GitLab

When processing 3GPP metadata, a subtraction operation may underflow and
lead to a rather large linear byteswap operation in the subsequent
framedata decoding code. Bound the 'size' value to prevent this from
occurring.

Bug: 20923261
Change-Id: I35dfbc8878c6b65cfe8b8adb7351a77ad4d604e5
(cherry picked from commit 9458e715)

If the 'chunk_data_size' value is SIZE_MAX, an integer overflow will occur
and cause an undersized buffer to be allocated. The following processing
then overfills the resulting memory and creates a potentially exploitable
condition. Ensure that integer overflow does not occur.

Bug: 20923261
Change-Id: I75cce323aec04a612e5a230ecd7c2077ce06035f

Metadata processed within the parse3GPPMetaData function may not be NUL
terminated and thus calling setCString may read out of bounds. Ensure
proper NUL termination, but take care not to interfere with other special
cases (ie, albm).

Bug: 20923261
Change-Id: Ie93b3038b534b4c4460571a68f4d734cff7ad324
(cherry picked from commit 5cea0155)

Check consistency of effect command reply sizes before
copying to reply address.

Also add null pointer check on reply size.
Also remove unused parameter warning.

Bug: 21953516.
Change-Id: I4cf00c12eaed696af28f3b7613f7e36f47a160c4
(cherry picked from commit 0f714a46)

When the sum of the 'size' and 'chunk_size' variables is larger than 2^32,
an integer overflow occurs. Using the result value to allocate memory
leads to an undersized buffer allocation and later a potentially
exploitable heap corruption condition. Ensure that integer overflow does
not occur.

Bug: 20923261
Change-Id: Id050a36b33196864bdd98b5ea24241f95a0b5d1f

When the 'chunk_data_size' variable is less than 'kSkipBytesOfDataBox', an
integer underflow can occur. This causes an extraordinarily large value to
be passed to MetaData::setData, leading to a buffer overflow.

Bug: 20923261
Change-Id: Icd28f63594ad941eabb3a12c750a4a2d5d2bf94b

Bug: 20634516
Change-Id: Iac9eac3cb251eccd9bbad5df7421a07edc21da0c
(cherry picked from commit 2d6b6601)

Bug: 20634516
Change-Id: If351dbd573bb4aeb6968bfa33f6d407225bc752c
(cherry picked from commit d971df0e)

bug: 20222489
Change-Id: I3a64a5999d68ea243d187f12ec7717b7f26d93a3
(cherry picked from commit 532cd7b8)

Bug: 19641538
Change-Id: I5aae3f100846c125decc61eec7cd6563e3f33777

Bug: 19400722
Change-Id: Ib3afdf73fd4647eeea5721c61c8b72dbba0647f6

Several arithmetic operations within parseESDescriptor could underflow, leading
to an out-of-bounds read operation. Ensure that subtractions from 'size' do not
cause it to wrap around.

Bug: 20139950

(cherry picked from commit 07c0f59d)

Change-Id: I377d21051e07ca654ea1f7037120429d3f71924a

A few sample table related FourCC values are handled by the
setSampleToChunkParams function. An integer overflow exists within this
function. Validate that mNumSampleToChunkOffets will not cause an integer
overflow.

Bug: 20139950

(cherry picked from commit c24607c2)

Change-Id: I49086952451b09a234d8b82669251ab9f1ef58d9

Commit edd4a76e (which addressed bugs 15328708, 15342615, 15342751) added
several integer overflow checks. Unfortunately, those checks fail to take into
account integer promotion rules and are thus themselves subject to an integer
overflow. Cast the sizeof() operator to a uint64_t to force promotion while
multiplying.

Bug: 20139950

(cherry picked from commit e2e812e5)

Change-Id: I080eb3fa147601f18cedab86e0360406c3963d7b

Bug: 19984798
Change-Id: Iff13cf03c4ce3141380f4d7ab4a2b1045c5ce747

Fix device type comparison in DeviceVector::getDevicesFromType():
AUDIO_DEVICE_BIT_IN bit must be excluded from type comparison
and used as an orthogonal match criterium.

Manual cherry-pick from master 4c91f90c

Bug: 19957479

Change-Id: Ica9f440384bcb85e669864bd29504a4fda862ce7

Add limit on number of audio ports and patches requested by
listaudioPorts() and listAudioPatches().

Bug: 19261727.
Change-Id: I21dfdf11cf805734cc3b7b2a85762c5598f60580
(cherry picked from commit 1d670b11)

This reverts commit 7a9510dcf637cc1e5c953d77c7bd4409c80a820f.

Bug: 19317169
Change-Id: I881ce6b1592b7250f423a561dadd40d379e16104

Hold a wakelock while paused in audio offload mode, until audio
teardown event is received, or pause is canceled.

Since ARM cores are sleeping, the delayed AMessage will not be
received, and the audio output driver will not be closed.
This blocks XO shutdown.

Bug: 19297092
Change-Id: I3d11fef633e3f2783f4aa31e71285e2fa09d234c

This can be used by low-end devices

Bug: 19027495
Change-Id: I2cf90bf5a9a95b3f38c32eef2a950c9e33c70a7a

Bug:19289381
Change-Id: If7bbf1ecf1cb8796188e61bc2c42f8a099510424

Bug: 19030684
Change-Id: I6d4674fad126c26d3b6819fde91277a92dfd8862

This seems to have the same layout as OMX_COLOR_FormatYUV420SemiPlanar

Bug: 19246722
Change-Id: Ief41bfaf997426a6900c3632dadaf8f4a6a38baf

bug: 19284568
Change-Id: I2ccf1c5952c13d1332b6a91f967af0bd3ee67451

Bug: 19179927
Change-Id: I3accaa655e9bad2b0efcac98c5dd95a23f8d6671

Bug: 17906609
Bug: 19179288
Bug: 19179927
Change-Id: I3713d4e894d3350d46e25dc0206b21c0ff3b9009

Bug: 19179927
Change-Id: I3accaa655e9bad2b0efcac98c5dd95a23f8d6671

Bug: 17906609
Bug: 19179288
Bug: 19179927
Change-Id: I3713d4e894d3350d46e25dc0206b21c0ff3b9009

bug: 19266084
Change-Id: I06ef57b09b048a85f77be4dee27599c4f60aacc9

Use software renderer if codec cannot support flex-YUV on a surface

Bug: 17906609
Change-Id: I3d0e3ff5fee7d7b3e2416892968fa18f6139598a

Also add comments describing how start time and segment start time are
used.

Based on AOSP CL https://android-review.googlesource.com/127653
by Joakim Johansson <joakim.c.johansson@sonymobile.com> but uses the
lowest segment start time instead of highest.

Bug: 18821145
Change-Id: I14cf1186d0daf517a24e8423c3a708b4c9ba06c4