Commit log
Each entry: commit message, author, date, files changed, lines (-removed/+added)
* Revert "Backport: OMXNodeInstance: use a lock around OMX::freeNode"   [HEAD, replicant-6.0]
  Author: Joonas Kylmälä   Date: 2020-01-03   Files: 1   Lines: -4/+0

    This reverts commit 19d12edc1aad955ecd2e2b1bc786f1e7acb5fe0c.

    It was causing lots of programs to crash in Replicant and made booting significantly longer. Reverting this commit is not ideal, but because we currently don't know how to fix this properly, at least by reverting this commit we can release other security issue fixes in the Replicant 6.0 0004 release.

    This is an excerpt from the backtrace of one of the crashes that happened because of this commit:

    F DEBUG : #00 pc 00046248 /system/lib/libc.so (tgkill+12)
    F DEBUG : #01 pc 00043d01 /system/lib/libc.so (pthread_kill+32)
    F DEBUG : #02 pc 0001bd73 /system/lib/libc.so (raise+10)
    F DEBUG : #03 pc 00018c03 /system/lib/libc.so (__libc_android_abort+42)
    F DEBUG : #04 pc 000167ec /system/lib/libc.so (abort+4)
    F DEBUG : #05 pc 0001a763 /system/lib/libc.so (__libc_fatal+26)
    F DEBUG : #06 pc 0002f50d /system/lib/libc.so (__bionic_heap_corruption_error+8)
    F DEBUG : #07 pc 0003173b /system/lib/libc.so (dlfree+310)
    F DEBUG : #08 pc 0000e9bb /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
    F DEBUG : #09 pc 0001936f /system/lib/libstagefright_omx.so

    Signed-off-by: Joonas Kylmälä <joonas.kylmala@iki.fi>
* colorconversion: not only check for the emulator, but also for a device that only has software rendering
  Author: Wolfgang Wiedmeyer   Date: 2020-01-02   Files: 1   Lines: -1/+6

    Change-Id: I895cc30e6ed47629442b4cd949089fc940a8382c
    Signed-off-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
* Check for overflow of crypto size
  Author: Marco Nelissen   Date: 2018-12-03   Files: 1   Lines: -1/+12

    Bug: 111603051
    Test: CTS
    Change-Id: Ib5b1802b9b35769a25c16e2b977308cf7a810606
    (cherry picked from commit d1fd02761236b35a336434367131f71bef7405c9)
* Fix information disclosure in mediadrmserver
  Author: Jeff Tinker   Date: 2018-12-03   Files: 1   Lines: -2/+7

    Test: POC provided in bug
    Bug: 79218474
    (cherry picked from commit c1bf68a8d1321d7cdf7da6933f0b89b171d251c6)
    Change-Id: Iba12c07a5e615f8ed234b01ac53e3559ba9ac12e
* M3UParser: handle missing EXT-X-MEDIA URIs
  Author: Robert Shih   Date: 2018-10-08   Files: 1   Lines: -2/+6

    Bug: 111381540
    Test: http://devimages.apple.com.edgekey.net/streaming/examples/bipbop_16x9/bipbop_16x9_variant.m3u8
    Change-Id: I57f6cea59ce4c25267385289ab805eefe74b04ac
    (cherry picked from commit b8c3a74de55a76e2ee21c731828a8afca7aa4ae0)
* M3UParser: make url on demand
  Author: Robert Shih   Date: 2018-10-08   Files: 2   Lines: -10/+22

    Bug: 77823362
    Test: adb shell am start -a android.intent.action.VIEW -d http://10.42.0.1:8080
    Change-Id: Ieaf8a13985277eee5b085ed243205a597627cf5e
    (cherry picked from commit 26e236bd426770869644a9962778dedea7bf59be)
* Fix possible out of bounds read
  Author: Marco Nelissen   Date: 2018-08-08   Files: 1   Lines: -0/+3

    Bug: 78656554
    Test: manual
    Change-Id: I677f827483dcc80afac57fd7ef6807e633542252
    (cherry picked from commit 3762e0615273f25b059556d5b5f65102e9c55c35)
* Speed up id3v2 unsynchronization
  Author: Robert Shih   Date: 2018-07-16   Files: 1   Lines: -4/+17

    Instead of doing many overlapping memmoves, do a single copy pass that skips over the inserted unsynchronization bytes. For some files this reduces parsing time from minutes to milliseconds.

    Similar to commit 72a43b68da but for v2.2 and v2.3.

    Bug: 78029004
    Test: poc
    Change-Id: I735b7051e77a093d86fb7a3e46209875946225ed
    (cherry picked from commit f9d87cc850a589b9b0cc3658cf222187822bcc00)
* Add check preventing div0 issue
  Author: Ryszard Grzesica   Date: 2018-06-08   Files: 1   Lines: -0/+5

    There might be a scenario where period is zero, or would be zero after including precision; prevent the division in that case and return false (to use the previously used period).

    Bug: 73898703
    bug: 74067957
    Test: run playback as stability test
    Change-Id: I3fad1060b095b7b5ea4c1f9cb3f9d42a4c503560
    (cherry picked from commit 27e47ce3c3bbc0b4dc629163de7ebbba7e80b149)
    CVE-2018-9354
* Sanitize effect descriptors for AudioPolicyService binder calls.
  Author: Andy Hung   Date: 2018-06-08   Files: 2   Lines: -14/+53

    Zero initialize structs before parcel read, if status is not checked.
    Sanitize parcel read audio_port_config.

    Test: Audio CTS, See bug for POC
    Bug: 73126106
    Merged-in: Iece43eb463385927e6babcf93654eea8aaebc29c
    Change-Id: Iece43eb463385927e6babcf93654eea8aaebc29c
    (cherry picked from commit 498bdcc90bc470a79bf8943cbac64502f7c1c091)
    CVE-2018-9378
* Init gain config to prevent uninit leak.
  Author: jiabin   Date: 2018-06-08   Files: 1   Lines: -0/+1

    In AudioPortConfig, we only initialize index for audio_gain_config, but not other fields. That may cause uninit leak at listAudioPorts and listAudioPatches.

    Bug: 77238250
    Bug: 77238762
    Test: try repo steps at the bug description.
    Change-Id: I57e3bd0598f9aa698a6fa3d3c0218b046de34e2f
    (cherry picked from commit ebe0777edcf3b9c6bde9771d65399e2363dc6e40)
    CVE-2018-9345, CVE-2018-9346
* Handle bad bitrate index in mp3dec.
  Author: Dongwon Kang   Date: 2018-05-22   Files: 1   Lines: -1/+1

    Reference: https://www.mp3-tech.org/programmer/frame_header.html

    Test: run poc with and without this patch.
    Bug: 71868329
    Change-Id: Ibf6196eba0b99459e84989ac8c13db57c816c572
    (cherry picked from commit 8b638123760bd93958f6cc2f5c7c4f5dbd0a754a)
* better mpeg2 TS elementary stream Access Unit parsing
  Author: Ray Essick   Date: 2018-05-22   Files: 1   Lines: -2/+7

    mpeg2 es stream access units have a 3 byte prefix and a 1 byte start code. Searching for the next access unit started after the prefix instead of after the start byte.

    Bug: 74114680
    Test: ran POC before/after
    (cherry picked from commit 371066d073c5db289b0f38b9d2bfd3e326c78c66)
    Change-Id: I3c51c62355c810e1b8dbc644cad3de335b7d8108
* Skip CVE_2017_13154: use a Boardflag instead C/C++ flag
  Author: Andreas Blaesius   Date: 2018-05-07   Files: 1   Lines: -0/+4

    C/C++ flags should be avoided in BoardConfig.mk / BoardConfigCommon.mk if possible.

    Change-Id: Id1a11e4b66019ec2ac373b114a8a153374c05895
* Check NAL size before looking inside
  Author: Ray Essick   Date: 2018-04-06   Files: 1   Lines: -1/+1

    Add a check to ensure we have a non-zero size for a NAL while parsing before we crack said NAL open to see what type it is.

    Bug: 72117051
    Test: compilation
    Change-Id: Iaa3ebb2daae5d9225060a11e9adbb6757a168656
    Merged-In: I607c67a320b33b991476db30d78223cf4386c0e8
    (cherry picked from commit e0c020969d88891b0b71bb938778e9ca762e8035)
* M3UParser: detect variant streams without EXT-X-STREAM-INF
  Author: Robert Shih   Date: 2018-04-06   Files: 1   Lines: -2/+5

    Bug: 68399439
    Change-Id: I95207b40f23a5f927da7154f9a952046118b5cad
    (cherry picked from commit f3e0afb82f104d6e9986779ba2cf548c6aab1092)
* Refactor MediaPlayerBase's notify
  Author: Pawin Vongmasa   Date: 2018-04-06   Files: 5   Lines: -69/+78

    Test: make cts -j123 && cts-tradefed run cts-dev -m \
          CtsMediaTestCases --compatibility:module-arg \
          CtsMediaTestCases:include-annotation:\
          android.platform.test.annotations.RequiresDevice

    Bug: 70546581
    Change-Id: Ia3a8eb99c2faf6935c63800ba08f65970cede48e
    (cherry picked from commit 082e4f75a383f957a6ed9186ca0692b694e1ce45)
* AACExtractor: check bounds during seek
  Author: Robert Shih   Date: 2018-03-08   Files: 1   Lines: -0/+4

    Bug: 70239507
    Test: stagefright -a poc.aac
    Change-Id: I61225a04c76fe8855bd2591fb14b734099fa3be6
    (cherry picked from commit 0790581021d89ae1d7242e5eb1197bfd12725c85)
* httplive: check for malformed EXT-X-STREAM-INF
  Author: Robert Shih   Date: 2018-02-08   Files: 1   Lines: -0/+3

    Bug: 68342866
    Test: adb shell am start -a android.intent.action.VIEW -d http://localhost:1137/index.html
    Change-Id: I479f9e0b7ca828d048ef88b23b4948e3c1472b3c
    (cherry picked from commit e3bd8dd81e51b4d02484e7eec0d725ba9c254c68)
    CVE-2017-13235
* Apply input buffer validation also to AVC and MPEG4 encoders
  Author: Dongwon Kang   Date: 2018-02-08   Files: 5   Lines: -8/+36

    Input buffer validation exists only on VPX encoders. This patch applies the checking also to the other sw video encoders.

    Bug: 69065651
    Bug: 27569635
    Test: run poc with and without the patch.
    Test: pass post submit media CTS tests after disabling hw encoders.
    Merged-In: I1358df64352577fd6d41cd4bfec18be37c98fe6f
    Change-Id: I1358df64352577fd6d41cd4bfec18be37c98fe6f
    (cherry picked from commit fed57366c58aa69ad8f1df5191d6bf48e58d86a8)
    CVE-2017-13241
* IAudioPolicyService: Add attribute tags sanitization
  Author: Kevin Rocard   Date: 2018-02-08   Files: 2   Lines: -0/+14

    When audio_attributes_t was read from the binder parcel, the string tags field was copied without checking that it contained a '\0'. This could lead to read past the end when tags were used.

    This patch always adds a '\0' at the end of the buffer when deserializing.

    Bug: 68953950
    Test: manual playback/record
    Test: send binder payload without \0 in tags attribute, check that only AUDIO_ATTRIBUTES_TAGS_MAX_SIZE - 1 char are printed.
    Change-Id: I285258cbf7cfaf26b191d1f31b3b1e2d724c4934
    Merged-In: I285258cbf7cfaf26b191d1f31b3b1e2d724c4934
    Signed-off-by: Kevin Rocard <krocard@google.com>
    (cherry picked from commit 39fdbd097a147b5c719dac9ad2759e6c44eb3a4e)
    CVE-2017-13232
* Backport: OMXNodeInstance: use a lock around OMX::freeNode
  Author: Lajos Molnar   Date: 2018-01-12   Files: 1   Lines: -0/+4

    This is to avoid a concurrent use after free if other OMX commands are being executed before the node is marked as deleted.

    Bug: 63666573

    Backport: Wrap into #ifndef/#endif statement to allow skipping this patch for specific devices by adding the following directive into the BoardConfig.mk or BoardConfigCommon.mk file of the device repo:

        TARGET_RELEASE_CPPFLAGS += -DSKIP_CVE_2017_13154

    Change-Id: I7720dd900bfa252f8675e0c56191adbf52aa957e
    CVE-2017-13154
* Fix edge case when applying id3 unsynchronization
  Author: Marco Nelissen   Date: 2018-01-10   Files: 1   Lines: -1/+6

    Bug: 63100526
    Test: opened poc, other files
    Change-Id: I0a51a2a11d0ea84ede0c075de650a7118f0e00c5
    (cherry picked from commit 3e70296461c5f260988ab21854a6f43fdafea764)
    CVE-2017-13200
* Add EFFECT_CMD_SET_PARAM parameter checking to Preset Reverb
  Author: Mikhail Naganov   Date: 2018-01-10   Files: 1   Lines: -0/+4

    Bug: 67647856
    Test: Added CTS tests
    Change-Id: I027ce8f7a1cdb8406ca423aaae7c45b6b76617f0
    (cherry picked from commit ee804dfa15cc2d34e5d67a9b437cd023349d633b)
    CVE-2017-13202
* Validate decryption key length to decrypt function.
  Author: Edwin Wong   Date: 2018-01-10   Files: 3   Lines: -1/+68

    Cherry picked from http://go/ag/3038278.

    AesCtrDecryptor::decrypt() doesn't check whether the size of "key" is equal to 16 bytes, which may lead to an OOB read problem in the context of mediadrmserver.

    Add DecryptsWithEmptyKey and DecryptsWithKeyTooLong unit tests.

    Test: ClearKeyDrmUnitTest
          adb shell LD_LIBRARY_PATH="/vendor/lib/mediadrm" /data/nativetest/ClearKeyDrmUnitTest/ClearKeyDrmUnitTest

    bug: 63982768
    Change-Id: I1f22c9df2b051972b2c532608b7f203e3ce77926
    (cherry picked from commit 379b672b189aa72ce0103b485019022f3e292c36)
    CVE-2017-13201
* stagefright: MP4Extractor: allow 10% overhead on default sample size
  Author: Lajos Molnar   Date: 2018-01-10   Files: 1   Lines: -0/+3

    Bug: 64528824
    Change-Id: Id19ec0d634d9337190d04abdbd97842b66502c01
    CVE-2017-0855
* SoftAVCDec: Handle zero length input without EOS
  Author: Harish Mahendrakar   Date: 2018-01-10   Files: 1   Lines: -1/+1

    When a zero length input buffer is sent to SoftAVC decoder without EOS set in nFlags, SoftAVC decoder plugin was entering an infinite loop. Fixed it by returning from onQueueFilled for such cases.

    Bug: 66969349
    Test: Tested using poc associated with the bug
    Change-Id: I79cebc8f5b40c51256aba83a08deb547b220c4d7
    (cherry picked from commit 21943c05f0ee2350647a6fa5ee17aa3c68859383)
    CVE-2017-13180
* Access HEVC context after create fail check
  Author: Naveen Kumar P   Date: 2018-01-10   Files: 1   Lines: -4/+4

    Bug: 66969193
    Change-Id: Icd1c8d78986e3795ba7f1c1d50ebeb90d77f6178
    (cherry picked from commit 2bee8317ecfa5dca3c43d99db40491c4e28f832d)
    CVE-2017-13179
* Access AVCDEC context after create fail check
  Author: Naveen Kumar P   Date: 2018-01-10   Files: 1   Lines: -4/+4

    Bug: 66969281
    Change-Id: I7c293417079da991cfad675a2d5563423d751610
    (cherry picked from commit 8e6a6fe2e1542b3333ffecb7307a5de671c8a785)
    CVE-2017-13178
* Fix information disclosure in mediadrmserver
  Author: Jeff Tinker   Date: 2017-12-09   Files: 1   Lines: -2/+7

    Test: poc provided in bug
    bug: 62872384
    Change-Id: I3d104a2a64a0cb81e9fd5b04c4def1fbee64da2d
    CVE-2017-13152
* m4v_h263: fix global buffer overflow
  Author: Wonsik Kim   Date: 2017-12-09   Files: 1   Lines: -1/+1

    Bug: 65025028
    Test: run POC
    Change-Id: Ifa5cf0e3ced7188ed70849b04b57828518ccb5bf
    CVE-2017-0879
* Soundtrigger service: fix cross deadlock with audio policy service
  Author: Eric Laurent   Date: 2017-12-09   Files: 2   Lines: -44/+57

    Do not hold Module mutex when calling into audio policy manager to avoid cross deadlock with audio policy service mutex: Audio policy manager can call into sound trigger service with its mutex held in methods like stopInput().

    Regression introduced by fix for b/64340921 commit f759b8c4

    Bug: 64340921
    Bug: 67310830
    Test: repro steps in b/67310830
    Merged-In: Ie50b2e7c55fe9828a3fd8de6b31eb4a492791583
    Change-Id: Ie50b2e7c55fe9828a3fd8de6b31eb4a492791583
    (cherry picked from commit 98647879efd7fd85c57399037a2cf330726b0a09)
    CVE-2017-0837
* AudioPolicyService: Acquire mutex for SoundTriggerSession
  Author: Andy Hung   Date: 2017-12-09   Files: 1   Lines: -0/+2

    Test: Enable always on GSA
    Bug: 64340921
    Change-Id: I05d8c680be97ba4c92081425596addcc038f7dda
    CVE-2017-0837
* Track graphic buffer mode in OMXNodeInstance
  Author: Dongwon Kang   Date: 2017-11-15   Files: 2   Lines: -0/+23

    Test: CtsMediaTestCases & YT & Play Movies & Cast
    Bug: 62948670
    Merged-In: Icbd9b767f1aef005819e680f77f4a05041988f34
    Change-Id: Icbd9b767f1aef005819e680f77f4a05041988f34
    CVE-2017-0840
* EffectBundle: Check parameter and value size
  Author: Andy Hung   Date: 2017-11-14   Files: 1   Lines: -393/+569

    Test: POC CTS AudioEffectTest
    Bug: 64477217
    Bug: 64478003
    Change-Id: Ia5e6ecb5a356daf5f3fa085d1055748f638795d9
    CVE-2017-0839
    CVE-2017-0848
* NuPlayerDecoder: fail gracefully when input data can't be held in allocated buffer.
  Author: Wei Jia   Date: 2017-10-05   Files: 1   Lines: -2/+9

    Bug: 38391487
    Bug: 24145279
    Change-Id: I6b99ee2dc63063557f4ee2c5856f7c848e969752
    (cherry picked from commit 56097a8ecc31ec308a1caa38f92b69f99324eada)
    (cherry picked from commit 15c3740aa96df30049b7acf9d7dce77bbcf9d9d4)
* Skip track if verification fails
  Author: Marco Nelissen   Date: 2017-10-04   Files: 1   Lines: -6/+12

    Bug: 62187433
    Test: ran poc, CTS
    Change-Id: Ib9b0b6de88d046d8149e9ea5073d6c40ffec7b0c
    (cherry picked from commit ef8c7830d838d877e6b37b75b47294b064c79397)
    CVE-2017-0820
* Fix memory leak in OggExtractor
  Author: Dongwon Kang   Date: 2017-10-04   Files: 1   Lines: -0/+4

    Test: added a temporal log and run poc
    Bug: 63581671
    Change-Id: I436a08e54d5e831f9fbdb33c26d15397ce1fbeba
    (cherry picked from commit 63079e7c8e12cda4eb124fbe565213d30b9ea34c)
    CVE-2017-0818
* Check buffer size in useBuffer in software components
  Author: Dongwon Kang   Date: 2017-10-04   Files: 1   Lines: -2/+7

    Test: No more crash from oob read/write with running poc.
    Bug: 63522430
    Change-Id: I232d256eacdfaa9347902fe9b42650999f0d2d85
    (cherry picked from commit 4e79910fdb303fd28a37a9401bed1b7fbccb1373)
    CVE-2017-0817
* Add EFFECT_CMD_SET_PARAM parameter checking to Downmix and Reverb
  Author: Mikhail Naganov   Date: 2017-10-04   Files: 2   Lines: -3/+40

    Bug: 63662938
    Bug: 63526567
    Test: Added CTS tests
    Change-Id: I8ed398cd62a9f461b0590e37f593daa3d8e4dbc4
    (cherry picked from commit 804632afcdda6e80945bf27c384757bda50560cb)
    CVE-2017-0815
    CVE-2017-0816
* stagefright: avoid buffer overflow in base64 decoder
  Author: Lajos Molnar   Date: 2017-10-04   Files: 1   Lines: -2/+1

    Bug: 62673128
    Change-Id: Id5f04b772aaca3184879bd5bca453ad9e82c7f94
    (cherry picked from commit 5e96386ab7a5391185f6b3ed9ea06f3e23ed253b)
    CVE-2017-0809
* Avoid crash for stss sync sample number 0
  Author: Roger1 Jonsson   Date: 2017-09-17   Files: 1   Lines: -0/+4

    A sample number value of 0 means that the value stored in the mSyncSamples array would become negative (-1) when converted to an index value. This causes a crash.

    Make sure that stss sample numbers are bigger than 0 before converting sample number to index value.

    Bug: 32423862
    bug: 35645051
    Test: Playback video that triggers stss sync sample number 0
    Change-Id: I35bee7c718e01b086d7e05deda13b38083f509f5
    (cherry picked from commit 024e783acdff65cdb8eb9de5ade3359ebb338a3b)
* Track: Check buffer size of static tracks
  Author: Andy Hung   Date: 2017-09-17   Files: 1   Lines: -0/+15

    Merged-In: Ia7edd9a802905214a27961dbcec6352f6ef98f73
    Test: Native POC
    Bug: 38340117
    Change-Id: I633caf563d3607dbe4b9be10be1687efce33469c
    (cherry picked from commit f4aeab2bd69bead05ed75ae3254f53a6ab2316b5)
    CVE-2017-0779
* AudioFlinger: Fix memory allocation for client-less tracks
  Author: Andy Hung   Date: 2017-09-17   Files: 1   Lines: -6/+7

    Test: Ringtone with BT
    Bug: 35350587
    Bug: 38340117
    Change-Id: If247d319d58f8f4d18b49f58ec950491871ebb2d
    (cherry picked from commit afb31487f3156a7284d2f0d06646c7bc00d99537)
    (cherry picked from commit 1159ffd5e3f832206982d45a7b030b943cc4775e)
    CVE-2017-0779
* MPEG4Extractor: check size for yrrc box
  Author: Dongwon Kang   Date: 2017-09-17   Files: 1   Lines: -0/+9

    Test: stagefright -s poc_file
    Bug: 62133227
    Change-Id: Iafefac39764ce01b4dde414b9f152c9ea71810e9
    (cherry picked from commit 6ace94d2952eac82fc4c86aa6d585258248bf18c)
    CVE-2017-0778
* stagefright: check aac_frame_length to prevent infinite loop
  Author: Chong Zhang   Date: 2017-09-17   Files: 1   Lines: -0/+5

    bug: 62673179
    Change-Id: I5da44822ad2ff59d396d1df42f34cd0a5620e134
    (cherry picked from commit 6e2bcf40e4083be3a0fbb13d03293a78301e66ef)
    CVE-2017-0775
* MPEG4Source: fix fragmented read.
  Author: Wei Jia   Date: 2017-09-17   Files: 1   Lines: -1/+2

    Test: passed CTS test DecoderTest#testDecodeFragmented
    Bug: 64314728
    Bug: 36571704
    Change-Id: I71ad6aaae473b03483f8405899d3178148597bba
    (cherry picked from commit ba9af7792dfed6e9b1b216aab91a97e713eec891)
    (cherry picked from commit 6b401a337674f2f22b7589534700a33187899869)
    CVE-2017-0774
* MPEG4Extractor: ensure returned status is checked.
  Author: Wei Jia   Date: 2017-09-17   Files: 2   Lines: -10/+69

    Also fix handling of zero atom size in MPEG4Source::parseChunk.

    IDataSource: ensure readAt returns correct status.

    Test: manually test with mediaplayer.
    Bug: 34718515
    Change-Id: I1219ec579aa0876dc1230e36af46b158b84c6d77
    (cherry picked from commit ff1fb4d5cdd3b2b28c69edd8cd3021e335ca381a)
    (cherry picked from commit 371561214467f848496928914f771703d6c331e6)
    Change-Id: I51546975ac0992cff7cf890a71a177e1058ed613
    CVE-2017-0774
* MediaPlayerService: fix access of mPlayer in client
  Author: Wei Jia   Date: 2017-09-17   Files: 1   Lines: -8/+34

    Test: poc doesn't crash
    Bug: 38234812
    Change-Id: I6f9be046ff66d2d5bed27bd712287e4ead550830
    (cherry picked from commit 502c2f405355c3253990ac4edae345ac1907f916)
    CVE-2017-0770
* audio effects: filter reserved effect commands
  Author: Eric Laurent   Date: 2017-09-17   Files: 1   Lines: -0/+18

    Block effect commands reserved for framework use when received on server side IAudioEffect. Applications have no reason to use these commands and they present an unnecessary attack surface.

    Bug: 62019992
    Test: run CTS tests for audio effects
    Change-Id: Ie680d5d5650f99dbabf93891703e1cde2c2e852d
    (cherry picked from commit c7ab309ecbb289cd1296430f724166a26bd45afe)
    CVE-2017-0768