summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* libstagefright: check overflow before memory allocation in OMXCodec.cppHEADmasterWei Jia2015-10-191-0/+3
| | | | | | Bug: 23416608 Change-Id: I4dacd38ed42db8f4887c3ee386dc909451f4346f Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
* Check RTSP payload lengthMarco Nelissen2015-10-191-2/+3
| | | | | | Bug: 23346388 Change-Id: Ifd918cefc90527c2f52177c3ce0da7a13259ad08 Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
* Sanity check padding/delay values for gapless playbackMarco Nelissen2015-10-191-0/+7
| | | | | | Bug: 23306638 Change-Id: I2b5160e0f58f90d3f67c3964f41f5734ec0da053 Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
* Prevent integer issues in ID3::Iterator::findFrameJoshua J. Drake2015-10-191-2/+21
| | | | | | | | | | Integer overflows could occur a few places within findFrame. These can lead to out-of-bounds reads and potentially infinite loops. Ensure that arithmetic does not wrap around to prevent these behaviors. Bug: 23285192 Change-Id: I72a61df7d5719d1d3f2bd0b37fba86f0f4bbedee Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
* Fix for memory corruption in ID3::removeUnsynchronizationV2_4().Neel Mehta2015-10-191-1/+1
| | | | | | | | Bug: 23227354 Change-Id: Iaa36cfda4fd84ca7e039f56086fd61b4118020db (cherry picked from commit 77e23413a539df16503e356bd4df4a952f3abc47) Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
* Fix comparison sign warnings.Dan Albert2015-10-191-1/+1
| | | | | | | | Bug:23213430 Change-Id: I6f2e2b03b968a569b122004b4803c5d17fccfb12 (cherry picked from commit 635bc8f90429b2fdcaf7f8d43f7f59bcd0fe951c) Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
* libstagefright: fix possible overflow in ID3.Wei Jia2015-10-191-2/+5
| | | | | | | Bug: 23129786 Change-Id: I2e6b7a6927aa4362ab49dd6824bbb1abf7b4e661 (cherry picked from commit 09da86913ca97d7a818a8917b6601527e5e18a24) Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
* Fix Ogg album artMarco Nelissen2015-10-191-4/+9
| | | | | | | | Bug: 23036083 Bug: https://code.google.com/p/android/issues/detail?id=182053 Change-Id: I1a5cbe06990900160c2addade238c1e9feab8f71 (cherry picked from commit c63cc509404b9328aedd1be3adc4e87cd07b4eb1) Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
* MatroskaExtractor: detect infinite loop when parsing NALsRobert Shih2015-10-191-1/+7
| | | | | | | Bug: 21335999 Change-Id: I76bd34610e52048ffcf16e41aa6175afc8a14ee4 (cherry picked from commit 2dcf6138ebc9c5688aeae151d2fbde55a2826128) Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
* libstagefright: check remaining data size before parsing it.Wei Jia2015-10-191-0/+3
| | | | | | | Bug: 23248776 Change-Id: I45cf53e58e4375afcf260b122264c968ec0ff6c8 (cherry picked from commit 3bf1e0fdf27e1188b8d3574ed073595b8eacb114) Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
* Check integer overflow to prevent memory corruptionJeff Tinker2015-10-191-1/+2
| | | | | | | bug: 23016072 Change-Id: If3c9a835408773847c0024a812bd8b4915ebd680 (cherry picked from commit fa8ebb45fd850f56ca1bf64fbed3ac11e10c7d3d) Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
* ABuffer: reset members when memory allocation fails.Wei Jia2015-10-191-4/+9
| | | | | | | Bug: 22077698 Change-Id: I2beb724662d041ad2339d0f4c7f983e7ac5e5e6f (cherry picked from commit 94b0badc025b14141ff234e3e4e2745411742bac) Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
* DO NOT MERGE - SoftwareRenderer: sanity check buffer size before copying data.Wei Jia2015-10-191-0/+7
| | | | | | | | Bug: 21443020 Change-Id: I63cf86217b8201fb41809c23e4b752b845a93ee2 (cherry picked from commit 760f92f8b6da9c9cf128cb18fe3c09402fdde6cd) Signed-off-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
* SoftAVCEnc: check requested memory size before allocation.Wei Jia2015-10-191-0/+16
| | | | | | | | Bug: 20674674 Change-Id: If80186a7b9078e575d389220f3bebe9f7630a956 (cherry picked from commit f6fe4340219a8e674f3250fe32d4697ec8184b24) Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
* libstagefright: fix overflow in pvdec_api.cpp.Wei Jia2015-10-191-2/+2
| | | | | | | Bug: 20674086 Change-Id: Ie2c711865c3b92f3fa2f3c7a436fa0e3687eb8b3 (cherry picked from commit d7bb1cd786e5ea4ac61119cc1a08082474f7787b) Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
* libstagefright: check memory size for overflow before allocation.Wei Jia2015-10-192-0/+65
| | | | | | | Bug: 20674086 Change-Id: I431aa2b7d30a942350ab6d105451c6b77e2f99d4 (cherry picked from commit 42cccd7c8811597d56fb86afeacf6231d693dea6) Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
* Fix compile failure after rI431aa2b7d30a942350ab6d105451c6b77e2f99d4Abhishek Arya2015-10-192-0/+15
| | | | | | Bug: 20674086 Change-Id: I2ee6b7e0eabbf696c0986d08b2d759d48cb9eb7b Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
* Fix compile after rI431aa2b7d30a942350ab6d105451c6b77e2f99d4Abhishek Arya2015-10-192-0/+5
| | | | | | BUG: 20674086 Change-Id: Idaff17975b327adea65c39bdba1ab4e88789c0cd Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
* Fix crash on malformed id3Marco Nelissen2015-10-193-13/+27
| | | | | | Bug: 22954006 Change-Id: I488cb1e2c69fc7043b6040481b30fa866000515d Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
* libstagefright: fix possible overflow in amrwbenc.Wei Jia2015-10-191-8/+11
| | | | | | | Bug: 23142203 Change-Id: I309df51e4df6412655f04cc093d792bf6c7944f7 (cherry picked from commit 9dd01777aa14bbb90a6cdccf97383bb4e3d717a5) Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
* DO NOT MERGE - audio flinger: fix fuzz test crashEric Laurent2015-10-192-4/+20
| | | | | | | | | | | | | | | | | | Clear output stream pointer in duplicating thread when the main output to which it is attached is closed. Also do not forward master mute and volume commands to duplicating threads as this is not applicable. Also fix logic in AudioFlinger::primaryPlaybackThread_l() that could accidentally return a duplicating thread. This never happens because the primary thread is always first in the list. Bug: 20731946. Change-Id: Ic8869699836920351b23d09544c50a258d3fb585 (cherry picked from commit f6870aefc5e31d4220f3778c4e79ff34a61f48ad) Signed-off-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
* DO NOT MERGE Part of fix for libmedia OOB write anywhereJeff Tinker2015-10-181-4/+4
| | | | | | | | | | | Clarify that decrypt destination is not a pointer for secure case. b/23223325 Change-Id: I642dcf790a9eb9e32175f3e0d8f040c82228e3ac (cherry picked from commit ed555d70d80964f40563d89a4e6d6a80f83f4b89) Signed-off-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
* Guard against codecinfo overflowMarco Nelissen2015-10-181-1/+6
| | | | | | | | Bug: 21296336 Change-Id: I78be5141b3108142f12d7cb94839fa50f776d84a Conflicts: media/libstagefright/matroska/MatroskaExtractor.cpp
* DO NOT MERGE: Add AUtils::isInRange, and use it to detect malformed MPEG4 ↵Lajos Molnar2015-10-183-4/+167
| | | | | | | | | | nal sizes Bug: 19641538 Change-Id: I5aae3f100846c125decc61eec7cd6563e3f33777 Conflicts: media/libstagefright/MPEG4Extractor.cpp
* DO NOT MERGE - IOMX: Add buffer range check to emptyBufferAndy Hung2015-10-181-0/+6
| | | | | Bug: 20634516 Change-Id: If351dbd573bb4aeb6968bfa33f6d407225bc752c
* HDCP: buffer over flow check -- DO NOT MERGEChong Zhang2015-10-181-1/+12
| | | | | | | | | bug: 20222489 Change-Id: I3a64a5999d68ea243d187f12ec7717b7f26d93a3 (cherry picked from commit 532cd7b86a5fdc7b9a30a45d8ae2d16ef7660a72) Conflicts: media/libmedia/IHDCP.cpp
* MPEG4Extractor.cpp: handle chunk_size > SIZE_MAXNick Kralevich2015-08-311-1/+1
| | | | | | | | | | | | | chunk_size is a uint64_t, so it can legitimately be bigger than SIZE_MAX, which would cause the subtraction to underflow. https://code.google.com/p/android/issues/detail?id=182251 Bug: 23034759 Change-Id: Ic1637fb26bf6edb0feb1bcf2876fd370db1ed547 Signed-off-by: Nick Kralevich <nnk@google.com> Tested-by: Moritz Bandemer <replicant@posteo.mx>
* Fix integer underflow in covr MPEG4 processingJoshua J. Drake2015-08-311-0/+4
| | | | | | | | | | | | When the 'chunk_data_size' variable is less than 'kSkipBytesOfDataBox', an integer underflow can occur. This causes an extraordinarily large value to be passed to MetaData::setData, leading to a buffer overflow. Bug: 20923261 Change-Id: Icd28f63594ad941eabb3a12c750a4a2d5d2bf94b Signed-off-by: Joshua J. Drake <android-open-source@qoop.org> Tested-by: Moritz Bandemer <replicant@posteo.mx>
* Fix integer overflow when handling MPEG4 tx3g atomJoshua J. Drake2015-08-311-0/+7
| | | | | | | | | | | | | | When the sum of the 'size' and 'chunk_size' variables is larger than 2^32, an integer overflow occurs. Using the result value to allocate memory leads to an undersized buffer allocation and later a potentially exploitable heap corruption condition. Ensure that integer overflow does not occur. Bug: 20923261 Change-Id: Id050a36b33196864bdd98b5ea24241f95a0b5d1f Signed-off-by: Joshua J. Drake <android-open-source@qoop.org> Tested-by: Moritz Bandemer <replicant@posteo.mx>
* Prevent integer overflow when processing covr MPEG4 atomsJoshua J. Drake2015-08-311-1/+5
| | | | | | | | | | | | | If the 'chunk_data_size' value is SIZE_MAX, an integer overflow will occur and cause an undersized buffer to be allocated. The following processing then overfills the resulting memory and creates a potentially exploitable condition. Ensure that integer overflow does not occur. Bug: 20923261 Change-Id: I75cce323aec04a612e5a230ecd7c2077ce06035f Signed-off-by: Joshua J. Drake <android-open-source@qoop.org> Tested-by: Moritz Bandemer <replicant@posteo.mx>
* Fix null-pointer-dereferences accessing the SampleTableJoshua J. Drake2015-08-311-0/+18
| | | | | | | | | | | | While processing various sample table related FourCC values, methods are called on a NULL mLastTrack or sampleTable object. This leads to undefined behavior which typically results in a crash (denial of service condition). Bug: 20139950 Change-Id: I39a894f8709d9937a0456ae5b3a201f7ecf12ed0 Signed-off-by: Joshua J. Drake <android-open-source@qoop.org> Tested-by: Moritz Bandemer <replicant@posteo.mx>
* MPEG4Extractor: still more NULL derefernce fixesJoshua J. Drake2015-08-311-0/+41
| | | | | | | | | | | | When processing various FourCC values within MP4 media, mLastTrack is accessed without first ensuring that a track has been encoutered. Check for NULL and bail out instead of crashing. Bug: 20139950 Change-Id: I3b86377030d73b3134b8769c590509c4f23d9f19 Signed-off-by: Joshua J. Drake <android-open-source@qoop.org> Tested-by: Moritz Bandemer <replicant@posteo.mx>
* Fix integer underflow in ESDS processingJoshua J. Drake2015-08-311-0/+6
| | | | | | | | | | | | Several arithmetic operations within parseESDescriptor could underflow, leading to an out-of-bounds read operation. Ensure that subtractions from 'size' do not cause it to wrap around. Bug: 20139950 Change-Id: Ie987c58e49323ff273fd57db410534fa83db1cb2 Signed-off-by: Joshua J. Drake <android-open-source@qoop.org> Tested-by: Moritz Bandemer <replicant@posteo.mx>
* SampleTable: fix integer overflow checks.Wei Jia2015-08-311-2/+2
| | | | | | | | Bug: 20139950 Change-Id: I6f4e3d4c734872074475d9346ed692a4baf77d79 Signed-off-by: Wei Jia <wjia@google.com> Tested-by: Moritz Bandemer <replicant@posteo.mx>
* Fix integer overflow during MP4 atom processingJoshua J. Drake2015-08-311-0/+3
| | | | | | | | | | | | | A few sample table related FourCC values are handled by the setSampleToChunkParams function. An integer overflow exists within this function. Validate that mNumSampleToChunkOffets will not cause an integer overflow. Bug: 20139950 Change-Id: I4fc78c80d01ec4b7475e573a8e7d37ace4b5e399 Signed-off-by: Joshua J. Drake <android-open-source@qoop.org> Tested-by: Moritz Bandemer <replicant@posteo.mx>
* Detect allocation failures and bail gracefullyJoshua J. Drake2015-08-311-5/+16
| | | | | | | | | | | | | During the processing of several sample table related MP4 atoms, allocation sizes could be large enough cause a std::bad_alloc exception to be raised. This typically causes a crash (denial of service condition). Use std::nothrow to catch allocation failures and return gracefully. Bug: 20139950 Change-Id: Id70546c9a9d7a1af58ccbf732b000246bc6bb22e Signed-off-by: Joshua J. Drake <android-open-source@qoop.org> Tested-by: Moritz Bandemer <replicant@posteo.mx>
* Fix several ineffective integer overflow checksJoshua J. Drake2015-08-311-0/+13
| | | | | | | | | | | | | | Commit edd4a76 (which addressed bugs 15328708, 15342615, 15342751) added several integer overflow checks. Unfortunately, those checks fail to take into account integer promotion rules and are thus themselves subject to an integer overflow. Cast the sizeof() operator to a uint64_t to force promotion while multiplying. Bug: 20139950 Change-Id: I2e70584ab566dbaa2fba4df6ca7a89b348ae9a06 Signed-off-by: Joshua J. Drake <android-open-source@qoop.org> Tested-by: Moritz Bandemer <replicant@posteo.mx>
* audio effects: fix heap overflowEric Laurent2015-08-315-139/+90
| | | | | | | | | | | | | | Check consistency of effect command reply sizes before copying to reply address. Also add null pointer check on reply size. Also remove unused parameter warning. Bug: 21953516. Change-Id: I4cf00c12eaed696af28f3b7613f7e36f47a160c4 Signed-off-by: Eric Laurent <elaurent@google.com> Tested-by: Moritz Bandemer <replicant@posteo.mx>
* libstagefright: Add support for custom LPA buffer sizeArne Coucheron2013-09-051-1/+4
| | | | | | | | | | | | | * On msm8930, during playback over A2DP with DSP Manager effects enabled, there's a lot of stuttering with the default buffer size. Stock kernel used a buffer size of 32, but that caused no audio at all in CM because of mismatch in buffer size between kernel and user space. So up until now I've been using a buffer size of 256 to get audio working at all, but unfortunately it causes stuttering as mentioned. Hence add support for a custom buffer size so we can revert to stock value used in kernel, and enjoy no stuttering. Change-Id: Id4d090bc6cf90782c24f3832a35ddeca43bd72fc
* camera: Fix preview on SEMC msm7x30 devicesMichael Bestas2013-08-211-1/+1
| | | | | | Signed-off-by: Michael Bestas <mikeioannina@gmail.com> Change-Id: Iaf1d36db1787e6cebecf31eb2c0d2050c530e208
* Add LG camera HAL parametersmadmack2013-08-182-0/+46
| | | | Change-Id: I0a1d8c4216654abeb3de9882637ad15bc9c23dc9
* Add some Samsung camera color effectsJavier Ferrer2013-07-192-0/+18
| | | | Change-Id: I6bf0c7fa0b9b86ed56d8f974fe49564c02e6b47d
* Merge "Camera: Add more htc parameters" into cm-10.1Daniel Hillenbrand2013-07-042-0/+6
|\
| * Camera: Add more htc parametersatis1122013-06-302-0/+6
| | | | | | | | Change-Id: Ica43a42f6ec6e25671b22536c768140469fb9824
* | Fix includes for media-cafNicholas Flintham2013-07-032-2/+12
| | | | | | | | Change-Id: I5d6dedbb9ba03fc313ab27f91bf83376fa20a7a9
* | libstagefright: [Reworked] Fix incorrectness nPortIndex value for QueryCodecDheeraj CVR2013-07-031-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | http://review.cyanogenmod.org/#/c/32358/ was intended to fix issues with OMX Components failing on ME722 (OMAP3). This patch was working fine on OMAP3 devices and was required to fix issues DSP MMU FAULTS. It has been reverted with patch http://review.cyanogenmod.org/44486 which again broke OMX on OMAP3. Implement a Workaround for OMAP using OMAP_ENHANCEMENT Log for this issue observed on P970 (OMAP3) during Gallery Thumbnail Generation: http://pastebin.com/qRTpm7RN DmmMap():1600 DSPProcessor_ReserveMemory() failed - error 0xfffffffb Change-Id: Ifd0c784e354c6c00401686cc0f2188842df9496c
* | audioflinger: remove redundand ifdefGiulio Cervera2013-07-031-5/+0
|/ | | | Change-Id: Iefc64cf477fd58a29984a9c198d84e876dbcf1c5
* camera: add more htc parametersDaniel Hillenbrand2013-06-272-0/+2
| | | | | | Google Edition Change-Id: I67968ea749dec0bf3810110f99bccdd3edee3428
* libstagefright: Fix a video lag bug after audio reached EOS.Yunji Kim2013-06-241-0/+12
| | | | | | http://git.insignal.co.kr/samsung/exynos/android/platform/frameworks/av/commit/?h=exynos-jb&id=da4104e5f934633b4ba7fda06bc9ef3ba0f85a31 Change-Id: I14931cad92df48e1233c5a8a704bb18585b1795a
* libstagefright: fix indefinate loop in QueryCodecDheeraj CVR2013-06-241-1/+2
| | | | | | | | | | | | | | portFormat.nIndex is being incremented which is not trustworthy since the nIndex value could be overriden by the OMX Component, which causes an indefinate loop which inturn causes a memory leak and crashes the system. OMX Component on encore and p970 exhibits this behaviour (OMX.TI.720P.Decoder). This patch prevents stagefright freezes when QueryCodec is called during Gallery Thumbnail generation for videos and Adobe Flash playback. Change-Id: I825c99ddecacbb927e22ac7d1a53facb26d95ff2