aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2021-06-30Merge cherrypicks of [15151695, 15151716, 15151891, 15151892, 15151894, ↵android-security-8.1.0_r93android-security-8.1.0_r92oreo-mr1-security-releaseAndroid Build Coastguard Worker
15151896, 15150908, 15151384, 15151699, 15151700, 15151701] into security-aosp-oc-mr1-release Change-Id: I640b1a4308df54d0bcfb05bd54e9649ec3279168
2021-06-30Decoder: Update check for increment u2_cur_slice_numRakesh Kumar
Increment u2_cur_slice_num only if current slice had atleast one MB of memory left. Test: clusterfuzz generated poc in bug Bug: b/182152757 Bug: b/179938345 Bug: b/185112718 Change-Id: Ic5eb07e961bccb7fde954bcfd791fd879804e335 (cherry picked from commit a88e0683a420d7ee9aa4b6f41f94cb8dc0c5e040)
2021-05-14Merge cherrypicks of [14554374, 14554375, 14554376, 14554377, 14554421, ↵android-security-8.1.0_r91android-security-8.1.0_r90android-build-team Robot
14554378, 14554522, 14554523, 14554381, 14554563, 14554564, 14554566, 14554568, 14554570, 14554571, 14554573, 14554526, 14554576] into security-aosp-oc-mr1-release Change-Id: I3a7412f3adba6df78ed3bb97dd9679ab5a790423
2021-05-14encoder: fix invalid free of raw buffersNeelkamal Semwal
Return current input buffer as buffer to be freed in case of errors that are seen before picking up the input buffer to be from the input queue. Once a buffer is picked up from the queue, that is returned as the buffer to be freed. There is no need to return a buffer from ps_proc context Bug: 180643802 Test: poc in the bug description Test: atest CtsMediaV2TestCases:CodecEncoderTest Test: atest VtsHalMediaC2V1_0TargetVideoEncTest Change-Id: I1671ca1e82f522004d1f070df89b256b856f75b8 (cherry picked from commit 3e73f0d56298ba6256927928669d0cc6e4b1c9ee)
2021-04-08Merge cherrypicks of [14126780, 14127201, 14128410, 14127515, 14128647, ↵android-security-8.1.0_r89android-build-team Robot
14128745, 14128746, 14128251, 14128748, 14126431, 14125341, 14128805, 14128806] into security-aosp-oc-mr1-release Change-Id: Ifd23ee5b67d4b9e859d89bb7df401c052db0487e
2021-04-08avcenc: Add bitstream overflow check during emulation preventionNeelkamal Semwal
Bug: 176533109 Test: poc in the bug description Change-Id: Ia83383f9b65cbde8d7a50a1af8a054936daa4d78 (cherry picked from commit b59de5a25f28f0fe411526b2e50bb8052957c517) (cherry picked from commit 10910bf9106eff724390255faa48f9f61dcfc744)
2020-12-09decoder: Update check for first mb in sliceandroid-security-8.1.0_r88android-security-8.1.0_r87android-security-8.1.0_r86android-security-8.1.0_r85Harish Mahendrakar
first_mb_in_slice shouldn't be >= mbs in the picture. Test: poc in bugs Bug: b/174238784 Bug: b/174507022 Bug: oss-fuzz:27856 Bug: oss-fuzz:28039 Change-Id: Id3a41c8c2ddf814910fc2d5dd4f57bdd84d28fec (cherry picked from commit 7e06940dce7245f03fd950edf7f72ff321b2b451)
2020-01-10decoder: Fix minimum poc calculation check while adding to displayandroid-security-8.1.0_r84android-security-8.1.0_r83android-security-8.1.0_r82android-8.1.0_r81android-8.1.0_r80android-8.1.0_r79android-8.1.0_r78android-8.1.0_r77android-8.1.0_r76android-8.1.0_r75android-8.1.0_r74security-oc-mr1-releaseHarish Mahendrakar
While adding the decoded buffer to display queue, allow buffer with poc set to 0x7FFFFFFF Bug: 145364230 Test: poc in bug Change-Id: I2a15f73b8422cfa4fd3360bc21c0cea4542a3375 (cherry picked from commit ffcf2a87d66f935210ebd011eed474514d086b40)
2019-11-07decoder: Move initialization of dbp_mgr entries to init_decoder()android-8.1.0_r73android-8.1.0_r72Harish Mahendrakar
Earlier these were only initialized during static buffer allocations. Initializing them in init_decoder() will ensure that these get initialized to default values during reset() as well. Without this, in some error cases, there is a possibility of heap-use-after free, when resolution changes and these pointers point to memory that is freed Bug: 142602711 Test: poc in bug Change-Id: Ie39fee0eca56bf32cdc558099bf167d05eb89620 (cherry picked from commit 01da7b5a52a76aee615b4e32eeceb4887d3662f0)
2019-06-10Decoder: Delete node from st if lt and st point to sameandroid-8.1.0_r71android-8.1.0_r70android-8.1.0_r69android-8.1.0_r68android-8.1.0_r66Rakesh Kumar
If lt_list and st_list point to same node then delete it from st. If there is error while adding a node in bottom field of lt_list (top is already added) then this node will be pointed by st_list also. So we need to remove it from st_list bug: 73552574 Test: poc before/after on Android N security branch Change-Id: I95304c242c5854b18c5c7220d114ce6215760124 (cherry picked from commit f312a1d305dae23f9f6f663d2157bf9cf47bb92c)
2019-01-14decoder: Signal IVD_RES_CHANGED error for change in crop paramsHarish Mahendrakar
IVD_RES_CHANGED was not signaled when crop parameters changed, i.e. display dimensions changed without change in decode dimensions. In such cases, if output buffer was allocated as per the current dimension being decoded, without IVD_RES_CHANGED signalled, there can be an OOB write if the new buffer is smaller than the frame being returned as output Bug: 118399205 Test: vendor Change-Id: Ia750a99cda08a3254a6f8ea8b55d07e655b34d05 (cherry picked from commit 442a01bf37d5bd97bb6d13b382f00265051abbe8)
2018-04-17Decoder: Modify setting short term reference field flagRitu Baldwa
Do not mark bottom field as short term in case of error. Bug: 73553038 Bug: 73552574 Bug: 73552999 Test: poc before/after Change-Id: I8576861af36996a361a81f48ba9b251f0ae4e660 (cherry picked from commit 47cc04b40c94b14841d27eb3ac0b01c3f1739180)
2018-04-17Encoder: Return error for odd resolutionAkshata Jadhav
Bug: 73625898 Test: ran POC before/after under ASAN Change-Id: I9765b57f4afc6a2b6ad9cd19c8c7c5000beb9de9 (cherry picked from commit 9fa58d4db3ef176ed54af5f602970b48624be413)
2018-02-13Decoder: Set prev slice type for I slice.Ritu Baldwa
Fixed initialization of u1_pr_sl_type for I slice. Bug: 70897454 Test: ran PoC before/after patch Change-Id: I0c37317513b72236be98c2b25482a67bf2b56052 (cherry picked from commit aecdfd1aff2505da11ad48ad4f9f918054ce0c97)
2018-02-13Decoder: Fixed reset values in parse sps.Ritu Baldwa
Memset to zero whenever new sps occurs. Bug: 70897394 Test: manual Change-Id: I5936fd55265ff8ad2b275a72b175cdb540bb7933 (cherry picked from commit 9c32ad7126890dfaa79fd29affaaf07de335fa3a)
2018-01-18Decoder: Fixed memory overflow in shared display mode.Ritu Baldwa
The factor multiplication should happen only at the source, not at the destination. Bug: 71375536 Test: manual Change-Id: Ib5f00b87150a0533880346fac5464b0b1a802c36 (cherry picked from commit c3b026a87d7da17ca5196e1973137b8691e60bde)
2018-01-18Decoder: Adding Error Check for Output Buffer Size in Shared Display Mode.Ritu Baldwa
The output buffer size given by the application, needs to be checked in every process call. This is required in the case of resolution change in shared display mode. Bug: 70294343 Bug: 70350193 Bug: 70526411 Bug: 70526485 Test: manual Change-Id: I2c1e59425e84ac62a874e5ee180e1b98f0a4058f (cherry picked from commit 3692aceb1b244be3e1b36d8e7b804986f593bb69)
2018-01-02Decoder: Modified loop condition while parsing ref_list_reordering.Ritu Baldwa
When ref_pic_list_reordering_flag_l1 is equal to 1, the number of times that reordering_of_pic_nums_idc is not equal to 3 following ref_pic_list_reordering_flag_l1 should not exceed num_ref_idx_l1_active_minus1 + 1. Bug: 69478425 Change-Id: I031bb744869ac8a57f85bb97574832efd0eefc25 (cherry picked from commit 7ea47d575d26d4d5356670092af26fb6915e75bf)
2017-11-28Decoder: Handle dec_hdl memory allocation failure gracefullyHarish Mahendrakar
If memory allocation for dec_hdl fails, return gracefully with an error code. All other allocation failures are handled correctly. Bug: 68300072 Test: ran poc before/after Change-Id: I118ae71f4aded658441f1932bd4ede3536f5028b (cherry picked from commit 7720b3fe3de04523da3a9ecec2b42a3748529bbd)
2017-11-28Decoder: Detect change of mbaff flag in SPSHamsalekha S
Change in Mbaff flag needs re-initialization of NMB group and other variables in decoder context. Bug: 64380237 Test: ran poc on ASAN before/after Change-Id: I0fc65e4dfc3cc2c15528ec52da1782ecec61feab (cherry picked from commit d524ba03101c0c662c9d365d7357536b42a0265e)
2017-11-28Decoder: Increased allocation and added checks in sei parsing.Hamsalekha S
This prevents heap overflow while parsing sei_message. Bug: 63122634 Test: ran PoC on unpatched/patched Change-Id: I61c1ff4ac053a060be8c24da4671db985cac628c (cherry picked from commit f2b70d353768af8d4ead7f32497be05f197925ef)
2017-11-28Decoder: Fixed incorrect use of mmco parameters.Ritu Baldwa
Added extra structure to read mmco values and copied only once per picture. Bug: 65735716 Change-Id: I25b08a37bc78342042c52957774b089abce1a54b (cherry picked from commit 3c70b9a190875938fc57164d9295a3ec791554df)
2017-10-04Snap for 4376088 from a2d796cf560716fd46a67753022f6ae13b8675d3 to oc-mr1-releaseandroid-cts-8.1_r1android-8.1.0_r1android-build-team Robot
Change-Id: Ib88fca8164e0a459338c57ffb17952ce72772ee0
2017-10-03Merge "DO NOT MERGE Decoder: Modified setting of error code in set flush ↵oreo-mr1-devRitu Baldwa
api." into mnc-dev am: 6a09a35355 -s ours am: b288f51729 -s ours am: 458c4a866c -s ours am: e8235bbcea -s ours am: 23d505806b -s ours am: d570b32872 -s ours am: 82e6cbe7e2 -s ours am: 16aecc3c23 -s ours am: 4a356a0170 -s ours am: 301a5d4bdc -s ours am: c68f846406 -s ours Change-Id: I4cba680e65e9c0eb3317c0b03b4a03c9dc4196e1
2017-10-03Merge "DO NOT MERGE Decoder: Modified setting of error code in set flush ↵Ritu Baldwa
api." into mnc-dev am: 6a09a35355 -s ours am: b288f51729 -s ours am: 458c4a866c -s ours am: e8235bbcea -s ours am: 23d505806b -s ours am: d570b32872 -s ours am: 82e6cbe7e2 -s ours am: 16aecc3c23 -s ours am: 4a356a0170 -s ours am: 301a5d4bdc -s ours Change-Id: I9cfb90eaf44441ab12098b14c5f050b4f4e10e35
2017-10-03Merge "DO NOT MERGE Decoder: Modified setting of error code in set flush ↵Ritu Baldwa
api." into mnc-dev am: 6a09a35355 -s ours am: b288f51729 -s ours am: 458c4a866c -s ours am: e8235bbcea -s ours am: 23d505806b -s ours am: d570b32872 -s ours am: 82e6cbe7e2 -s ours am: 16aecc3c23 -s ours am: 4a356a0170 -s ours Change-Id: I03e86e7361489a3210ecbeaaff8ddb19da4ae24e
2017-10-03Merge "DO NOT MERGE Decoder: Modified setting of error code in set flush ↵Ritu Baldwa
api." into mnc-dev am: 6a09a35355 -s ours am: b288f51729 -s ours am: 458c4a866c -s ours am: e8235bbcea -s ours am: 23d505806b -s ours am: d570b32872 -s ours am: 82e6cbe7e2 -s ours am: 16aecc3c23 -s ours Change-Id: I8488f11dc27212fb3ad6cb9f8bab9e64e3b8fd1f
2017-10-03Merge "DO NOT MERGE Decoder: Modified setting of error code in set flush ↵Ritu Baldwa
api." into mnc-dev am: 6a09a35355 -s ours am: b288f51729 -s ours am: 458c4a866c -s ours am: e8235bbcea -s ours am: 23d505806b -s ours am: d570b32872 -s ours am: 82e6cbe7e2 -s ours Change-Id: I041366ad064f29c4a6d68b26915fa6bcea0b6e75
2017-10-03Merge "DO NOT MERGE Decoder: Modified setting of error code in set flush ↵Ritu Baldwa
api." into mnc-dev am: 6a09a35355 -s ours am: b288f51729 -s ours am: 458c4a866c -s ours am: e8235bbcea -s ours am: 23d505806b -s ours am: d570b32872 -s ours Change-Id: Ib46ed8947b0b5199c5c9a1db120b68016dbe9cac
2017-10-03Merge "DO NOT MERGE Decoder: Modified setting of error code in set flush ↵Ritu Baldwa
api." into mnc-dev am: 6a09a35355 -s ours am: b288f51729 -s ours am: 458c4a866c -s ours am: e8235bbcea -s ours am: 23d505806b -s ours Change-Id: Ia9d7fe958960e3d7918e3b61c42c3980c50dcfa1
2017-10-03Merge "DO NOT MERGE Decoder: Modified setting of error code in set flush ↵Ritu Baldwa
api." into mnc-dev am: 6a09a35355 -s ours am: b288f51729 -s ours am: 458c4a866c -s ours am: e8235bbcea -s ours Change-Id: I34c5addff3c61db5367d7b5017b7d91cebfed4d5
2017-10-03Merge "DO NOT MERGE Decoder: Modified setting of error code in set flush ↵Ritu Baldwa
api." into mnc-dev am: 6a09a35355 -s ours am: b288f51729 -s ours am: 458c4a866c -s ours Change-Id: I4f89fbfa370e568457a436607b93e690083a6f85
2017-10-03Merge "DO NOT MERGE Decoder: Modified setting of error code in set flush ↵Ritu Baldwa
api." into mnc-dev am: 6a09a35355 -s ours am: b288f51729 -s ours Change-Id: I673972e25b586ceb6f7c162ef1385dbb47fa3c29
2017-10-03Merge "DO NOT MERGE Decoder: Modified setting of error code in set flush ↵Ritu Baldwa
api." into mnc-dev am: 6a09a35355 -s ours Change-Id: I01c0bfe70914107bee7763ec1beec9bd7abbf175
2017-10-03Merge "DO NOT MERGE Decoder: Modified setting of error code in set flush ↵TreeHugger Robot
api." into mnc-dev
2017-10-03DO NOT MERGE Decoder: Modified setting of error code in set flush api.Ritu Baldwa
Fixed incorrect use of ps_dec->pv_dec_out to set error code. Bug: 66372937 Test: at vendor Merged-In: Ib04e0b15573b2482c9d5b43c8bc7dd30d8f8efdd Change-Id: I7b66ee010089399c050a75d6d67feb03da0b8b3e
2017-10-03Merge "Decoder: Fixed hang in the case of dangling field" into mnc-dev am: ↵Hamsalekha S
2f1ca945b1 am: 1b1e6d3ec9 am: 8ec4061310 am: 40d1b833d8 am: 73763b165e am: e9ec948685 am: 2411d507d4 am: 5795e09124 am: a55b5dd44f am: 359a2ba846 am: e127b146ff Change-Id: Ic163faee250695def214290f06c8b5ab432e98eb
2017-10-03Merge "Decoder: Fixed hang in the case of dangling field" into mnc-dev am: ↵Hamsalekha S
2f1ca945b1 am: 1b1e6d3ec9 am: 8ec4061310 am: 40d1b833d8 am: 73763b165e am: e9ec948685 am: 2411d507d4 am: 5795e09124 am: a55b5dd44f am: 359a2ba846 Change-Id: Ia72f639861505d09d38f14abc67bbf5ca5ae21f1
2017-10-03Merge "Decoder: Fixed hang in the case of dangling field" into mnc-dev am: ↵Hamsalekha S
2f1ca945b1 am: 1b1e6d3ec9 am: 8ec4061310 am: 40d1b833d8 am: 73763b165e am: e9ec948685 am: 2411d507d4 am: 5795e09124 am: a55b5dd44f Change-Id: I4393ad6185c54c0cf6cd8534e03cbca1d81f5af5
2017-10-03Merge "Decoder: Fixed hang in the case of dangling field" into mnc-dev am: ↵Hamsalekha S
2f1ca945b1 am: 1b1e6d3ec9 am: 8ec4061310 am: 40d1b833d8 am: 73763b165e am: e9ec948685 am: 2411d507d4 am: 5795e09124 Change-Id: I77647b40a35dd939e8b910afd0335c3a3027a56a
2017-10-03Merge "Decoder: Fixed hang in the case of dangling field" into mnc-dev am: ↵Hamsalekha S
2f1ca945b1 am: 1b1e6d3ec9 am: 8ec4061310 am: 40d1b833d8 am: 73763b165e am: e9ec948685 am: 2411d507d4 Change-Id: Iac44e12ba187b7f30487401397af8b9125cbfe11
2017-10-03Merge "Decoder: Fixed hang in the case of dangling field" into mnc-dev am: ↵Hamsalekha S
2f1ca945b1 am: 1b1e6d3ec9 am: 8ec4061310 am: 40d1b833d8 am: 73763b165e am: e9ec948685 Change-Id: I02529daa59d105732e09d0e7cae38794e9041b3d
2017-10-03Merge "Decoder: Fixed hang in the case of dangling field" into mnc-dev am: ↵Hamsalekha S
2f1ca945b1 am: 1b1e6d3ec9 am: 8ec4061310 am: 40d1b833d8 am: 73763b165e Change-Id: Ia96b46ff5c254047eeff4dad62a0429a6d75ddf9
2017-10-03Merge "Decoder: Fixed hang in the case of dangling field" into mnc-dev am: ↵Hamsalekha S
2f1ca945b1 am: 1b1e6d3ec9 am: 8ec4061310 am: 40d1b833d8 Change-Id: Id2268e35f95084f7c742587166c84404b979ac7a
2017-10-03Merge "Decoder: Fixed hang in the case of dangling field" into mnc-dev am: ↵Hamsalekha S
2f1ca945b1 am: 1b1e6d3ec9 am: 8ec4061310 Change-Id: Ibe841cc94763771c315c3e084b68b5f60045053e
2017-10-03Merge "Decoder: Fixed hang in the case of dangling field" into mnc-dev am: ↵Hamsalekha S
2f1ca945b1 am: 1b1e6d3ec9 Change-Id: I816a115c239a41b0008eb599fc6ff43b925f15f2
2017-10-03Merge "Decoder: Fixed hang in the case of dangling field" into mnc-devHamsalekha S
am: 2f1ca945b1 Change-Id: I203d518ad9dc60ea41dfdc88c1903b47398246ba
2017-10-03Merge "Decoder: Fixed hang in the case of dangling field" into mnc-devTreeHugger Robot
2017-10-03Snap for 4373604 from 9e1bd9758aec4d177cd1410bb852f299eb06cbc1 to oc-mr1-releaseandroid-build-team Robot
Change-Id: Ibc88851e4766ffb66b5ac1923b3ea44053065912
2017-10-03DO NOT MERGE Decoder: Increased memory allocation. am: ed7a63fbcc -s ours ↵Ritu Baldwa
am: 848428bb84 am: a838b2f7f8 am: 3a8511dfaa -s ours am: 6d33435d4f am: 85615c3618 am: 586344f327 am: 6be35a62b0 am: 70defc46d2 -s ours am: cbab4f6e43 am: 553a478695 Change-Id: I85eb67eefc9fac4e5e762e7b06ae42c890e055ab
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-23 00:08:14 +0000