| Commit message | Author | Age | Files | Lines |
| |
Test: CTS testAllEffectsEqualizer_CVE_2017_0401
Bug: 37536407
Change-Id: I347af04677fc49a01efb549f06ff81d1a00dc4d0
(cherry picked from commit fa5c6c97ee86ff038979cedea5c449be4e2b9899)
CVE-2017-0767
| |
bug: 62872863
Change-Id: I7f8ae62173d8b4bef0d6c35166427871408ad9dd
(cherry picked from commit 069c97e06521035e81ead2eeff8960613fed9254)
CVE-2017-0765
| |
Changing reinit handling to not notify error in case init fails.
Bug: 37237396
Test: ran poc before/after on nyc-mr2
Change-Id: I694a9d2ccee7622d9c736efac12c9ec8639911f4
(cherry picked from commit a67eacace769095eb04b01681c99d931e68a4b08)
CVE-2017-0760
| |
This is to ensure that the framework realises that an error has
occurred and does not call onQueueFilled if the error is fatal.
Bug: 36715268
Change-Id: If02499d306aa9b6df64a7f25d43d1bdf318a10cd
(cherry picked from commit eae3ad0585d17bab12bbd831b58407c122732a1c)
CVE-2017-0759
| |
Fixes a configuration error where we sized a buffer initially based
on the configuration at the time and held onto the buffer through the
rest of our lifetime. If the configuration was changed in a way that
resulted in needing a different size buffer, the code did not make
this happen.
Patch keeps the buffer around but also stores the 'current allocation
size'. This allows the later code that preps the buffer to query if
the buffer size is same or changed. If changed, we discard the old
buffer and allocate a new one of the appropriate size.
safetynet logging added so we can tell how often this happens in the
field.
Testing was done on nyc-mr2 (where poc was built). Patch applies
without change to k/l/m/n/master.
Bug: 34621073
Test: run POC, saw new diagnostics saying it caught the size change.
Change-Id: Ia95aadc8c727434b7ba9628deeae327c405336d3
(cherry picked from commit 0495c029bd51bcfc1cca8c943ab4ce2f201dbe98)
CVE-2017-0756
| |
Bug: 37563371
Test: use POC on bug or cts security test
Change-Id: I9c9453a222b53fd5ef821330a34cb9e938e4d9c5
(cherry picked from commit 68b9e0f5d69d3b1e7b7628037696ce32f032e819)
| |
Test: Run the POC
Test: Small CtsMediaTestCases
Bug: 37563942
Change-Id: I8ddfbc91a08d96de1f732e6776d6f90997042f6b
(cherry picked from commit 77e1eb5988ed2b9abff0fec19663d1ec094af192)
| |
Bug: 37622974
Bug: 37622987
Bug: 37623757
Test: run poc and observe no crash
Change-Id: I1e25c011f02bec26a1480ec9a217a52f15d43cf2
(cherry picked from commit 6301f882512ec39baf28640f31b90104def1738d)
| |
Existing code allocated buffer, adjusted pointer to use it, and would
adjust the pointer back when it came time to free the space. The problem
was that the adjustment was based on user-supplied values and if the
user changed those values between alloc and free (which was possible),
the code ended up free()ing the wrong address.
We fix this by keeping an extra pointer -- the unmodified allocation --
which we use for the subsequent free() calls. This makes the free()
independent of any changes to values that the user provides.
Bug: 36075363
Test: ran poc against patched nyc-mr2-dev tree
Change-Id: I7013ff5883a945c4647517b2980c76a6558f23d2
(cherry picked from commit 90d2dd403bc8faa421cfc6b26930e5aa69879943)
| |
bug:37710346
Change-Id: If18cfb5bb1d1f1b2997d2a0e1685590d674181f4
(cherry picked from commit eb21712f81aa9f6d5b055113595220ee1506f35c)
| |
Fix potential memory leak introduced with bugfix for bug 31449945.
Bug: 36389123
Change-Id: I5a9a3551692d6cba385b45c4c7a465aa377a62b1
(cherry picked from commit a0721999eccd22d900eb6dec7e48f835f28ce999)
| |
Test: the file in the bug doesn't crash
Bug: 37079296
Change-Id: Ie092971dda568119ca38ec67d65ccfc00df93185
(cherry picked from commit 0b5726782d5f9764325057870cef2750853f286a)
| |
Test: fix the file in the bug
Bug: 37660827
Change-Id: I9d6919f96c0c9f29221be1e8e852ecb21062bad9
(cherry picked from commit db545366c2e893dbbe1a42d858c52067101beda6)
(cherry picked from commit 38142b60f5144f92d99463fa1d65c543382d1264)
| |
Bug: 35467458
AOSP-Change-Id: Ia76c8cec8ad2abb95ca29b2a89075f7acab4b174
(cherry picked from commit e25320450ca414dd859fd5d80bcd18ecc91630de)
CVE-2017-0698
Change-Id: Iab332c38fff8fbf6ac89868661d02a7a078c4063
| |
Bug: 37239013
AOSP-Change-Id: Ic33e0f7ed946d0729efa46f69aff1a5d35e81b1e
(cherry picked from commit ab34612a31e82b713ca0ac043e14f68f3788fbda)
CVE-2017-0697
Change-Id: Ifa58f980ea543e0062f2ac8884d4aaef11c31972
| |
A malformed ogg file might lace together a very large packet, which
could lead to out of memory conditions. Limit the packet size to
avoid this.
Bug: 36592202
AOSP-Change-Id: I8650b3ec54a0de9ec302a7cbac296bb85efcfb3d
(cherry picked from commit bf928560aca13c5a615cb3ffc3b6aad16cdf3824)
CVE-2017-0690
Change-Id: Iea9da72ec8ab00acdc4be26ba1fdb6ac19a3645c
| |
Soft avc encoder cached buffer sizes across a point where the sizes
could be reset by an app, allowing crafted requests to hit outside
of the current buffer. This remedies that by forcing buffer reallocation
with new sizes whenever the encoder state at such 'reset' points.
Bug: 35421151
Test: run POC with no crash
AOSP-Change-Id: I8c689846142264f7b6a277332260a6bd8a2bd92d
(cherry picked from commit 463452a94907278ca5e4c5632e50bbe59e861544)
CVE-2017-0684
Change-Id: I8df14195d067a42f7bf3ebb8a5ac40fb433a5bea
| |
Original code blindly copied some header information into the
user-supplied buffer without checking for sufficient space.
The code does check when it gets to filling the data -- it's
just the header copies that weren't checked.
Bug: 34617444
Test: ran POC before/after
AOSP-Change-Id: I6e80ec90616f6cd02bb8316cd2d6e309b7e4729d
(cherry picked from commit 6231243626b8b9c57593b1f0ee417f2c4af4c0aa)
CVE-2017-0594
Change-Id: Ie431b848ffa24700e3e4d84c0e98af99bec9ae5e
| |
Bug: 35269635
Test: decoded PoC with and without patch
AOSP-Change-Id: I636a14360c7801cc5bca63c9cb44d1d235df8fd8
(cherry picked from commit 2ad2a92318a3b9daf78ebcdc597085adbf32600d)
CVE-2017-0600
Change-Id: Iff929daa479816bb2c0363705d14ad2ee5e11a13
| |
Test: Native POC
Bug: 34749571
AOSP-Change-Id: I7529658e52ac7e64d162eb5338f10fb25eaa8fe7
(cherry picked from commit 1883f69de5f2c4e71df58d5b71d7c39f9779b50c)
(cherry picked from commit eaa3969f757291f151efedde17ec529b8659024d)
CVE-2017-0597
Change-Id: I2a9338daba9a6aae882daa176cf4c8445de316e6
| |
Bug: 34618607
AOSP-Change-Id: I84f0ef948414d0b2d54e8948b6c30b8ae4da2b36
(cherry picked from commit d1c19c57f66d91ea8033c8fa6510a8760a6e663b)
CVE-2017-0588
Change-Id: I11dee84a2bf7da9d794f94696af56a78967faea6
| |
Bug: 35763994
Test: ran CTS with and without fix
AOSP-Change-Id: If835e97ce578d4fa567e33e349e48fb7b2559e0e
(cherry picked from commit 8538a603ef992e75f29336499cb783f3ec19f18c)
CVE-2017-0603
Change-Id: I043e7c709915decc693879adafe5337189021131
| |
Test: Run PoC binaries
Bug: 34749392
Bug: 34705519
AOSP-Change-Id: I3356eb615b0e79272d71d72578d363671038c6dd
CVE-2017-0595, CVE-2017-0596
Change-Id: I431e810876891f29bbef5b8b84c25bce8c5eeae0
| |
AOSP-Change-Id: Ied32e83215e386c801c02991a0b2fa4baa25b643
CVE-2017-0558
(cherry picked from commit 50358a80b1724f6cf1bcdf003e1abf9cc141b122)
Change-Id: Ic2e40c7d6aec8427444a1fd145726e490e994d08
| |
Bug: 33861560
Test: build
AOSP-Change-Id: Ia85519766e19a6e37237166f309750b3e8323c4e
CVE-2017-0547
(cherry picked from commit 9667e3eff2d34c3797c3b529370de47b2c1f1bf6)
Change-Id: I171aa1c7c4a4a5095ac7041371db14e3a4f3676a
| |
When speaker angles are queried, the size of the array for the
returned data is 3x the number of channels (where really it
should be max(2, nbChannels)). The code assumed it was at
least 3x2 (where 2 is the number of virtual speakers this
effect supports) and would thus crash when called for a mono
channel mask.
Test: see repro steps in bug
Bug: 32591350
AOSP-Change-Id: I33d4bff6b2e19a9fc4284a85a446804878d3a410
CVE-2017-0545
Change-Id: Ie4480d9abcfafcd53fca15ab2fd8ef7ecb6fd48d
(cherry picked from commit e5a54485e08400a976092cd5b1c6d909d0e1a4ab)
| |
If the server dies, the binder death callback clears out
the global camera service sp<>, and any current references to it
will become quite unhappy.
Test: Camera CTS passes
Bug: 31992879
AOSP-Change-Id: I2966bed35d0319e3f26e3d4b1b8dc08006a22348
CVE-2017-0544
Change-Id: Ib7ef455366927b0471f8fcabdd5a54e38e375d41
(cherry picked from commit 4b49489c12e6862e9a320ebcb53872e809ed20ec)
| |
Avoid a CHECK and make it the decoder's responsibility to handle a
malformed bitstream gracefully.
Bug: 34509901
Bug: 33137046
Test: StagefrightTest#testStagefright_bug_27855419_CVE_2016_2463
CVE-2017-0483
Change-Id: I2d94f8da63d65a86a9c711c45546e4c695e0f3b4
(cherry picked from commit 91fe76a157847825601b8f7a627efd1c9cbadcae)
(cherry picked from commit 5cabe32a59f9be1e913b6a07a23d4cfa55e3fb2f)
| |
to avoid leaving them in a partially initialized state.
Bug: 33137046
Test: ran CTS tests
CVE-2017-0483
Change-Id: I1f5c070233c5917d85da9e930e01a3fc51a0a0ec
(cherry picked from commit a9660fe122ca382e1777e0c5d3c42ca67ffb0377)
(cherry picked from commit bc62c086e9ba7530723dc8874b83159f4d77d976)
| |
Bug: 33661708
Bug: 32707507
Bug: 32095713
Test: run CTS AudioEffectTest#test5_0Command, Custom binder test
CVE-2017-0479
CVE-2017-0480
Change-Id: I03f674f126c191143bd8bdfe236f793e975826a5
(cherry picked from commit 31a4598a1908b3ccac7ddb33c511ce66840aa911)
(cherry picked from commit 8415635765380be496da9b4578d8f134a527d86b)
| |
- Reorganize handle effect creation code to make sure the effect engine
is created with both thread and effect chain mutex held.
- Reorganize handle disconnect code to make sure the effect engine
is released with both thread and effect chain mutex held.
- Protect IEffect interface methods in EffectHandle with a Mutex.
- Only pin effect if the session was acquired first.
- Do not use strong pointer to EffectModule in EffectHandles:
only the EffectChain has a single strong reference to the EffectModule.
Bug: 32707507
CVE-2017-0479
CVE-2017-0480
CVE-2017-0499
Change-Id: Ia1098cba2cd32cc2d1c9dfdff4adc2388dfed80e
(cherry picked from commit b378b73dd7480b584340b8028802c9ca2d625123)
(cherry picked from commit 22e26d8ee73488c58ba3e7928e5da155151abfd0
with backport by <sultanxda@gmail.com>)
| |
Bug: 32705438
Bug: 32703959
Test: cts security test
Change-Id: I8900c92fa55b56c4c2c9d721efdbabe6bfc8a4a4
(cherry picked from commit e275907e576601a3579747c3a842790bacf111e2)
(cherry picked from commit b0bcddb44d992e74140a3f5eedc7177977ea8e34)
| |
Test: POC, Cts Effect, BassBoost, EnvReverb, Equalizer,
Test: LoudnessEnhancer, PresetReverb, Virtualizer, Visualizer
Bug: 32220769
Change-Id: Iea96ba0daf71691ee8954cca4ba1c10fe827626e
(cherry picked from commit dd79ccda92c1e9b982b2d0f8877d98e5258fbb73)
(cherry picked from commit a155de4d70e0b9ac8fc02b2bdcbb2e8e6cca46ff)
| |
This was disabled by a previous commit.
Bug: 32436178
Change-Id: I9f9c6a372a039226d61f3651be3af207fed63e60
(cherry picked from commit 4fb1e42a16e77d7abf1d84bedbc20f901af26524)
| |
This was meant for buffers shared cross-process, but we are not gaining
anything from this check even if it was at the correct place.
Bug: 32436178
Change-Id: I6919e8ac6e35092273e171f49f6711ba577ba2e6
(cherry picked from commit 58388aa7be1c6963eb4b8464d46938ba9b0a04b0)
| |
Test: Custom test.
Bug: 32438594
Bug: 32624850
Bug: 32635664
Change-Id: I9b1315e2c02f11bea395bfdcf5c1ccddccbad8a6
(cherry picked from commit 3d34cc76e315dfa8c3b1edf78835b0dab4980505)
(cherry picked from commit 26965db50a617f69bdefca0d7533796c80374f2c)
| |
Bug: 31781965
Change-Id: I1c439a0d0f6aa0057b3c651499f28426e1e1f5e4
(cherry picked from commit 9a2732ba0a8d609ab040d2c1ddee28577ead9772)
(cherry picked from commit 557bd7bfe6c4895faee09e46fc9b5304a956c8b7)
| |
Bug: 32577290
Change-Id: I9bcc9422ae7dd3ae4a38df330c9dcd7ac4941ec8
(cherry picked from commit 7fdd36418e945cf6a500018632dfb0ed8cb1a343)
(cherry picked from commit 453b351ac5bd2b6619925dc966da60adf6b3126c)
| |
Several points in stagefright's mp3 album art code
used strlen() to parse user-supplied strings that may be
unterminated, resulting in reading beyond the end of a buffer.
This changes the code to use strnlen() for 8-bit encodings and
strengthens the parsing of 16-bit encodings similarly. It also
reworks how we watch for the end-of-buffer to avoid all over-reads.
Bug: 32377688
Test: crafted mp3's w/ good/bad cover art. See what showed in play music
Change-Id: Ia9f526d71b21ef6a61acacf616b573753cd21df6
(cherry picked from commit fa0806b594e98f1aed3ebcfc6a801b4c0056f9eb)
(cherry picked from commit 7a3246b870ddd11861eda2ab458b11d723c7f62c)
| |
Bug: 32448258
Bug: 32095626
Test: Use POC bug or cts security test
Change-Id: I69f24eac5866f8d9090fc4c0ebe58c2c297b63df
(cherry picked from commit 01183402d757f0c28bfd5e3b127b3809dfd67459)
(cherry picked from commit 321ea5257e37c8edb26e66fe4ee78cca4cd915fe)
Fix security vulnerability: Equalizer command might allow negative indexes
Bug: 32247948
Bug: 32438598
Bug: 32436341
Test: use POC on bug or cts security test
Change-Id: I91bd6aadb6c7410163e03101f365db767f4cd2a3
(cherry picked from commit 0872b65cff9129633471945431b9a5a28418049c)
(cherry picked from commit e981cca9fff3608af22bdf8fc1acef5470e25663)
(cherry picked from commit c66c43ad571ed2590dcd55a762c73c90d9744bac)
| |
Fixes hotword on angler.
Change-Id: Ic15a617c0f79f03785feaddd2dfa6deb90842a06
(cherry picked from commit 5f72b2213b9dc96ce91871398b539ad6aa653142)
| |
and be stricter about the layout of various boxes in mp4 files.
CYNGNOS-3312
Bug: 31318219
Change-Id: I50034d5b6b1967ca6e88aabeacf49f26ba3c0d32
(cherry picked from commit 2e211d38a3124849ef46376256d01e69549c422f)
(cherry picked from commit d4eb1e1ca163d6ab0eaf0d80ca138f851f87c3d2)
| |
CYNGNOS-3312
Bug: 30229821
Test: fixing CL. Existing unit tests still pass.
Change-Id: I6e4abd759d5d2abc3b391e92e2e18f060cab7af0
(cherry picked from commit 874f9e0b8eb0cbe508d15c8c03796c863851f21f)
(cherry picked from commit 244e7fd2a45b4e7d70d2c2e550181220371b7edf)
| | |
CYNGNOS-3303
Android 6.0.1 release 74
Change-Id: I0a14578751f4ecb8d13def26b9ffe5dcba4afd72
| | |
Even though storing metadata is not supported in MediaCodec.configure and
is only meant to be used by Stagefright recorder, don't fail configure.
Bug: 31986922
Change-Id: Id9f083be6e857e7a0d8d4a74159be5b8894e28be
(cherry picked from commit ae52fd383a43ac239f459078fd003ce8ac2efb55)
| | |
The component might depend on their buffers to be initialized
in certain ways to work. Don't clear unless we're allocating it.
bug: 31586647
Change-Id: Ia0a125797e414998ef0cd8ce03672f5b1e0bbf7a
(cherry picked from commit ea76573aa276f51950007217a97903c4fe64f685)
| | |
This was disallowed recently but we still use it as MediaCodec.stop
only goes to loaded state, and does not free component.
Bug: 31450460
Change-Id: I72e092e4e55c9f23b1baee3e950d76e84a5ef28d
(cherry picked from commit e03b22839d78c841ce0a1a0a1ee1960932188b0b)
| | |
This is only allowed in-process (if backup and codec buffers are
connected.)
Bug: 29422020
Bug: 31412859
Change-Id: If48e3e0b6f1af99a459fdc3f6f03744bbf0dc375
(cherry picked from commit 087ff38490016f4a0b6a1e717ae8af781d9b750c)
| | |
Bug: 28615448
Change-Id: I5916f6839b4a9bbee4388a106e7373bcd4154f5a
(cherry picked from commit cb898dca47ac03738db91ddc371207435d2a1526)
| | |
Bug: 31091777
Change-Id: Iddf99d0011961d0fd3d755e57db4365b6a6a1193
(cherry picked from commit 03237ce0f9584c98ccda76c2474a4ae84c763f5b)