Commits on Aug 18, 2015
  1. audio effects: fix heap overflow

    Eric Laurent authored and ciwrl committed Jun 19, 2015
    Check consistency of effect command reply sizes before
    copying to reply address.
    
    Also add null pointer check on reply size.
    Also remove unused parameter warning.
    
    Bug: 21953516.
    Change-Id: I4cf00c12eaed696af28f3b7613f7e36f47a160c4
    (cherry picked from commit 0f714a4)
Commits on Aug 13, 2015
  1. MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX

    nickkral authored and ciwrl committed Aug 7, 2015
    chunk_size is a uint64_t, so it can legitimately be bigger
    than SIZE_MAX, which would cause the subtraction to underflow.
    
    https://code.google.com/p/android/issues/detail?id=182251
    
    Bug: 23034759
    Change-Id: Ic1637fb26bf6edb0feb1bcf2876fd370db1ed547
Commits on Aug 12, 2015
  1. IOMX: Add buffer range check to emptyBuffer

    Andy Hung authored and ciwrl committed May 26, 2015
    Bug: 20634516
    Change-Id: If351dbd573bb4aeb6968bfa33f6d407225bc752c
    (cherry picked from commit d971df0)
  2. HDCP: buffer over flow check -- DO NOT MERGE

    Chong Zhang authored and ciwrl committed Apr 28, 2015
    bug: 20222489
    Change-Id: I3a64a5999d68ea243d187f12ec7717b7f26d93a3
    (cherry picked from commit 532cd7b)
  3. Add some sanity checks

    Marco Nelissen authored and ciwrl committed Apr 20, 2015
    Bug: 19400722
    Change-Id: Ib3afdf73fd4647eeea5721c61c8b72dbba0647f6
  4. Add AUtils::isInRange, and use it to detect malformed MPEG4 nal sizes

    medialajos authored and ciwrl committed Apr 2, 2015
    Bug: 19641538
    Change-Id: I5aae3f100846c125decc61eec7cd6563e3f33777
Commits on Aug 4, 2015
  1. Guard against codecinfo overflow

    Marco Nelissen authored and Brint E. Kriebel committed Jul 29, 2015
    Bug: 21296336
    Change-Id: I78be5141b3108142f12d7cb94839fa50f776d84a
    Ticket: CYNGNOS-676
Commits on Jul 14, 2015
  1. Prevent reading past the end of the buffer in 3GPP

    jduck authored and ciwrl committed May 4, 2015
    Metadata processed within the parse3GPPMetaData function may not be NUL
    terminated and thus calling setCString may read out of bounds. Ensure
    proper NUL termination, but take care not to interfere with other special
    cases (ie, albm).
    
    Bug: 20923261
    Change-Id: Ie93b3038b534b4c4460571a68f4d734cff7ad324
    (cherry picked from commit 5cea015)
  2. Prevent integer underflow if size is below 6

    jduck authored and ciwrl committed May 4, 2015
    When processing 3GPP metadata, a subtraction operation may underflow and
    lead to a rather large linear byteswap operation in the subsequent
    framedata decoding code. Bound the 'size' value to prevent this from
    occurring.
    
    Bug: 20923261
    Change-Id: I35dfbc8878c6b65cfe8b8adb7351a77ad4d604e5
    (cherry picked from commit 9458e71)
  3. Fix integer overflow when handling MPEG4 tx3g atom

    jduck authored and ciwrl committed May 4, 2015
    When the sum of the 'size' and 'chunk_size' variables is larger than 2^32,
    an integer overflow occurs. Using the result value to allocate memory
    leads to an undersized buffer allocation and later a potentially
    exploitable heap corruption condition. Ensure that integer overflow does
    not occur.
    
    Change-Id: Id050a36b33196864bdd98b5ea24241f95a0b5d1f
  4. Fix integer underflow in covr MPEG4 processing

    jduck authored and ciwrl committed May 4, 2015
    When the 'chunk_data_size' variable is less than 'kSkipBytesOfDataBox', an
    integer underflow can occur. This causes an extraordinarily large value to
    be passed to MetaData::setData, leading to a buffer overflow.
    
    Bug: 20923261
    Change-Id: Icd28f63594ad941eabb3a12c750a4a2d5d2bf94b
  5. Prevent integer overflow when processing covr MPEG4 atoms

    jduck authored and ciwrl committed May 4, 2015
    If the 'chunk_data_size' value is SIZE_MAX, an integer overflow will occur
    and cause an undersized buffer to be allocated. The following processing
    then overfills the resulting memory and creates a potentially exploitable
    condition. Ensure that integer overflow does not occur.
    
    Bug: 20923261
    Change-Id: I75cce323aec04a612e5a230ecd7c2077ce06035f
Commits on Jul 7, 2015
  1. Fix integer underflow in ESDS processing

    jduck authored and ciwrl committed Apr 9, 2015
    Several arithmetic operations within parseESDescriptor could underflow, leading
    to an out-of-bounds read operation. Ensure that subtractions from 'size' do not
    cause it to wrap around.
    
    Bug: 20139950
    
    (cherry picked from commit 07c0f59)
    
    Change-Id: I377d21051e07ca654ea1f7037120429d3f71924a
  2. Fix integer overflow during MP4 atom processing

    jduck authored and ciwrl committed Apr 9, 2015
    A few sample table related FourCC values are handled by the
    setSampleToChunkParams function. An integer overflow exists within this
    function. Validate that mNumSampleToChunkOffets will not cause an integer
    overflow.
    
    Bug: 20139950
    
    (cherry picked from commit c24607c)
    
    Change-Id: I49086952451b09a234d8b82669251ab9f1ef58d9
  3. Fix several ineffective integer overflow checks

    jduck authored and ciwrl committed Apr 9, 2015
    Commit edd4a76 (which addressed bugs 15328708, 15342615, 15342751) added
    several integer overflow checks. Unfortunately, those checks fail to take into
    account integer promotion rules and are thus themselves subject to an integer
    overflow. Cast the sizeof() operator to a uint64_t to force promotion while
    multiplying.
    
    Bug: 20139950
    
    (cherry picked from commit e2e812e)
    
    Change-Id: I080eb3fa147601f18cedab86e0360406c3963d7b
Commits on Apr 21, 2015
  1. Ensure there is no two same storages showing on the computer.

    renjian849 committed Apr 15, 2015
    [Preconditions]
    1. Insert a SIM card into phone and set the SIM lock as "on"
    2. Select MTP mode
    3. Power off the mobile
    
    [Procedures]
    1. Connected the phone and PC with usb cable
    2. Power on the phone->Input PIN code of SIM lock to enter the IDLE view
    3. Check the storage list on PC
    
    [Reproduce]
    Rarely
    
    Change-Id: I8efc3f812b669f2d4e2c3be89e3f97b5cc895628
Commits on Apr 9, 2015
  1. MediaExtractor: Add more skip conditions for the second-pass extractors

    rmcc authored and Gerrit Code Review committed Jun 6, 2014
    If the stream's container is opaque (DRM) or a known skip condition
    (cached-source MPEG4), don't push it through the deep scanner
    
    Change-Id: Ia9d60180b5d177714d206fc7dc94da93b37a048e
  2. stagefright: Don't ever try to use extended sniffers on DRM

    Steve Kondik authored and cyanogen committed Apr 9, 2015
     * This can cause long retry intervals during key exchange. Don't do it!
    
    Change-Id: Id9a87dcbe43cd0cc9919fe07f0a963e087baccad
Commits on Mar 30, 2015
  1. mediatek: Port AV changes

    defer authored and rmcc committed Sep 15, 2014
    This ports the changes required to perform video decoding
    and encoding.
    
    The changes are ported from the mediatek BSP for mt6592
    with the minimum required feature set and confined to
    allow coexistence with changes from other vendors.
    
    [Trimmed down for L]
    
    Change-Id: I3709de0e5b9e4e0f68a71e182549e72a3dab26a7
  2. camera: Add support for mediatek cameras

    rmcc committed Nov 11, 2014
    Change-Id: I69ea758645922c433844ab191a737de2ff2e1491
Commits on Mar 24, 2015
  1. audioflinger: refresh fast track underrun state upon start

    Weiyin Jiang authored and intervigilium committed Mar 11, 2015
    False underrun is detected when starting recycled fast tracks, which
    leads to continuous fatal assertion failures and even AP reboot.
    
    Track's last mObservedUnderruns isn't updated one at previous stop()
    call. Hence, when we start the same track again, we should synchronize
    it to the latest state instead of relying on stale one.
    
    Change-Id: Ia003a49c6896dba965798c062c98b8c367ef8369
    CRs-Fixed: 803389
Commits on Mar 23, 2015
  1. audiopolicy: Fix call recording for legacy qcom HAL

    nadlabak committed Mar 23, 2015
    Change-Id: I774f75b493c47386ca1eaf004d663432f1041a66
Commits on Mar 19, 2015
  1. Revert "soundpool: reuse channel for same sample if available"

    arco authored and intervigilium committed Mar 16, 2015
     * Causing issues with touch tones. Randomly losing them
       altogether, and skipping tones when typing fast on the keyboard.
    
    This reverts commit 1abd0c5.
    
    Change-Id: Ib1c02f1b30750dc1600371656541b41947e889ab
Commits on Mar 18, 2015
  1. Fix MTP delete

    Marco Nelissen authored and Brint E. Kriebel committed Jan 23, 2015
    Bug: 18836972
    Change-Id: I55335abc6181ba3a861773cd13ee3a72a179a926
  2. Fix bounds checking for GetPartialObject command

    Mike Lockwood authored and Brint E. Kriebel committed Dec 17, 2014
    GetPartialObject has only 3 arguments, whereas the 64 bit version takes 4.
    
    Bug: 18786282
    Change-Id: Ica67fdf9569372b89d379c8b0f3e0a64dacf150a
  3. MTP: add strict bounds checking for all incoming packets

    Mike Lockwood authored and Brint E. Kriebel committed Nov 12, 2014
    Previously we did not sanity check incoming MTP packets,
    which could result in crashes due to reading off the edge of a packet.
    Now all MTP packet getter functions return a boolean result
    (true for OK, false for reading off the edge of the packet)
    and we now return errors for malformed packets.
    
    Bug: 18113092
    Change-Id: I8be3df2c36fe730ad64e7ea9a5ee856ad815b904
  4. audio policy service: fix possible memory overflow

    Eric Laurent authored and Brint E. Kriebel committed Feb 6, 2015
    Add limit on number of audio ports and patches requested by
    listaudioPorts() and listAudioPatches().
    
    Bug: 19261727.
    Change-Id: I21dfdf11cf805734cc3b7b2a85762c5598f60580
    (cherry picked from commit 1d670b1)
  5. audio policy: validate stream type received from binder calls.

    Eric Laurent authored and Brint E. Kriebel committed Oct 28, 2014
    Bug: 18001784.
    Bug: 18002005.
    Change-Id: I8efa674dceff5a6e10251b1c7a55e9bb2d532395
  6. IAudioPolicyService: bound array size in queryDefaultPreProcessing

    Eric Laurent authored and Gerrit Code Review committed Nov 5, 2014
    Bug: 18226810.
    Change-Id: Ib8e2bfe835a8681aac50bf23161db14e50c9a124
    (cherry picked from commit 74adca9)
Commits on Mar 14, 2015
  1. libmedia: Tone down logging

    mikeNG committed Mar 14, 2015
    * Originally added in 8c6297e
    
    Change-Id: Ieca88e86fff3540a46112c8f9bcf8c9ce92bcb7c
  2. audiopolicy: Do not route VoIP call to HDMI

    Divya Narayanan Poojary authored and intervigilium committed Feb 17, 2015
    getDeviceForStrategy is returning AUDIO_DEVICE_OUT_AUX_DIGITAL
    even when setForceUse is called with FORCE_NONE(earpiece)
    during VOIP call. Actual Intention is to route audio for phone
    strategy to AUX device even after setForceUse is called with
    FORCE_NONE when not in voice call. It is supposed to exclude
    VOIP call too
    
    Added isInCall check so that it returns EARPIECE when
    setForceUse is called with FORCE_NONE
    
    CRs-Fixed: 793649
    
    Change-Id: I88d515c351f066305f9eed240b1fe5f60ef34f85
Commits on Mar 13, 2015
  1. stagefright: Correct ifdeffage of some QC codecs

    Steve Kondik committed Mar 11, 2015
    Change-Id: Ie8cc7287967b84e09941283559ca542efd928d91
  2. libstagefright: Add check for bits avail to read

    Pavan Chikkala authored and Steve Kondik committed Feb 18, 2015
    - If number of bits available to read from ABitReader
      is zero, do not call getBits.
    
    Change-Id: I4b7332b03ed6ee1d7b6711e5b4c5dce396151b03
    CRs-Fixed: 777657
  3. soundpool: reuse channel for same sample if available

    Dhananjay Kumar authored and Steve Kondik committed Dec 31, 2014
    Reuse channel for same sample if the channel completed
    current playback and is not reallocated to another sample,
    i.e. not stolen by other sample.
    
    CRs-Fixed: 769440
    Change-Id: Ibe7ee318c7dc11f3c4fd3a2f57d861318b10973b
  4. httplive: HLS enhancements

    Santhosh Behara authored and Steve Kondik committed Feb 16, 2015
    - Use the property persist.sys.media.hls-custom to have all
      the customizations enabled in HLS stack.
    
    - Start playback from first segment, in VOD if the
      playback happens at variant corresponding to actual
      bandwidth.
    
    - Increase the duration to buffer to 25sec before
      pausing the PlayListFetcher.
    
    Change-Id: I8a676c77db54205521bf6db7a69e0766da3220c5