In TRANSPOSER_SETTINGS, initialize the whole bwBorders array to a
reasonable value to guarantee correct termination in while loop
in lppTransposer function. This fixes the reported bug.
For completeness:
- clear the whole bwIndex array instead of noOfPatches entries only.
- abort criterion in while loop to prevent potential
infinite loop, and limit bwIndex[patch] to a valid range.
Test: see bug for malicious content, decoded with "stagefright -s -a"
Bug: 65280786
Change-Id: I16ed2e1c0f1601926239a652ca20a91284151843
In GetInvInt(int) function, malicious content can access memory
outside of the invCount array. Always bound access to valid
indices.
Test: see bug for malicious content, decoded with "stagefright -s -a"
Bug: 65025048
Change-Id: Id1f1582bc5afc76e3e90128d92034a5899a9b51e
In GetInvInt(int) function, malicious content can access memory
outside of the invCount array. Always bound access to valid
indices.
Test: see bug for malicious content, decoded with "stagefright -s -a"
Bug: 65025048
Change-Id: Iff889601828f95b82d9291075f3909922ef533ef
Parse DVB DRC data only when numThreads is below
MAX_DRC_THREADS. The post-increment is necessary as
it is used in fill element DRC data section.
This solution parses as many DRC payloads as allowed by
MAX_DRC_THREADS and skips all remaining DRC elements in the stream.
Bug 27792766
Bug 26751339
Change-Id: Ie1641888bac1757c4d1491119f977fc5d436eaea
In the aacDecoder_drcExtractAndMap() function, self->numThreads
can be used after having exceeded its intended max value,
MAX_DRC_THREADS, causing memory to be cleared after the
threadBs[MAX_DRC_THREADS] array.
The crash is prevented by never using self->numThreads with
a value equal to or greater than MAX_DRC_THREADS.
A proper fix will be required as there seems to be an issue as
to which entry in the threadBs array is meant to be initialized
and used.
Bug 26751339
Change-Id: I655cc40c35d4206ab72e83b2bdb751be2fe52b5a
The __aeabi_memcpy functions are already defined in Android libc.
Redefining them to call memcpy will become recursive when clang/llvm
converts the memcpy call to __aeabi_memcpy.
With this change, we can enable clang/llvm by removing LOCAL_CLANG from Android.mk.
BUG: 12216385
Change-Id: I8b8b4ba7f3ff1e66f8110fc3b6356865a582c1d8
{Front,Side,Back}ElementIsCpe is an array (per-channel). The check for
pPce->{Front,Side,Back}ElementIsCpe without an index checks the address
of the array, and will always evaluate to true. The elTagSce++
statements are unreachable.
Change-Id: If530371788a44038c500d6f9f7ac67681f77cc71
This code depends on narrowing hex literals to a signed long, which
trips -Wc++11-narrowing (the fix would be to explicitly cast each
value to signed).
Change-Id: I581a02ef0eeee5a2d95ce0ff2ec6f7ff26f3a074
Revise decoder output delay determination. The output delay consisted of
concealment and limiter delay. SBR delay was not covered but must be
considered for gapless playback delay compensation.
Bug 9428126
Change-Id: I67483712c284de9b5378694f9db7acbed2547dd7
Provide relevant DRC metadata information via API needed for DRC
presentation mode wrapper.
Bug 9428126
Change-Id: I827cd6bdfd2a8799c21935ae32af23739c90a9b6
Improve flushing and seeking.
Add field to the API stream info structure signaling the additional output
delay for flushing and delay compensation.
Bug 9428126
Change-Id: I808412905563ea3de50a2e77a9b5dfee829cd2ed
