In GetInvInt(int) function, malicious content can access memory
outside of the invCount array. Always bound access to valid
indices.
Test: see bug for malicious content, decoded with "stagefright -s -a"
Bug: 65025048
Change-Id: I92d4a14519f45d5a329d7f69f21f2aef0a8c6daa
In GetInvInt(int) function, malicious content can access memory
outside of the invCount array. Always bound access to valid
indices.
Test: see bug for malicious content, decoded with "stagefright -s -a"
Bug: 65025048
Change-Id: I92d4a14519f45d5a329d7f69f21f2aef0a8c6daa
In GetInvInt(int) function, malicious content can access memory
outside of the invCount array. Always bound access to valid
indices.
Test: see bug for malicious content, decoded with "stagefright -s -a"
Bug: 65025048
Change-Id: I92d4a14519f45d5a329d7f69f21f2aef0a8c6daa
In GetInvInt(int) function, malicious content can access memory
outside of the invCount array. Always bound access to valid
indices.
Test: see bug for malicious content, decoded with "stagefright -s -a"
Bug: 65025048
Change-Id: I92d4a14519f45d5a329d7f69f21f2aef0a8c6daa
In GetInvInt(int) function, malicious content can access memory
outside of the invCount array. Always bound access to valid
indices.
Test: see bug for malicious content, decoded with "stagefright -s -a"
Bug: 65025048
Change-Id: I92d4a14519f45d5a329d7f69f21f2aef0a8c6daa
In TRANSPOSER_SETTINGS, initialize the whole bwBorders array to a
reasonable value to guarantee correct termination in while loop
in lppTransposer function. This fixes the reported bug.
For completeness:
- clear the whole bwIndex array instead of noOfPatches entries only.
- abort criterion in while loop to prevent potential
infinite loop, and limit bwIndex[patch] to a valid range.
Test: see bug for malicious content, decoded with "stagefright -s -a"
Bug: 65280786
Change-Id: I16ed2e1c0f1601926239a652ca20a91284151843
In GetInvInt(int) function, malicious content can access memory
outside of the invCount array. Always bound access to valid
indices.
Test: see bug for malicious content, decoded with "stagefright -s -a"
Bug: 65025048
Change-Id: Iff889601828f95b82d9291075f3909922ef533ef
In GetInvInt(int) function, malicious content can access memory
outside of the invCount array. Always bound access to valid
indices.
Test: see bug for malicious content, decoded with "stagefright -s -a"
Bug: 65025048
Change-Id: Id1f1582bc5afc76e3e90128d92034a5899a9b51e
In GetInvInt(int) function, malicious content can access memory
outside of the invCount array. Always bound access to valid
indices.
Test: see bug for malicious content, decoded with "stagefright -s -a"
Bug: 65025048
Change-Id: Iff889601828f95b82d9291075f3909922ef533ef
Bug: 66996870
Test: build with WITH_TIDY=1
Exempt-From-Owner-Approval: Colin +2 should be the owner approval
Change-Id: I167f73ee9dc5e977fd6976f48732ae1e1fe13c8b
This fixes cases where an ADTS header could set numberOfRawDataBlocks
to a number larger than 1, which would lead to transportDec_FillData
not feeding any more data, even though the input buffer was depleted.
Fixes: 3014/clusterfuzz-testcase-5425740193464320
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Software codecs and their dependencies are marked as VNDK (or just
vendor_available:true for static/header libs).
Bug: 37343418
Test: build the software codecs with BOARD_VNDK_VERSION=current
Change-Id: I9ecedb5a95abc9978ff7ed3538bd2dedec750c7d
Alternatively, the bits read in CProgramConfig_ReadHeightExt could
be checked right there instead.
Fixes: 2802/clusterfuzz-testcase-minimized-6752357788418048
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
If channel numbers are changed on the fly (in invalid bitstreams),
we can end up with a channel mapping with fewer channels mapped
than we actually try to output.
Ideally, this condition should probably be checked somewhere
closer to where it enters such a state, not when using the
channel mapping though.
Fixes: 2808/clusterfuzz-testcase-minimized-4694952892170240
Fixes: 2275/clusterfuzz-testcase-minimized-6205444085252096
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
This probably doesn't fix the root cause, but at least fixes
the issues found in this particular fuzzed sample.
Compared to the previous fix in 39e13c1acbca94f562f9776e1555ced50dd0dfcd,
this doesn't break HE-AACv2 encoding, by allowing the case with
usb==no_channels.
Fixes: 1973/clusterfuzz-testcase-minimized-6319232084082688
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
This reverts commit 39e13c1acbca94f562f9776e1555ced50dd0dfcd.
This turned out to break HE-AACv2 encoding. Will look for a better
fix for the issue found by the fuzzed sample.
This fixes issue #69.
This probably doesn't fix the root cause, but at least fixes
the issues found in this particular fuzzed sample.
Fixes: 1994/clusterfuzz-testcase-minimized-6368089497141248
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
This probably doesn't fix the root cause, but at least fixes
the issues found in this particular fuzzed sample.
Fixes: 1973/clusterfuzz-testcase-minimized-6319232084082688
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
This fixes assert failures, when a (corrupt/fuzzed) bitstream
doesn't trigger starting/ending CRCs properly (or when decoding
is aborted halfway when an error is encountered). Skipping ending
a CRC region doesn't trigger an assert failure, but when a later
CRC region is started and ended, an assert fails when the end
doesn't match the expected CRC region.
Fixes: 1928/clusterfuzz-testcase-minimized-6480505958563840
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
