| Commit message (Collapse) | Author | Age | Files | Lines |
| |
This reverts commit 19d12edc1aad955ecd2e2b1bc786f1e7acb5fe0c. It was
causing lots of programs to crash in Replicant and made booting
significantly longer. Reverting this commit is not ideal but because
we currently don't know how to fix this properly at least by reverting
this commit we can release other security issue fixes in the Replicant
6.0 0004 release.
This is an excerpt from the backtrace of one of the crashes that
happened because of this commit:
F DEBUG : #00 pc 00046248 /system/lib/libc.so (tgkill+12)
F DEBUG : #01 pc 00043d01 /system/lib/libc.so (pthread_kill+32)
F DEBUG : #02 pc 0001bd73 /system/lib/libc.so (raise+10)
F DEBUG : #03 pc 00018c03 /system/lib/libc.so (__libc_android_abort+42)
F DEBUG : #04 pc 000167ec /system/lib/libc.so (abort+4)
F DEBUG : #05 pc 0001a763 /system/lib/libc.so (__libc_fatal+26)
F DEBUG : #06 pc 0002f50d /system/lib/libc.so (__bionic_heap_corruption_error+8)
F DEBUG : #07 pc 0003173b /system/lib/libc.so (dlfree+310)
F DEBUG : #08 pc 0000e9bb /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
F DEBUG : #09 pc 0001936f /system/lib/libstagefright_omx.so
Signed-off-by: Joonas Kylmälä <joonas.kylmala@iki.fi>
| |
only has software rendering
Change-Id: I895cc30e6ed47629442b4cd949089fc940a8382c
Signed-off-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
| |
Bug: 111603051
Test: CTS
Change-Id: Ib5b1802b9b35769a25c16e2b977308cf7a810606
(cherry picked from commit d1fd02761236b35a336434367131f71bef7405c9)
| |
Test:POC provided in bug
Bug:79218474
(cherry picked from commit c1bf68a8d1321d7cdf7da6933f0b89b171d251c6)
Change-Id: Iba12c07a5e615f8ed234b01ac53e3559ba9ac12e
| |
Bug: 111381540
Test: http://devimages.apple.com.edgekey.net/streaming/examples/bipbop_16x9/bipbop_16x9_variant.m3u8
Change-Id: I57f6cea59ce4c25267385289ab805eefe74b04ac
(cherry picked from commit b8c3a74de55a76e2ee21c731828a8afca7aa4ae0)
| |
Bug: 77823362
Test: adb shell am start -a android.intent.action.VIEW -d http://10.42.0.1:8080
Change-Id: Ieaf8a13985277eee5b085ed243205a597627cf5e
(cherry picked from commit 26e236bd426770869644a9962778dedea7bf59be)
| |
Bug: 78656554
Test: manual
Change-Id: I677f827483dcc80afac57fd7ef6807e633542252
(cherry picked from commit 3762e0615273f25b059556d5b5f65102e9c55c35)
| |
Instead of doing many overlapping memmoves, do a single copy pass
that skips over the inserted unsynchronization bytes. For some
files this reduces parsing time from minutes to milliseconds.
Similar to commit 72a43b68da but for v2.2 and v2.3.
Bug: 78029004
Test: poc
Change-Id: I735b7051e77a093d86fb7a3e46209875946225ed
(cherry picked from commit f9d87cc850a589b9b0cc3658cf222187822bcc00)
| |
There might be a scenario while period is zero or after including
precision would be zero, prevent from division in that case and
return false (to use previously used period).
Bug: 73898703
bug: 74067957
Test: run playback as stability test
Change-Id: I3fad1060b095b7b5ea4c1f9cb3f9d42a4c503560
(cherry picked from commit 27e47ce3c3bbc0b4dc629163de7ebbba7e80b149)
CVE-2018-9354
| |
Zero initialize structs before parcel read, if status is not checked.
Sanitize parcel read audio_port_config.
Test: Audio CTS, See bug for POC
Bug: 73126106
Merged-in: Iece43eb463385927e6babcf93654eea8aaebc29c
Change-Id: Iece43eb463385927e6babcf93654eea8aaebc29c
(cherry picked from commit 498bdcc90bc470a79bf8943cbac64502f7c1c091)
CVE-2018-9378
| |
In AudioPortConfig, we only initialize index for audio_gain_config, but
not other fields. That may cause uninit leak at listAudioPorts and
listAudioPatches.
Bug: 77238250
Bug: 77238762
Test: try repo steps at the bug description.
Change-Id: I57e3bd0598f9aa698a6fa3d3c0218b046de34e2f
(cherry picked from commit ebe0777edcf3b9c6bde9771d65399e2363dc6e40)
CVE-2018-9345, CVE-2018-9346
| |
Reference:
https://www.mp3-tech.org/programmer/frame_header.html
Test: run poc with and without this patch.
Bug: 71868329
Change-Id: Ibf6196eba0b99459e84989ac8c13db57c816c572
(cherry picked from commit 8b638123760bd93958f6cc2f5c7c4f5dbd0a754a)
| |
mpeg2 es stream access units have a 3 byte prefix and a 1 byte start
code. Searching for the next access unit started after the prefix
instead of after the start byte.
Bug: 74114680
Test: ran POC before/after
(cherry picked from commit 371066d073c5db289b0f38b9d2bfd3e326c78c66)
Change-Id: I3c51c62355c810e1b8dbc644cad3de335b7d8108
| |
C/C++ flags should be avoided in BoardConfig.mk / BoardConfigCommon.mk
if possible.
Change-Id: Id1a11e4b66019ec2ac373b114a8a153374c05895
| |
Add a check to ensure we have a non-zero size for a NAL while
parsing before we crack said NAL open to see what type it is.
Bug: 72117051
Test: compilation
Change-Id: Iaa3ebb2daae5d9225060a11e9adbb6757a168656
Merged-In: I607c67a320b33b991476db30d78223cf4386c0e8
(cherry picked from commit e0c020969d88891b0b71bb938778e9ca762e8035)
| |
Bug: 68399439
Change-Id: I95207b40f23a5f927da7154f9a952046118b5cad
(cherry picked from commit f3e0afb82f104d6e9986779ba2cf548c6aab1092)
| |
Test: make cts -j123 && cts-tradefed run cts-dev -m \
CtsMediaTestCases --compatibility:module-arg \
CtsMediaTestCases:include-annotation:\
android.platform.test.annotations.RequiresDevice
Bug: 70546581
Change-Id: Ia3a8eb99c2faf6935c63800ba08f65970cede48e
(cherry picked from commit 082e4f75a383f957a6ed9186ca0692b694e1ce45)
| |
Bug: 70239507
Test: stagefright -a poc.aac
Change-Id: I61225a04c76fe8855bd2591fb14b734099fa3be6
(cherry picked from commit 0790581021d89ae1d7242e5eb1197bfd12725c85)
| |
Bug: 68342866
Test: adb shell am start -a android.intent.action.VIEW -d http://localhost:1137/index.html
Change-Id: I479f9e0b7ca828d048ef88b23b4948e3c1472b3c
(cherry picked from commit e3bd8dd81e51b4d02484e7eec0d725ba9c254c68)
CVE-2017-13235
| |
Input buffer validation is existing only on VPX encoders. This patch
applies the checking also to the other sw video encoders.
Bug: 69065651 Bug: 27569635
Test: run poc with and without the patch.
Test: pass post submit media CTS tests after disabling hw encoders.
Merged-In: I1358df64352577fd6d41cd4bfec18be37c98fe6f
Change-Id: I1358df64352577fd6d41cd4bfec18be37c98fe6f
(cherry picked from commit fed57366c58aa69ad8f1df5191d6bf48e58d86a8)
CVE-2017-13241
| |
When audio_attributes_t was read from the binder parcel,
the string tags field was copied without checking that
it contained a '\0'.
This could lead to read past the end when tags were used.
This patch always adds a '\0' at the end of the buffer when
deserializing.
Bug: 68953950
Test: manual playback/record
Test: send binder payload without \0 in tags attribute, check that only
AUDIO_ATTRIBUTES_TAGS_MAX_SIZE - 1 char are printed.
Change-Id: I285258cbf7cfaf26b191d1f31b3b1e2d724c4934
Merged-In: I285258cbf7cfaf26b191d1f31b3b1e2d724c4934
Signed-off-by: Kevin Rocard <krocard@google.com>
(cherry picked from commit 39fdbd097a147b5c719dac9ad2759e6c44eb3a4e)
CVE-2017-13232
| |
This is to avoid a concurrent use after free if other OMX commands
are being executed before the node is marked as deleted.
Bug: 63666573
Backport:
Wrap into #ifndef/#endif statement to allow skipping this patch
for specific devices by adding the following directive into the
BoardConfig.mk or BoardConfigCommon.mk file of the device repo:
TARGET_RELEASE_CPPFLAGS += -DSKIP_CVE_2017_13154
Change-Id: I7720dd900bfa252f8675e0c56191adbf52aa957e
CVE-2017-13154
| |
Bug: 63100526
Test: opened poc, other files
Change-Id: I0a51a2a11d0ea84ede0c075de650a7118f0e00c5
(cherry picked from commit 3e70296461c5f260988ab21854a6f43fdafea764)
CVE-2017-13200
| |
Bug: 67647856
Test: Added CTS tests
Change-Id: I027ce8f7a1cdb8406ca423aaae7c45b6b76617f0
(cherry picked from commit ee804dfa15cc2d34e5d67a9b437cd023349d633b)
CVE-2017-13202
| |
Cherry picked from http://go/ag/3038278.
AesCtrDecryptor::decrypt() doesn't check whether the size of "key"
is equal to 16 bytes, which may lead to an OOB read problem in the
context of mediadrmserver.
Add DecryptsWithEmptyKey and DecryptsWithKeyTooLong unit tests.
Test: ClearKeyDrmUnitTest
adb shell LD_LIBRARY_PATH="/vendor/lib/mediadrm"
/data/nativetest/ClearKeyDrmUnitTest/ClearKeyDrmUnitTest
bug: 63982768
Change-Id: I1f22c9df2b051972b2c532608b7f203e3ce77926
(cherry picked from commit 379b672b189aa72ce0103b485019022f3e292c36)
CVE-2017-13201
| |
Bug: 64528824
Change-Id: Id19ec0d634d9337190d04abdbd97842b66502c01
CVE-2017-0855
| |
When a zero length input buffer is sent to SoftAVC decoder
without EOS set in nFlags, SoftAVC decoder plugin was
entering an infinite loop. Fixed it by returning from
onQueueFilled for such cases.
Bug: 66969349
Test: Tested using poc associated with the bug
Change-Id: I79cebc8f5b40c51256aba83a08deb547b220c4d7
(cherry picked from commit 21943c05f0ee2350647a6fa5ee17aa3c68859383)
CVE-2017-13180
| |
Bug: 66969193
Change-Id: Icd1c8d78986e3795ba7f1c1d50ebeb90d77f6178
(cherry picked from commit 2bee8317ecfa5dca3c43d99db40491c4e28f832d)
CVE-2017-13179
| |
Bug: 66969281
Change-Id: I7c293417079da991cfad675a2d5563423d751610
(cherry picked from commit 8e6a6fe2e1542b3333ffecb7307a5de671c8a785)
CVE-2017-13178
| |
Test:poc provided in bug
bug:62872384
Change-Id: I3d104a2a64a0cb81e9fd5b04c4def1fbee64da2d
CVE-2017-13152
| |
Bug: 65025028
Test: run POC
Change-Id: Ifa5cf0e3ced7188ed70849b04b57828518ccb5bf
CVE-2017-0879
| |
Do not hold Module mutex when calling into audio policy manager to
avoid cross deadlock with audio policy service mutex: Audio policy manager
can call into sound trigger service with its mutex held in methods like
stopInput().
Regression introduced by fix for b/64340921 commit f759b8c4
Bug: 64340921
Bug: 67310830
Test: repro steps in b/67310830
Merged-In: Ie50b2e7c55fe9828a3fd8de6b31eb4a492791583
Change-Id: Ie50b2e7c55fe9828a3fd8de6b31eb4a492791583
(cherry picked from commit 98647879efd7fd85c57399037a2cf330726b0a09)
CVE-2017-0837
| |
Test: Enable always on GSA
Bug: 64340921
Change-Id: I05d8c680be97ba4c92081425596addcc038f7dda
CVE-2017-0837
| |
Test: CtsMediaTestCases & YT & Play Movies & Cast
Bug: 62948670
Merged-In: Icbd9b767f1aef005819e680f77f4a05041988f34
Change-Id: Icbd9b767f1aef005819e680f77f4a05041988f34
CVE-2017-0840
| |
Test: POC CTS AudioEffectTest
Bug: 64477217
Bug: 64478003
Change-Id: Ia5e6ecb5a356daf5f3fa085d1055748f638795d9
CVE-2017-0839
CVE-2017-0848
| |
buffer.
Bug: 38391487
Bug: 24145279
Change-Id: I6b99ee2dc63063557f4ee2c5856f7c848e969752
(cherry picked from commit 56097a8ecc31ec308a1caa38f92b69f99324eada)
(cherry picked from commit 15c3740aa96df30049b7acf9d7dce77bbcf9d9d4)
| |
Bug: 62187433
Test: ran poc, CTS
Change-Id: Ib9b0b6de88d046d8149e9ea5073d6c40ffec7b0c
(cherry picked from commit ef8c7830d838d877e6b37b75b47294b064c79397)
CVE-2017-0820
| |
Test: added a temporal log and run poc
Bug: 63581671
Change-Id: I436a08e54d5e831f9fbdb33c26d15397ce1fbeba
(cherry picked from commit 63079e7c8e12cda4eb124fbe565213d30b9ea34c)
CVE-2017-0818
| |
Test: No more crash from oob read/write with running poc.
Bug: 63522430
Change-Id: I232d256eacdfaa9347902fe9b42650999f0d2d85
(cherry picked from commit 4e79910fdb303fd28a37a9401bed1b7fbccb1373)
CVE-2017-0817
| |
Bug: 63662938
Bug: 63526567
Test: Added CTS tests
Change-Id: I8ed398cd62a9f461b0590e37f593daa3d8e4dbc4
(cherry picked from commit 804632afcdda6e80945bf27c384757bda50560cb)
CVE-2017-0815
CVE-2017-0816
| |
Bug: 62673128
Change-Id: Id5f04b772aaca3184879bd5bca453ad9e82c7f94
(cherry picked from commit 5e96386ab7a5391185f6b3ed9ea06f3e23ed253b)
CVE-2017-0809
| |
A sample number value of 0 means that the value stored in
the mSyncSamples array, would become negative (-1),
when converted to index value. This causes a crash.
Make sure that stss sample numbers are bigger
than 0 before converting sample number to index value.
Bug: 32423862
bug: 35645051
Test: Playback video that triggers stss sync sample number 0
Change-Id: I35bee7c718e01b086d7e05deda13b38083f509f5
(cherry picked from commit 024e783acdff65cdb8eb9de5ade3359ebb338a3b)
| |
Merged-In: Ia7edd9a802905214a27961dbcec6352f6ef98f73
Test: Native POC
Bug: 38340117
Change-Id: I633caf563d3607dbe4b9be10be1687efce33469c
(cherry picked from commit f4aeab2bd69bead05ed75ae3254f53a6ab2316b5)
CVE-2017-0779
| |
Test: Ringtone with BT
Bug: 35350587
Bug: 38340117
Change-Id: If247d319d58f8f4d18b49f58ec950491871ebb2d
(cherry picked from commit afb31487f3156a7284d2f0d06646c7bc00d99537)
(cherry picked from commit 1159ffd5e3f832206982d45a7b030b943cc4775e)
CVE-2017-0779
| |
Test: stagefright -s poc_file
Bug: 62133227
Change-Id: Iafefac39764ce01b4dde414b9f152c9ea71810e9
(cherry picked from commit 6ace94d2952eac82fc4c86aa6d585258248bf18c)
CVE-2017-0778
| |
bug: 62673179
Change-Id: I5da44822ad2ff59d396d1df42f34cd0a5620e134
(cherry picked from commit 6e2bcf40e4083be3a0fbb13d03293a78301e66ef)
CVE-2017-0775
| |
Test: passed CTS test DecoderTest#testDecodeFragmented
Bug: 64314728
Bug: 36571704
Change-Id: I71ad6aaae473b03483f8405899d3178148597bba
(cherry picked from commit ba9af7792dfed6e9b1b216aab91a97e713eec891)
(cherry picked from commit 6b401a337674f2f22b7589534700a33187899869)
CVE-2017-0774
| |
Also fix handling of zero atom size in MPEG4Source::parseChunk.
IDataSource: ensure readAt returns correct status.
Test: manually test with mediaplayer.
Bug: 34718515
Change-Id: I1219ec579aa0876dc1230e36af46b158b84c6d77
(cherry picked from commit ff1fb4d5cdd3b2b28c69edd8cd3021e335ca381a)
(cherry picked from commit 371561214467f848496928914f771703d6c331e6)
Change-Id: I51546975ac0992cff7cf890a71a177e1058ed613
CVE-2017-0774
| |
Test: poc doesn't crash
Bug: 38234812
Change-Id: I6f9be046ff66d2d5bed27bd712287e4ead550830
(cherry picked from commit 502c2f405355c3253990ac4edae345ac1907f916)
CVE-2017-0770
| |
Block effect commands reserved for framework use when
received on server side IAudioEffect. Applications have no reason
to use these commands and they present an unnecessary attack surface.
Bug: 62019992
Test: run CTS tests for audio effects
Change-Id: Ie680d5d5650f99dbabf93891703e1cde2c2e852d
(cherry picked from commit c7ab309ecbb289cd1296430f724166a26bd45afe)
CVE-2017-0768