OSDN Git Service
Wei Jia [Thu, 20 Aug 2015 04:27:23 +0000 (04:27 +0000)]
Merge "libstagefright: fix handling of mSampleTimeEntries and mNumSampleSizes in SampleTable." into klp-dev
Abhishek Arya [Thu, 20 Aug 2015 04:10:51 +0000 (04:10 +0000)]
Merge "Check RTSP payload length" into klp-dev
Abhishek Arya [Thu, 20 Aug 2015 04:06:25 +0000 (04:06 +0000)]
Merge "Sanity check padding/delay values for gapless playback" into klp-dev
Wei Jia [Thu, 20 Aug 2015 04:01:18 +0000 (04:01 +0000)]
Merge "libstagefright: fix overflow in MPEG4Source::parseSampleAuxiliaryInformationOffsets." into klp-dev
Wei Jia [Tue, 18 Aug 2015 21:32:16 +0000 (14:32 -0700)]
libstagefright: fix overflow in MPEG4Source::parseSampleAuxiliaryInformationOffsets.
Bug:
23270724
Change-Id: Id7ba55c7bf6860fbfc892bbb6378aac644c82da4
(cherry picked from commit
c51ab7dd82bf4e24666fc72a55e03e2f530204d5)
Wei Jia [Thu, 20 Aug 2015 00:31:51 +0000 (17:31 -0700)]
libstagefright: fix overflow in pvdec_api.cpp.
Bug:
20674086
Change-Id: Ie2c711865c3b92f3fa2f3c7a436fa0e3687eb8b3
(cherry picked from commit
d7bb1cd786e5ea4ac61119cc1a08082474f7787b)
Marco Nelissen [Wed, 19 Aug 2015 22:36:12 +0000 (15:36 -0700)]
Check RTSP payload length
Bug:
23346388
Change-Id: Ifd918cefc90527c2f52177c3ce0da7a13259ad08
Wei Jia [Tue, 18 Aug 2015 18:17:24 +0000 (11:17 -0700)]
libstagefright: fix handling of mSampleTimeEntries and mNumSampleSizes in SampleTable.
Bug:
23247055
Change-Id: I29ef59c7ff09248063714e5013f7c33f66c5eebd
(cherry picked from commit
3564c4562f46bede6ef1ea716c4fd4f77e470ae8)
Eric Laurent [Tue, 18 Aug 2015 21:33:46 +0000 (21:33 +0000)]
Merge "DO NOT MERGE - audio flinger: fix fuzz test crash" into klp-dev
Chong Zhang [Tue, 18 Aug 2015 16:55:38 +0000 (16:55 +0000)]
Merge "stagefright: check IMemory::pointer() before using the allocation" into klp-dev
Marco Nelissen [Tue, 18 Aug 2015 16:55:24 +0000 (09:55 -0700)]
Sanity check padding/delay values for gapless playback
Bug:
23306638
Change-Id: I2b5160e0f58f90d3f67c3964f41f5734ec0da053
Jon Larimer [Tue, 18 Aug 2015 15:04:20 +0000 (15:04 +0000)]
Merge "Check integer overflow to prevent memory corruption" into klp-dev
Jon Larimer [Tue, 18 Aug 2015 15:00:42 +0000 (15:00 +0000)]
Merge "do not dequeue from native window after we hit fatal error -- DO NOT MERGE" into klp-dev
Jon Larimer [Tue, 18 Aug 2015 14:25:45 +0000 (14:25 +0000)]
Merge "MPEG4Source::fragmentedRead: check range before writing into buffers" into klp-dev
Jon Larimer [Tue, 18 Aug 2015 14:24:26 +0000 (14:24 +0000)]
Merge "Check buffer size before using it" into klp-dev
Abhishek Arya [Tue, 18 Aug 2015 13:28:34 +0000 (13:28 +0000)]
Merge "Check vector size before accessing" into klp-dev
Abhishek Arya [Tue, 18 Aug 2015 13:24:21 +0000 (13:24 +0000)]
Merge "MatroskaExtractor: detect infinite loop when parsing NALs" into klp-dev
Robert Shih [Thu, 16 Jul 2015 22:04:12 +0000 (15:04 -0700)]
MatroskaExtractor: detect infinite loop when parsing NALs
Bug:
21335999
Change-Id: I76bd34610e52048ffcf16e41aa6175afc8a14ee4
(cherry picked from commit
2dcf6138ebc9c5688aeae151d2fbde55a2826128)
Neel Mehta [Sat, 15 Aug 2015 00:38:48 +0000 (17:38 -0700)]
Fix for memory corruption in ID3::removeUnsynchronizationV2_4().
Bug:
23227354
Change-Id: Iaa36cfda4fd84ca7e039f56086fd61b4118020db
(cherry picked from commit
77e23413a539df16503e356bd4df4a952f3abc47)
Abhishek Arya [Tue, 18 Aug 2015 01:31:42 +0000 (01:31 +0000)]
Merge "Revert "Fix compile after rI431aa2b7d30a942350ab6d105451c6b77e2f99d4"" into klp-dev
Abhishek Arya [Tue, 18 Aug 2015 01:24:11 +0000 (18:24 -0700)]
Fix compile failure after rI431aa2b7d30a942350ab6d105451c6b77e2f99d4
Bug:
20674086
Change-Id: I2ee6b7e0eabbf696c0986d08b2d759d48cb9eb7b
Eric Laurent [Fri, 8 May 2015 17:50:03 +0000 (10:50 -0700)]
DO NOT MERGE - audio flinger: fix fuzz test crash
Clear output stream pointer in duplicating thread
when the main output to which it is attached is closed.
Also do not forward master mute and volume commands to
duplicating threads as this is not applicable.
Also fix logic in AudioFlinger::primaryPlaybackThread_l()
that could accidentally return a duplicating thread.
This never happens because the primary thread is always
first in the list.
Bug:
20731946.
Change-Id: Ic8869699836920351b23d09544c50a258d3fb585
Wei Jia [Tue, 18 Aug 2015 00:48:01 +0000 (00:48 +0000)]
Merge "libstagefright: check remaining data size before parsing it." into klp-dev
Abhishek Arya [Mon, 17 Aug 2015 22:34:16 +0000 (22:34 +0000)]
Revert "Fix compile after rI431aa2b7d30a942350ab6d105451c6b77e2f99d4"
This reverts commit
c23e3dd8af7397f023aae040c4a03dd14091cbed.
This speculative fix didn't fix the compile failure, do checking locally.
Change-Id: I1598f7208c8232ca38c0fcad17f211598591594e
Robert Shih [Tue, 23 Jun 2015 00:58:27 +0000 (17:58 -0700)]
MPEG4Source::fragmentedRead: check range before writing into buffers
Bug:
22008959
Change-Id: I5f6e188adcc593796455bdaf7b0b8aba672b106e
Abhishek Arya [Mon, 17 Aug 2015 21:50:02 +0000 (14:50 -0700)]
Fix compile after rI431aa2b7d30a942350ab6d105451c6b77e2f99d4
BUG:
20674086
Change-Id: Idaff17975b327adea65c39bdba1ab4e88789c0cd
Wei Jia [Mon, 17 Aug 2015 19:49:39 +0000 (19:49 +0000)]
Merge "SoftAVCEnc: check requested memory size before allocation." into klp-dev
Abhishek Arya [Mon, 17 Aug 2015 18:39:11 +0000 (18:39 +0000)]
Merge "libstagefright: check memory size for overflow before allocation." into klp-dev
Chong Zhang [Fri, 15 May 2015 20:40:15 +0000 (13:40 -0700)]
stagefright: check IMemory::pointer() before using the allocation
bug:
19779574
Change-Id: I4ffe8c3fadc07da211f421e75ee83010b01d9cbb
Chong Zhang [Fri, 14 Aug 2015 20:50:02 +0000 (13:50 -0700)]
do not dequeue from native window after we hit fatal error -- DO NOT MERGE
bug:
22845824
Change-Id: I8c375790c697e02b6ab3ea54b84d3f70d5e78141
(cherry picked from commit
346de3c26a8fbd0fa0c8102f4a21ea4dcee4432a)
Wei Jia [Mon, 17 Aug 2015 00:41:50 +0000 (17:41 -0700)]
libstagefright: check remaining data size before parsing it.
Bug:
23248776
Change-Id: I45cf53e58e4375afcf260b122264c968ec0ff6c8
(cherry picked from commit
3bf1e0fdf27e1188b8d3574ed073595b8eacb114)
Wei Jia [Mon, 17 Aug 2015 00:46:34 +0000 (17:46 -0700)]
SoftAVCEnc: check requested memory size before allocation.
Bug:
20674674
Change-Id: If80186a7b9078e575d389220f3bebe9f7630a956
(cherry picked from commit
f6fe4340219a8e674f3250fe32d4697ec8184b24)
Wei Jia [Sun, 16 Aug 2015 20:20:57 +0000 (20:20 +0000)]
Merge "ABuffer: reset members when memory allocation fails." into klp-dev
Wei Jia [Sun, 16 Aug 2015 18:19:37 +0000 (18:19 +0000)]
Merge "Revert "SoftAVCEnc: check requested memory size before allocation."" into klp-dev
Wei Jia [Sun, 16 Aug 2015 18:14:33 +0000 (18:14 +0000)]
Revert "SoftAVCEnc: check requested memory size before allocation."
This reverts commit
479b4de0d267eb7d4c419f4da0069186a952ad17.
Change-Id: I014746db3f861cb1cd5bf1b76f86b0356836a128
Wei Jia [Sun, 16 Aug 2015 18:02:05 +0000 (18:02 +0000)]
Merge "Fix comparison sign warnings." into klp-dev
Jeff Tinker [Tue, 11 Aug 2015 22:52:26 +0000 (15:52 -0700)]
Check integer overflow to prevent memory corruption
bug:
23016072
Change-Id: If3c9a835408773847c0024a812bd8b4915ebd680
(cherry picked from commit
fa8ebb45fd850f56ca1bf64fbed3ac11e10c7d3d)
Marco Nelissen [Wed, 1 Jul 2015 20:05:50 +0000 (13:05 -0700)]
Check buffer size before using it
Bug:
21814993
Change-Id: Idaac61b4b9f4058b94e84093644593ba315d72ff
(cherry picked from commit
c1a104aaad2d84a57bf5d87dd030d2bef56bf541)
Dan Albert [Fri, 8 May 2015 17:43:54 +0000 (10:43 -0700)]
Fix comparison sign warnings.
Bug:
23213430
Change-Id: I6f2e2b03b968a569b122004b4803c5d17fccfb12
(cherry picked from commit
635bc8f90429b2fdcaf7f8d43f7f59bcd0fe951c)
Wei Jia [Mon, 20 Jul 2015 18:34:22 +0000 (11:34 -0700)]
ABuffer: reset members when memory allocation fails.
Bug:
22077698
Change-Id: I2beb724662d041ad2339d0f4c7f983e7ac5e5e6f
(cherry picked from commit
94b0badc025b14141ff234e3e4e2745411742bac)
Wei Jia [Sat, 15 Aug 2015 00:16:46 +0000 (17:16 -0700)]
SoftAVCEnc: check requested memory size before allocation.
Bug:
20674674
Change-Id: I569e7a9b33fe64779a40e55539929c3dc4303c19
(cherry picked from commit
f6fe4340219a8e674f3250fe32d4697ec8184b24)
Marco Nelissen [Fri, 24 Jul 2015 16:18:36 +0000 (09:18 -0700)]
Check vector size before accessing
Bug:
22388975
Change-Id: I3c157b1029d37f6a22e6302ea7b52077fe27ce53
(cherry picked from commit
529c595b083f8a4c3175e2350fba5547e6008e00)
Wei Jia [Wed, 3 Jun 2015 20:47:51 +0000 (13:47 -0700)]
libstagefright: check memory size for overflow before allocation.
Bug:
20674086
Change-Id: I431aa2b7d30a942350ab6d105451c6b77e2f99d4
(cherry picked from commit
42cccd7c8811597d56fb86afeacf6231d693dea6)
Wei Jia [Wed, 12 Aug 2015 17:08:41 +0000 (10:08 -0700)]
libstagefright: fix possible overflow in amrwbenc.
Bug:
23142203
Change-Id: I309df51e4df6412655f04cc093d792bf6c7944f7
(cherry picked from commit
9dd01777aa14bbb90a6cdccf97383bb4e3d717a5)
Wei Jia [Wed, 12 Aug 2015 17:41:00 +0000 (10:41 -0700)]
libstagefright: fix possible overflow in ID3.
Bug:
23129786
Change-Id: I2e6b7a6927aa4362ab49dd6824bbb1abf7b4e661
(cherry picked from commit
09da86913ca97d7a818a8917b6601527e5e18a24)
Nick Kralevich [Tue, 11 Aug 2015 03:31:38 +0000 (03:31 +0000)]
am
9d9491f9: am
0dbd0d7b: am
c9924410: am
2fe61ed0: am
3b8d3fa0: am
186d1fb9: am
f4dfe12e: am
54d88fe2: am
aa8dab77: Merge "MPEG4Extractor.cpp: Add check for size == SIZE_MAX" into jb-dev
* commit '
9d9491f9fb83523cfe68f2aa26c14f72f70812fc':
MPEG4Extractor.cpp: Add check for size == SIZE_MAX
Nick Kralevich [Tue, 11 Aug 2015 03:24:13 +0000 (03:24 +0000)]
am
0dbd0d7b: am
c9924410: am
2fe61ed0: am
3b8d3fa0: am
186d1fb9: am
f4dfe12e: am
54d88fe2: am
aa8dab77: Merge "MPEG4Extractor.cpp: Add check for size == SIZE_MAX" into jb-dev
* commit '
0dbd0d7bfe340ac46271c7f87969431b62a023ed':
MPEG4Extractor.cpp: Add check for size == SIZE_MAX
Nick Kralevich [Tue, 11 Aug 2015 03:07:29 +0000 (03:07 +0000)]
am
c9924410: am
2fe61ed0: am
3b8d3fa0: am
186d1fb9: am
f4dfe12e: am
54d88fe2: am
aa8dab77: Merge "MPEG4Extractor.cpp: Add check for size == SIZE_MAX" into jb-dev
* commit '
c99244105803ac32f4cc698b5b2a85b225d925a2':
MPEG4Extractor.cpp: Add check for size == SIZE_MAX
Nick Kralevich [Tue, 11 Aug 2015 02:57:48 +0000 (02:57 +0000)]
am
2fe61ed0: am
3b8d3fa0: am
186d1fb9: am
f4dfe12e: am
54d88fe2: am
aa8dab77: Merge "MPEG4Extractor.cpp: Add check for size == SIZE_MAX" into jb-dev
* commit '
2fe61ed032e083dc39265f3b88274fcb8fbeed9b':
MPEG4Extractor.cpp: Add check for size == SIZE_MAX
Nick Kralevich [Tue, 11 Aug 2015 02:49:10 +0000 (02:49 +0000)]
am
3b8d3fa0: am
186d1fb9: am
f4dfe12e: am
54d88fe2: am
aa8dab77: Merge "MPEG4Extractor.cpp: Add check for size == SIZE_MAX" into jb-dev
* commit '
3b8d3fa0dd97c05f77c4686986812e40203678d2':
MPEG4Extractor.cpp: Add check for size == SIZE_MAX
Nick Kralevich [Tue, 11 Aug 2015 02:37:17 +0000 (02:37 +0000)]
am
186d1fb9: am
f4dfe12e: am
54d88fe2: am
aa8dab77: Merge "MPEG4Extractor.cpp: Add check for size == SIZE_MAX" into jb-dev
* commit '
186d1fb9b72439c1c3317d72e4a0f52f466e6861':
MPEG4Extractor.cpp: Add check for size == SIZE_MAX
Nick Kralevich [Tue, 11 Aug 2015 02:32:49 +0000 (02:32 +0000)]
am
f4dfe12e: am
54d88fe2: am
aa8dab77: Merge "MPEG4Extractor.cpp: Add check for size == SIZE_MAX" into jb-dev
* commit '
f4dfe12ecd26e7d6965a2abc062709b6d7d942c4':
MPEG4Extractor.cpp: Add check for size == SIZE_MAX
Nick Kralevich [Tue, 11 Aug 2015 02:26:38 +0000 (02:26 +0000)]
am
54d88fe2: am
aa8dab77: Merge "MPEG4Extractor.cpp: Add check for size == SIZE_MAX" into jb-dev
* commit '
54d88fe2f17b1c5c6e4d0d1d1e36089fea3a1df0':
MPEG4Extractor.cpp: Add check for size == SIZE_MAX
Nick Kralevich [Tue, 11 Aug 2015 02:20:00 +0000 (02:20 +0000)]
am
aa8dab77: Merge "MPEG4Extractor.cpp: Add check for size == SIZE_MAX" into jb-dev
* commit '
aa8dab77aa9ef1bb6e5414ee5e773001de725bef':
MPEG4Extractor.cpp: Add check for size == SIZE_MAX
Nick Kralevich [Sat, 8 Aug 2015 16:41:15 +0000 (16:41 +0000)]
am
0080e03e: am
3ebcce0e: am
2c0f9591: am
fea5921b: am
9fff1d37: am
d9d35098: am
af6b3a6b: am
bce77a36: am
0e20b209: MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
* commit '
0080e03e2a69dcb5ecbcb2848f358ca73163714c':
MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
Nick Kralevich [Sat, 8 Aug 2015 16:34:15 +0000 (16:34 +0000)]
am
3ebcce0e: am
2c0f9591: am
fea5921b: am
9fff1d37: am
d9d35098: am
af6b3a6b: am
bce77a36: am
0e20b209: MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
* commit '
3ebcce0e3fda1ffae9453ca0cc389ee852e1d0a2':
MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
Nick Kralevich [Sat, 8 Aug 2015 16:23:51 +0000 (16:23 +0000)]
am
2c0f9591: am
fea5921b: am
9fff1d37: am
d9d35098: am
af6b3a6b: am
bce77a36: am
0e20b209: MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
* commit '
2c0f959112a1d9048e8dc527f2f9dc0cc3e490c9':
MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
Nick Kralevich [Sat, 8 Aug 2015 16:16:08 +0000 (16:16 +0000)]
am
fea5921b: am
9fff1d37: am
d9d35098: am
af6b3a6b: am
bce77a36: am
0e20b209: MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
* commit '
fea5921b975cf43c88b8f93d4f2500abde6088be':
MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
Nick Kralevich [Sat, 8 Aug 2015 16:08:43 +0000 (16:08 +0000)]
am
9fff1d37: am
d9d35098: am
af6b3a6b: am
bce77a36: am
0e20b209: MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
* commit '
9fff1d37d6129dfce7a6f89004ec4a9cea9c9cad':
MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
Nick Kralevich [Sat, 8 Aug 2015 16:01:24 +0000 (16:01 +0000)]
am
d9d35098: am
af6b3a6b: am
bce77a36: am
0e20b209: MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
* commit '
d9d35098aaaa546d79d0707734aac9b4b12c5be1':
MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
Nick Kralevich [Sat, 8 Aug 2015 15:19:26 +0000 (15:19 +0000)]
am
af6b3a6b: am
bce77a36: am
0e20b209: MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
* commit '
af6b3a6bc44e65e6dbf95c1e5dadf76aa78018d9':
MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
Nick Kralevich [Sat, 8 Aug 2015 14:55:23 +0000 (14:55 +0000)]
Merge "MPEG4Extractor.cpp: Add check for size == SIZE_MAX" into jb-dev
Marco Nelissen [Thu, 6 Aug 2015 15:03:47 +0000 (08:03 -0700)]
Fix Ogg album art
Bug:
23036083
Bug: https://code.google.com/p/android/issues/detail?id=182053
Change-Id: I1a5cbe06990900160c2addade238c1e9feab8f71
(cherry picked from commit
c63cc509404b9328aedd1be3adc4e87cd07b4eb1)
Marco Nelissen [Sat, 8 Aug 2015 00:59:49 +0000 (00:59 +0000)]
Merge "Extra sanity checks on sample size and resolution" into klp-dev
Nick Kralevich [Fri, 7 Aug 2015 23:09:03 +0000 (23:09 +0000)]
am
bce77a36: am
0e20b209: MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
* commit '
bce77a36125b25ce864b40bd5938ca89becea898':
MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
Nick Kralevich [Fri, 7 Aug 2015 18:41:28 +0000 (18:41 +0000)]
am
0e20b209: MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
* commit '
0e20b2093aa2bbc93afed8d68d3765d18a431b74':
MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
Nick Kralevich [Fri, 7 Aug 2015 18:19:24 +0000 (11:19 -0700)]
MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
chunk_size is a uint64_t, so it can legitimately be bigger
than SIZE_MAX, which would cause the subtraction to underflow.
https://code.google.com/p/android/issues/detail?id=182251
Bug:
23034759
Change-Id: Ic1637fb26bf6edb0feb1bcf2876fd370db1ed547
Joshua J. Drake [Fri, 7 Aug 2015 17:19:23 +0000 (17:19 +0000)]
am
9364bdc9: am
905aae46: am
11c88f66: am
2796ba1c: am
a555788d: am
0e33cb2d: am
e4ccf3a1: am
3329a19b: am
c87faed6: Fix integer underflow in covr MPEG4 processing
* commit '
9364bdc9a1298a609eb825be051c393cbf3d7a38':
Fix integer underflow in covr MPEG4 processing
Joshua J. Drake [Fri, 7 Aug 2015 17:19:22 +0000 (17:19 +0000)]
am
3621c056: am
bcc8e581: am
bb99a362: am
8d60fc3e: am
338bbf53: am
fd334e34: am
03d539a7: am
a5b9055d: am
f1ce97dd: Fix integer overflow when handling MPEG4 tx3g atom
* commit '
3621c05605c5a3f2c452668beacb71a08dc2d7c8':
Fix integer overflow when handling MPEG4 tx3g atom
Nick Kralevich [Fri, 7 Aug 2015 17:19:20 +0000 (17:19 +0000)]
am
d0af1ded: (-s ours) am
a421314f: am
430475da: resolved conflicts for merge of
0b3eca88 to jb-mr1-dev-plus-aosp
* commit '
d0af1dedf5d903a52fac58f694b3f8edbf20e656':
Prevent integer overflow when processing covr MPEG4 atoms
Nick Kralevich [Fri, 7 Aug 2015 17:02:37 +0000 (10:02 -0700)]
MPEG4Extractor.cpp: Add check for size == SIZE_MAX
If size == SIZE_MAX, the line:
uint8_t *buffer = new (std::nothrow) uint8_t[size + 1];
ends up allocating zero bytes, which is obviously incorrect.
This is conceptually a cherrypick of commit
b2d33aee5122c91a59c2a676c0b89ad340232450 , but specifically for
Android 4.1 through Android 4.4. In Android 5.0, new code
was introduced which caused the function parseMetaData()
to be renamed.
Bug:
23031033
Change-Id: Ib34e740f3292a484f8a24e513c1cce58f2f33ecb
Joshua J. Drake [Fri, 7 Aug 2015 16:29:36 +0000 (16:29 +0000)]
am
905aae46: am
11c88f66: am
2796ba1c: am
a555788d: am
0e33cb2d: am
e4ccf3a1: am
3329a19b: am
c87faed6: Fix integer underflow in covr MPEG4 processing
* commit '
905aae465fa88d6d793c670c08c360900c6cb3f7':
Fix integer underflow in covr MPEG4 processing
Joshua J. Drake [Fri, 7 Aug 2015 16:29:35 +0000 (16:29 +0000)]
am
bcc8e581: am
bb99a362: am
8d60fc3e: am
338bbf53: am
fd334e34: am
03d539a7: am
a5b9055d: am
f1ce97dd: Fix integer overflow when handling MPEG4 tx3g atom
* commit '
bcc8e5817fa3dc624f214e58f756098053ac5682':
Fix integer overflow when handling MPEG4 tx3g atom
Nick Kralevich [Fri, 7 Aug 2015 16:29:34 +0000 (16:29 +0000)]
am
a421314f: am
430475da: resolved conflicts for merge of
0b3eca88 to jb-mr1-dev-plus-aosp
* commit '
a421314f9cc1b061d94a79e2aa1a92916ea4b9bf':
Prevent integer overflow when processing covr MPEG4 atoms
Joshua J. Drake [Fri, 7 Aug 2015 16:17:11 +0000 (16:17 +0000)]
am
11c88f66: am
2796ba1c: am
a555788d: am
0e33cb2d: am
e4ccf3a1: am
3329a19b: am
c87faed6: Fix integer underflow in covr MPEG4 processing
* commit '
11c88f66205dd9095cbe87f3486ef7262e4d2e22':
Fix integer underflow in covr MPEG4 processing
Joshua J. Drake [Fri, 7 Aug 2015 16:17:10 +0000 (16:17 +0000)]
am
bb99a362: am
8d60fc3e: am
338bbf53: am
fd334e34: am
03d539a7: am
a5b9055d: am
f1ce97dd: Fix integer overflow when handling MPEG4 tx3g atom
* commit '
bb99a362dc76f9bf040f6256369fabf27ad1c2f5':
Fix integer overflow when handling MPEG4 tx3g atom
Nick Kralevich [Fri, 7 Aug 2015 16:13:44 +0000 (16:13 +0000)]
am
430475da: resolved conflicts for merge of
0b3eca88 to jb-mr1-dev-plus-aosp
* commit '
430475da7f0edb86ee6a85378d1583ab07f7f93d':
Prevent integer overflow when processing covr MPEG4 atoms
Joshua J. Drake [Fri, 7 Aug 2015 16:11:07 +0000 (16:11 +0000)]
am
2796ba1c: am
a555788d: am
0e33cb2d: am
e4ccf3a1: am
3329a19b: am
c87faed6: Fix integer underflow in covr MPEG4 processing
* commit '
2796ba1c511517a4904d10d1fdc830c86d161342':
Fix integer underflow in covr MPEG4 processing
Joshua J. Drake [Fri, 7 Aug 2015 16:11:05 +0000 (16:11 +0000)]
am
8d60fc3e: am
338bbf53: am
fd334e34: am
03d539a7: am
a5b9055d: am
f1ce97dd: Fix integer overflow when handling MPEG4 tx3g atom
* commit '
8d60fc3e3ecd4d7c2b18f25962f0ea42f3644ebd':
Fix integer overflow when handling MPEG4 tx3g atom
Nick Kralevich [Fri, 7 Aug 2015 15:50:46 +0000 (08:50 -0700)]
resolved conflicts for merge of
0b3eca88 to jb-mr1-dev-plus-aosp
Bug:
20923261
Change-Id: I6fe12a7c5768f77454bd0391b07f4c3181607d14
Marco Nelissen [Tue, 4 Aug 2015 15:38:24 +0000 (08:38 -0700)]
Extra sanity checks on sample size and resolution
Instead of rejecting the samples later when they don't fit in the
buffer, reject the entire file early.
Bug:
22882938
Change-Id: I748153b0e9e827e3f2526468756295b4b5000de6
(cherry picked from commit
beef7e58c1f1837bdaed6ac37414d8c48a133813)
Marco Nelissen [Tue, 4 Aug 2015 23:49:28 +0000 (16:49 -0700)]
Fix crash on malformed id3
Bug:
22954006
Change-Id: I488cb1e2c69fc7043b6040481b30fa866000515d
Joshua J. Drake [Tue, 4 Aug 2015 21:42:34 +0000 (21:42 +0000)]
am
a555788d: am
0e33cb2d: am
e4ccf3a1: am
3329a19b: am
c87faed6: Fix integer underflow in covr MPEG4 processing
* commit '
a555788d9cd4a22a8f5d7dccd288f7d185cef209':
Fix integer underflow in covr MPEG4 processing
Joshua J. Drake [Tue, 4 Aug 2015 21:42:34 +0000 (21:42 +0000)]
am
338bbf53: am
fd334e34: am
03d539a7: am
a5b9055d: am
f1ce97dd: Fix integer overflow when handling MPEG4 tx3g atom
* commit '
338bbf53be077a99f532e813d4cf14a192c55f74':
Fix integer overflow when handling MPEG4 tx3g atom
Joshua J. Drake [Tue, 4 Aug 2015 21:42:33 +0000 (21:42 +0000)]
am
cd5cf679: am
df1ecfe3: am
52d1defc: am
9481a101: am
a81b3779: Prevent integer overflow when processing covr MPEG4 atoms
* commit '
cd5cf6797c26ca7d3ce2f9a379bdef099dae2aae':
Prevent integer overflow when processing covr MPEG4 atoms
Joshua J. Drake [Tue, 4 Aug 2015 21:37:01 +0000 (21:37 +0000)]
am
0e33cb2d: am
e4ccf3a1: am
3329a19b: am
c87faed6: Fix integer underflow in covr MPEG4 processing
* commit '
0e33cb2dd5ccf6f4db8c694cb2c233bb1d2a2d0b':
Fix integer underflow in covr MPEG4 processing
Joshua J. Drake [Tue, 4 Aug 2015 21:37:00 +0000 (21:37 +0000)]
am
fd334e34: am
03d539a7: am
a5b9055d: am
f1ce97dd: Fix integer overflow when handling MPEG4 tx3g atom
* commit '
fd334e346bd0fc9b11756539d1635eabdb6b04cb':
Fix integer overflow when handling MPEG4 tx3g atom
Joshua J. Drake [Tue, 4 Aug 2015 21:36:59 +0000 (21:36 +0000)]
am
df1ecfe3: am
52d1defc: am
9481a101: am
a81b3779: Prevent integer overflow when processing covr MPEG4 atoms
* commit '
df1ecfe3913b9c3bce17947d877498093a42a56f':
Prevent integer overflow when processing covr MPEG4 atoms
Joshua J. Drake [Tue, 4 Aug 2015 21:31:51 +0000 (21:31 +0000)]
am
e4ccf3a1: am
3329a19b: am
c87faed6: Fix integer underflow in covr MPEG4 processing
* commit '
e4ccf3a14beabfeeb6c7df47ae118f3db999c1ce':
Fix integer underflow in covr MPEG4 processing
Joshua J. Drake [Tue, 4 Aug 2015 21:31:40 +0000 (21:31 +0000)]
am
03d539a7: am
a5b9055d: am
f1ce97dd: Fix integer overflow when handling MPEG4 tx3g atom
* commit '
03d539a7a9c8ae7aef9cb8bda9042187327566a2':
Fix integer overflow when handling MPEG4 tx3g atom
Joshua J. Drake [Tue, 4 Aug 2015 21:31:38 +0000 (21:31 +0000)]
am
52d1defc: am
9481a101: am
a81b3779: Prevent integer overflow when processing covr MPEG4 atoms
* commit '
52d1defcfe51bd3b5f4e191fb70a0a0a406c33dc':
Prevent integer overflow when processing covr MPEG4 atoms
Joshua J. Drake [Tue, 4 Aug 2015 21:25:41 +0000 (21:25 +0000)]
am
3329a19b: am
c87faed6: Fix integer underflow in covr MPEG4 processing
* commit '
3329a19b4d11d3c1310bbe9aa54b6a66488ab862':
Fix integer underflow in covr MPEG4 processing
Joshua J. Drake [Tue, 4 Aug 2015 21:25:40 +0000 (21:25 +0000)]
am
a5b9055d: am
f1ce97dd: Fix integer overflow when handling MPEG4 tx3g atom
* commit '
a5b9055d7ce1d82ee29ed2f45aa4f8a82ccc76f2':
Fix integer overflow when handling MPEG4 tx3g atom
Joshua J. Drake [Tue, 4 Aug 2015 21:25:38 +0000 (21:25 +0000)]
am
9481a101: am
a81b3779: Prevent integer overflow when processing covr MPEG4 atoms
* commit '
9481a101f8246263d969af66a7b39fad7346772e':
Prevent integer overflow when processing covr MPEG4 atoms
Joshua J. Drake [Tue, 4 Aug 2015 21:18:33 +0000 (21:18 +0000)]
am
c87faed6: Fix integer underflow in covr MPEG4 processing
* commit '
c87faed60483afb2466e03892bda80b72e5822c7':
Fix integer underflow in covr MPEG4 processing
Joshua J. Drake [Tue, 4 Aug 2015 21:18:32 +0000 (21:18 +0000)]
am
f1ce97dd: Fix integer overflow when handling MPEG4 tx3g atom
* commit '
f1ce97ddc2f82d844a6fb8341585eb7b2e655f44':
Fix integer overflow when handling MPEG4 tx3g atom
Joshua J. Drake [Tue, 4 Aug 2015 21:18:30 +0000 (21:18 +0000)]
am
a81b3779: Prevent integer overflow when processing covr MPEG4 atoms
* commit '
a81b3779cc6f6046c8a9149bf544e9d726c9b2b2':
Prevent integer overflow when processing covr MPEG4 atoms
Joshua J. Drake [Mon, 4 May 2015 22:14:11 +0000 (17:14 -0500)]
Fix integer underflow in covr MPEG4 processing
When the 'chunk_data_size' variable is less than 'kSkipBytesOfDataBox', an
integer underflow can occur. This causes an extraordinarily large value to
be passed to MetaData::setData, leading to a buffer overflow.
Bug:
20923261
(cherry picked from commit
4a492bf2ac47b9844d2527e1fcdf0064c3d8d52e)
Change-Id: I83490cbaf5b368073fcd8668a9241dfc90bebd90
Joshua J. Drake [Mon, 4 May 2015 23:29:08 +0000 (18:29 -0500)]
Fix integer overflow when handling MPEG4 tx3g atom
When the sum of the 'size' and 'chunk_size' variables is larger than 2^32,
an integer overflow occurs. Using the result value to allocate memory
leads to an undersized buffer allocation and later a potentially
exploitable heap corruption condition. Ensure that integer overflow does
not occur.
Bug:
20923261
(cherry picked from commit
e5f0966c76bd0a7e81e4205c8d8b55e6b34c833e)
Change-Id: I3f240f75fd681becbf89cb7e7554388471c28059
Joshua J. Drake [Mon, 4 May 2015 23:36:35 +0000 (18:36 -0500)]
Prevent integer overflow when processing covr MPEG4 atoms
If the 'chunk_data_size' value is SIZE_MAX, an integer overflow will occur
and cause an undersized buffer to be allocated. The following processing
then overfills the resulting memory and creates a potentially exploitable
condition. Ensure that integer overflow does not occur.
(cherrypicked from commit
05ddc499b9d50c90f552ed1333110f28a1406e7c)
Bug:
20923261
Change-Id: If09a02738759acdff8d95149bb9cb5f18a0a123e