Commits · 542e306905f32c2d5ced9da512795dcec4fedb70 · halo / frameworks_av

26 Mar, 2016 7 commits

Marco Nelissen authored 9 years ago

Previous change caused EOS to be ignored.

Bug: 27843673
Related-to-bug: 27662364
Change-Id: Ia148a88abc861a9b393f42bc7cd63d8d3ae349bc

542e3069

SoftAMR: check input buffer size to avoid overflow. · 22ec453b
Wei Jia authored 9 years ago
```
Bug: 27662364
Change-Id: I47380545ea7d85845e141e722b0d84f498d27145
```
22ec453b
SoftAMR: check output buffer size to avoid overflow. · eaceff03
Wei Jia authored 9 years ago
```
Bug: 27662364
Change-Id: I7b26892c41d6f2e690e77478ab855c2fed1ff6b0
```
eaceff03
codecs: check OMX buffer size before use in VP8 encoder. · 7d6a9145
Wonsik Kim authored 9 years ago
```
Bug: 27569635
Change-Id: I469573f40e21dc9f4c200749d4f220e3a2d31761
```
7d6a9145
NuPlayerStreamListener: NULL and bounds check before memcpy · f68983c5
Robert Shih authored 9 years ago
```
Bug: 27533704
Change-Id: I992a7709b92b1cbc3114c97bec48a3fc5b22ba6e
```
f68983c5

Camera3Device: Validate template ID · d65154ea

Chien-Yu Chen authored 9 years ago

Validate template ID before creating a default request.

Bug: 26866110
Bug: 27568958
Change-Id: Ifda457024f1d5c2b1382f189c1a8d5fda852d30d

d65154ea

Add VPX output buffer size check · 86d7a40e

Marco Nelissen authored 9 years ago

and handle dead observers more gracefully

Bug: 27597103
Change-Id: Id7acb25d5ef69b197da15ec200a9e4f9e7b03518

86d7a40e

26 Feb, 2016 4 commits

Get service by value instead of reference · 3097f364

Marco Nelissen authored 9 years ago

to prevent a cleared service binder from being used.

Bug: 26040840
Change-Id: Ifb5483c55b172d3553deb80dbe27f2204b86ecdb

3097f364

Also fix out of bounds access for normal read · 7a282fb6

Marco Nelissen authored 9 years ago

Previous fix accidentally only fixed the fragmented read case.

Bug: 27208621
Change-Id: Ie16f1920b84c8aba613842659238fcd5925694ad

7a282fb6

Clear allocation to avoid info leak · 1171e7c0
Marco Nelissen authored 9 years ago
```
Bug: 26914474
Change-Id: Ie1a86e86d78058d041149fe599a4996e7f8185cf
```
1171e7c0

IOMX.cpp uninitialized pointer in BnOMX::onTransact · 25be9ac2

mspector@google.com authored 9 years ago

This can lead to local code execution in media server.
Fix initializes the pointer and checks the error conditions before
returning

Bug: 26403627
Change-Id: I7fa90682060148448dba01d6acbe3471d1ddb500

25be9ac2

22 Jan, 2016 4 commits

Merge Conflict Addressed. · 6ad0c98c

Eino-Ville Talvala authored 9 years ago

Camera: Disallow dumping clients directly

Camera service dumps should only be initiated through
ICameraService::dump.

Bug: 26265403
Change-Id: If3ca4718ed74bf33ad8a416192689203029e2803

6ad0c98c

DO NOT MERGE - Remove deprecated image defines · 5a678873

Vignesh Venkatasubramanian authored 9 years ago

libvpx has always supported the VPX_ prefixed versions of these defines.
The unprefixed versions have been removed in the most recent release.

https://chromium.googlesource.com/webm/libvpx/+/9cdaa3d72eade9ad162ef8f78a93bd8f85c6de10

BUG=23452792

Change-Id: I8a656f2262f117d7a95271f45100b8c6fd0a470f

5a678873

Fix out-of-bounds write · fe84c201
Marco Nelissen authored 9 years ago
```
Bug: 26365349
Change-Id: Ia363d9f8c231cf255dea852e0bbf5ca466c7990b
```
fe84c201

fix possible overflow in effect wrappers. · b862285d

Eric Laurent authored 9 years ago

Add checks on parameter size field in effect command handlers
to avoid overflow leading to invalid comparison with min allowed
size for command and reply buffers.

Bug: 26347509.
Change-Id: I20e6a9b6de8e5172b957caa1ac9410b9752efa4d
(cherry picked from commit ad1bd92a)

b862285d

18 Dec, 2015 1 commit
- merge in lmp-mr1-release history after reset to lmp-mr1-dev · 03ba707e
  The Android Automerger authored 9 years ago
  
  03ba707e
17 Dec, 2015 1 commit
- merge in lmp-mr1-release history after reset to lmp-mr1-dev · 4ed2e1c8
  The Android Automerger authored 9 years ago
  
  4ed2e1c8
14 Dec, 2015 1 commit
- GenericSource: reset mDrmManagerClient when mDataSource is cleared. · 3e49ad28
  Wei Jia authored 9 years ago
```
Bug: 25070434
Change-Id: Iade3472c496ac42456e42db35e402f7b66416f5b
(cherry picked from commit b41fd0d4)
```
  3e49ad28
11 Dec, 2015 3 commits

DO NOT MERGE - libstagefright: check requested memory size before allocation... · 3292bef4

Wei Jia authored 9 years ago

DO NOT MERGE - libstagefright: check requested memory size before allocation for SoftMPEG4Encoder and SoftVPXEncoder.

Bug: 25812794
Change-Id: I96dc74734380d462583f6efa33d09946f9532809
(cherry picked from commit 87f8cbb2)
(cherry picked from commit 04629752)

3292bef4

DO NOT MERGE nuplayer: do not use cached source for wvm content · 0077bdf4

Chong Zhang authored 10 years ago

bug: 18730095, 25563255
Change-Id: Ibd4f54907949daae1d095fa0922050310d16698f
(cherry picked from commit fc6cfd83)

0077bdf4

DO NOT MERGE SoundPool: add lock for findSample access from SoundPoolThread · 6616d19b

Andy Hung authored 9 years ago

Sample decoding still occurs in SoundPoolThread
without holding the SoundPool lock.

Bug: 25781119
Change-Id: I11fde005aa9cf5438e0390a0d2dfe0ec1dd282e8

6616d19b

27 Oct, 2015 11 commits

stagefright: check bounds for MediaCodecList.getCodecInfo · f0b53a1c
Lajos Molnar authored 9 years ago
```
Bug: 24445127
Change-Id: I1c6cb9e2518b852d48d5d0d625b54409bd4e13ec
```
f0b53a1c
DO NOT MERGE - OMX: allow only secure codec to remotely call allocateBuffer. · cf6067b5
Wei Jia authored 9 years ago
```
Bug: 24310423
Change-Id: Iebcfc58b447f925ec2134898060af2ef227266a3
(cherry picked from commit 8dde7269)
```
cf6067b5
ID3: check possible integer overflow for extendedHeaderSize and paddingSize. · 2642744c
Wei Jia authored 9 years ago
```
Bug: 24623447
Change-Id: Ifbc74454d6e28ad7136efe35ab638a07e46398b1
(cherry picked from commit b3694ff5)
```
2642744c

Check NAL size before use · 9f474114

Marco Nelissen authored 9 years ago

Bug: 24441553
Bug: 24445122
Change-Id: Ib7f025769adbafd5a2cb64fae5562a0a565945c2

9f474114

MPEG4Extractor: ensure buffer size is not less than 8 for LastCommentData. · cf12b35a
Wei Jia authored 9 years ago
```
Bug: 24346430
Change-Id: I897a724e968841d9160f819d06c0ce22f6d743c4
(cherry picked from commit 5cae16bd)
```
cf12b35a
Don't crash when there's no conceal frame · 9c20e9ec
Marco Nelissen authored 9 years ago
```
Bug: 24630158
Change-Id: If042aebebb58c218eb7bbf01dcddbcbd05dca1d6
```
9c20e9ec

stagefright: fix AMessage::FromParcel · 44cc6044

Flanker authored 9 years ago

Add check for incoming mNumItems. Also add check readCString return
value.

Fix style & add log.

Bug: 24123723

Change-Id: If41a5312c27d868f481893eef56019b6807c39b7

44cc6044

DO NOT MERGE - AudioFlinger: Clear record buffers when starting RecordThread · 53156f31
Andy Hung authored 9 years ago
```
Bug: 24211743
Bug: 24267152
Change-Id: I58c55e56b85067b71e4e300f947b4dfc159637ba
```
53156f31

DO NOT MERGE Fix vulnerability in mediaserver · 6ca32859

Jeff Tinker authored 9 years ago

ICrypto.cpp: ASLR bypass using DECRYPT IPC

bug: 24074485
Change-Id: Ia12942d6b86adde28745908d36a728ab5d69a037

6ca32859

DO NOT MERGE NuCachedSource2: fix possible erroneous early free · f35e4b55

Wonsik Kim authored 9 years ago

Because the constructor of NuCachedSource2 sent a message to
AHandlerReflector object, AHandlerReflector::onMessageReceived could
have executed just before the object gets wrapped in a strong
pointer, resulting in erroneous early free. Fix the issue by using
static Create function to ensure the message is sent after the
object is wrapped in a sp.

Bug: 23882800
Change-Id: I38a9d7a3083f184b4c81d0b00ba1661721278855

f35e4b55

Limit allocations to avoid out-of-memory · 7f62e8bf

Marco Nelissen authored 9 years ago

Corrupt files could cause very large allocations, limit them to something
more reasonable.

Bug: 17769851
Change-Id: Ib0f722fd6fddff873bd7a547aac456e608c34c84

7f62e8bf

28 Sep, 2015 8 commits

IAudioFlinger: fix the missing initialization of variable to ensure no info... · 951acde7

Wei Jia authored 9 years ago

IAudioFlinger: fix the missing initialization of variable to ensure no info leak when writing them to Parcel.

Bug: 23953967
Change-Id: I3a1d0144ba3832649e322c197ff0f03305ee7829
(cherry picked from commit 4cac44b5)

951acde7

DO NOT MERGE - IAudioFlinger: always initialize variables to ensure no info... · b7903b47

Wei Jia authored 9 years ago

DO NOT MERGE - IAudioFlinger: always initialize variables to ensure no info leak when writing them to Parcel.

Bug: 23953967
Change-Id: Ibbe841da149038675e9e8daea76c77558bc8564b
(cherry picked from commit 983dca39)

b7903b47

Fix heap data leak vulnerability · 114193c6
Jeff Tinker authored 9 years ago
```
bug: 23600291
Change-Id: I7979e9e25ada01c13775be8580d433a8b4ce4ffe
```
114193c6
Fix for security vulnerability in media server DO NOT MERGE · 8977f0e3
Jeff Tinker authored 9 years ago
```
bug: 23540426
Change-Id: I7ca419e4008967a0387649e5293ac9d4be71d3c4
```
8977f0e3

DO NOT MERGE Avoid size_t overflow in base64 decoding once again · 7184a342

Wonsik Kim authored 9 years ago

Switch to foundation base64 function in OggExtractor and fix the
issue there.

This reverts commit 28314aef.

Bug: 23707088
Change-Id: I268bd50431de5b5e579343bf1b425c42ada6daba

7184a342

DO NOT MERGE - IAudioFlinger: clear config before reading it from parcel. · 8a9a1597

Wei Jia authored 9 years ago

Bug: 23905951
Bug: 23912202
Change-Id: Id13a9d3cae2c09e7381b841e67ddfb188274d74c
(cherry picked from commit e995e477)

8a9a1597

DO NOT MERGE - libstagefright: sanity check size before dereferencing pointer in Utils.cpp · c38bb447
Wei Jia authored 9 years ago
```
Also remove some CHECK's.

Bug: 23680780
Change-Id: I62d0941e203e40209fa6fbe3f923f3efdc5a6c23
(cherry picked from commit 7bb772e0)
```
c38bb447
Ogg: avoid size_t overflow in base64 decoding · 7e354f50
Wonsik Kim authored 9 years ago
```
Bug: 23707088
Change-Id: I8d32841fee3213c721cdcc57788807ea64d19d74
```
7e354f50