diff options
| author | Xin Li <delphij@google.com> | 2018-06-08 11:07:11 -0700 |
|---|---|---|
| committer | Xin Li <delphij@google.com> | 2018-06-08 11:07:11 -0700 |
| commit | 4539d77f0d48d6eaf00e3d19add00243ab8f76b1 (patch) | |
| tree | edc33e6862d21c05630757334773a65d637b1f71 | |
| parent | 16bee61d002fbb26d1a22c9e913061fdd022f3d3 (diff) | |
| parent | 5980f5ebe81eafd2c58ac3ec26a1fc65c7b5363c (diff) | |
| download | libavc-4539d77f0d48d6eaf00e3d19add00243ab8f76b1.tar.gz | |
Merge pi-dev-plus-aosp-without-vendor into stage-aosp-master
Bug: 79597307
Change-Id: I6db3d9db067a59b1fbbd50fd84544646282e3767
| -rw-r--r-- | Android.bp | 16 | ||||
| -rw-r--r-- | OWNERS | 1 | ||||
| -rw-r--r-- | cfi_blacklist.txt | 1 | ||||
| -rw-r--r-- | decoder/ih264d_api.c | 91 | ||||
| -rw-r--r-- | decoder/ih264d_defs.h | 3 | ||||
| -rw-r--r-- | decoder/ih264d_dpb_mgr.c | 13 | ||||
| -rw-r--r-- | decoder/ih264d_parse_headers.c | 18 | ||||
| -rw-r--r-- | decoder/ih264d_parse_slice.c | 11 | ||||
| -rw-r--r-- | decoder/ih264d_sei.c | 7 | ||||
| -rw-r--r-- | decoder/ih264d_structs.h | 1 | ||||
| -rw-r--r-- | decoder/ih264d_utils.c | 7 | ||||
| -rw-r--r-- | encoder/ih264e_api.c | 18 |
12 files changed, 161 insertions, 26 deletions
@@ -231,6 +231,14 @@ cc_library_static { ], }, }, + + sanitize: { + cfi: true, + diag: { + cfi: true, + }, + blacklist: "cfi_blacklist.txt", + }, } cc_library_static { @@ -492,6 +500,14 @@ cc_library_static { ], }, }, + + sanitize: { + cfi: true, + diag: { + cfi: true, + }, + blacklist: "cfi_blacklist.txt", + }, } subdirs = ["test"] @@ -1,3 +1,4 @@ marcone@google.com essick@google.com lajos@google.com +hkuang@google.com diff --git a/cfi_blacklist.txt b/cfi_blacklist.txt new file mode 100644 index 0000000..1571e0e --- /dev/null +++ b/cfi_blacklist.txt @@ -0,0 +1 @@ +src:*external/libavc/* diff --git a/decoder/ih264d_api.c b/decoder/ih264d_api.c index 0341389..c6999a6 100644 --- a/decoder/ih264d_api.c +++ b/decoder/ih264d_api.c @@ -1490,20 +1490,37 @@ WORD32 ih264d_allocate_static_bufs(iv_obj_t **dec_hdl, void *pv_api_ip, void *pv /*****************************************************************************/ WORD32 ih264d_create(iv_obj_t *dec_hdl, void *pv_api_ip, void *pv_api_op) { + ih264d_create_ip_t *ps_create_ip; ih264d_create_op_t *ps_create_op; WORD32 ret; + ps_create_ip = (ih264d_create_ip_t *)pv_api_ip; ps_create_op = (ih264d_create_op_t *)pv_api_op; ps_create_op->s_ivd_create_op_t.u4_error_code = 0; - + dec_hdl = NULL; ret = ih264d_allocate_static_bufs(&dec_hdl, pv_api_ip, pv_api_op); /* If allocation of some buffer fails, then free buffers allocated till then */ - if((IV_FAIL == ret) && (NULL != dec_hdl)) + if(IV_FAIL == ret) { - ih264d_free_static_bufs(dec_hdl); + if(dec_hdl) + { + if(dec_hdl->pv_codec_handle) + { + ih264d_free_static_bufs(dec_hdl); + } + else + { + void (*pf_aligned_free)(void *pv_mem_ctxt, void *pv_buf); + void *pv_mem_ctxt; + + pf_aligned_free = ps_create_ip->s_ivd_create_ip_t.pf_aligned_free; + pv_mem_ctxt = ps_create_ip->s_ivd_create_ip_t.pv_mem_ctxt; + pf_aligned_free(pv_mem_ctxt, dec_hdl); + } + } ps_create_op->s_ivd_create_op_t.u4_error_code = IVD_MEM_ALLOC_FAILED; ps_create_op->s_ivd_create_op_t.u4_error_code = 1 << IVD_FATALERROR; @@ -1681,8 +1698,8 @@ WORD32 check_app_out_buf_size(dec_struct_t *ps_dec) } else { - /* In case of shared mode, do not check validity of ps_dec->ps_out_buffer */ - return (IV_SUCCESS); + pic_wd = ps_dec->u2_frm_wd_y; + pic_ht = ps_dec->u2_frm_ht_y; } if(ps_dec->u4_app_disp_width > pic_wd) @@ -1692,14 +1709,34 @@ WORD32 check_app_out_buf_size(dec_struct_t *ps_dec) ps_dec->u1_chroma_format, &au4_min_out_buf_size[0]); - if(ps_dec->ps_out_buffer->u4_num_bufs < u4_min_num_out_bufs) - return IV_FAIL; - for(i = 0; i < u4_min_num_out_bufs; i++) + if(0 == ps_dec->u4_share_disp_buf) { - if(ps_dec->ps_out_buffer->u4_min_out_buf_size[i] - < au4_min_out_buf_size[i]) - return (IV_FAIL); + if(ps_dec->ps_out_buffer->u4_num_bufs < u4_min_num_out_bufs) + return IV_FAIL; + + for(i = 0; i < u4_min_num_out_bufs; i++) + { + if(ps_dec->ps_out_buffer->u4_min_out_buf_size[i] + < au4_min_out_buf_size[i]) + return (IV_FAIL); + } + } + else + { + if(ps_dec->disp_bufs[0].u4_num_bufs < u4_min_num_out_bufs) + return IV_FAIL; + + for(i = 0; i < u4_min_num_out_bufs; i++) + { + /* We need to check only with the disp_buffer[0], because we have + * already ensured that all the buffers are of the same size in + * ih264d_set_display_frame. + */ + if(ps_dec->disp_bufs[0].u4_bufsize[i] < au4_min_out_buf_size[i]) + return (IV_FAIL); + } + } return (IV_SUCCESS); @@ -2052,7 +2089,8 @@ WORD32 ih264d_video_decode(iv_obj_t *dec_hdl, void *pv_api_ip, void *pv_api_op) void *pv_buf; void *pv_mem_ctxt = ps_dec->pv_mem_ctxt; size = MAX(256000, ps_dec->u2_pic_wd * ps_dec->u2_pic_ht * 3 / 2); - pv_buf = ps_dec->pf_aligned_alloc(pv_mem_ctxt, 128, size); + pv_buf = ps_dec->pf_aligned_alloc(pv_mem_ctxt, 128, + size + EXTRA_BS_OFFSET); RETURN_IF((NULL == pv_buf), IV_FAIL); ps_dec->pu1_bits_buf_dynamic = pv_buf; ps_dec->u4_dynamic_bits_buf_size = size; @@ -2648,6 +2686,7 @@ WORD32 ih264d_set_display_frame(iv_obj_t *dec_hdl, void *pv_api_op) { + UWORD32 u4_disp_buf_size[3], u4_num_disp_bufs; ivd_set_display_frame_ip_t *dec_disp_ip; ivd_set_display_frame_op_t *dec_disp_op; @@ -2667,8 +2706,36 @@ WORD32 ih264d_set_display_frame(iv_obj_t *dec_hdl, u4_num_bufs = MIN(u4_num_bufs, MAX_DISP_BUFS_NEW); ps_dec->u4_num_disp_bufs = u4_num_bufs; + + /* Get the number and sizes of the first buffer. Compare this with the + * rest to make sure all the buffers are of the same size. + */ + u4_num_disp_bufs = dec_disp_ip->s_disp_buffer[0].u4_num_bufs; + + u4_disp_buf_size[0] = + dec_disp_ip->s_disp_buffer[0].u4_min_out_buf_size[0]; + u4_disp_buf_size[1] = + dec_disp_ip->s_disp_buffer[0].u4_min_out_buf_size[1]; + u4_disp_buf_size[2] = + dec_disp_ip->s_disp_buffer[0].u4_min_out_buf_size[2]; + for(i = 0; i < u4_num_bufs; i++) { + if(dec_disp_ip->s_disp_buffer[i].u4_num_bufs != u4_num_disp_bufs) + { + return IV_FAIL; + } + + if((dec_disp_ip->s_disp_buffer[i].u4_min_out_buf_size[0] + != u4_disp_buf_size[0]) + || (dec_disp_ip->s_disp_buffer[i].u4_min_out_buf_size[1] + != u4_disp_buf_size[1]) + || (dec_disp_ip->s_disp_buffer[i].u4_min_out_buf_size[2] + != u4_disp_buf_size[2])) + { + return IV_FAIL; + } + ps_dec->disp_bufs[i].u4_num_bufs = dec_disp_ip->s_disp_buffer[i].u4_num_bufs; diff --git a/decoder/ih264d_defs.h b/decoder/ih264d_defs.h index 4622775..260e358 100644 --- a/decoder/ih264d_defs.h +++ b/decoder/ih264d_defs.h @@ -108,6 +108,9 @@ /* For 420SP */ #define YUV420SP_FACTOR 2 +/*To prevent buffer overflow access; in case the size of nal unit is + * greater than the allocated buffer size*/ +#define EXTRA_BS_OFFSET 16*16*2 /** *************************************************************************** diff --git a/decoder/ih264d_dpb_mgr.c b/decoder/ih264d_dpb_mgr.c index 303d4e8..b7ee498 100644 --- a/decoder/ih264d_dpb_mgr.c +++ b/decoder/ih264d_dpb_mgr.c @@ -375,9 +375,6 @@ WORD32 ih264d_insert_st_node(dpb_manager_t *ps_dpb_mgr, if((ps_dpb_info[i].ps_pic_buf == ps_pic_buf) && ps_dpb_info[i].u1_used_as_ref) { - /* Can occur only for field bottom pictures */ - ps_dpb_info[i].s_bot_field.u1_reference_info = IS_SHORT_TERM; - /*signal an error in the case of frame pic*/ if(ps_dpb_info[i].ps_pic_buf->u1_pic_type == FRM_PIC) { @@ -385,6 +382,8 @@ WORD32 ih264d_insert_st_node(dpb_manager_t *ps_dpb_mgr, } else { + /* Can occur only for field bottom pictures */ + ps_dpb_info[i].s_bot_field.u1_reference_info = IS_SHORT_TERM; return OK; } } @@ -722,7 +721,7 @@ WORD32 ih264d_ref_idx_reordering(dec_struct_t *ps_dec, UWORD8 uc_lx) UWORD16 ui_max_frame_num = ps_dec->ps_cur_sps->u2_u4_max_pic_num_minus1 + 1; - WORD32 i; + WORD32 i, count = 0; UWORD32 ui_remapIdc, ui_nextUev; WORD16 u2_pred_frame_num = u4_cur_pic_num; WORD32 i_temp; @@ -743,7 +742,8 @@ WORD32 ih264d_ref_idx_reordering(dec_struct_t *ps_dec, UWORD8 uc_lx) ui_remapIdc = ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf); - while(ui_remapIdc != 3) + while((ui_remapIdc != 3) + && (count < ps_cur_slice->u1_num_ref_idx_lx_active[uc_lx])) { ui_nextUev = ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf); if(ui_remapIdc != 2) @@ -812,6 +812,7 @@ WORD32 ih264d_ref_idx_reordering(dec_struct_t *ps_dec, UWORD8 uc_lx) ui_remapIdc = ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf); /* Get the remapping_idc - 0/1/2/3 */ + count++; } //Handle the ref indices that were not remapped @@ -843,7 +844,7 @@ WORD32 ih264d_ref_idx_reordering(dec_struct_t *ps_dec, UWORD8 uc_lx) WORD32 ih264d_read_mmco_commands(struct _DecStruct * ps_dec) { dec_bit_stream_t *ps_bitstrm = ps_dec->ps_bitstrm; - dpb_commands_t *ps_dpb_cmds = ps_dec->ps_dpb_cmds; + dpb_commands_t *ps_dpb_cmds = &(ps_dec->s_dpb_cmds_scratch); dec_slice_params_t * ps_slice = ps_dec->ps_cur_slice; WORD32 j; UWORD8 u1_buf_mode; diff --git a/decoder/ih264d_parse_headers.c b/decoder/ih264d_parse_headers.c index 4f3136f..03ed508 100644 --- a/decoder/ih264d_parse_headers.c +++ b/decoder/ih264d_parse_headers.c @@ -30,6 +30,8 @@ * \author AI ************************************************************************** */ +#include <string.h> + #include "ih264_typedefs.h" #include "ih264_macros.h" #include "ih264_platform_macros.h" @@ -479,7 +481,7 @@ WORD32 ih264d_parse_sps(dec_struct_t *ps_dec, dec_bit_stream_t *ps_bitstrm) { UWORD8 i; dec_seq_params_t *ps_seq = NULL; - UWORD8 u1_profile_idc, u1_level_idc, u1_seq_parameter_set_id; + UWORD8 u1_profile_idc, u1_level_idc, u1_seq_parameter_set_id, u1_mb_aff_flag = 0; UWORD16 i2_max_frm_num; UWORD32 *pu4_bitstrm_buf = ps_bitstrm->pu4_buffer; UWORD32 *pu4_bitstrm_ofst = &ps_bitstrm->u4_ofst; @@ -564,6 +566,8 @@ WORD32 ih264d_parse_sps(dec_struct_t *ps_dec, dec_bit_stream_t *ps_bitstrm) /*--------------------------------------------------------------------*/ ps_seq = ps_dec->pv_scratch_sps_pps; + memset(ps_seq, 0, sizeof(dec_seq_params_t)); + if(ps_dec->i4_header_decoded & 1) { *ps_seq = *ps_dec->ps_cur_sps; @@ -802,9 +806,19 @@ WORD32 ih264d_parse_sps(dec_struct_t *ps_dec, dec_bit_stream_t *ps_bitstrm) COPYTHECONTEXT("SPS: frame_mbs_only_flag", u1_frm); if(!u1_frm) + u1_mb_aff_flag = ih264d_get_bit_h264(ps_bitstrm); + + if((ps_dec->i4_header_decoded & 1) + && (ps_seq->u1_mb_aff_flag != u1_mb_aff_flag)) + { + ps_dec->u1_res_changed = 1; + return IVD_RES_CHANGED; + } + + if(!u1_frm) { u2_pic_ht <<= 1; - ps_seq->u1_mb_aff_flag = ih264d_get_bit_h264(ps_bitstrm); + ps_seq->u1_mb_aff_flag = u1_mb_aff_flag; COPYTHECONTEXT("SPS: mb_adaptive_frame_field_flag", ps_seq->u1_mb_aff_flag); diff --git a/decoder/ih264d_parse_slice.c b/decoder/ih264d_parse_slice.c index 2d8a9af..db02bfe 100644 --- a/decoder/ih264d_parse_slice.c +++ b/decoder/ih264d_parse_slice.c @@ -1826,7 +1826,7 @@ WORD32 ih264d_parse_decode_slice(UWORD8 u1_is_idr_slice, ps_dec->ps_cur_pic->u4_pack_slc_typ |= I_SLC_BIT; ret = ih264d_parse_islice(ps_dec, u2_first_mb_in_slice); - + ps_dec->u1_pr_sl_type = u1_slice_type; if(ps_dec->i4_pic_type != B_SLICE && ps_dec->i4_pic_type != P_SLICE) ps_dec->i4_pic_type = I_SLICE; @@ -1858,6 +1858,15 @@ WORD32 ih264d_parse_decode_slice(UWORD8 u1_is_idr_slice, if(ret != OK) return ret; + if(u1_nal_ref_idc != 0) + { + if(!ps_dec->ps_dpb_cmds->u1_dpb_commands_read) + { + memcpy((void *)ps_dec->ps_dpb_cmds, (void *)(&(ps_dec->s_dpb_cmds_scratch)), + sizeof(dpb_commands_t)); + } + } + /* storing last Mb X and MbY of the slice */ ps_dec->i2_prev_slice_mbx = ps_dec->u2_mbx; ps_dec->i2_prev_slice_mby = ps_dec->u2_mby; diff --git a/decoder/ih264d_sei.c b/decoder/ih264d_sei.c index 800f2c9..098a1f3 100644 --- a/decoder/ih264d_sei.c +++ b/decoder/ih264d_sei.c @@ -336,7 +336,7 @@ WORD32 ih264d_parse_sei_message(dec_struct_t *ps_dec, ui4_payload_type = 0; u4_bits = ih264d_get_bits_h264(ps_bitstrm, 8); - while(0xff == u4_bits) + while(0xff == u4_bits && !EXCEED_OFFSET(ps_bitstrm)) { u4_bits = ih264d_get_bits_h264(ps_bitstrm, 8); ui4_payload_type += 255; @@ -345,7 +345,7 @@ WORD32 ih264d_parse_sei_message(dec_struct_t *ps_dec, ui4_payload_size = 0; u4_bits = ih264d_get_bits_h264(ps_bitstrm, 8); - while(0xff == u4_bits) + while(0xff == u4_bits && !EXCEED_OFFSET(ps_bitstrm)) { u4_bits = ih264d_get_bits_h264(ps_bitstrm, 8); ui4_payload_size += 255; @@ -370,7 +370,8 @@ WORD32 ih264d_parse_sei_message(dec_struct_t *ps_dec, { H264_DEC_DEBUG_PRINT("\nError in parsing SEI message"); } - while(0 == ih264d_check_byte_aligned(ps_bitstrm)) + while(0 == ih264d_check_byte_aligned(ps_bitstrm) + && !EXCEED_OFFSET(ps_bitstrm)) { u4_bits = ih264d_get_bit_h264(ps_bitstrm); if(u4_bits) diff --git a/decoder/ih264d_structs.h b/decoder/ih264d_structs.h index 6958a0c..706fe9d 100644 --- a/decoder/ih264d_structs.h +++ b/decoder/ih264d_structs.h @@ -968,6 +968,7 @@ typedef struct _DecStruct /* Variables for Decode Buffer Management */ dpb_manager_t *ps_dpb_mgr; dpb_commands_t *ps_dpb_cmds; + dpb_commands_t s_dpb_cmds_scratch; /* Variables Required for N MB design */ dec_mb_info_t *ps_nmb_info; diff --git a/decoder/ih264d_utils.c b/decoder/ih264d_utils.c index e85daba..edfb8f1 100644 --- a/decoder/ih264d_utils.c +++ b/decoder/ih264d_utils.c @@ -1020,12 +1020,15 @@ WORD32 ih264d_get_next_display_field(dec_struct_t * ps_dec, buf = ps_dec->disp_bufs[i].buf[1]; buf += ps_dec->disp_bufs[i].u4_ofst[1]; pv_disp_op->s_disp_frm_buf.pv_u_buf = buf - + pic_buf->u2_crop_offset_uv; + + (pic_buf->u2_crop_offset_uv + / YUV420SP_FACTOR); buf = ps_dec->disp_bufs[i].buf[2]; buf += ps_dec->disp_bufs[i].u4_ofst[2]; pv_disp_op->s_disp_frm_buf.pv_v_buf = buf - + pic_buf->u2_crop_offset_uv; + + (pic_buf->u2_crop_offset_uv + / YUV420SP_FACTOR); + } } } diff --git a/encoder/ih264e_api.c b/encoder/ih264e_api.c index 2ecfdf5..a996303 100644 --- a/encoder/ih264e_api.c +++ b/encoder/ih264e_api.c @@ -1147,6 +1147,24 @@ static IV_STATUS_T api_check_struct_sanity(iv_obj_t *ps_handle, return (IV_FAIL); } + if(ps_ip->s_ive_ip.u4_wd & 1) + { + ps_op->s_ive_op.u4_error_code |= 1 + << IVE_UNSUPPORTEDPARAM; + ps_op->s_ive_op.u4_error_code |= + IH264E_WIDTH_NOT_SUPPORTED; + return (IV_FAIL); + } + + if(ps_ip->s_ive_ip.u4_ht & 1) + { + ps_op->s_ive_op.u4_error_code |= 1 + << IVE_UNSUPPORTEDPARAM; + ps_op->s_ive_op.u4_error_code |= + IH264E_HEIGHT_NOT_SUPPORTED; + return (IV_FAIL); + } + break; } |