Commits · 65b1cf37907d8a7d5e100827e9d58cddf032be08 · halo / frameworks_av

01 Sep, 2015 22 commits

Fix for memory corruption in ID3::removeUnsynchronizationV2_4(). · 65b1cf37
Neel Mehta authored 9 years ago
```
Bug: 23227354

Change-Id: Iaa36cfda4fd84ca7e039f56086fd61b4118020db
(cherry picked from commit 77e23413)
```
65b1cf37
SoftAVCEncoder: fix mismatched type for comparison. · bbff8c7e
Wei Jia authored 9 years ago
```
Bug: 20674674
Change-Id: Iace5b8c882339b3a9d2e706375255aeeeb0532fe
```
bbff8c7e
Fix compile failure after rI431aa2b7d30a942350ab6d105451c6b77e2f99d4 · 815cc6ca
Abhishek Arya authored 9 years ago
```
Bug: 20674086
Change-Id: I2ee6b7e0eabbf696c0986d08b2d759d48cb9eb7b
```
815cc6ca
MPEG4Source::fragmentedRead: check range before writing into buffers · 73e9dfc0
Robert Shih authored 10 years ago
```
Bug: 22008959
Change-Id: I5f6e188adcc593796455bdaf7b0b8aba672b106e
```
73e9dfc0
Fix compile after rI431aa2b7d30a942350ab6d105451c6b77e2f99d4 · e856d516
Abhishek Arya authored 9 years ago
```
BUG: 20674086
Change-Id: Idaff17975b327adea65c39bdba1ab4e88789c0cd
```
e856d516
do not dequeue from native window after we hit fatal error -- DO NOT MERGE · 57beddd2
Chong Zhang authored 9 years ago
```
bug: 22845824
Change-Id: I8c375790c697e02b6ab3ea54b84d3f70d5e78141
(cherry picked from commit 346de3c2)
```
57beddd2
libstagefright: check remaining data size before parsing it. · e88d81b0
Wei Jia authored 9 years ago
```
Bug: 23248776
Change-Id: I45cf53e58e4375afcf260b122264c968ec0ff6c8
(cherry picked from commit 3bf1e0fd)
```
e88d81b0

SoftAVCEnc: check requested memory size before allocation. · 53788a1a

Wei Jia authored 9 years ago

Bug: 20674674

Change-Id: If80186a7b9078e575d389220f3bebe9f7630a956
(cherry picked from commit f6fe4340)

53788a1a

Check integer overflow to prevent memory corruption · 9aa63d18

Jeff Tinker authored 9 years ago

bug: 23016072
Change-Id: If3c9a835408773847c0024a812bd8b4915ebd680
(cherry picked from commit fa8ebb45)

9aa63d18

SoftOpus: Fix output buffer capacity. · 2bd303a3

Vignesh Venkatasubramanian authored 10 years ago

The output buffer size as per opus project's sample decoder [1] is
960*6*channel_count. Whereas in SoftOpus, we use 960*6 (without the
channel count multiplier. Fixing it to include maximum number of
channels possible as the multiplier.

[1] http://git.xiph.org/?p=opus-tools.git;a=blob;f=src/opusdec.c;h=d085f04eacdfd49759ffdb73db805562ba396720;hb=f2a2e88b47f6f24083a37be476f140f677fe7160#l571

BUG=20721050

Change-Id: I323891a1b11491782bc093477b09e7757b885674
(cherry picked from commit 08e82275)

2bd303a3

Check buffer size before using it · 61d9a7eb

Marco Nelissen authored 9 years ago

Bug: 21814993
Change-Id: Idaac61b4b9f4058b94e84093644593ba315d72ff
(cherry picked from commit c1a104aa)

61d9a7eb

Fix comparison sign warnings. · e15476a5

Dan Albert authored 10 years ago

Bug:23213430

Change-Id: I6f2e2b03b968a569b122004b4803c5d17fccfb12
(cherry picked from commit 635bc8f9)

e15476a5

ABuffer: reset members when memory allocation fails. · 6fd029ee

Wei Jia authored 9 years ago

Bug: 22077698
Change-Id: I2beb724662d041ad2339d0f4c7f983e7ac5e5e6f
(cherry picked from commit 94b0badc)

6fd029ee

Check vector size before accessing · 6de921d1

Marco Nelissen authored 9 years ago

Bug: 22388975
Change-Id: I3c157b1029d37f6a22e6302ea7b52077fe27ce53
(cherry picked from commit 529c595b)

6de921d1

libstagefright: fix possible overflow in amrwbenc. · dedaadbd

Wei Jia authored 9 years ago

Bug: 23142203
Change-Id: I309df51e4df6412655f04cc093d792bf6c7944f7
(cherry picked from commit 9dd01777)

dedaadbd

libstagefright: fix possible overflow in ID3. · 1e40ab34

Wei Jia authored 9 years ago

Bug: 23129786
Change-Id: I2e6b7a6927aa4362ab49dd6824bbb1abf7b4e661
(cherry picked from commit 09da8691)

1e40ab34

Fix Ogg album art · 0ff5f3e9

Marco Nelissen authored 9 years ago

Bug: 23036083
Bug: https://code.google.com/p/android/issues/detail?id=182053
Change-Id: I1a5cbe06990900160c2addade238c1e9feab8f71
(cherry picked from commit c63cc509)

0ff5f3e9

MPEG4Extractor.cpp: Add check for size == SIZE_MAX · ef387c27

Nick Kralevich authored 9 years ago

If size == SIZE_MAX, the line:

  uint8_t *buffer = new (std::nothrow) uint8_t[size + 1];

ends up allocating zero bytes, which is obviously incorrect.

(cherry picked from commit b2d33aee)

Bug: 23031033
Change-Id: I8027247a4e24d2c8a8b4eac88c3643eccda108b9

ef387c27

Extra sanity checks on sample size and resolution · f72b2906

Marco Nelissen authored 9 years ago

Instead of rejecting the samples later when they don't fit in the
buffer, reject the entire file early.

Bug: 22882938
Change-Id: I748153b0e9e827e3f2526468756295b4b5000de6
(cherry picked from commit beef7e58)

f72b2906

Fix crash on malformed id3 · 0dc89f5c
Marco Nelissen authored 9 years ago
```
Bug: 22954006
Change-Id: I488cb1e2c69fc7043b6040481b30fa866000515d
```
0dc89f5c

SampleTable: fix integer overflow checks. · 07f19bad

Wei Jia authored 10 years ago

Bug: 20139950
Bug: 22935234
(cherry picked from commit a105482a)

Change-Id: I408d261de1a6dd5c4343bcf3a7dfd8a259e0e2f3

07f19bad

DO NOT MERGE - IAudioFlinger: add checks on binder calls · 0bfc3754

Eric Laurent authored 10 years ago

Limit number of ports and patches listed by
LIST_AUDIO_PATCHES and LIST_AUDIO_PORTS.

Also fix typo causing wring pointer to be used when writing to Parcel.

Bug: 19573085.
Change-Id: I41a9c710e45738a4f11990160587856c429a4646

0bfc3754

15 Aug, 2015 1 commit
- Revert "DO NOT MERGE: Lock drm plugin API calls globally, not per MediaDrm instance" · 11202b50
  Baligh Uddin authored 9 years ago
```
This reverts commit d3831760.

Change-Id: I0509f7eadb3a27c4cadbd3088cb57a588463f457
```
  11202b50
14 Aug, 2015 3 commits

DO NOT MERGE: Lock drm plugin API calls globally, not per MediaDrm instance · e29953f3

Jeff Tinker authored 10 years ago

Bug: 22414321

Change-Id: I062c662a440a1becccd248c3b8ddf711c51e53cc
related-to-bug: 18394494
related-to-bug: 19664283
(cherry picked from commit 2fb561a6)

e29953f3

MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX · 6fe85f7e

Nick Kralevich authored 9 years ago

chunk_size is a uint64_t, so it can legitimately be bigger
than SIZE_MAX, which would cause the subtraction to underflow.

https://code.google.com/p/android/issues/detail?id=182251

Bug: 23034759
Change-Id: Ic1637fb26bf6edb0feb1bcf2876fd370db1ed547

6fe85f7e

Guard against codecinfo overflow · 304ef916
Marco Nelissen authored 9 years ago
```
Bug: 21296336
Change-Id: I78be5141b3108142f12d7cb94839fa50f776d84a
```
304ef916

05 Aug, 2015 1 commit
- Revert "DO NOT MERGE: Lock drm plugin API calls globally, not per MediaDrm instance" · a5d9298a
  Baligh Uddin authored 9 years ago
```
This reverts commit d3831760.

Change-Id: I0509f7eadb3a27c4cadbd3088cb57a588463f457
```
  a5d9298a
23 Jul, 2015 1 commit

DO NOT MERGE: Lock drm plugin API calls globally, not per MediaDrm instance · d776139c

Jeff Tinker authored 10 years ago

Bug: 22414321

Change-Id: I062c662a440a1becccd248c3b8ddf711c51e53cc
related-to-bug: 18394494
related-to-bug: 19664283
(cherry picked from commit 2fb561a6)

d776139c

09 Jul, 2015 12 commits

Prevent integer underflow if size is below 6 · f4f7e0c1

Joshua J. Drake authored 10 years ago

When processing 3GPP metadata, a subtraction operation may underflow and
lead to a rather large linear byteswap operation in the subsequent
framedata decoding code. Bound the 'size' value to prevent this from
occurring.

Bug: 20923261
Change-Id: I35dfbc8878c6b65cfe8b8adb7351a77ad4d604e5
(cherry picked from commit 9458e715)

f4f7e0c1

Prevent integer overflow when processing covr MPEG4 atoms · 2674a721

Joshua J. Drake authored 10 years ago

If the 'chunk_data_size' value is SIZE_MAX, an integer overflow will occur
and cause an undersized buffer to be allocated. The following processing
then overfills the resulting memory and creates a potentially exploitable
condition. Ensure that integer overflow does not occur.

Bug: 20923261
Change-Id: I75cce323aec04a612e5a230ecd7c2077ce06035f

2674a721

Prevent reading past the end of the buffer in 3GPP · e846a5f3

Joshua J. Drake authored 10 years ago

Metadata processed within the parse3GPPMetaData function may not be NUL
terminated and thus calling setCString may read out of bounds. Ensure
proper NUL termination, but take care not to interfere with other special
cases (ie, albm).

Bug: 20923261
Change-Id: Ie93b3038b534b4c4460571a68f4d734cff7ad324
(cherry picked from commit 5cea0155)

e846a5f3

audio effects: fix heap overflow · aeea52da

Eric Laurent authored 10 years ago

Check consistency of effect command reply sizes before
copying to reply address.

Also add null pointer check on reply size.
Also remove unused parameter warning.

Bug: 21953516.
Change-Id: I4cf00c12eaed696af28f3b7613f7e36f47a160c4
(cherry picked from commit 0f714a46)

aeea52da

Fix integer overflow when handling MPEG4 tx3g atom · 463a6f80

Joshua J. Drake authored 10 years ago

When the sum of the 'size' and 'chunk_size' variables is larger than 2^32,
an integer overflow occurs. Using the result value to allocate memory
leads to an undersized buffer allocation and later a potentially
exploitable heap corruption condition. Ensure that integer overflow does
not occur.

Bug: 20923261
Change-Id: Id050a36b33196864bdd98b5ea24241f95a0b5d1f

463a6f80

Fix integer underflow in covr MPEG4 processing · f4a88c8e

Joshua J. Drake authored 10 years ago

When the 'chunk_data_size' variable is less than 'kSkipBytesOfDataBox', an
integer underflow can occur. This causes an extraordinarily large value to
be passed to MetaData::setData, leading to a buffer overflow.

Bug: 20923261
Change-Id: Icd28f63594ad941eabb3a12c750a4a2d5d2bf94b

f4a88c8e

IOMX: Enable buffer ptr to buffer id translation for arm32 · 3cb1b694
Andy Hung authored 10 years ago
```
Bug: 20634516
Change-Id: Iac9eac3cb251eccd9bbad5df7421a07edc21da0c
(cherry picked from commit 2d6b6601)
```
3cb1b694

IOMX: Add buffer range check to emptyBuffer · 086d84f4

Andy Hung authored 10 years ago

Bug: 20634516
Change-Id: If351dbd573bb4aeb6968bfa33f6d407225bc752c
(cherry picked from commit d971df0e)

086d84f4

HDCP: buffer over flow check -- DO NOT MERGE · c82e31a7

Chong Zhang authored 10 years ago

bug: 20222489
Change-Id: I3a64a5999d68ea243d187f12ec7717b7f26d93a3
(cherry picked from commit 532cd7b8)

c82e31a7

Add AUtils::isInRange, and use it to detect malformed MPEG4 nal sizes · d48f0f14
Lajos Molnar authored 10 years ago
```
Bug: 19641538
Change-Id: I5aae3f100846c125decc61eec7cd6563e3f33777
```
d48f0f14
Add some sanity checks · 51504928
Marco Nelissen authored 10 years ago
```
Bug: 19400722
Change-Id: Ib3afdf73fd4647eeea5721c61c8b72dbba0647f6
```
51504928

Fix integer underflow in ESDS processing · 5e751957

Joshua J. Drake authored 10 years ago

Several arithmetic operations within parseESDescriptor could underflow, leading
to an out-of-bounds read operation. Ensure that subtractions from 'size' do not
cause it to wrap around.

Bug: 20139950

(cherry picked from commit 07c0f59d)

Change-Id: I377d21051e07ca654ea1f7037120429d3f71924a

5e751957