| Commit message | Author | Age | Files | Lines |
|
At the end of picture processing, if the current pic is partially
decoded, number of MBs to be processed was wrongly calculated for
interlaced cases.
Bug: 33129467
Change-Id: Ia81186c60d346f02663607f2dc14166781db6a69
(cherry picked from commit e1cf7ea8ae9af4d8b5aca7efba61025dae10a345)
|
This reverts commit 839c6327f8467e2e238238623ab3831fc4b3f280.
Change-Id: Ia07e3a08843c3f52cb40efcd91fa4d1bba3b7b90
|
Initialize the buffer used to store inter mb info
(reference index, weights etc) to zero.
Bug: 36035683
Change-Id: I23561a6a7fe852c0563a631d7ec6ab022cd78ccc
(cherry picked from commit 2575ae6c989b133554f9b1267cf5dd694cf2aae6)
(cherry picked from commit 9041bb17f70a94019e05459164b4756bde01edee)
|
Increased allocation to include reference list1 also by
default. In the case of error, we could get B_SLICES
even in BASE_PROFILE. The initialization in the
dec_slice_struct_t slice structure has also been
modified accordingly.
Test: run poc with and without this patch
Bug: 38496660
Change-Id: I3451d79bbcd9f0d7a80981a9897f877b7f0812bd
(cherry picked from commit a925a6b539642c8749c91a6f33e362eda8c4a5b6)
CVE-2017-0776
|
When the first frame is a B frame, the colocated picture
will now point to the current frame.
Test: run poc with and without this patch
Bug: 38115076
Change-Id: I48a8f128740551d6a9252931dafcf8c629ecad0d
(cherry picked from commit b8d362561e48dde8898eb0415f298d64e76f2b7c)
CVE-2017-0772
|
Since the maximum value of long term index is 255,
the loop control variable needs to be 32 bit.
Bug: 38448381
Test: ran POC before/after applying fix
Change-Id: Iae3ecff38d4a922bde10fde33f1cfcafd2ea2680
(cherry picked from commit cbcd2846fa837e4be6d35f5c1211b070bc8d26da)
CVE-2017-0761
|
The output buffer size given by the application needs to be checked
in every process call. This is required in the case of resolution
change.
Bug: 36006815
Test: avcdec -i poc.bin
Change-Id: I16a92cdad23eb7b1e12c1a67c1b2599204f29249
(cherry picked from commit 3f6c941de5cd959072fa046c9d6cb26fa0f01dc6)
CVE-2017-0757
|
Modified the way i4_header_decoded in decoder context
is used, to ensure that resolution change is detected
even if PPS has not been decoded.
Bug: 35583675
Test: ran POC, no longer hangs
Change-Id: Ibb3f8dfbeb66a999fd81720a7d2a02dd951a55c4
(cherry picked from commit 1d06027c69e31d450b1e837c81073362d41084d3)
|
If resolution changes within a decode call, due to multiple
sps, the decoder hangs as the application will
give the same data again in the next decode call. This
results in a hang. Fixed this by flagging an error,
when sps/resolution changes within a process call.
Bug: 38487564
Test: ran POC on patched O-based system w/o hanging
Change-Id: I30095b2e8bf573c1a58a316a23b1a5e6a4af589b
(cherry picked from commit fe18375850fe04b8c4ff2f1b20069e161f718e53)
|
The sps parameters used to detect change in
resolution/sps were incorrect. Made a fix to
use current sps from decoder context.
Bug: 38239864
Change-Id: I2d110e635ced32b3dc7f364e08a97d672fcbae37
(cherry picked from commit 8c6fe35f6d28f3e8c3a9f9458eea89eba858bded)
(cherry picked from commit ec3f58500066edee259942057e21489621fca9dd)
|
Added an error check in the case of MMCO 6
(SET_LT_INDEX)
Bug: 38014992
Test: POC fails before / works after patch
Change-Id: I76e38a8e2ff0bab043b47f44f1f7b1d4fe60d416
(cherry picked from commit 9e4f0ce7042078aeffaa16f2773cc2d1b82cdb12)
(cherry picked from commit 41489f9ece970df8530e28d7a24710b1beb755e2)
|
Reference list needs to be initialized for every P/B
slice, to ensure colocated picture always points to a
valid picture buffer, even in the case of error.
Bug: 36279112
Change-Id: I051d7e725b0af209cc7bb333db8da3518adf78a0
(cherry picked from commit f9d3f9af8fc113acda28e1a4e48d85736ee29c75)
|
Postponed the initializations to decoder context
till the end of the parse sps function, after
all the error checks are done.
Bug: 37968755
Test: ran poc on ASAN-enabled build before/after
Change-Id: Ibee3383c28cede3edb68d2459565d6ce10683bbd
(cherry picked from commit 4eb72f7c935595817026b4cf4aed5ef2ff579ab5)
|
Buffer allocation size for pred info was increased
in the case where the number of reference frames is equal to 1.
Bug: 36998372
Change-Id: I1f84a16703422109d40bed8436f35d0c2069c088
(cherry picked from commit 9008aed514f7211f6fcad328277ce464b042f622)
|
Aligned the sizes of au1_ngbr_pels to ensure SSE42 functions do not
result in stack buffer overflow
Bug: 36490809
AOSP-Change-Id: I0bfe493f94647046013759b3ec9db3c627ac471e
(cherry picked from commit f69e34419b267be7285a7e0e85a019294118ae03)
CVE-2017-0699
Change-Id: I4523d94411a752abb2461c4857e66beee67c3364
|
Added an error check while parsing PPS syntax element
second_chroma_qp_index_offset.
Bug: 37207120
AOSP-Change-Id: Icba6b7bcf5940505717ee61134ed801c221b6e26
(cherry picked from commit 62f98981ffc29082dd4bbf173a043a5bcbb86652)
CVE-2017-0696
Change-Id: I702fb66977fe51f4489c7f7f928cd3eb27e4756e
|
Fixed initialization of flag u1_top_bottom_decoded
in decoder context. This flag indicates if top
field and bottom field is decoded.
Bug: 36993291
Test: avcdec --input poc.h264 --output /dev/null
AOSP-Change-Id: I9f8a2620683abd8b15e4780d76d4849394710716
(cherry picked from commit 7703822731a3e5425390ba1d177d061a699c367d)
CVE-2017-0693
Change-Id: Ibd2f703e0aef8faa4cb32e036db1a74815ea7b7c
|
Increment number of long term reference buffers only when both top field
and bottom field have been set as long term.
[backport for M/N from master]
Bug: 35584425
Test: ran POC - no hang, no segfault.
AOSP-Change-Id: I94e3857944da675eda38f8e1a9bd887f48bff524
(cherry picked from commit 6fa5df8811ea0b8e8459f86dd3c30bf7a9b39482)
(cherry picked from commit 46e96d40dbca2896b5e20cf48d14798231c97663)
CVE-2017-0688
Change-Id: I3f4077df0fc0764b70c93cb226a5c7503799ba26
|
The end of bitstream error check was fixed for
odd number of macroblocks in Mbaff frames.
Bug: 37008096
Test: Ittiam-verified
AOSP-Change-Id: I058d74a3c1d1511968c2b36802dfc5c102947919
(cherry picked from commit 2e01924cd692191c970c64ec3f358e53dccb9e54)
CVE-2017-0680
Change-Id: I4472f827796093e932d9853d45f21a4a16d92928
|
Increased the allocation size for Mbaff weight
matrix buffer
Bug: 36996978
AOSP-Change-Id: I21cf2cb1010abdc6346f743f5237ae1730c4bf41
(cherry picked from commit 07db35ad5af8c4ee2308f983650d9a1b811841ea)
CVE-2017-0679
Change-Id: I1a8e38c839eee9887abf2fd99954237db31b2234
|
In the case of error, initialize the new reference list1 with the first
picture in default list0 instead of default list1, as first picture in
list1 could still be invalid.
Bug: 36035074
AOSP-Change-Id: I7ab493ee7a157cbefcd4da8389ff1ff899c16b7f
(cherry picked from commit 93954f5e9a5d727e402921ac6fa100e6dcc1d4e8)
CVE-2017-0677
Change-Id: I6e3d02457961d222fa721e2d8d283a989302805d
|
ps_dec->ps_cur_slice->u1_mbaff_frame_flag is updated in ih264d_start_of_pic().
So updated value should be used after calling ih264d_start_of_pic()
Bug: 33974623
Test: ran POC from bug
AOSP-Change-Id: I0f1ff5e01ed39767f493f197791e51b0da74952f
(cherry picked from commit 3f6937a0031e4acadc9228559ae2ae47b992b16a)
(cherry picked from commit 0f2f2b5fde873b8badee949561c17692588647e8)
CVE-2017-0673
Change-Id: I4e9f951fa836ea597dfa6a593de8da0c476627f1
|
In case of dangling fields with gaps in frames enabled,
field pic in cur_slice was wrongly set to 0.
This would cause dangling field to be concealed as a frame, which would
result in a number of MB mismatch and hence a hang.
Bug: 34097672
AOSP-Change-Id: Ia9b7f72c4676188c45790b2dfbb4fe2c2d2c01f8
(cherry picked from commit 1a13168ca3510ba91274d10fdee46b3642cc9554)
CVE-2017-0591
Change-Id: I4087c11d52a5c72c75cb4b992f67ccff63b5d509
|
To handle some errors, first_slice_in_pic was being set to 2.
This is now cleaned up and first_slice_in_pic is set to 1 only once per pic.
This will ensure picture level initializations are done only once even in case
of error clips
Bug: 33717589
Bug: 33551775
Bug: 33716442
Bug: 33677995
AOSP-Change-Id: If341436b3cbaa724017eedddd88c2e6fac36d8ba
CVE-2017-0555
Change-Id: Ifecf8e8cf6a257eaffdc8411e6af44962b554d72
(cherry picked from commit 0b23c81c3dd9ec38f7e6806a3955fed1925541a0)
|
Return ERROR_INV_SLICE_HDR_T instead of ERROR_INV_SPS_PPS_T for slice
header errors.
Bug: 34097915
AOSP-Change-Id: I45d14a71f2322ff349058baaf65fb0f3c1140fba
CVE-2017-0552
Change-Id: I4c87503f9014f67721fb3a06a7542215d4f10cd6
(cherry picked from commit 9a00f562a612d56e7b2b989d168647db900ba6cf)
|
In case of MBAFF streams, slices should terminate on
even MB boundary. If bytes are exhausted with odd number
of MBs decoded for MBAff, then treat that as error.
Bug: 33933140
AOSP-Change-Id: Ifc26b66ff8ebdb3aec5c0d6c512e4cac3f54c5b7
CVE-2017-0550
Change-Id: I239352c34311d40096ebd7eed66acfb11a628475
(cherry picked from commit 7950bf47b6944546a0aff11a7184947de9591b51)
|
Bug: 33818508
Bug: 34013472
AOSP-Change-Id: I2e99cbceba1c00555d624e8975522725e362362b
CVE-2017-0549
Change-Id: I737d00a2c8d0729d6ef47af2049401f10ff139e4
(cherry picked from commit 37345554fea84afd446d6d8fbb87feea5a0dde3f)
|
Reference buffer is now initialized to default value for
each pic before decoding the first slice in the pic
Bug: 34097866
AOSP-Change-Id: Id64b123af2188217ce833f11db0e6c0681d41dfd
CVE-2017-0543
Change-Id: I49a76e0af23001842630218f79f47a98bc287d6a
(cherry picked from commit f634481e940421020e52f511c1fb34aac1db4b2f)
|
[for mnc-dr-dev and later; mnc-dev gets a different patch]
After emulation prevention, data is written as an int,
so at least 3 additional bytes should be available.
And since bitstream functions read 8 bytes ahead, 8 extra bytes
should be available in the bitstream buffer.
Bug: 33934721
AOSP-Change-Id: I444ec6f85d01b0bade9f827e15c4b476779d6c69
CVE-2017-0542
Change-Id: I3c77857dc558b2ab0bacbfae0c56e794154bd50c
(cherry picked from commit 33ef7de9ddc8ea7eb9cbc440d1cf89957a0c267b)
|
ih264d_end_of_pic() was called after parsing slice of a new picture.
This is now being done at the end of decode of the current picture.
decode_gaps_in_frame_num which needs frame_num of new slice is now
done after decoding frame_num in new slice.
This helps in handling errors in picaff streams with gaps in frames
Bug: 33588051
Bug: 33641588
Bug: 34097231
AOSP-Change-Id: I1a26e611aaa2c19e2043e05a210849bd21b22220
CVE-2017-0538
CVE-2017-0551
Change-Id: I62cd9bff7c8d4b20c930e6ddc4164aaa3368407f
(cherry picked from commit 494561291a503840f385fbcd11d9bc5f4dc502b8)
|
This is needed to decode streams with consecutive IDRs.
Bug: 34097231
Test: successful run of POC in security bug
AOSP-Change-Id: Ib737a4ef4b8c5bb7a57c90292102dd28af0615fe
CVE-2017-0551
Change-Id: I5d2569034b03ba44830d96319a354e0cb0e665d3
(cherry picked from commit 8b5fd8f24eba5dd19ab2f80ea11a9125aa882ae2)
|
Invalid SPS Id read was resulting in an out of bound read
Bug: 33552073
CVE-2017-0495
Change-Id: Ie5b80222fc7ac3a64475340371be0facdf999d7b
(cherry picked from commit d3d60c6a5d7ab605d19b9ac4b95bc227b7b870dc)
(cherry picked from commit 99a85bb4690dd30871d9457c30ca3b44a0928cc1)
(cherry picked from commit 85c0ec4106659a11c220cd1210f8d76c33d9e2ae)
|
Bug: 34097213
Bug: 33641588
CVE-2017-0488
Change-Id: I40a6c5af7f1e46e1623ae1b399db3073123390fe
(cherry picked from commit 1d5640f2f9013e8de68cedc3e57a6b02b495b3c2)
(cherry picked from commit 0340381cd8c220311fd4fe2e8b23e1534657e399)
|
ih264d_deblock_display() should be called only if current
decoder call has got a picture buffer during start of pic
Bug: 33751193
CVE-2017-0487
Change-Id: I3bf2fdbb910bf7240484dae48b85d72833830d56
(cherry picked from commit 318368435f38629288dc500081a018dc698ca1f1)
(cherry picked from commit aa78b96e842fc1fb70a18acff22be35c7a715b23)
|
When the input does not contain PPS and decoder is in header decode
mode, decoder was entering an infinite loop.
Bug: 33621215
CVE-2017-0486
Change-Id: I3fe853660e210a259446a3d2992db2cbce69308e
(cherry picked from commit 33e1b190d6db09bd72a9f0f51acef4b14eabd6ff)
(cherry picked from commit 2cd2f7a33535f29c87a1952e0d4b43a80b6f1f3c)
(cherry picked from commit 19814b7ad4ea6f0cc4cab34e50ebab2e180fc269)
|
ps_dpb_mgr->ps_dpb_ht_head is a linked list with
ps_dpb_mgr->u1_num_lt_ref_bufs number of valid buffers.
So ps_next_dbp has to be initialized to ps_dpb_mgr->ps_dpb_ht_head
for each u1_lt_index loop iteration
Bug: 33387820
CVE-2017-0482
CVE-2017-0485
Change-Id: I2dfd962bad5640a829afc123adbd0709e563e621
(cherry picked from commit 54cbe1b29b35e8bd8ebbaed2b5eeacfeecca98cc)
(cherry picked from commit 3695b6bdaa183bb2852da06b63ebd5b9c2cace36)
|
In case of MBAff clips, if error is detected after parsing odd MB,
then treat that odd MB also as error. All MBAff processing is done
as an MB-Pair.
Bug: 33298089
CVE-2017-0482
CVE-2017-0484
Change-Id: I5242064dadec93333123309cea4c8a8676a2e727
(cherry picked from commit 3ebff7dc62f6fb93d9635dd052c1140ddcc63dc7)
(cherry picked from commit a467b1fb2956fdcee5636ab63573a4bca8150dbe)
|
Also, increment slice header only if previous slice had at least one MB
This is to ensure there is no out of bound read for streams with 1 MB, and
due to error 2 slices were being accessed.
Bug: 33982658
CVE-2017-0473
Change-Id: I5f1918c09e922ca39f495f6059dfea3fa1d49448
(cherry picked from commit ef27433ca86c4084f0cff3e284f9e799c3fdfbec)
(cherry picked from commit 0a4463e2beddb8290e05ad552e48b17686f854ce)
|
Bug: 33816782
CVE-2017-0471
Change-Id: I65a5376f46902139f9fc49a2fff54b53b518d703
(cherry picked from commit bee9b9a54b5f7a30991b630a13659e573f0cb52d)
(cherry picked from commit 4a61d15e7b0ab979ba7e80db8ddbde025c1ce6cc)
|
bound read
CVE-2017-0470
Change-Id: Ie8761de856ed8c7d08f3da61631c1bef446448e6
(cherry picked from commit b88f59d8353d65a75a3d250992f6b7fee1a61757)
(cherry picked from commit 6aac82003d665708b4e21e9b91693b642e2fa64f)
|
Number of MBs to be marked as skip should be even for MBAff
error streams
Bug: 33450635
CVE-2017-0469
Change-Id: I6af59632e4b2d2882881fe8c52472164ea088f7a
(cherry picked from commit 43e0aa221067341b0b32bc87410a1ca45d9a6455)
(cherry picked from commit 21851eaecc814be709cb0c20f732cb858cfe1440)
|
In case of error in first MB in a frame, ps_dec->i4_submb_ofst
was decremented to result in negative offsets.
Bug: 33351708
CVE-2017-0468
CVE-2017-0482
Change-Id: I7376f781782576616351ffa0e1d43b835f7bbbbe
(cherry picked from commit 56b5563f3eecb845148a2948beb3f07343784f3f)
(cherry picked from commit 0e8b1dff88e08b9d738d2360f05b96108e190995)
|
When number of MBs decoded in the current frame is zero and an error is
detected, MB info was unnecessarily decremented in multi-core case.
Bug: 33351708
Bug: 33298089
Bug: 33250932
CVE-2017-0467
CVE-2017-0468
CVE-2017-0482
CVE-2017-0484
Change-Id: I150c48c6fb382736f1de855ba5384c12bf84710d
(cherry picked from commit 902c15251fe53f103f910b9f6a133e4cc7ca7416)
(cherry picked from commit fd9a12f9fdd9dd3e66c59dd7037e864b948085f7)
|
This needs an additional row of data to hold top row
Issue is seen only for MBAff error cases which start with a field
at lower resolutions
Bug: 33139050
CVE-2017-0466
CVE-2017-0482
Change-Id: I4e0de4e16ece3999c3c753d0476cd0dd26a72714
(cherry picked from commit 9b095de571621463a7ee46a6750f79cfc6738975)
(cherry picked from commit ec9ab83ac437d31f484a86643e2cc66db8efae4c)
|
In case a slice start code is found and picture decode is not complete
and a non slice NAL is encountered, then mark the current pic as incomplete
Bug: 33250932
Bug: 33139050
CVE-2017-0466
CVE-2017-0467
CVE-2017-0482
Change-Id: I9db4446338b307310805dba90c60c8cbdeee0739
(cherry picked from commit d1896deaf15ad8c6d148702899426b64601a3358)
(cherry picked from commit c4f152575bd6d8cc6db1f89806e2ba1fd1bb314f)
|
Apart from Baseline, main and high profile, only extended profile
is supported, provided constraint_set0_flag or constraint_set1_flag are set to 1
Bug: 31999646
Change-Id: I3b62069efc49e222a7126fba0805fa9124aac8f2
(cherry picked from commit d7eee555dc124a4ab7977f073c6b4a76c346f760)
(cherry picked from commit e08e31d5efe89f234a5204b99d0dcb3d98467572)
|
Fixes mb_x, mb_y and first_mb_in_slice for Mbaff error streams
CYNGNOS-3312
Bug: 30481714
Change-Id: Ie99f3b57e48a620a4bc7aee88031955a2e1b6753
(cherry picked from commit d79d09f453aa7a026b5e0c5c56a15b59910a527d)
|
Ignore dpb errors, where decoder fails to release a non-existing picture
from reference lists. This is needed to decode streams where few pictures
are missing.
CYNGNOS-3312
Change-Id: I8ece68cb1fa22473029e16158cd86ce7a197027a
(cherry picked from commit 027d32535107a43833e090a53ec8bb2e03732e65)
|
CYNGNOS-3303
Android 6.0.1 release 74
Change-Id: I85e892e50468a5cf4430ba6618f097fd26992080
|
Initialize default reference buffer for erroneous interlaced clips
Pick slice_type from decode thread slice structure
Call start_of_pic only once
Bug: 30822755
Change-Id: I553c646446d99a626d62351aa1b385355191cdc3
(cherry picked from commit bc71ad2d43dc03b2a71e3423da5385ed3cb9799a)
|