017-0836
* Fix slice decrement for skipped slices | Naveen Kumar P | 2017-10-04 | 1 | -1/+0
  Test: run the poc with and without the patch
  Bug: 63045918
  Change-Id: I27804d42c55480c25303d1a5dbb43b1d86d7fa94
  (cherry picked from commit 272f2c23c8ba8579adb0618b4124163b9bf086fb)
  CVE-2017-0819
* Ensure CTB size > 16 for clips with tiles and width/height >= 4096 | Harish Mahendrakar | 2017-10-04 | 1 | -0/+13
  For clips with tiles and dimensions >= 4096, CTB size of 16 can result in tile position > 255. This is not supported by the decoder.
  Bug: 37930177
  Test: ran poc w/o crashing
  Change-Id: I2f223a124c4ea9bfd98343343fd010d80a5dd8bd
  (cherry picked from commit 248e72c7a8c7c382ff4397868a6c7453a6453141)
  CVE-2017-0811
* Limit boundary PU sizes in case of errors | Harish Mahendrakar | 2017-09-14 | 1 | -2/+13
  In case of error clips, some PUs are marked as skip. Ensure such PUs stay within the picture.
  Bug: 37615911
  Test: ran POC included with the bug.
  Change-Id: Ie0aeccc752cf556f9dea84de61c15a7906e1060b
  (cherry picked from commit 62830d130b33ab196245e8fbda63639fe9420c18)
  CVE-2017-0773
* Fix array size for hrd parameters | Naveen Kumar P | 2017-09-14 | 1 | -6/+6
  Change hard-coded array sizes to use appropriate defined constant.
  Bug: 62534693
  Bug: 62534786
  Bug: 62534806
  Bug: 62533909
  Test: run POC before/after on master
  Change-Id: I999545c42d3321570e931991076a942a9134a17d
  (cherry picked from commit 4146e81c6dd50634b28b566adda5ac797f47c374)
  CVE-2017-0763
* Return error for invalid crop parameters | Naveen Kumar P | 2017-09-14 | 1 | -0/+16
  Test: run poc with and without the patch
  Bug: 62214264
  Change-Id: If627ee9a8f0dbd65963897966e1c2d39f5fbd428
  (cherry picked from commit e8c26c16d78c5accec081c8f4516918eee679c4c)
  CVE-2017-0762
* Check number of output buffers and sizes | Naveen Kumar P | 2017-09-14 | 2 | -0/+106
  Bug: 37435531
  Bug: 36817631
  Bug: 36492741
  Change-Id: I85e3da9a8aaefaac0b494868fdc94d858e4cf8e6
  (cherry picked from commit 1ffb19f7ae4c9622a270ad87f950ce8ffe622783)
  CVE-2017-0758
* Fix OOB issue in nal unit parsing | Naveen Kumar P | 2017-08-13 | 1 | -3/+4
  Refs: replicant-6.0-0002
  Bug: 37712181
  Test: ran patched against POC on nyc-mr2
  Change-Id: I5408b3afd898db99265f94573d1163ef83c9b99c
  (cherry picked from commit 62ebc3276199bef53c4b87cfcd8c8586af255fee)
* Set pic_present at end of pic_init instead of beginning | Naveen Kumar P | 2017-08-13 | 1 | -2/+2
  Bug: 37469795
  In pic_init, pic_present was set in the beginning. If pic_present was set, process and buffer management were done. For an error stream, a crash occurred when pic_init returned with error after setting pic_present.
  Change-Id: Iea42e6ad2bc5a74517188fa5e4cc434bb96d46c7
  (cherry picked from commit d012a1ffc0a260de924b7af5e3ba30eb65526f8a)
* Handle error return in parse slice | Naveen Kumar P | 2017-08-13 | 1 | -20/+110
  Bug: 37430213
  Change-Id: I77f5973db54edccc0972649035b0fbde961c10dd
  (cherry picked from commit 16c8c8cceeb74c7f4634803723a0b8b1f4881dc9)
  (cherry picked from commit 453587489900c62280aadd1d1c8e3899dc57e965)
* Fix heap buffer overflow while searching for valid PPS | Harish Mahendrakar | 2017-07-07 | 1 | -3/+4
  Bug: 37094889
  Test: Tested POC on ASAN build
  AOSP-Change-Id: Id4e52cd10a4d5eac015efe4b752162dc39cc30b8
  (cherry picked from commit 520465122804c4022edd0c8c3c54a93fb4cba613)
  CVE-2017-0695
  Change-Id: Ia50299381e19b6f6f4b278de3028f98b7aa296be
* Check for buffer overflow in pps/slice header parsing | Naveen Kumar P | 2017-07-07 | 2 | -0/+6
  Bug: 36215950
  Bug: 36215953
  Bug: 36216719
  AOSP-Change-Id: Ibdc05e1d5aa21d060d7c683fd9af4bed8537053f
  (cherry picked from commit d61d5e5f6aa0e5f80b8ae793aca4a4085d015c06)
  CVE-2017-0689
  Change-Id: Ie8fb16141103647514880a8274100141ba0391fc
* Check for cpb cnt in hrd parsing | Naveen Kumar P | 2017-07-06 | 1 | -4/+13
  Bug: 34896431
  The arrays in hrd are of size MAX_CPB_CNT. If cpb cnt is more than MAX_CPB_CNT, more data is parsed and the subsequent buffer is corrupted.
  AOSP-Change-Id: I74c01b8c7142b67a358eb5e36b160a7fbf2b69e4
  (cherry picked from commit 3e194e0edde1d9ceb71d18f6f0e0bf156a76a650)
  CVE-2017-0676
  Change-Id: Ied5f6ecf2ad2c2ab6f2f9d054ef64db5e80b4892
* Fix reallocation for new sps | Naveen Kumar P | 2017-07-06 | 1 | -2/+14
  This works for mnc-dr-dev and later.
  Bug: 34779227
  Test: re-ran POC before/after patch to verify behavior
  AOSP-Change-Id: Ida0bf6bcc236494c3c89b228039501e287839fbe
  (cherry picked from commit 99df61bb9a89cdd123d4f515c44238b48d62642a)
  CVE-2017-0675
  Change-Id: I4d0b147b6a8c30ac80174adfd2e950a3fb7e2285
* DO NOT MERGE Handle streams with change in max_dec_buffering/num_reorder_frames | Harish Mahendrakar | 2017-07-06 | 1 | -0/+21
  without resolution change
  Backported from master as part of fixing a security issue on nyc-*.
  Bug: 34779227
  Test: successful re-run of POC after patch
  AOSP-Change-Id: I404099ac24439b5f6eddc9265dc571929433b3ee
  (cherry picked from commit 27ad0d7bffb18dc47ab420789ca45f5481906903)
  CVE-2017-0675
  Change-Id: I32be2ce0ec44acf60224f67d7d5b51c64ec87d90
* memset SPS to zero | Harish Mahendrakar | 2017-07-06 | 1 | -0/+6
  SPS structure is memset to zero in parse_sps().
  Bug: 33966031
  Bug: 37458993
  AOSP-Change-Id: I7d4c04d2d25d7e9c8f581bd470260fc4394a564b
  (cherry picked from commit 2e0e75aedef322baeb829bf5151aba312840ed40)
  CVE-2017-0540
  Change-Id: I6f3f6a16b3b985124459133683dcd7ce29af76de
* Check only allocated mv bufs for releasing from reference | Naveen Kumar Ponnusamy | 2017-06-09 | 4 | -6/+11
  When checking mv bufs for releasing from reference, unallocated mv bufs were also checked. This issue was fixed by restricting the loop count to allocated number of mv bufs.
  Bug: 34896906
  Bug: 34819017
  AOSP-Change-Id: If832f590b301f414d4cd5206414efc61a70c17cb
  (cherry picked from commit 23bfe3e06d53ea749073a5d7ceda84239742b2c2)
  CVE-2017-0642
  Change-Id: I6bc4ce3298df94d288211bd642db49e67ece42ee
* Set current slice ctb x and y to fill prev incomplete slice | Naveen Kumar P | 2017-06-09 | 1 | -0/+4
  If previous slice is not completed, update the current slice ctb_x and ctb_y so that while filling the previous slice, the parse slice code can break properly.
  Bug: 32322258
  Test: boot, ran POC supplied with bug
  AOSP-Change-Id: Ie9090694514a018268851560a3f056194ff6fc91
  (cherry picked from commit 830858436bb31036d4260f30c25fa83fd351ed40)
  CVE-2017-0391
  Change-Id: I5fada9d8f5e2afb7cfd7aa5e82ed1a6d5c2b6808
* Correct Tiles rows and cols check | Naveen Kumar P | 2017-06-09 | 1 | -2/+8
  Bug: 36231493
  Bug: 34064500
  AOSP-Change-Id: Ib17b2c68360685c5a2c019e1497612a130f9f76a
  (cherry picked from commit 07ef4e7138e0e13d61039530358343a19308b188)
  CVE-2017-0637
  Change-Id: Iba716c70f07fb070fa221eb1f5a3779df6e1d7cc
* Handle error return from ref list in slice hdr parsing | Naveen Kumar Ponnusamy | 2017-05-23 | 1 | -1/+5
  The error returned by ref_list function was not handled by the caller parse_slice_header.
  Bug: 34672748
  AOSP-Change-Id: I55f6cb0e651746e77f7ff3375115894ec3964203
  (cherry picked from commit 25206ffa6eeb25f32103e69f893287425ab1bd10)
  CVE-2017-0599
  Change-Id: Idab5c9503268d099c60b0d996312b0e774d61cb3
  (cherry picked from commit a1424724a00d62ac5efa0e27953eed66850d662f)
* Return error if SPS parsing reads more bytes than the nal length | Harish Mahendrakar | 2017-05-21 | 1 | -0/+4
  Bug: 35039946
  AOSP-Change-Id: Ia97fa8711f313d0029d2b13e6d150d5e46b2bb99
  (cherry picked from commit a6c58e18a49a1ea4929f8345b3c59f900d5813f5)
  (cherry picked from commit 232bbe1908d1dd9f10513d7b8065ecaf5c9a11a6)
  CVE-2017-0590
  Change-Id: I95f922a2c6fc96253b1b3cecb2f6a9b4acb06077
* Return error from cabac init if offset is greater than range | Naveen Kumar Ponnusamy | 2017-05-21 | 2 | -20/+56
  When the offset was greater than range, the bitstream was read more than the valid range in leaf-level cabac parsing modules. Error check was added to cabac init to fix this issue. Additionally end of slice and slice error were signalled to suppress further parsing of current slice.
  Bug: 34897036
  AOSP-Change-Id: I1263f1d1219684ffa6e952c76e5a08e9a933c9d2
  (cherry picked from commit 3b175da88a1807d19cdd248b74bce60e57f05c6a)
  (cherry picked from commit b92314c860d01d754ef579eafe55d7377962b3ba)
  CVE-2017-0589
  Change-Id: I0eb2baaa0db50ca02ecc1498a14c5fd948760baf
* Fix in handling wrong cu_qp_delta | Harish Mahendrakar | 2017-04-05 | 2 | -3/+11
  Refs: replicant-6.0-0001
  cu_qp_delta is now checked for the range as specified in the spec.
  Bug: 33966031
  AOSP-Change-Id: I00420bf68081af92e9f2be9af7ce58d0683094ca
  CVE-2017-0540
  Change-Id: I3f50e370e43489d9f6c003ad03cddac47796f7af
  (cherry picked from commit 01ca88bb6c5bdd44e071f8effebe12f1d7da9853)
* Handle invalid num_reorder_pics & max_dec_pic_buffering in SPS | Harish Mahendrakar | 2017-04-05 | 1 | -0/+10
  Bug: 33864300
  AOSP-Change-Id: I920e45c3420a1a41a366ad45bd4186c5f6af6d6b
  CVE-2017-0539
  Change-Id: Ibd55790a3b31ee345240f263e4a83d20d8f3120a
  (cherry picked from commit 1ab5ce7e42feccd49e49752e6f58f9097ac5d254)
* Added check for invalid log2_max_transform_block_size in SPS | Harish Mahendrakar | 2017-03-22 | 1 | -0/+9
  Bug: 33918236
  Bug: 33964497
  Bug: 33965905
  Bug: 33862021
  CVE-2017-0472
  AOSP Change-Id: If121221d0f6e983c05d95d123af9bed378d1961f
  Change-Id: Ib3ef6e3abc584ed1d797f18fc47b22d13129beda
  (cherry picked from commit b5cae8181efbb9649ffddb659305a0da59ed445a)
  (cherry picked from commit dfa7251ff270ae7e12a019e6735542e36b2a47e0)
* Fixed handling invalid chroma tu size for error clips | Harish Mahendrakar | 2017-03-22 | 1 | -0/+5
  Limit func_idx to valid range to ensure invalid functions are not called when wrong TU size is signalled for chroma due to error in parsing.
  Bug: 32915871
  CVE-2017-0406
  AOSP Change-Id: I662212eb2e9b8994e7e85780e667f14df73b5905
  Change-Id: I254bb3ffab57bc24e97f99d4d4f0ce4764802c50
  (cherry picked from commit a76773ab749bd57f3467c79aa60c16c1f2c87380)
  (cherry picked from commit 3da3ec6441c9694391efd9b758473c3f9c33f360)
* Fixed out of bound reads in stack variables | Harish Mahendrakar | 2017-03-22 | 2 | -6/+9
  Out of bound reads in the following variables are fixed:
  scaling_mat_offset in ihevcd_iquant_itrans_recon_ctb()
  ai1_offset_y, ai1_offset_cb and ai1_offset_cr in ihevcd_sao_shift_ctb()
  These values were read but not used.
  b/32915871
  CVE-2017-0406
  AOSP Change-Id: Ib07e2ed1bdcc600700d4e9e5d970f6cc2164ab1b
  Change-Id: Id3e335941d6f015a55085d2592f92974b3225976
  (cherry picked from commit 4def2dfabf8afcb185942131c1e67bb3ff211f05)
  (cherry picked from commit 5e7a6141e9e7a165b1234a3fd24ea4b176c3d016)
* Fix in Chroma SAO for non-multiple of 8 height | Harish Mahendrakar | 2017-03-22 | 2 | -2/+2
  A register was not loaded correctly which was resulting in a crash for a certain combination of availability flags and block height.
  Bug: 32873375
  Test: Tested manually for the clip associated with the bug
  CVE-2017-0407
  AOSP Change-Id: I6e0969a1e51c8149853bae226b527411b45ec370
  Change-Id: I373d9d862988fc8fed65b1c07cba50d22702bb14
  (cherry picked from commit 68215fd9ed309d1f1cc204e96bd788f5c865525c)
  (cherry picked from commit 02bcb7ddec84cc08af907231706b0e03e7138cbf)