summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Merge branch 'cm-13.0' of https://github.com/LineageOS/android_frameworks_av ↵HEADreplicant-6.0-0001replicant-6.0Wolfgang Wiedmeyer2017-05-0215-190/+394
|\ | | | | | | into replicant-6.0
| * resolve merge conflicts of 79cf158c51 to mnc-devMarco Nelissen2017-04-051-4/+10
| | | | | | | | | | | | | | | | | | | | AOSP-Change-Id: Ied32e83215e386c801c02991a0b2fa4baa25b643 CVE-2017-0558 (cherry picked from commit 50358a80b1724f6cf1bcdf003e1abf9cc141b122) Change-Id: Ic2e40c7d6aec8427444a1fd145726e490e994d08
| * Fix overflow check and check read resultMarco Nelissen2017-04-051-8/+10
| | | | | | | | | | | | | | | | | | | | | | | | Bug: 33861560 Test: build AOSP-Change-Id: Ia85519766e19a6e37237166f309750b3e8323c4e CVE-2017-0547 (cherry picked from commit 9667e3eff2d34c3797c3b529370de47b2c1f1bf6) Change-Id: I171aa1c7c4a4a5095ac7041371db14e3a4f3676a
| * EffectBundle: check nb channels to write speaker anglesJean-Michel Trivi2017-04-051-8/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When speaker angles are queried, the size of the array for the returned data is 3x the number of channels (where really it should be max(2, nbChannels)). The code assumed it was at least 3x2 (where 2 is the number of virtual speakers this effect supports) and would thus crash when called for a mono channel mask. Test: see repro steps in bug Bug: 32591350 AOSP-Change-Id: I33d4bff6b2e19a9fc4284a85a446804878d3a410 CVE-2017-0545 Change-Id: Ie4480d9abcfafcd53fca15ab2fd8ef7ecb6fd48d (cherry picked from commit e5a54485e08400a976092cd5b1c6d909d0e1a4ab)
| * CameraBase: Don't return an sp<> by referenceEino-Ville Talvala2017-04-052-6/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If the server dies, the binder death callback clears out the global camera service sp<>, and any current references to it will become quite unhappy. Test: Camera CTS passes Bug: 31992879 AOSP-Change-Id: I2966bed35d0319e3f26e3d4b1b8dc08006a22348 CVE-2017-0544 Change-Id: Ib7ef455366927b0471f8fcabdd5a54e38e375d41 (cherry picked from commit 4b49489c12e6862e9a320ebcb53872e809ed20ec)
| * avc_utils: skip empty NALs from malformed bistreamsRobert Shih2017-03-221-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Avoid a CHECK and make it the decoder's repsonsibility to handle a malformed bistream gracefully. Bug: 34509901 Bug: 33137046 Test: StagefrightTest#testStagefright_bug_27855419_CVE_2016_2463 CVE-2017-0483 Change-Id: I2d94f8da63d65a86a9c711c45546e4c695e0f3b4 (cherry picked from commit 91fe76a157847825601b8f7a627efd1c9cbadcae) (cherry picked from commit 5cabe32a59f9be1e913b6a07a23d4cfa55e3fb2f)
| * Don't initialize sync sample parameters until the endMarco Nelissen2017-03-221-9/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | to avoid leaving them in a partially initialized state. Bug: 33137046 Test: ran CTS tests CVE-2017-0483 Change-Id: I1f5c070233c5917d85da9e930e01a3fc51a0a0ec (cherry picked from commit a9660fe122ca382e1777e0c5d3c42ca67ffb0377) (cherry picked from commit bc62c086e9ba7530723dc8874b83159f4d77d976)
| * DO NOT MERGE - audioflinger: fix recursive mutex lock in EffectHandle.Eric Laurent2017-03-221-7/+25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bug: 33661708 Bug: 32707507 Bug: 32095713 Test: run CTS AudioEffectTest#test5_0Command, Custom binder test CVE-2017-0479 CVE-2017-0480 Change-Id: I03f674f126c191143bd8bdfe236f793e975826a5 (cherry picked from commit 31a4598a1908b3ccac7ddb33c511ce66840aa911) (cherry picked from commit 8415635765380be496da9b4578d8f134a527d86b)
| * DO NOT MERGE - improve audio effect framwework thread safetyEric Laurent2017-03-227-123/+225
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Reorganize handle effect creation code to make sure the effect engine is created with both thread and effect chain mutex held. - Reorganize handle disconnect code to make sure the effect engine is released with both thread and effect chain mutex held. - Protect IEffect interface methods in EffectHande with a Mutex. - Only pin effect if the session was acquired first. - Do not use strong pointer to EffectModule in EffectHandles: only the EffectChain has a single strong reference to the EffectModule. Bug: 32707507 CVE-2017-0479 CVE-2017-0480 CVE-2017-0499 Change-Id: Ia1098cba2cd32cc2d1c9dfdff4adc2388dfed80e (cherry picked from commit b378b73dd7480b584340b8028802c9ca2d625123) (cherry picked from commit 22e26d8ee73488c58ba3e7928e5da155151abfd0 with backport by <sultanxda@gmail.com>)
| * Fix security vulnerability: potential OOB write in audioserverrago2017-03-133-6/+49
| | | | | | | | | | | | | | | | | | Bug: 32705438 Bug: 32703959 Test: cts security test Change-Id: I8900c92fa55b56c4c2c9d721efdbabe6bfc8a4a4 (cherry picked from commit e275907e576601a3579747c3a842790bacf111e2) (cherry picked from commit b0bcddb44d992e74140a3f5eedc7177977ea8e34)
| * Effect: Use local cached data for Effect commitAndy Hung2017-03-131-19/+38
| | | | | | | | | | | | | | | | | | Test: POC, Cts Effect, BassBoost, EnvReverb, Equalizer, Test: LoudnessEnhancer, PresetReverb, Virtualizer, Visualizer Bug: 32220769 Change-Id: Iea96ba0daf71691ee8954cca4ba1c10fe827626e (cherry picked from commit dd79ccda92c1e9b982b2d0f8877d98e5258fbb73) (cherry picked from commit a155de4d70e0b9ac8fc02b2bdcbb2e8e6cca46ff)
* | Merge branch 'cm-13.0' of https://github.com/LineageOS/android_frameworks_av ↵Wolfgang Wiedmeyer2017-02-117-47/+126
|\ \ | |/ | | | | into replicant-6.0
| * IOMX: convert ANWB to Gralloc meta if using useBuffer in the same processLajos Molnar2017-02-031-3/+5
| | | | | | | | | | | | | | | | This was disabled by a previous commit. Bug: 32436178 Change-Id: I9f9c6a372a039226d61f3651be3af207fed63e60 (cherry picked from commit 4fb1e42a16e77d7abf1d84bedbc20f901af26524)
| * stagefright: remove allottedSize equality check in IOMX::useBufferLajos Molnar2017-02-031-7/+0
| | | | | | | | | | | | | | | | | | This was meant for buffers shared cross-process, but we are not gaining anything from this check even if it was at the correct place. Bug: 32436178 Change-Id: I6919e8ac6e35092273e171f49f6711ba577ba2e6 (cherry picked from commit 58388aa7be1c6963eb4b8464d46938ba9b0a04b0)
| * Effects: Check get parameter command sizeAndy Hung2017-02-031-0/+7
| | | | | | | | | | | | | | | | | | | | Test: Custom test. Bug: 32438594 Bug: 32624850 Bug: 32635664 Change-Id: I9b1315e2c02f11bea395bfdcf5c1ccddccbad8a6 (cherry picked from commit 3d34cc76e315dfa8c3b1edf78835b0dab4980505) (cherry picked from commit 26965db50a617f69bdefca0d7533796c80374f2c)
| * Visualizer: Check capture size and latency parametersAndy Hung2017-02-031-11/+32
| | | | | | | | | | | | | | Bug: 31781965 Change-Id: I1c439a0d0f6aa0057b3c651499f28426e1e1f5e4 (cherry picked from commit 9a2732ba0a8d609ab040d2c1ddee28577ead9772) (cherry picked from commit 557bd7bfe6c4895faee09e46fc9b5304a956c8b7)
| * Make VBRISeeker more robustMarco Nelissen2017-01-131-2/+16
| | | | | | | | | | | | | | Bug: 32577290 Change-Id: I9bcc9422ae7dd3ae4a38df330c9dcd7ac4941ec8 (cherry picked from commit 7fdd36418e945cf6a500018632dfb0ed8cb1a343) (cherry picked from commit 453b351ac5bd2b6619925dc966da60adf6b3126c)
| * DO NOT MERGE: defensive parsing of mp3 album art informationRay Essick2017-01-131-17/+39
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | several points in stagefrights mp3 album art code used strlen() to parse user-supplied strings that may be unterminated, resulting in reading beyond the end of a buffer. This changes the code to use strnlen() for 8-bit encodings and strengthens the parsing of 16-bit encodings similarly. It also reworks how we watch for the end-of-buffer to avoid all over-reads. Bug: 32377688 Test: crafted mp3's w/ good/bad cover art. See what showed in play music Change-Id: Ia9f526d71b21ef6a61acacf616b573753cd21df6 (cherry picked from commit fa0806b594e98f1aed3ebcfc6a801b4c0056f9eb) (cherry picked from commit 7a3246b870ddd11861eda2ab458b11d723c7f62c)
| * Fix security vulnerability: Effect command might allow negative indexesrago2017-01-131-6/+26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bug: 32448258 Bug: 32095626 Test: Use POC bug or cts security test Change-Id: I69f24eac5866f8d9090fc4c0ebe58c2c297b63df (cherry picked from commit 01183402d757f0c28bfd5e3b127b3809dfd67459) (cherry picked from commit 321ea5257e37c8edb26e66fe4ee78cca4cd915fe) Fix security vulnerability: Equalizer command might allow negative indexes Bug: 32247948 Bug: 32438598 Bug: 32436341 Test: use POC on bug or cts security test Change-Id: I91bd6aadb6c7410163e03101f365db767f4cd2a3 (cherry picked from commit 0872b65cff9129633471945431b9a5a28418049c) (cherry picked from commit e981cca9fff3608af22bdf8fc1acef5470e25663) (cherry picked from commit c66c43ad571ed2590dcd55a762c73c90d9744bac)
| * soundtrigger: fix memory corruptionSam Mortimer2016-12-131-1/+1
| | | | | | | | | | | | | | Fixes hotword on angler. Change-Id: Ic15a617c0f79f03785feaddd2dfa6deb90842a06 (cherry picked from commit 5f72b2213b9dc96ce91871398b539ad6aa653142)
* | Merge branch 'cm-13.0' of ↵Wolfgang Wiedmeyer2016-12-132-8/+26
|\ \ | |/ | | | | https://github.com/CyanogenMod/android_frameworks_av into replicant-6.0
| * DO NOT MERGE Fix divide by zeroMarco Nelissen2016-12-121-5/+18
| | | | | | | | | | | | | | | | | | | | and be stricter about the layout of various boxes in mp4 files. CYNGNOS-3312 Bug: 31318219 Change-Id: I50034d5b6b1967ca6e88aabeacf49f26ba3c0d32 (cherry picked from commit 2e211d38a3124849ef46376256d01e69549c422f) (cherry picked from commit d4eb1e1ca163d6ab0eaf0d80ca138f851f87c3d2)
| * Fix potential NULL dereference in Visualizer effectrago2016-12-121-3/+8
| | | | | | | | | | | | | | | | | | | | | | CYNGNOS-3312 Bug: 30229821 Test: fixing CL. Existing unit tests still pass. Change-Id: I6e4abd759d5d2abc3b391e92e2e18f060cab7af0 (cherry picked from commit 874f9e0b8eb0cbe508d15c8c03796c863851f21f) (cherry picked from commit 244e7fd2a45b4e7d70d2c2e550181220371b7edf)
* | Merge branch 'cm-13.0' of ↵Wolfgang Wiedmeyer2016-12-12177-1279/+2715
|\ \ | |/ | | | | https://github.com/CyanogenMod/android_frameworks_av into replicant-6.0
| * Merge tag 'android-6.0.1_r74' into HEADJessica Wagantall2016-11-0916-80/+275
| |\ | | | | | | | | | | | | | | | | | | | | | CYNGNOS-3303 Android 6.0.1 release 74 Change-Id: I0a14578751f4ecb8d13def26b9ffe5dcba4afd72
| | * stagefright: don't fail MediaCodec.configure if clients use store-meta keyLajos Molnar2016-10-111-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | Even though storing metadata is not supported in MediaCodec.configure and is only meant to be used by Stagefright recorder, don't fail configure. Bug: 31986922 Change-Id: Id9f083be6e857e7a0d8d4a74159be5b8894e28be (cherry picked from commit ae52fd383a43ac239f459078fd003ce8ac2efb55)
| | * IOMX: do not clear buffer if it's allocated by componentChong Zhang2016-09-301-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | The component might depends on their buffers to be initialized in certain ways to work. Don't clear unless we're allocating it. bug: 31586647 Change-Id: Ia0a125797e414998ef0cd8ce03672f5b1e0bbf7a (cherry picked from commit ea76573aa276f51950007217a97903c4fe64f685)
| | * IOMX: allow configuration after going to loaded stateLajos Molnar2016-09-301-2/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | This was disallowed recently but we still use it as MediaCodcec.stop only goes to loaded state, and does not free component. Bug: 31450460 Change-Id: I72e092e4e55c9f23b1baee3e950d76e84a5ef28d (cherry picked from commit e03b22839d78c841ce0a1a0a1ee1960932188b0b)
| | * IOMX: restrict conversion of ANWB to gralloc source in emptyBufferLajos Molnar2016-09-301-2/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is only allowed in-process (if backup and codec buffers are connected.) Bug: 29422020 Bug: 31412859 Change-Id: If48e3e0b6f1af99a459fdc3f6f03744bbf0dc375 (cherry picked from commit 087ff38490016f4a0b6a1e717ae8af781d9b750c)
| | * Limit mp4 atom size to something reasonableMarco Nelissen2016-09-271-0/+13
| | | | | | | | | | | | | | | | | | Bug: 28615448 Change-Id: I5916f6839b4a9bbee4388a106e7373bcd4154f5a (cherry picked from commit cb898dca47ac03738db91ddc371207435d2a1526)
| | * SampleIterator: clear members on seekTo errorRobert Shih2016-09-271-3/+4
| | | | | | | | | | | | | | | | | | Bug: 31091777 Change-Id: Iddf99d0011961d0fd3d755e57db4365b6a6a1193 (cherry picked from commit 03237ce0f9584c98ccda76c2474a4ae84c763f5b)
| | * Check mprotect resultMarco Nelissen2016-09-271-24/+28
| | | | | | | | | | | | | | | | | | | | | | | | | | | mprotect can theoretically fail, which could then let one exploit a vulnerable codec if one exists on the device. Bug: 31350239 Change-Id: I7b99c190619f0fb2eb93119596e6da0d2deb8ba5 (cherry picked from commit 866c800c0624bb13eee44973cc8a2ecd0012de6e)
| | * Radio: get service by value.Eric Laurent2016-09-272-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Get strong pointer to service interface by value and not reference to prevent race conditions where the service pointer can be cleared by another thread while in use. Bug: 30907212 Change-Id: Iae838b3b672562c1d0cd63968399a6bfdda7f5ab (cherry picked from commit 28a0e9ec74e5192aacffb279c80619ef284062b0)
| | * SoundTrigger: get service by value.Eric Laurent2016-09-272-5/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Get strong pointer to service interface by value and not reference to prevent race conditions where the service pointer can be cleared by another thread while in use. Bug: 30907212 Change-Id: I6f02ec3fd1e6392b842b334e1cc4f9aa23916009 (cherry picked from commit 3b01b3019b1c62132792a1a94e2dc1f7cfc84f2e)
| | * Fix stack content leak vulnerability in mediaserverJeff Tinker2016-09-271-1/+1
| | | | | | | | | | | | | | | | | | bug: 30875060 Change-Id: I03f4d08b7b31ac5b507cfc9e65e5607c73972d95 (cherry picked from commit 9a6861cbd3bb0e1b8fe4c105795256ee032f9664)
| | * Fix potential overflow in Visualizer effectrago2016-09-271-0/+9
| | | | | | | | | | | | | | | | | | | | | Bug: 30229821 Change-Id: Idd3c1563dc9d3261e6e168e945005bf133ab2cdb (cherry picked from commit 099ab280775946e7c36c73fde47f2ee5a2579f53) (cherry picked from commit 46dc714d523a41a4f886eecbe5b9947a4c900510)
| | * IOMX: work against metadata buffer spoofingLajos Molnar2016-09-277-41/+196
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Prohibit direct set/getParam/Settings for extensions meant for OMXNodeInstance alone. This disallows enabling metadata mode without the knowledge of OMXNodeInstance. - Do not share metadata mode buffers cross process. - Disallow setting up metadata mode/tunneling/input surface after first sendCommand. - Disallow store-meta for input cross process. - Disallow emptyBuffer for surface input (via IOMX). - Fix checking for input surface. Bug: 29422020 Change-Id: I801c77b80e703903f62e42d76fd2e76a34e4bc8e (cherry picked from commit f8a4cb410115045278f534e54b41ac78d6bf6c07)
| | * MediaPlayerService: allow next player to be NULLWei Jia2016-08-301-1/+1
| | | | | | | | | | | | | | | | | | | | | Bug: 31155917 Bug: 30204103 Change-Id: I9a2a59ddb900fc942e7c19b31b53a110d790474c (cherry picked from commit 282841278723166e74039329ca56e444ad472daf)
| | * Fix build breakage caused by commitPawin Vongmasa2016-08-251-2/+2
| | | | | | | | | | | | | | | | | | | | | 940829f69b52d6038db66a9c727534636ecc456d. Change-Id: I4776db4a26fb3c31bb994d48788373fe569c812a (cherry picked from commit baa9146401e28c5acf54dea21ddd197f0d3a8fcd)
| | * Add EFFECT_CMD_SET_PARAM parameter checkingAndy Hung2016-08-251-0/+23
| | | | | | | | | | | | | | | | | | Bug: 30204301 Change-Id: Ib9c3ee1c2f23c96f8f7092dd9e146bc453d7a290 (cherry picked from commit e4a1d91501d47931dbae19c47815952378787ab6)
| | * soundtrigger: add size check on sound model and recogntion dataEric Laurent2016-08-251-8/+30
| | | | | | | | | | | | | | | | | | | | | | | | Bug: 30148546 Change-Id: I082f535a853c96571887eeea37c6d41ecee7d8c0 (cherry picked from commit bb00d8f139ff51336ab3c810d35685003949bcf8) (cherry picked from commit ef0c91518446e65533ca8bab6726a845f27c73fd)
| | * MediaPlayerService: avoid invalid static castRobert Shih2016-08-252-0/+11
| | | | | | | | | | | | | | | | | | Bug: 30204103 Change-Id: Ie0dd3568a375f1e9fed8615ad3d85184bcc99028 (cherry picked from commit ee0a0e39acdcf8f97e0d6945c31ff36a06a36e9d)
| | * better validation lengths of strings in ID3 tagsRay Essick2016-08-251-15/+42
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Validate lengths on strings in ID3 tags, particularly around 0. Also added code to handle cases when we can't get memory for copies of strings we want to extract from these tags. Affects L/M/N/master, same patch for all of them. Bug: 30744884 Change-Id: I2675a817a39f0927ec1f7e9f9c09f2e61020311e Test: play mp3 file which caused a <0 length. (cherry picked from commit d23c01546c4f82840a01a380def76ab6cae5d43f)
| | * SoftMPEG4: Check the buffer size before writing the reference frame.Pawin Vongmasa2016-08-252-2/+24
| | | | | | | | | | | | | | | | | | | | | | | | Also prevent overflow in SoftMPEG4 and division by zero in SoftMPEG4Encoder. Bug: 30033990 Change-Id: I7701f5fc54c2670587d122330e5dc851f64ed3c2 (cherry picked from commit 695123195034402ca76169b195069c28c30342d3)
| * | Allow to use baseline profile for AVC recordingAndreas Blaesius2016-11-082-1/+5
| | | | | | | | | | | | | | | | | | - some encoder seem to crash using higher h264 profiles Change-Id: I2beb881e76519f872e3e99957f8b981eeaa53b56
| * | libstagefright: wfd: don't use intra macroblock refresh mode on omap4Ziyan2016-11-062-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Most, if not all OMAP4 Ducatis doesn't support intra macroblock refresh mode, causing the encoder to fail initializing. This patch disables intra macroblock refresh mode for wifi display on omap4. Note: Ideally, the decoder shouldn't fail if intra macroblock refresh mode can't be configured. However, that would trick higher layers into thinking that it's on, because they set that parameter. As of now, this mode seems to only ever be used for wifi display. Change-Id: I9696af8f22db82cc436a351e4d93bf7323588f43
| * | Merge tag 'android-6.0.1_r72' into HEADJessica Wagantall2016-10-067-25/+130
| |\ \ | | | | | | | | | | | | | | | | | | | | Android 6.0.1 Release 72 (M4B30X) Change-Id: I617426a3fbf7a8d013c5be838ad4c80a00b61a5f
| | * | MediaPlayerService: allow next player to be NULLWei Jia2016-08-301-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Bug: 31155917 Bug: 30204103 Change-Id: I9a2a59ddb900fc942e7c19b31b53a110d790474c (cherry picked from commit 282841278723166e74039329ca56e444ad472daf)
| | * | Fix build breakage caused by commitPawin Vongmasa2016-08-261-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | 940829f69b52d6038db66a9c727534636ecc456d. Change-Id: I4776db4a26fb3c31bb994d48788373fe569c812a (cherry picked from commit baa9146401e28c5acf54dea21ddd197f0d3a8fcd)
| | * | soundtrigger: add size check on sound model and recogntion dataEric Laurent2016-08-261-8/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bug: 30148546 Change-Id: I082f535a853c96571887eeea37c6d41ecee7d8c0 (cherry picked from commit bb00d8f139ff51336ab3c810d35685003949bcf8) (cherry picked from commit ef0c91518446e65533ca8bab6726a845f27c73fd)
generated by cgit v1.1 at 2024-04-26 20:02:31 +0000