IVD_RES_CHANGED was not signaled when crop parameters changed, i.e.
display dimensions changed without a change in decode dimensions.
In such cases, if the output buffer was allocated as per the current
dimension being decoded, without IVD_RES_CHANGED signaled, there can be
an OOB write if the new buffer is smaller than the frame being returned
as output.
Bug: 118399205
Test: vendor
Change-Id: Ia750a99cda08a3254a6f8ea8b55d07e655b34d05
(cherry picked from commit 442a01bf37d5bd97bb6d13b382f00265051abbe8)
Bug: 73625898
Test: ran POC before/after under ASAN
Change-Id: I9765b57f4afc6a2b6ad9cd19c8c7c5000beb9de9
(cherry picked from commit 9fa58d4db3ef176ed54af5f602970b48624be413)
CVE-2018-9351
Do not mark bottom field as short term in case of error.
Bug: 73553038
Bug: 73552574
Bug: 73552999
Test: poc before/after
Change-Id: I8576861af36996a361a81f48ba9b251f0ae4e660
(cherry picked from commit 47cc04b40c94b14841d27eb3ac0b01c3f1739180)
CVE-2018-9350
Memset to zero whenever new sps occurs.
Bug: 70897394
Test: manual
Change-Id: I5936fd55265ff8ad2b275a72b175cdb540bb7933
(cherry picked from commit 9c32ad7126890dfaa79fd29affaaf07de335fa3a)
Fixed initialization of u1_pr_sl_type for I slice.
Bug: 70897454
Test: ran PoC before/after patch
Change-Id: I0c37317513b72236be98c2b25482a67bf2b56052
(cherry picked from commit aecdfd1aff2505da11ad48ad4f9f918054ce0c97)
The output buffer size given by the application needs to be checked
in every process call. This is required in the case of resolution
change in shared display mode.
Bug: 70294343
Bug: 70350193
Bug: 70526411
Bug: 70526485
Test: manual
Change-Id: I2c1e59425e84ac62a874e5ee180e1b98f0a4058f
(cherry picked from commit 3692aceb1b244be3e1b36d8e7b804986f593bb69)
The factor multiplication should happen only at the source,
not at the destination.
Bug: 71375536
Test: manual
Change-Id: Ib5f00b87150a0533880346fac5464b0b1a802c36
(cherry picked from commit c3b026a87d7da17ca5196e1973137b8691e60bde)
When ref_pic_list_reordering_flag_l1 is equal to 1, the number of times
that reordering_of_pic_nums_idc is not equal to 3 following
ref_pic_list_reordering_flag_l1 should not exceed
num_ref_idx_l1_active_minus1 + 1.
Bug: 69478425
Change-Id: I031bb744869ac8a57f85bb97574832efd0eefc25
(cherry picked from commit 7ea47d575d26d4d5356670092af26fb6915e75bf)
CVE-2017-13228
If memory allocation for dec_hdl fails, return gracefully
with an error code. All other allocation failures are
handled correctly.
Bug: 68300072
Test: ran poc before/after
Change-Id: I118ae71f4aded658441f1932bd4ede3536f5028b
(cherry picked from commit 7720b3fe3de04523da3a9ecec2b42a3748529bbd)
CVE-2017-13189
Added extra structure to read mmco values and copied only once per
picture.
Bug: 65735716
Change-Id: I25b08a37bc78342042c52957774b089abce1a54b
(cherry picked from commit 3c70b9a190875938fc57164d9295a3ec791554df)
CVE-2017-13186
A change in the Mbaff flag needs re-initialization of the NMB group
and other variables in the decoder context.
Bug: 64380237
Test: ran poc on ASAN before/after
Change-Id: I0fc65e4dfc3cc2c15528ec52da1782ecec61feab
(cherry picked from commit d524ba03101c0c662c9d365d7357536b42a0265e)
CVE-2017-13204
This prevents heap overflow while parsing sei_message.
Bug: 63122634
Test: ran PoC on unpatched/patched
Change-Id: I61c1ff4ac053a060be8c24da4671db985cac628c
(cherry picked from commit f2b70d353768af8d4ead7f32497be05f197925ef)
CVE-2017-13203
The u1_top_bottom_decoded flag in the decoder context has been fixed
to be updated correctly in the case of a dangling field.
Bug: 63315932
Test: ran POC after patching
Change-Id: I8db4ebeb94fba735ba45f365c37e52a202ea84cd
CVE-2017-0874
Added an error check on the lower limit of u1_num_ref_idx_lx_active,
while parsing slice header. The minimum possible value is 1.
Bug: 64836894
Change-Id: I57056851fc135ed00f7a10af5c81eb560e9e12de
CVE-2017-0858
The difference between two 32-bit signed numbers was getting assigned
to 16 bits, leading to a divide by zero arithmetic exception.
Modified variable names to match their datatypes.
Bug: 65122447
Change-Id: I45ade1945f10b4d7660bd09fb564e60fd29d40dc
CVE-2017-0857
ps_dec_ip->s_out_buffer.u4_num_bufs was missing out of bound checks.
Bug: 62688399
Change-Id: Ic5e5c002d29fcb18064550d5a5f9289bb68b448e
CVE-2017-0849
If all the slices in the current pic were invalid, then
the decoder would not have received a valid picture buffer
in the current call. In such cases there is no need to conceal or
deblock the picture.
Bug: 62896384
Test: run ASAN-enabled PoC before/after the patch
Change-Id: I3cf6e871592826f93b0dcd2b06fff80677bc8338
CVE-2017-0833
same resolution
Cherry pick of Change-Id: Ifa78c3125ab207ce5e39166f4891cba0d3a4e39c
which went into master (post-n). This needed backporting to M so that
the final fix for 35583675 could be integrated.
Bug: 35583675
Test: ran POC without failure
Change-Id: I0d248212aaf6635f34a70ad36657416a0c623d32
(cherry picked from commit 142221a3f993adca0c7db7f4b65d76cd9fd72a38)
At the end of picture processing, if the current pic is partially
decoded, the number of MBs to be processed was wrongly calculated for
interlaced cases.
Bug: 33129467
Change-Id: Ia81186c60d346f02663607f2dc14166781db6a69
(cherry picked from commit e1cf7ea8ae9af4d8b5aca7efba61025dae10a345)
This reverts commit 839c6327f8467e2e238238623ab3831fc4b3f280.
Change-Id: Ia07e3a08843c3f52cb40efcd91fa4d1bba3b7b90
Initialize the buffer used to store inter mb info
(reference index, weights etc) to zero.
Bug: 36035683
Change-Id: I23561a6a7fe852c0563a631d7ec6ab022cd78ccc
(cherry picked from commit 2575ae6c989b133554f9b1267cf5dd694cf2aae6)
(cherry picked from commit 9041bb17f70a94019e05459164b4756bde01edee)
Increased allocation to include reference list1 also by
default. In the case of error, we could get B_SLICES
even in BASE_PROFILE. The initialization in the
dec_slice_struct_t slice structure has also been
modified accordingly.
Test: run poc with and without this patch
Bug: 38496660
Change-Id: I3451d79bbcd9f0d7a80981a9897f877b7f0812bd
(cherry picked from commit a925a6b539642c8749c91a6f33e362eda8c4a5b6)
CVE-2017-0776
When the first frame is a B frame, the colocated picture
will now point to the current frame.
Test: run poc with and without this patch
Bug: 38115076
Change-Id: I48a8f128740551d6a9252931dafcf8c629ecad0d
(cherry picked from commit b8d362561e48dde8898eb0415f298d64e76f2b7c)
CVE-2017-0772
Since the maximum value of long term index is 255,
the loop control variable needs to be 32 bit.
Bug: 38448381
Test: ran POC before/after applying fix
Change-Id: Iae3ecff38d4a922bde10fde33f1cfcafd2ea2680
(cherry picked from commit cbcd2846fa837e4be6d35f5c1211b070bc8d26da)
CVE-2017-0761
The output buffer size given by the application needs to be checked
in every process call. This is required in the case of resolution
change.
Bug: 36006815
Test: avcdec -i poc.bin
Change-Id: I16a92cdad23eb7b1e12c1a67c1b2599204f29249
(cherry picked from commit 3f6c941de5cd959072fa046c9d6cb26fa0f01dc6)
CVE-2017-0757
Modified the way i4_header_decoded in decoder context
is used, to ensure that resolution change is detected
even if PPS has not been decoded.
Bug: 35583675
Test: ran POC, no longer hangs
Change-Id: Ibb3f8dfbeb66a999fd81720a7d2a02dd951a55c4
(cherry picked from commit 1d06027c69e31d450b1e837c81073362d41084d3)
If resolution changes within a decode call, due to multiple
sps, the decoder hangs as the application will
give the same data again in the next decode call. This
results in a hang. Fixed this by flagging an error
when sps/resolution changes within a process call.
Bug: 38487564
Test: ran POC on patched O-based system w/o hanging
Change-Id: I30095b2e8bf573c1a58a316a23b1a5e6a4af589b
(cherry picked from commit fe18375850fe04b8c4ff2f1b20069e161f718e53)
The sps parameters used to detect change in
resolution/sps were incorrect. Made a fix to
use current sps from decoder context.
Bug: 38239864
Change-Id: I2d110e635ced32b3dc7f364e08a97d672fcbae37
(cherry picked from commit 8c6fe35f6d28f3e8c3a9f9458eea89eba858bded)
(cherry picked from commit ec3f58500066edee259942057e21489621fca9dd)
Added an error check in the case of MMCO 6
(SET_LT_INDEX)
Bug: 38014992
Test: POC fails before / works after patch
Change-Id: I76e38a8e2ff0bab043b47f44f1f7b1d4fe60d416
(cherry picked from commit 9e4f0ce7042078aeffaa16f2773cc2d1b82cdb12)
(cherry picked from commit 41489f9ece970df8530e28d7a24710b1beb755e2)
Reference list needs to be initialized for every P/B
slice, to ensure colocated picture always points to a
valid picture buffer, even in the case of error.
Bug: 36279112
Change-Id: I051d7e725b0af209cc7bb333db8da3518adf78a0
(cherry picked from commit f9d3f9af8fc113acda28e1a4e48d85736ee29c75)
Postponed the initializations to decoder context
till the end of the parse sps function, after
all the error checks are done.
Bug: 37968755
Test: ran poc on ASAN-enabled build before/after
Change-Id: Ibee3383c28cede3edb68d2459565d6ce10683bbd
(cherry picked from commit 4eb72f7c935595817026b4cf4aed5ef2ff579ab5)
Buffer allocation size for pred info was increased
in the case where the number of reference frames is equal to 1.
Bug: 36998372
Change-Id: I1f84a16703422109d40bed8436f35d0c2069c088
(cherry picked from commit 9008aed514f7211f6fcad328277ce464b042f622)
Aligned the sizes of au1_ngbr_pels to ensure SSE42 functions do not
result in a stack buffer overflow.
Bug: 36490809
AOSP-Change-Id: I0bfe493f94647046013759b3ec9db3c627ac471e
(cherry picked from commit f69e34419b267be7285a7e0e85a019294118ae03)
CVE-2017-0699
Change-Id: I4523d94411a752abb2461c4857e66beee67c3364
Added an error check while parsing PPS syntax element
second_chroma_qp_index_offset.
Bug: 37207120
AOSP-Change-Id: Icba6b7bcf5940505717ee61134ed801c221b6e26
(cherry picked from commit 62f98981ffc29082dd4bbf173a043a5bcbb86652)
CVE-2017-0696
Change-Id: I702fb66977fe51f4489c7f7f928cd3eb27e4756e
Fixed initialization of flag u1_top_bottom_decoded
in decoder context. This flag indicates if top
field and bottom field are decoded.
Bug: 36993291
Test: avcdec --input poc.h264 --output /dev/null
AOSP-Change-Id: I9f8a2620683abd8b15e4780d76d4849394710716
(cherry picked from commit 7703822731a3e5425390ba1d177d061a699c367d)
CVE-2017-0693
Change-Id: Ibd2f703e0aef8faa4cb32e036db1a74815ea7b7c
Increment number of long term reference buffers only when both top field
and bottom field have been set as long term.
[backport for M/N from master]
Bug: 35584425
Test: ran POC - no hang, no segfault.
AOSP-Change-Id: I94e3857944da675eda38f8e1a9bd887f48bff524
(cherry picked from commit 6fa5df8811ea0b8e8459f86dd3c30bf7a9b39482)
(cherry picked from commit 46e96d40dbca2896b5e20cf48d14798231c97663)
CVE-2017-0688
Change-Id: I3f4077df0fc0764b70c93cb226a5c7503799ba26
The end of bitstream error check was fixed for
odd number of macroblocks in Mbaff frames.
Bug: 37008096
Test: Ittiam-verified
AOSP-Change-Id: I058d74a3c1d1511968c2b36802dfc5c102947919
(cherry picked from commit 2e01924cd692191c970c64ec3f358e53dccb9e54)
CVE-2017-0680
Change-Id: I4472f827796093e932d9853d45f21a4a16d92928
Increased the allocation size for the Mbaff weight
matrix buffer.
Bug: 36996978
AOSP-Change-Id: I21cf2cb1010abdc6346f743f5237ae1730c4bf41
(cherry picked from commit 07db35ad5af8c4ee2308f983650d9a1b811841ea)
CVE-2017-0679
Change-Id: I1a8e38c839eee9887abf2fd99954237db31b2234
In the case of error, initialize the new reference list1 with the first
picture in default list0 instead of default list1, as first picture in
list1 could still be invalid.
Bug: 36035074
AOSP-Change-Id: I7ab493ee7a157cbefcd4da8389ff1ff899c16b7f
(cherry picked from commit 93954f5e9a5d727e402921ac6fa100e6dcc1d4e8)
CVE-2017-0677
Change-Id: I6e3d02457961d222fa721e2d8d283a989302805d
ps_dec->ps_cur_slice->u1_mbaff_frame_flag is updated in ih264d_start_of_pic().
So the updated value should be used after calling ih264d_start_of_pic().
Bug: 33974623
Test: ran POC from bug
AOSP-Change-Id: I0f1ff5e01ed39767f493f197791e51b0da74952f
(cherry picked from commit 3f6937a0031e4acadc9228559ae2ae47b992b16a)
(cherry picked from commit 0f2f2b5fde873b8badee949561c17692588647e8)
CVE-2017-0673
Change-Id: I4e9f951fa836ea597dfa6a593de8da0c476627f1
In case of dangling fields with gaps in frames enabled,
field pic in cur_slice was wrongly set to 0.
This would cause the dangling field to be concealed as a frame, which would
result in a mismatch in the number of MBs and hence a hang.
Bug: 34097672
AOSP-Change-Id: Ia9b7f72c4676188c45790b2dfbb4fe2c2d2c01f8
(cherry picked from commit 1a13168ca3510ba91274d10fdee46b3642cc9554)
CVE-2017-0591
Change-Id: I4087c11d52a5c72c75cb4b992f67ccff63b5d509
To handle some errors, first_slice_in_pic was being set to 2.
This is now cleaned up and first_slice_in_pic is set to 1 only once per pic.
This will ensure picture level initializations are done only once even in case
of error clips.
Bug: 33717589
Bug: 33551775
Bug: 33716442
Bug: 33677995
AOSP-Change-Id: If341436b3cbaa724017eedddd88c2e6fac36d8ba
CVE-2017-0555
Change-Id: Ifecf8e8cf6a257eaffdc8411e6af44962b554d72
(cherry picked from commit 0b23c81c3dd9ec38f7e6806a3955fed1925541a0)
Return ERROR_INV_SLICE_HDR_T instead of ERROR_INV_SPS_PPS_T for slice
header errors.
Bug: 34097915
AOSP-Change-Id: I45d14a71f2322ff349058baaf65fb0f3c1140fba
CVE-2017-0552
Change-Id: I4c87503f9014f67721fb3a06a7542215d4f10cd6
(cherry picked from commit 9a00f562a612d56e7b2b989d168647db900ba6cf)
In case of MBAFF streams, slices should terminate on
even MB boundary. If bytes are exhausted with odd number
of MBs decoded for MBAff, then treat that as error.
Bug: 33933140
AOSP-Change-Id: Ifc26b66ff8ebdb3aec5c0d6c512e4cac3f54c5b7
CVE-2017-0550
Change-Id: I239352c34311d40096ebd7eed66acfb11a628475
(cherry picked from commit 7950bf47b6944546a0aff11a7184947de9591b51)
Bug: 33818508
Bug: 34013472
AOSP-Change-Id: I2e99cbceba1c00555d624e8975522725e362362b
CVE-2017-0549
Change-Id: I737d00a2c8d0729d6ef47af2049401f10ff139e4
(cherry picked from commit 37345554fea84afd446d6d8fbb87feea5a0dde3f)
Reference buffer is now initialized to the default value for
each pic before decoding the first slice in the pic.
Bug: 34097866
AOSP-Change-Id: Id64b123af2188217ce833f11db0e6c0681d41dfd
CVE-2017-0543
Change-Id: I49a76e0af23001842630218f79f47a98bc287d6a
(cherry picked from commit f634481e940421020e52f511c1fb34aac1db4b2f)
[for mnc-dr-dev and later; mnc-dev gets a different patch]
After emulation prevention, data is written as an int,
so at least 3 additional bytes should be available.
And since bitstream functions read 8 bytes ahead, 8 extra bytes
should be available in the bitstream buffer.
Bug: 33934721
AOSP-Change-Id: I444ec6f85d01b0bade9f827e15c4b476779d6c69
CVE-2017-0542
Change-Id: I3c77857dc558b2ab0bacbfae0c56e794154bd50c
(cherry picked from commit 33ef7de9ddc8ea7eb9cbc440d1cf89957a0c267b)
ih264d_end_of_pic() was called after parsing a slice of a new picture.
This is now being done at the end of decode of the current picture.
decode_gaps_in_frame_num, which needs frame_num of the new slice, is now
done after decoding frame_num in the new slice.
This helps in handling errors in picaff streams with gaps in frames.
Bug: 33588051
Bug: 33641588
Bug: 34097231
AOSP-Change-Id: I1a26e611aaa2c19e2043e05a210849bd21b22220
CVE-2017-0538
CVE-2017-0551
Change-Id: I62cd9bff7c8d4b20c930e6ddc4164aaa3368407f
(cherry picked from commit 494561291a503840f385fbcd11d9bc5f4dc502b8)
This is needed to decode streams with consecutive IDRs.
Bug: 34097231
Test: successful run of POC in security bug
AOSP-Change-Id: Ib737a4ef4b8c5bb7a57c90292102dd28af0615fe
CVE-2017-0551
Change-Id: I5d2569034b03ba44830d96319a354e0cb0e665d3
(cherry picked from commit 8b5fd8f24eba5dd19ab2f80ea11a9125aa882ae2)
Invalid SPS Id read was resulting in an out of bound read.
Bug: 33552073
CVE-2017-0495
Change-Id: Ie5b80222fc7ac3a64475340371be0facdf999d7b
(cherry picked from commit d3d60c6a5d7ab605d19b9ac4b95bc227b7b870dc)
(cherry picked from commit 99a85bb4690dd30871d9457c30ca3b44a0928cc1)
(cherry picked from commit 85c0ec4106659a11c220cd1210f8d76c33d9e2ae)