Commit message | Author | Age | Files | Lines
...
* EffectBundle: Check value size for get preset name | Andy Hung | 2017-09-17 | 1 | -0/+7
  Test: CTS testAllEffectsEqualizer_CVE_2017_0401
  Bug: 37536407
  Change-Id: I347af04677fc49a01efb549f06ff81d1a00dc4d0
  (cherry picked from commit fa5c6c97ee86ff038979cedea5c449be4e2b9899)
  CVE-2017-0767
* stagefright: fix crash due to bad timestamp index | Chong Zhang | 2017-09-17 | 1 | -4/+9
  bug: 62872863
  Change-Id: I7f8ae62173d8b4bef0d6c35166427871408ad9dd
  (cherry picked from commit 069c97e06521035e81ead2eeff8960613fed9254)
  CVE-2017-0765
* Change MPEG2 reinit Error Handling | Venkatarama Avadhani | 2017-09-17 | 1 | -14/+9
  Changing reinit handling to not notify error in case init fails.
  Bug: 37237396
  Test: ran poc before/after on nyc-mr2
  Change-Id: I694a9d2ccee7622d9c736efac12c9ec8639911f4
  (cherry picked from commit a67eacace769095eb04b01681c99d931e68a4b08)
  CVE-2017-0760
* Notify Errors Appropriately from SoftMPEG2 | Venkatarama Avadhani | 2017-09-17 | 2 | -7/+38
  This is to ensure that the framework realises that an error has occurred and does not call onQueueFilled if the error is fatal.
  Bug: 36715268
  Change-Id: If02499d306aa9b6df64a7f25d43d1bdf318a10cd
  (cherry picked from commit eae3ad0585d17bab12bbd831b58407c122732a1c)
  CVE-2017-0759
* Fix TOCTOU problem in libstagefright_soft_aacenc | Ray Essick | 2017-09-17 | 2 | -0/+13
  Fixes a configuration error where we sized a buffer initially based on the configuration at the time and held onto the buffer through the rest of our lifetime. If the configuration was changed in a way that resulted in needing a different size buffer, the code did not make this happen.
  Patch keeps the buffer around but also stores the 'current allocation size'. This allows the later code that preps the buffer to query if the buffer size is same or changed. If changed, we discard the old buffer and allocate a new one of the appropriate size.
  safetynet logging added so we can tell how often this happens in the field.
  Testing was done on nyc-mr2 (where poc was built). Patch applies without change to k/l/m/n/master.
  Bug: 34621073
  Test: run POC, saw new diagnostics saying it caught the size change.
  Change-Id: Ia95aadc8c727434b7ba9628deeae327c405336d3
  (cherry picked from commit 0495c029bd51bcfc1cca8c943ab4ce2f201dbe98)
  CVE-2017-0756
* Fix security vulnerability: Equalizer setParameter memory overflow | rago | 2017-08-21 | 1 | -3/+31
  Bug: 37563371
  Test: use POC on bug or cts security test
  Change-Id: I9c9453a222b53fd5ef821330a34cb9e938e4d9c5
  (cherry picked from commit 68b9e0f5d69d3b1e7b7628037696ce32f032e819)
* Check the buffer index from acquireBuffer | Pawin Vongmasa | 2017-08-21 | 1 | -1/+17
  Test: Run the POC
  Test: Small CtsMediaTestCases
  Bug: 37563942
  Change-Id: I8ddfbc91a08d96de1f732e6776d6f90997042f6b
  (cherry picked from commit 77e1eb5988ed2b9abff0fec19663d1ec094af192)
* Don't leak `this` out of GraphicBufferSource ctor | Robert Shih | 2017-08-21 | 3 | -11/+9
  Bug: 37622974
  Bug: 37622987
  Bug: 37623757
  Test: run poc and observe no crash
  Change-Id: I1e25c011f02bec26a1480ec9a217a52f15d43cf2
  (cherry picked from commit 6301f882512ec39baf28640f31b90104def1738d)
* better manage buffer for libstagefright_soft_mpeg4enc | Ray Essick | 2017-08-21 | 2 | -16/+13
  Existing code allocated buffer, adjusted pointer to use it, and would adjust the pointer back when it came time to free the space. The problem was that the adjustment was based on user-supplied values and if the user changed those values between alloc and free (which was possible), the code ended up free()ing the wrong address.
  We fix this by keeping an extra pointer -- the unmodified allocation -- which we use for the subsequent free() calls. This makes the free() independent of any changes to values that the user provides.
  Bug: 36075363
  Test: ran poc against patched nyc-mr2-dev tree
  Change-Id: I7013ff5883a945c4647517b2980c76a6558f23d2
  (cherry picked from commit 90d2dd403bc8faa421cfc6b26930e5aa69879943)
* Fix integer overflow in mediadrmserver | Jeff Tinker | 2017-08-21 | 1 | -1/+1
  bug:37710346
  Change-Id: If18cfb5bb1d1f1b2997d2a0e1685590d674181f4
  (cherry picked from commit eb21712f81aa9f6d5b055113595220ee1506f35c)
* Fix potential leak | Marco Nelissen | 2017-08-21 | 1 | -1/+3
  Fix potential memory leak introduced with bugfix for bug 31449945.
  Bug: 36389123
  Change-Id: I5a9a3551692d6cba385b45c4c7a465aa377a62b1
  (cherry picked from commit a0721999eccd22d900eb6dec7e48f835f28ce999)
* m4v_h263: update width/height only when they are valid. | Wei Jia | 2017-08-21 | 1 | -5/+13
  Test: the file in the bug doesn't crash
  Bug: 37079296
  Change-Id: Ie092971dda568119ca38ec67d65ccfc00df93185
  (cherry picked from commit 0b5726782d5f9764325057870cef2750853f286a)
* m4v_h263: check header first before decoding a frame. | Wei Jia | 2017-08-21 | 1 | -4/+19
  Test: fix the file in the bug
  Bug: 37660827
  Change-Id: I9d6919f96c0c9f29221be1e8e852ecb21062bad9
  (cherry picked from commit db545366c2e893dbbe1a42d858c52067101beda6)
  (cherry picked from commit 38142b60f5144f92d99463fa1d65c543382d1264)
* Don't allow using or allocating a buffer after the first state transition | Marco Nelissen | 2017-07-07 | 1 | -0/+18
  Bug: 35467458
  AOSP-Change-Id: Ia76c8cec8ad2abb95ca29b2a89075f7acab4b174
  (cherry picked from commit e25320450ca414dd859fd5d80bcd18ecc91630de)
  CVE-2017-0698
  Change-Id: Iab332c38fff8fbf6ac89868661d02a7a078c4063
* Fix memory leak in error case | Marco Nelissen | 2017-07-07 | 1 | -0/+1
  Bug: 37239013
  AOSP-Change-Id: Ic33e0f7ed946d0729efa46f69aff1a5d35e81b1e
  (cherry picked from commit ab34612a31e82b713ca0ac043e14f68f3788fbda)
  CVE-2017-0697
  Change-Id: Ifa58f980ea543e0062f2ac8884d4aaef11c31972
* Limit ogg packet size | Marco Nelissen | 2017-07-07 | 1 | -1/+15
  A malformed ogg file might lace together a very large packet, which could lead to out of memory conditions. Limit the packet size to avoid this.
  Bug: 36592202
  AOSP-Change-Id: I8650b3ec54a0de9ec302a7cbac296bb85efcfb3d
  (cherry picked from commit bf928560aca13c5a615cb3ffc3b6aad16cdf3824)
  CVE-2017-0690
  Change-Id: Iea9da72ec8ab00acdc4be26ba1fdb6ac19a3645c
* Prevent OOB write in soft_avc encoder | Ray Essick | 2017-07-07 | 2 | -0/+14
  Soft avc encoder cached buffer sizes across a point where the sizes could be reset by an app, allowing crafted requests to hit outside of the current buffer. This remedies that by forcing buffer reallocation with new sizes whenever the encoder state at such 'reset' points.
  Bug: 35421151
  Test: run POC with no crash
  AOSP-Change-Id: I8c689846142264f7b6a277332260a6bd8a2bd92d
  (cherry picked from commit 463452a94907278ca5e4c5632e50bbe59e861544)
  CVE-2017-0684
  Change-Id: I8df14195d067a42f7bf3ebb8a5ac40fb433a5bea
* Add bounds check in SoftAACEncoder2::onQueueFilled() | Ray Essick | 2017-05-25 | 1 | -0/+9
  Original code blindly copied some header information into the user-supplied buffer without checking for sufficient space. The code does check when it gets to filling the data -- it's just the header copies that weren't checked.
  Bug: 34617444
  Test: ran POC before/after
  AOSP-Change-Id: I6e80ec90616f6cd02bb8316cd2d6e309b7e4729d
  (cherry picked from commit 6231243626b8b9c57593b1f0ee417f2c4af4c0aa)
  CVE-2017-0594
  Change-Id: Ie431b848ffa24700e3e4d84c0e98af99bec9ae5e
* Fix NPDs in h263 decoder | Marco Nelissen | 2017-05-25 | 2 | -1/+24
  Bug: 35269635
  Test: decoded PoC with and without patch
  AOSP-Change-Id: I636a14360c7801cc5bca63c9cb44d1d235df8fd8
  (cherry picked from commit 2ad2a92318a3b9daf78ebcdc597085adbf32600d)
  CVE-2017-0600
  Change-Id: Iff929daa479816bb2c0363705d14ad2ee5e11a13
* AudioFlinger: Check framecount overflow when creating track | Andy Hung | 2017-05-25 | 1 | -1/+16
  Test: Native POC
  Bug: 34749571
  AOSP-Change-Id: I7529658e52ac7e64d162eb5338f10fb25eaa8fe7
  (cherry picked from commit 1883f69de5f2c4e71df58d5b71d7c39f9779b50c)
  (cherry picked from commit eaa3969f757291f151efedde17ec529b8659024d)
  CVE-2017-0597
  Change-Id: I2a9338daba9a6aae882daa176cf4c8445de316e6
* Fix out of bounds access | Marco Nelissen | 2017-05-25 | 1 | -4/+8
  Bug: 34618607
  AOSP-Change-Id: I84f0ef948414d0b2d54e8948b6c30b8ae4da2b36
  (cherry picked from commit d1c19c57f66d91ea8033c8fa6510a8760a6e663b)
  CVE-2017-0588
  Change-Id: I11dee84a2bf7da9d794f94696af56a78967faea6
* Fix integer overflow and divide-by-zero | Marco Nelissen | 2017-05-25 | 2 | -2/+2
  Bug: 35763994
  Test: ran CTS with and without fix
  AOSP-Change-Id: If835e97ce578d4fa567e33e349e48fb7b2559e0e
  (cherry picked from commit 8538a603ef992e75f29336499cb783f3ec19f18c)
  CVE-2017-0603
  Change-Id: I043e7c709915decc693879adafe5337189021131
* codecs: handle onReset() for a few encoders | Wonsik Kim | 2017-05-18 | 8 | -19/+61
  Test: Run PoC binaries
  Bug: 34749392
  Bug: 34705519
  AOSP-Change-Id: I3356eb615b0e79272d71d72578d363671038c6dd
  CVE-2017-0595, CVE-2017-0596
  Change-Id: I431e810876891f29bbef5b8b84c25bce8c5eeae0
* resolve merge conflicts of 79cf158c51 to mnc-dev | Marco Nelissen | 2017-04-05 | 1 | -4/+10
  AOSP-Change-Id: Ied32e83215e386c801c02991a0b2fa4baa25b643
  CVE-2017-0558
  (cherry picked from commit 50358a80b1724f6cf1bcdf003e1abf9cc141b122)
  Change-Id: Ic2e40c7d6aec8427444a1fd145726e490e994d08
* Fix overflow check and check read result | Marco Nelissen | 2017-04-05 | 1 | -8/+10
  Bug: 33861560
  Test: build
  AOSP-Change-Id: Ia85519766e19a6e37237166f309750b3e8323c4e
  CVE-2017-0547
  (cherry picked from commit 9667e3eff2d34c3797c3b529370de47b2c1f1bf6)
  Change-Id: I171aa1c7c4a4a5095ac7041371db14e3a4f3676a
* EffectBundle: check nb channels to write speaker angles | Jean-Michel Trivi | 2017-04-05 | 1 | -8/+16
  When speaker angles are queried, the size of the array for the returned data is 3x the number of channels (where really it should be max(2, nbChannels)). The code assumed it was at least 3x2 (where 2 is the number of virtual speakers this effect supports) and would thus crash when called for a mono channel mask.
  Test: see repro steps in bug
  Bug: 32591350
  AOSP-Change-Id: I33d4bff6b2e19a9fc4284a85a446804878d3a410
  CVE-2017-0545
  Change-Id: Ie4480d9abcfafcd53fca15ab2fd8ef7ecb6fd48d
  (cherry picked from commit e5a54485e08400a976092cd5b1c6d909d0e1a4ab)
* CameraBase: Don't return an sp<> by reference | Eino-Ville Talvala | 2017-04-05 | 2 | -6/+6
  If the server dies, the binder death callback clears out the global camera service sp<>, and any current references to it will become quite unhappy.
  Test: Camera CTS passes
  Bug: 31992879
  AOSP-Change-Id: I2966bed35d0319e3f26e3d4b1b8dc08006a22348
  CVE-2017-0544
  Change-Id: Ib7ef455366927b0471f8fcabdd5a54e38e375d41
  (cherry picked from commit 4b49489c12e6862e9a320ebcb53872e809ed20ec)
* avc_utils: skip empty NALs from malformed bitstreams | Robert Shih | 2017-03-22 | 1 | -1/+4
  Avoid a CHECK and make it the decoder's responsibility to handle a malformed bitstream gracefully.
  Bug: 34509901
  Bug: 33137046
  Test: StagefrightTest#testStagefright_bug_27855419_CVE_2016_2463
  CVE-2017-0483
  Change-Id: I2d94f8da63d65a86a9c711c45546e4c695e0f3b4
  (cherry picked from commit 91fe76a157847825601b8f7a627efd1c9cbadcae)
  (cherry picked from commit 5cabe32a59f9be1e913b6a07a23d4cfa55e3fb2f)
* Don't initialize sync sample parameters until the end | Marco Nelissen | 2017-03-22 | 1 | -9/+12
  to avoid leaving them in a partially initialized state.
  Bug: 33137046
  Test: ran CTS tests
  CVE-2017-0483
  Change-Id: I1f5c070233c5917d85da9e930e01a3fc51a0a0ec
  (cherry picked from commit a9660fe122ca382e1777e0c5d3c42ca67ffb0377)
  (cherry picked from commit bc62c086e9ba7530723dc8874b83159f4d77d976)
* DO NOT MERGE - audioflinger: fix recursive mutex lock in EffectHandle. | Eric Laurent | 2017-03-22 | 1 | -7/+25
  Bug: 33661708
  Bug: 32707507
  Bug: 32095713
  Test: run CTS AudioEffectTest#test5_0Command, Custom binder test
  CVE-2017-0479
  CVE-2017-0480
  Change-Id: I03f674f126c191143bd8bdfe236f793e975826a5
  (cherry picked from commit 31a4598a1908b3ccac7ddb33c511ce66840aa911)
  (cherry picked from commit 8415635765380be496da9b4578d8f134a527d86b)
* DO NOT MERGE - improve audio effect framework thread safety | Eric Laurent | 2017-03-22 | 7 | -123/+225
  - Reorganize handle effect creation code to make sure the effect engine is created with both thread and effect chain mutex held.
  - Reorganize handle disconnect code to make sure the effect engine is released with both thread and effect chain mutex held.
  - Protect IEffect interface methods in EffectHandle with a Mutex.
  - Only pin effect if the session was acquired first.
  - Do not use strong pointer to EffectModule in EffectHandles: only the EffectChain has a single strong reference to the EffectModule.
  Bug: 32707507
  CVE-2017-0479
  CVE-2017-0480
  CVE-2017-0499
  Change-Id: Ia1098cba2cd32cc2d1c9dfdff4adc2388dfed80e
  (cherry picked from commit b378b73dd7480b584340b8028802c9ca2d625123)
  (cherry picked from commit 22e26d8ee73488c58ba3e7928e5da155151abfd0 with backport by <sultanxda@gmail.com>)
* Fix security vulnerability: potential OOB write in audioserver | rago | 2017-03-13 | 3 | -6/+49
  Bug: 32705438
  Bug: 32703959
  Test: cts security test
  Change-Id: I8900c92fa55b56c4c2c9d721efdbabe6bfc8a4a4
  (cherry picked from commit e275907e576601a3579747c3a842790bacf111e2)
  (cherry picked from commit b0bcddb44d992e74140a3f5eedc7177977ea8e34)
* Effect: Use local cached data for Effect commit | Andy Hung | 2017-03-13 | 1 | -19/+38
  Test: POC, Cts Effect, BassBoost, EnvReverb, Equalizer,
  Test: LoudnessEnhancer, PresetReverb, Virtualizer, Visualizer
  Bug: 32220769
  Change-Id: Iea96ba0daf71691ee8954cca4ba1c10fe827626e
  (cherry picked from commit dd79ccda92c1e9b982b2d0f8877d98e5258fbb73)
  (cherry picked from commit a155de4d70e0b9ac8fc02b2bdcbb2e8e6cca46ff)
* IOMX: convert ANWB to Gralloc meta if using useBuffer in the same process | Lajos Molnar | 2017-02-03 | 1 | -3/+5
  This was disabled by a previous commit.
  Bug: 32436178
  Change-Id: I9f9c6a372a039226d61f3651be3af207fed63e60
  (cherry picked from commit 4fb1e42a16e77d7abf1d84bedbc20f901af26524)
* stagefright: remove allottedSize equality check in IOMX::useBuffer | Lajos Molnar | 2017-02-03 | 1 | -7/+0
  This was meant for buffers shared cross-process, but we are not gaining anything from this check even if it was at the correct place.
  Bug: 32436178
  Change-Id: I6919e8ac6e35092273e171f49f6711ba577ba2e6
  (cherry picked from commit 58388aa7be1c6963eb4b8464d46938ba9b0a04b0)
* Effects: Check get parameter command size | Andy Hung | 2017-02-03 | 1 | -0/+7
  Test: Custom test.
  Bug: 32438594
  Bug: 32624850
  Bug: 32635664
  Change-Id: I9b1315e2c02f11bea395bfdcf5c1ccddccbad8a6
  (cherry picked from commit 3d34cc76e315dfa8c3b1edf78835b0dab4980505)
  (cherry picked from commit 26965db50a617f69bdefca0d7533796c80374f2c)
* Visualizer: Check capture size and latency parameters | Andy Hung | 2017-02-03 | 1 | -11/+32
  Bug: 31781965
  Change-Id: I1c439a0d0f6aa0057b3c651499f28426e1e1f5e4
  (cherry picked from commit 9a2732ba0a8d609ab040d2c1ddee28577ead9772)
  (cherry picked from commit 557bd7bfe6c4895faee09e46fc9b5304a956c8b7)
* Make VBRISeeker more robust | Marco Nelissen | 2017-01-13 | 1 | -2/+16
  Bug: 32577290
  Change-Id: I9bcc9422ae7dd3ae4a38df330c9dcd7ac4941ec8
  (cherry picked from commit 7fdd36418e945cf6a500018632dfb0ed8cb1a343)
  (cherry picked from commit 453b351ac5bd2b6619925dc966da60adf6b3126c)
* DO NOT MERGE: defensive parsing of mp3 album art information | Ray Essick | 2017-01-13 | 1 | -17/+39
  several points in stagefright's mp3 album art code used strlen() to parse user-supplied strings that may be unterminated, resulting in reading beyond the end of a buffer. This changes the code to use strnlen() for 8-bit encodings and strengthens the parsing of 16-bit encodings similarly. It also reworks how we watch for the end-of-buffer to avoid all over-reads.
  Bug: 32377688
  Test: crafted mp3's w/ good/bad cover art. See what showed in play music
  Change-Id: Ia9f526d71b21ef6a61acacf616b573753cd21df6
  (cherry picked from commit fa0806b594e98f1aed3ebcfc6a801b4c0056f9eb)
  (cherry picked from commit 7a3246b870ddd11861eda2ab458b11d723c7f62c)
* Fix security vulnerability: Effect command might allow negative indexes | rago | 2017-01-13 | 1 | -6/+26
  Bug: 32448258
  Bug: 32095626
  Test: Use POC bug or cts security test
  Change-Id: I69f24eac5866f8d9090fc4c0ebe58c2c297b63df
  (cherry picked from commit 01183402d757f0c28bfd5e3b127b3809dfd67459)
  (cherry picked from commit 321ea5257e37c8edb26e66fe4ee78cca4cd915fe)

  Fix security vulnerability: Equalizer command might allow negative indexes
  Bug: 32247948
  Bug: 32438598
  Bug: 32436341
  Test: use POC on bug or cts security test
  Change-Id: I91bd6aadb6c7410163e03101f365db767f4cd2a3
  (cherry picked from commit 0872b65cff9129633471945431b9a5a28418049c)
  (cherry picked from commit e981cca9fff3608af22bdf8fc1acef5470e25663)
  (cherry picked from commit c66c43ad571ed2590dcd55a762c73c90d9744bac)
* soundtrigger: fix memory corruption | Sam Mortimer | 2016-12-13 | 1 | -1/+1
  Fixes hotword on angler.
  Change-Id: Ic15a617c0f79f03785feaddd2dfa6deb90842a06
  (cherry picked from commit 5f72b2213b9dc96ce91871398b539ad6aa653142)
* DO NOT MERGE Fix divide by zero | Marco Nelissen | 2016-12-12 | 1 | -5/+18
  and be stricter about the layout of various boxes in mp4 files.
  CYNGNOS-3312
  Bug: 31318219
  Change-Id: I50034d5b6b1967ca6e88aabeacf49f26ba3c0d32
  (cherry picked from commit 2e211d38a3124849ef46376256d01e69549c422f)
  (cherry picked from commit d4eb1e1ca163d6ab0eaf0d80ca138f851f87c3d2)
* Fix potential NULL dereference in Visualizer effect | rago | 2016-12-12 | 1 | -3/+8
  CYNGNOS-3312
  Bug: 30229821
  Test: fixing CL. Existing unit tests still pass.
  Change-Id: I6e4abd759d5d2abc3b391e92e2e18f060cab7af0
  (cherry picked from commit 874f9e0b8eb0cbe508d15c8c03796c863851f21f)
  (cherry picked from commit 244e7fd2a45b4e7d70d2c2e550181220371b7edf)
* Merge tag 'android-6.0.1_r74' into HEAD | Jessica Wagantall | 2016-11-09 | 16 | -80/+275
|\
| | CYNGNOS-3303
| | Android 6.0.1 release 74
| | Change-Id: I0a14578751f4ecb8d13def26b9ffe5dcba4afd72
| * stagefright: don't fail MediaCodec.configure if clients use store-meta key | Lajos Molnar | 2016-10-11 | 1 | -1/+4
| | Even though storing metadata is not supported in MediaCodec.configure and is only meant to be used by Stagefright recorder, don't fail configure.
| | Bug: 31986922
| | Change-Id: Id9f083be6e857e7a0d8d4a74159be5b8894e28be
| | (cherry picked from commit ae52fd383a43ac239f459078fd003ce8ac2efb55)
| * IOMX: do not clear buffer if it's allocated by component | Chong Zhang | 2016-09-30 | 1 | -1/+0
| | The component might depend on their buffers to be initialized in certain ways to work. Don't clear unless we're allocating it.
| | bug: 31586647
| | Change-Id: Ia0a125797e414998ef0cd8ce03672f5b1e0bbf7a
| | (cherry picked from commit ea76573aa276f51950007217a97903c4fe64f685)
| * IOMX: allow configuration after going to loaded state | Lajos Molnar | 2016-09-30 | 1 | -2/+8
| | This was disallowed recently but we still use it as MediaCodec.stop only goes to loaded state, and does not free component.
| | Bug: 31450460
| | Change-Id: I72e092e4e55c9f23b1baee3e950d76e84a5ef28d
| | (cherry picked from commit e03b22839d78c841ce0a1a0a1ee1960932188b0b)
| * IOMX: restrict conversion of ANWB to gralloc source in emptyBuffer | Lajos Molnar | 2016-09-30 | 1 | -2/+7
| | This is only allowed in-process (if backup and codec buffers are connected.)
| | Bug: 29422020
| | Bug: 31412859
| | Change-Id: If48e3e0b6f1af99a459fdc3f6f03744bbf0dc375
| | (cherry picked from commit 087ff38490016f4a0b6a1e717ae8af781d9b750c)
| * Limit mp4 atom size to something reasonable | Marco Nelissen | 2016-09-27 | 1 | -0/+13
| | Bug: 28615448
| | Change-Id: I5916f6839b4a9bbee4388a106e7373bcd4154f5a
| | (cherry picked from commit cb898dca47ac03738db91ddc371207435d2a1526)
| * SampleIterator: clear members on seekTo error | Robert Shih | 2016-09-27 | 1 | -3/+4
| | Bug: 31091777
| | Change-Id: Iddf99d0011961d0fd3d755e57db4365b6a6a1193
| | (cherry picked from commit 03237ce0f9584c98ccda76c2474a4ae84c763f5b)