frameworks-av

Fork

Merge remote-tracking branch 'cm/cm-14.1' into cm-14.1-x86

Merge remote-tracking branch 'cm/cm-14.1' into cm-14.1-x86

Merge remote-tracking branch 'x86/nougat-x86' into cm-14.1-x86

Conflicts:
media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp

Fix OOB access in mpeg4/h263 decoder

The decoder does not support an increase in frame width, and
would exceed its buffer if the width increased mid-stream.
There was an existing check to prevent the total frame size
(width*height) from increasing, but in fact the decoder also
does not even support a width increase, even if the height
decreases correspondingly.

Bug: 136175447
Bug: 136173699
Test: manual
Change-Id: Ic2d28bb0503635dadeb69ba3be9412d58684e910
(cherry picked from commit ef4ce157000b2b5bcbf2bcb36a228ec604803547)

m4v_h263: add a test for invalid/negative value

Test: run poc with and without the patch.
Bug: 134578122
Change-Id: I2d11826d1d9e2669aa5627065dc627729ddc823b
(cherry picked from commit 7802c68aebf7908983508fd4a52a7d53746a80eb)

AMR WB encoder: prevent OOB write in ACELP_4t64_fx

In ACELP_4t64_fx, when iterating over ind array, check index against
array size to prevent OOB write, log an error if such an access
was about to happen.

Bug 132647222
Test: atest EncoderTest#testAMRWBEncoders
Merged-in: I33f476d94baec2feffc7bcccd0ad0481b8452518

Change-Id: I814a05217f20ea3b941deddb70edb31cd342de6b
(cherry picked from commit 04e48ed870c1c4163948bceee034d750ae60b5d4)

httplive: detect oom if playlist is infinite

Bug: 68399439
Test: StagefrightTest#testStagefright_cve_2017_13279
Change-Id: Icf39c2ae58d9d6ba7c74bbcfbe2154e66e6c9e40
(cherry picked from commit f3808d3a2e8c646d5edad451a80daa61a4e5d836)

Fix overflow/dos in 3gg text description parsing

Bug: 124781927
Test: run pocs
Change-Id: I8765ac9746c3de7d711ef866d4ec0e29972320c0
(cherry picked from commit 851e22d1dc89a7f708b9d2b56947f69cd1a08b94)

DO NOT MERGE: audiopolicy: Remove raw pointer references to AudioMix

AudioInputDescriptor, AudioOutputDescriptor, and AudioSession used
to reference AudioMix instances using a raw pointer. This isn't
safe as AudioMix was owned by AudioPolicyMix, which is not
referenced by descriptors.

Change AudioMix* pointers in Audio{Input|Output}Descriptor and
AudioSession to wp<AudioPolicyMix> which reflects their
relationship correctly.

To ensure that code does not operate on AudioMix instances
independently from AudioPolicyMix, and to avoid introducing
a lot of getter / setter methods into AudioPolicyMix, make
the latter to inherit AudioMix. This makes sense because
AudioPolicyMix is essentially a ref-counted version of AudioMix.

Bug: 124899895
Test: build and sanity check on angler,
build angler with USE_CONFIGURABLE_AUDIO_POLICY := 1
Merged-In: Ic508caedefe721ed7e7ba6ee3e9175ba9e8dc23a
Change-Id: Ic508caedefe721ed7e7ba6ee3e9175ba9e8dc23a
(cherry picked from commit 24ea4727726adbeebfc5779614a3cb0e44208cde)

Remove unused AVIExtractor source

Bug: 130651570
Test: compilation
Change-Id: I36e8221879593e0560002e404215c6efcd531ab8
(cherry picked from commit 5eaa57a5de115b50bfbe1b8d6764116c9f39a10f)

AudioFlinger: Prevent multiple effect chains with same sessionId

Allow at most one effect chain with same sessionId on mPlaybackThreads.

Test: poc, CTS effect tests
Bug: 123237974
Merged-In: Ide46cd23b0a9f4295f0dca2fea23379a76b836ee
Change-Id: Ide46cd23b0a9f4295f0dca2fea23379a76b836ee
(cherry picked from commit 1631f06feb36df5406ad00e850dcca9394f67772)
(cherry picked from commit f963b2bfdaf406b42d371322402172b4380bbba5)

audio: ensure effect chain with specific session id is unique

It's possible that tracks with the same session id running on various
playback outputs, which causes effect chain being created on the same
session twice. As a result, the same effect engine will be released
twice as the same context is reused.

Output that has effect chain with same session id is more preferable.

Test: No regression with Play Music and Effects
Bug: 123082420
Bug: 123237974
Merged-In: I690ea3cb942d1fdc96b46048e271557d48000f43
Change-Id: I690ea3cb942d1fdc96b46048e271557d48000f43
(cherry picked from commit 9aeb1770d49bab13ea5c6454c969a713641fe686)
(cherry picked from commit 5945746bcabff8d833229a6c230cbe873474087f)

NuPlayerCCDecoder: fix memory OOB

Test: cts
Bug: 129068792
Change-Id: Id78ddc983f245feda3a81da3448196340b57f5c9
(cherry picked from commit e1c7348e1c3fed25c16ae4673101f48b1ed95b7e)
(cherry picked from commit 0f7ff70737d58abda69fa6d4524b1943d6c41461)

Reserve enough space for RTSP CSD

make parameters to GetSizeWidth() reflect values being used in
corresponding EncodeSize() invocations so we won't overflow the buffer.

Bug: 123701862
Test: y
Change-Id: I78596176e6042c95582494a8ae1b9c3160bf5955
(cherry picked from commit c025be8ce5f1b34bdf293ac367685c969bd430ba)

CTS error while media dump()

MediaExtractor should not dump information. CTS is
checking and failing due to the dump.

Bug: 114770654
Change-Id: Ie5bae5de39545dede6da4198240b4f38c50050b7
(cherry picked from commit c20825bd3b751cffcd8d7e66e97c3b1a91ef21e0)

MediaExtractor: stop rendering when an error occurs

Bug: 68664359
Bug: 110435401

Test: cts-tradefed run cts -m CtsSecurityTestCases -t android.security.cts.StagefrightTest#testStagefright_bug_68664359
Test: cts-tradefed run cts -m CtsSecurityTestCases -t android.security.cts.StagefrightTest#testStagefright_bug_110435401

Change-Id: Icff96fcaa76a5871e7f175b0384d47d5dca7313f
Merged-In: If1322524fcfebc6c5f139288f044b0189da66c1b

Fix information disclosure in mediadrmserver

Test:POC provided in bug
Bug:79218474
(cherry picked from commit c1bf68a8d1321d7cdf7da6933f0b89b171d251c6)

Backported-By: Vasyl Gello <vasek.gello@gmail.com>
Change-Id: Iba12c07a5e615f8ed234b01ac53e3559ba9ac12e

Check for overflow of crypto size

Bug: 111603051
Test: CTS
Change-Id: Ib5b1802b9b35769a25c16e2b977308cf7a810606
(cherry picked from commit d1fd02761236b35a336434367131f71bef7405c9)

M3UParser: handle missing EXT-X-MEDIA URIs

Bug: 111381540
Test: http://devimages.apple.com.edgekey.net/streaming/examples/bipbop_16x9/bipbop_16x9_variant.m3u8
Change-Id: I57f6cea59ce4c25267385289ab805eefe74b04ac
(cherry picked from commit b8c3a74de55a76e2ee21c731828a8afca7aa4ae0)

M3UParser: make url on demand

Bug: 77823362
Test: adb shell am start -a android.intent.action.VIEW -d http://10.42.0.1:8080
Change-Id: Ieaf8a13985277eee5b085ed243205a597627cf5e
(cherry picked from commit 26e236bd426770869644a9962778dedea7bf59be)

Fix possible out of bounds read

Bug: 78656554
Test: manual
Change-Id: I677f827483dcc80afac57fd7ef6807e633542252
(cherry picked from commit 3762e0615273f25b059556d5b5f65102e9c55c35)

Speed up id3v2 unsynchronization

Instead of doing many overlapping memmoves, do a single copy pass
that skips over the inserted unsynchronization bytes. For some
files this reduces parsing time from minutes to milliseconds.

Similar to commit 72a43b68da but for v2.2 and v2.3.

Bug: 78029004
Test: poc
Change-Id: I735b7051e77a093d86fb7a3e46209875946225ed
(cherry picked from commit f9d87cc850a589b9b0cc3658cf222187822bcc00)
CVE-2018-9412

EffectsFactory: add debug and trace wrappers for NXP LifeVibes

This patch adds wrappers to direct NXP LifeVibes (LVVE) proprietary
effect logging and trace messages to Android logcat.

* Output of error messages is turned on by default

* Output of debug and trace log is controlled by newly-added system
property "audioflinger.nxp.lvve.tracelvl" (add into build.prop):

audioflinger.nxp.lvve.tracelvl=1

Change-Id: Idc6c6f83b72a8ba8cddbbc76b64c2ca5b3b21744

Add check preventing div0 issue

There might be a scenario while period is zero or after including
precision would be zero, prevent from division in that case and
return false (to use previously used period).

Bug: 73898703
bug: 74067957
Test: run playback as stability test

Change-Id: I3fad1060b095b7b5ea4c1f9cb3f9d42a4c503560
(cherry picked from commit 27e47ce3c3bbc0b4dc629163de7ebbba7e80b149)
CVE-2018-9354

Sanitize effect descriptors for AudioPolicyService binder calls.

Zero initialize structs before parcel read, if status is not checked.
Sanitize parcel read audio_port_config.

Test: Audio CTS, See bug for POC
Bug: 73126106
Merged-in: Iece43eb463385927e6babcf93654eea8aaebc29c
Change-Id: Iece43eb463385927e6babcf93654eea8aaebc29c
(cherry picked from commit 498bdcc90bc470a79bf8943cbac64502f7c1c091)
CVE-2018-9378

Init gain config to prevent uninit leak.

In AudioPortConfig, we only initialize index for audio_gain_config, but
not other fields. That may cause uninit leak at listAudioPorts and
listAudioPatches.

Bug: 77238250
Bug: 77238762
Test: try repo steps at the bug description.
Change-Id: I57e3bd0598f9aa698a6fa3d3c0218b046de34e2f
(cherry picked from commit ebe0777edcf3b9c6bde9771d65399e2363dc6e40)
CVE-2018-9345, CVE-2018-9346

audioflinger: Fix effect creation handling

The code flow was incorrect for sure. The 'if' branch is chosen
if 'effect == 0', and 'effectRegistered' is set to 'true' before
the effect is even created.

Test: audioflinger doesn't crash if effect failed to get created
Change-Id: I00d5f28e8b96acd765867e212c5b8193e21f9b4a

Handle bad bitrate index in mp3dec.

Reference:
https://www.mp3-tech.org/programmer/frame_header.html

Test: run poc with and without this patch.
Bug: 71868329
Change-Id: Ibf6196eba0b99459e84989ac8c13db57c816c572
(cherry picked from commit 8b638123760bd93958f6cc2f5c7c4f5dbd0a754a)
CVE-2017-13319

better mpeg2 TS elementary stream Access Unit parsing

mpeg2 es stream access units have a 3 byte prefix and a 1 byte start
code. Searching for the next access unit started after the prefix
instead of after the start byte.

Bug: 74114680
Test: ran POC before/after
(cherry picked from commit 371066d073c5db289b0f38b9d2bfd3e326c78c66)

Change-Id: I3c51c62355c810e1b8dbc644cad3de335b7d8108
CVE-2017-13313

Merge remote-tracking branch 'cm/cm-14.1' into cm-14.1-x86