android_external_libhevc, branch cm-13.0 Unnamed repository; edit this file 'description' to name the repository. Decoder: Signal IVD_RES_CHANGED error for change in crop params 2019-04-12T22:14:36+00:00 Rakesh Kumar rakesh.kumar@ittiam.com 2018-11-12T12:30:27+00:00 fc1a05c9894743339c5dbef76c4c36876dfa4540 IVD_RES_CHANGED was not signaled when crop parameters changed, i.e. display dimensions changed without change in decode dimensions. In such cases, if output buffer was allocated as per the current dimension being decoded, without IVD_RES_CHANGED signalled, there can be an OOB write if the new buffer is smaller than the frame being returned as output Bug: 118453553 Test: vendor Change-Id: Ic74c6fb9612403f75a8f9ddb3a93861bca82cf16 (cherry picked from commit fdbbd60bfebe48c0539897d7eeeeb5816e59ce1b) 
IVD_RES_CHANGED was not signaled when crop parameters changed, i.e.
display dimensions changed without change in decode dimensions.

In such cases, if output buffer was allocated as per the current
dimension being decoded, without IVD_RES_CHANGED signalled, there can be
an OOB write if the new buffer is smaller than the frame being returned
as output

Bug: 118453553
Test: vendor
Change-Id: Ic74c6fb9612403f75a8f9ddb3a93861bca82cf16
(cherry picked from commit fdbbd60bfebe48c0539897d7eeeeb5816e59ce1b)
Add limits check for the CTB position in a frame 2019-01-13T16:48:57+00:00 Shubham Tandle shubham.tandle@ittiam.com 2018-09-11T07:47:15+00:00 9601147d8f8e78c5790a8f6a162b73b26f37aa04 Bug: 113260892 Bug: 113261108 Bug: 113261310 The decoder does not support tile position > 255. Added error checks to ensure the same. Test: re-run POC Change-Id: Id359c172c8630ded2fb3f47c447f373cd2d1bc34 (cherry picked from commit 5a3dafc3248edcd2df5e2fdafaca61b6acbc44b1) 
Bug: 113260892
Bug: 113261108
Bug: 113261310

The decoder does not support tile position > 255.
Added error checks to ensure the same.

Test: re-run POC
Change-Id: Id359c172c8630ded2fb3f47c447f373cd2d1bc34
(cherry picked from commit 5a3dafc3248edcd2df5e2fdafaca61b6acbc44b1)
Add limits check for depth hierarchy sps parameters 2018-06-08T17:31:11+00:00 Naveen Kumar P naveenkumar.p@ittiam.com 2018-03-09T10:55:56+00:00 ed02579a01c251af05781f3e75252b3bb6397777 Bug: 73965890 Test: run poc before/after According to the hevc specification, max_transform_hierarchy_depth_inter and max_transform_hierarchy_depth_intra cannot be greater than difference between log2_ctb_size and log2_min_transform_block_size. Change-Id: I9a6f56b029957cead3e81bd07d7fb8392a1a98a2 (cherry picked from commit f7287c7993a0d61abccfdc530f388b366139ac1d) CVE-2018-9353 
Bug: 73965890
Test: run poc before/after

According to the hevc specification, max_transform_hierarchy_depth_inter
and max_transform_hierarchy_depth_intra cannot be greater than
difference between log2_ctb_size and log2_min_transform_block_size.

Change-Id: I9a6f56b029957cead3e81bd07d7fb8392a1a98a2
(cherry picked from commit f7287c7993a0d61abccfdc530f388b366139ac1d)
CVE-2018-9353
Return error for invalid sps sub layers parameters 2018-06-08T17:30:59+00:00 Naveen Kumar P naveenkumar.p@ittiam.com 2018-03-09T03:04:01+00:00 6bd8b4b37414a9115fb0876070a30e8c7d80ff4f Return error for negative values of max_dec_pic_buffering and num_reorder_pics sps parameters. Bug: 73965867 Test: Ittiam Change-Id: I6035b3b2fcbd29c6bbb1223f4714ba04b4bca6b3 (cherry picked from commit f4486cdb2ff81368baa1d6e7afcf2c06ba64e666) CVE-2018-9352 
Return error for negative values of max_dec_pic_buffering and
num_reorder_pics sps parameters.

Bug: 73965867
Test: Ittiam
Change-Id: I6035b3b2fcbd29c6bbb1223f4714ba04b4bca6b3
(cherry picked from commit f4486cdb2ff81368baa1d6e7afcf2c06ba64e666)
CVE-2018-9352
Return error for invalid reorder parameter 2018-06-08T17:30:42+00:00 Naveen Kumar P naveenkumar.p@ittiam.com 2017-05-17T08:45:44+00:00 09f8990ab332343abf1da6e703287e03e2669291 Bug: 62689208 Test: before/after process PoC on ASAN builds. Change-Id: Ib1404bdf512fba28c2641f3f2022811a2a2d7751 (cherry picked from commit 4286d31e9e121e1005ad8986bcbf9ba3f62122ee) CVE-2018-9352 
Bug: 62689208
Test: before/after process PoC on ASAN builds.
Change-Id: Ib1404bdf512fba28c2641f3f2022811a2a2d7751
(cherry picked from commit 4286d31e9e121e1005ad8986bcbf9ba3f62122ee)
CVE-2018-9352
Check limits for log2_max_pic_order_cnt_lsb_minus4 in sps 2018-04-06T17:52:27+00:00 Naveen Kumar P naveenkumar.p@ittiam.com 2018-01-19T08:43:55+00:00 9648e375eab80ef82b2d11f85d2d153a01d97902 Bug: 71766721 According to the spec, the value of log2_max_pic_order_cnt_lsb_minus4 shall be in the range of 0 to 12, inclusive. Change-Id: Ibd199b6dea246c2fac6214c21e49f27d95c07659 (cherry picked from commit 4d32ff55cf3eeeb3a319517176ed2a2c6c376fe1) 
Bug: 71766721

According to the spec, the value of log2_max_pic_order_cnt_lsb_minus4
shall be in the range of 0 to 12, inclusive.

Change-Id: Ibd199b6dea246c2fac6214c21e49f27d95c07659
(cherry picked from commit 4d32ff55cf3eeeb3a319517176ed2a2c6c376fe1)
Fix output buffer size check 2018-04-06T14:29:46+00:00 Naveen Kumar P naveenkumar.p@ittiam.com 2018-01-23T12:33:49+00:00 f3dbc2afceeb57369c65efb76bf55f56a754443d Bug: 72165027 Test: ran poc before/after For output buffer size check, the parameter wd is set to larger of disp_wd and disp_strd. Change-Id: I1fc745753762b8a8e943165d0bf6525c500fb020 (cherry picked from commit ce8a8db32e9b2054c5dc119fbbec542bf8e848b6) 
Bug: 72165027
Test: ran poc before/after

For output buffer size check, the parameter wd is set to larger
of disp_wd and disp_strd.

Change-Id: I1fc745753762b8a8e943165d0bf6525c500fb020
(cherry picked from commit ce8a8db32e9b2054c5dc119fbbec542bf8e848b6)
Update ctb pu map for I slice 2018-02-07T23:22:41+00:00 Naveen Kumar P naveenkumar.p@ittiam.com 2017-06-22T10:06:50+00:00 c0353e261ca1d9faaef1289855fe64cf7adaa3b8 The update in I slice is required for P/B slices in the same frame for accessing neighbor pus. Bug: 62851602 Bug: 63522067 Test: re-run PoC from b/62851602 Change-Id: Ie5e43f1cd5649b2745b6527654bc24d8c7d42932 (cherry picked from commit 43f126112a8f2000cd0744f2fc5d545ff1a9a70c) CVE-2017-13233 
The update in I slice is required for P/B slices in the same
frame for accessing neighbor pus.

Bug: 62851602
Bug: 63522067
Test: re-run PoC from b/62851602
Change-Id: Ie5e43f1cd5649b2745b6527654bc24d8c7d42932
(cherry picked from commit 43f126112a8f2000cd0744f2fc5d545ff1a9a70c)
CVE-2017-13233
Check if luma wd and ht are multiple of min cb size 2018-02-07T23:22:25+00:00 Naveen Kumar P naveenkumar.p@ittiam.com 2017-07-06T10:41:17+00:00 455a13288143432c4a7625ee9610d5822af8f085 Bug: 65483665 Instead of aligning width and height to 8, it is now checked for being a multiple of min CB size Change-Id: I99bf60e19d490fd06933aa01fa6a34f47fe58bb4 (cherry picked from commit ccfd1ea5c4cf9cf0a55088506ae5f312663f8792) CVE-2017-13230 
Bug: 65483665

Instead of aligning width and height to 8, it is now
checked for being a multiple of min CB size

Change-Id: I99bf60e19d490fd06933aa01fa6a34f47fe58bb4
(cherry picked from commit ccfd1ea5c4cf9cf0a55088506ae5f312663f8792)
CVE-2017-13230
Decoder: Handle ps_codec_obj memory allocation failure gracefully 2018-01-10T21:54:51+00:00 Harish Mahendrakar harish.mahendrakar@ittiam.com 2017-10-26T10:11:42+00:00 01740dc72236c48f4a503b0b468277ed0dad765d If memory allocation for ps_codec_obj fails, return gracefully with an error code. All other allocation failures are handled correctly. Bug: 68299873 Test: before/after with always-failing malloc Change-Id: I5e6c07b147b13df81e65476851662d4b55d33b83 (cherry picked from commit a966e2a65dd901151ce7f4481d0084840c9a0f7e) CVE-2017-13190 
If memory allocation for ps_codec_obj fails, return gracefully
with an error code. All other allocation failures are
handled correctly.

Bug: 68299873
Test: before/after with always-failing malloc
Change-Id: I5e6c07b147b13df81e65476851662d4b55d33b83
(cherry picked from commit a966e2a65dd901151ce7f4481d0084840c9a0f7e)
CVE-2017-13190