| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Increased allocation to include reference list1 also by
default. In the case of error, we could get B_SLICES
even in BASE_PROFILE. The initialization in the
dec_slice_struct_t slice structure has also been
modified accordingly.
Test: run poc with and without this patch
Bug: 38496660
Change-Id: I3451d79bbcd9f0d7a80981a9897f877b7f0812bd
(cherry picked from commit a925a6b539642c8749c91a6f33e362eda8c4a5b6)
CVE-2017-0776
|
|
|
|
|
|
|
|
|
|
|
| |
Reference list needs to be initialized for every P/B
slice, to ensure colocated picture always points to a
valid picture buffer, even in the case of error.
Bug: 36279112
Change-Id: I051d7e725b0af209cc7bb333db8da3518adf78a0
(cherry picked from commit f9d3f9af8fc113acda28e1a4e48d85736ee29c75)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The end of bistream error check was fixed for
odd number of macroblocks in Mbaff frames.
Bug: 37008096
Test: Ittiam-verified
AOSP-Change-Id: I058d74a3c1d1511968c2b36802dfc5c102947919
(cherry picked from commit 2e01924cd692191c970c64ec3f358e53dccb9e54)
CVE-2017-0680
Change-Id: I4472f827796093e932d9853d45f21a4a16d92928
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ps_dec->ps_cur_slice->u1_mbaff_frame_flag is updated in ih264d_start_of_pic().
So updated value should be used after calling ih264d_start_of_pic()
Bug: 33974623
Test: ran POC from bug
AOSP-Change-Id: I0f1ff5e01ed39767f493f197791e51b0da74952f
(cherry picked from commit 3f6937a0031e4acadc9228559ae2ae47b992b16a)
(cherry picked from commit 0f2f2b5fde873b8badee949561c17692588647e8)
CVE-2017-0673
Change-Id: I4e9f951fa836ea597dfa6a593de8da0c476627f1
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To handle some errors, first_slice_in_pic was being set to 2.
This is now cleaned up and first_slice_in_pic is set to 1 only once per pic.
This will ensure picture level initializations are done only once even in case
of error clips
Bug: 33717589
Bug: 33551775
Bug: 33716442
Bug: 33677995
AOSP-Change-Id: If341436b3cbaa724017eedddd88c2e6fac36d8ba
CVE-2017-0555
Change-Id: Ifecf8e8cf6a257eaffdc8411e6af44962b554d72
(cherry picked from commit 0b23c81c3dd9ec38f7e6806a3955fed1925541a0)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Return ERROR_INV_SLICE_HDR_T instead of ERROR_INV_SPS_PPS_T for slice
header errors.
Bug: 34097915
AOSP-Change-Id: I45d14a71f2322ff349058baaf65fb0f3c1140fba
CVE-2017-0552
Change-Id: I4c87503f9014f67721fb3a06a7542215d4f10cd6
(cherry picked from commit 9a00f562a612d56e7b2b989d168647db900ba6cf)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In case of MBAFF streams, slices should terminate on
even MB boundary. If bytes are exhausted with odd number
of MBs decoded for MBAff, then treat that as error.
Bug: 33933140
AOSP-Change-Id: Ifc26b66ff8ebdb3aec5c0d6c512e4cac3f54c5b7
CVE-2017-0550
Change-Id: I239352c34311d40096ebd7eed66acfb11a628475
(cherry picked from commit 7950bf47b6944546a0aff11a7184947de9591b51)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ih264d_end_of_pic() was called after parsing slice of a new picture.
This is now being done at the end of decode of the current picture.
decode_gaps_in_frame_num which needs frame_num of new slice is now
done after decoding frame_num in new slice.
This helps in handling errors in picaff streams with gaps in frames
Bug: 33588051
Bug: 33641588
Bug: 34097231
AOSP-Change-Id: I1a26e611aaa2c19e2043e05a210849bd21b22220
CVE-2017-0538
CVE-2017-0551
Change-Id: I62cd9bff7c8d4b20c930e6ddc4164aaa3368407f
(cherry picked from commit 494561291a503840f385fbcd11d9bc5f4dc502b8)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In case of MBAff clips, if error is detected after parsing odd MB,
then treat that odd MB also as error. All MBAff processing is done
as an MB-Pair.
Bug: 33298089
CVE-2017-0482
CVE-2017-0484
Change-Id: I5242064dadec93333123309cea4c8a8676a2e727
(cherry picked from commit 3ebff7dc62f6fb93d9635dd052c1140ddcc63dc7)
(cherry picked from commit a467b1fb2956fdcee5636ab63573a4bca8150dbe)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Also, increment slice header only if previous slice had atleast one MB
This is to ensure there is no out of bound read for streams with 1 MB, and
due to error 2 slices were being accessed.
Bug: 33982658
CVE-2017-0473
Change-Id: I5f1918c09e922ca39f495f6059dfea3fa1d49448
(cherry picked from commit ef27433ca86c4084f0cff3e284f9e799c3fdfbec)
(cherry picked from commit 0a4463e2beddb8290e05ad552e48b17686f854ce)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Number of MBs to be marked as skip should be even for MBAff
error streams
Bug: 33450635
CVE-2017-0469
Change-Id: I6af59632e4b2d2882881fe8c52472164ea088f7a
(cherry picked from commit 43e0aa221067341b0b32bc87410a1ca45d9a6455)
(cherry picked from commit 21851eaecc814be709cb0c20f732cb858cfe1440)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In case of error in first MB in a frame, ps_dec->i4_submb_ofst
was decremented to result in negative offsets.
Bug: 33351708
CVE-2017-0468
CVE-2017-0482
Change-Id: I7376f781782576616351ffa0e1d43b835f7bbbbe
(cherry picked from commit 56b5563f3eecb845148a2948beb3f07343784f3f)
(cherry picked from commit 0e8b1dff88e08b9d738d2360f05b96108e190995)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When number of MBs decoded in the current frame is zero and an error is
detected, MB info was unnecessarily decremented in multi-core case.
Bug: 33351708
Bug: 33298089
Bug: 33250932
CVE-2017-0467
CVE-2017-0468
CVE-2017-0482
CVE-2017-0484
Change-Id: I150c48c6fb382736f1de855ba5384c12bf84710d
(cherry picked from commit 902c15251fe53f103f910b9f6a133e4cc7ca7416)
(cherry picked from commit fd9a12f9fdd9dd3e66c59dd7037e864b948085f7)
|
|
|
|
|
|
|
|
|
|
| |
Fixes mb_x, mb_y and first_mb_in_slice for Mbaff error streams
CYNGNOS-3312
Bug: 30481714
Change-Id: Ie99f3b57e48a620a4bc7aee88031955a2e1b6753
(cherry picked from commit d79d09f453aa7a026b5e0c5c56a15b59910a527d)
|
|\
| |
| |
| |
| |
| |
| |
| | |
CYNGNOS-3303
Android 6.0.1 release 74
Change-Id: I85e892e50468a5cf4430ba6618f097fd26992080
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Initialize default reference buffer for erroneous interlaced clips
Pick slice_type from decode thread slice structure
Call start_of_pic only once
Bug: 30822755
Change-Id: I553c646446d99a626d62351aa1b385355191cdc3
(cherry picked from commit bc71ad2d43dc03b2a71e3423da5385ed3cb9799a)
|
| |
| |
| |
| |
| |
| | |
Bug: 31092462
Change-Id: I0e2ab5a1088717bbf36f6b0cf859b5a6e0f59c5d
(cherry picked from commit c2e8ffe451e2a78161037ca09a3516e65c80675c)
|
|\|
| |
| |
| |
| |
| | |
Android 6.0.1 Release 61 (MOB30Z)
Change-Id: I107a592189bf09de163549a3645c37eff8b70e03
|
| |
| |
| |
| | |
Bug: 28673410
|
|\|
| |
| |
| |
| |
| | |
Ticket: CYNGNOS-3020
Change-Id: I16174755f6efba69fed299659a9a35a40922999d
|
| |
| |
| |
| |
| | |
Bug: 28165661
Change-Id: I912a86bd78ebf0617fd2bc6eb2b5a61afc17bf53
|
| |
| |
| |
| |
| |
| |
| |
| | |
For MBs which are in error, set u1_long_term_reference_flag to zero.
This ensures latest frame is used for concealment
Bug: 28470138
Change-Id: I58eab5bc1da277823f3dbb4103ba50867f8935dc
|
| |
| |
| |
| |
| |
| |
| |
| | |
Also memset ps_dec_op structure to zero.
For error input, this ensures dimensions are initialized to zero
Bug: 28165661
Change-Id: I66eb2ddc5e02e74b7ff04da5f749443920f37141
|
| |
| |
| |
| |
| |
| | |
Bug: 25928803
Change-Id: Iccc58a7dd1c5c6ea656dfca332cfb8dddba4de37
|
|\ \
| | |
| | |
| | |
| | |
| | |
| | | |
am: 943323f1d9
* commit '943323f1d9d3dd5c2634deb26cbe72343ca6b3db':
Return error when there are more mmco params than allocated size
|
| | |
| | |
| | |
| | |
| | |
| | | |
Bug: 25818142
Change-Id: I5c1b23985eeca5192b42703c627ca3d060e4e13d
|
|\| |
| |/
|/|
| |
| |
| |
| | |
am: 4a524d3a8a
* commit '4a524d3a8ae9aa20c36430008e6bd429443f8f1d':
Decoder Update mb count after mb map is set.
|
| |
| |
| |
| |
| |
| | |
Bug: 25928803
Change-Id: Iccc58a7dd1c5c6ea656dfca332cfb8dddba4de37
|
| |
| |
| |
| |
| |
| |
| | |
Once all the MBs are decoded, simply break from decode loops and do not signal an error
This will handle cases where there may be extra bytes at the end of picture data
Change-Id: I6d8ec918df5375f135e60f85b9a56ab2a5313a64
|
|/
|
|
|
|
|
|
|
|
|
| |
Memory allocations are now done based on contents of SPS
API changed to move allocations inside the library
Also changed strlen to strnlen
Bug: 24221026
Change-Id: I9130457f564cddb4da7ec6399cc9fe88ee871217
|
|
|
|
|
|
|
|
| |
Fixed buffer management for error cases
Fixed end of picture detection logic for multiple slice error cases
Fixed handling of incomplete frame, missing slices.
Change-Id: Iae447667e4d88869a8bf992180cacd77870b9877
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixed the following bugs
Issue 21145276
Issue 21144884
Issue 21181133
Issue 21181134
Decoder now returns error if the level in stream is higher than level at init
Change-Id: I8892c62bd98f7854d046510330c05a1e9ca826b2
|
|
|
|
| |
Change-Id: Ia4f99d5b963acd8d8a1afc2fbdf06b122d898f63
|
|
Change-Id: I7efe9a589cd24edf86e8d086b40c27cbbf8b4017
|