Merge pi-dev-plus-aosp-without-vendor into stage-aosp-master
Bug: 79597307
Change-Id: I6db3d9db067a59b1fbbd50fd84544646282e3767
diff --git a/Android.bp b/Android.bp
index 957e253..4abfa16 100644
--- a/Android.bp
+++ b/Android.bp
@@ -231,6 +231,14 @@
],
},
},
+
+ sanitize: {
+ cfi: true,
+ diag: {
+ cfi: true,
+ },
+ blacklist: "cfi_blacklist.txt",
+ },
}
cc_library_static {
@@ -492,6 +500,14 @@
],
},
},
+
+ sanitize: {
+ cfi: true,
+ diag: {
+ cfi: true,
+ },
+ blacklist: "cfi_blacklist.txt",
+ },
}
subdirs = ["test"]
diff --git a/OWNERS b/OWNERS
index 3da5c7a..acffb3a 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,3 +1,4 @@
marcone@google.com
essick@google.com
lajos@google.com
+hkuang@google.com
diff --git a/cfi_blacklist.txt b/cfi_blacklist.txt
new file mode 100644
index 0000000..1571e0e
--- /dev/null
+++ b/cfi_blacklist.txt
@@ -0,0 +1 @@
+src:*external/libavc/*
diff --git a/decoder/ih264d_api.c b/decoder/ih264d_api.c
index 0341389..c6999a6 100644
--- a/decoder/ih264d_api.c
+++ b/decoder/ih264d_api.c
@@ -1490,20 +1490,37 @@
/*****************************************************************************/
WORD32 ih264d_create(iv_obj_t *dec_hdl, void *pv_api_ip, void *pv_api_op)
{
+ ih264d_create_ip_t *ps_create_ip;
ih264d_create_op_t *ps_create_op;
WORD32 ret;
+ ps_create_ip = (ih264d_create_ip_t *)pv_api_ip;
ps_create_op = (ih264d_create_op_t *)pv_api_op;
ps_create_op->s_ivd_create_op_t.u4_error_code = 0;
-
+ dec_hdl = NULL;
ret = ih264d_allocate_static_bufs(&dec_hdl, pv_api_ip, pv_api_op);
/* If allocation of some buffer fails, then free buffers allocated till then */
- if((IV_FAIL == ret) && (NULL != dec_hdl))
+ if(IV_FAIL == ret)
{
- ih264d_free_static_bufs(dec_hdl);
+ if(dec_hdl)
+ {
+ if(dec_hdl->pv_codec_handle)
+ {
+ ih264d_free_static_bufs(dec_hdl);
+ }
+ else
+ {
+ void (*pf_aligned_free)(void *pv_mem_ctxt, void *pv_buf);
+ void *pv_mem_ctxt;
+
+ pf_aligned_free = ps_create_ip->s_ivd_create_ip_t.pf_aligned_free;
+ pv_mem_ctxt = ps_create_ip->s_ivd_create_ip_t.pv_mem_ctxt;
+ pf_aligned_free(pv_mem_ctxt, dec_hdl);
+ }
+ }
ps_create_op->s_ivd_create_op_t.u4_error_code = IVD_MEM_ALLOC_FAILED;
ps_create_op->s_ivd_create_op_t.u4_error_code = 1 << IVD_FATALERROR;
@@ -1681,8 +1698,8 @@
}
else
{
- /* In case of shared mode, do not check validity of ps_dec->ps_out_buffer */
- return (IV_SUCCESS);
+ pic_wd = ps_dec->u2_frm_wd_y;
+ pic_ht = ps_dec->u2_frm_ht_y;
}
if(ps_dec->u4_app_disp_width > pic_wd)
@@ -1692,14 +1709,34 @@
ps_dec->u1_chroma_format,
&au4_min_out_buf_size[0]);
- if(ps_dec->ps_out_buffer->u4_num_bufs < u4_min_num_out_bufs)
- return IV_FAIL;
- for(i = 0; i < u4_min_num_out_bufs; i++)
+ if(0 == ps_dec->u4_share_disp_buf)
{
- if(ps_dec->ps_out_buffer->u4_min_out_buf_size[i]
- < au4_min_out_buf_size[i])
- return (IV_FAIL);
+ if(ps_dec->ps_out_buffer->u4_num_bufs < u4_min_num_out_bufs)
+ return IV_FAIL;
+
+ for(i = 0; i < u4_min_num_out_bufs; i++)
+ {
+ if(ps_dec->ps_out_buffer->u4_min_out_buf_size[i]
+ < au4_min_out_buf_size[i])
+ return (IV_FAIL);
+ }
+ }
+ else
+ {
+ if(ps_dec->disp_bufs[0].u4_num_bufs < u4_min_num_out_bufs)
+ return IV_FAIL;
+
+ for(i = 0; i < u4_min_num_out_bufs; i++)
+ {
+ /* We need to check only with the disp_buffer[0], because we have
+ * already ensured that all the buffers are of the same size in
+ * ih264d_set_display_frame.
+ */
+ if(ps_dec->disp_bufs[0].u4_bufsize[i] < au4_min_out_buf_size[i])
+ return (IV_FAIL);
+ }
+
}
return (IV_SUCCESS);
@@ -2052,7 +2089,8 @@
void *pv_buf;
void *pv_mem_ctxt = ps_dec->pv_mem_ctxt;
size = MAX(256000, ps_dec->u2_pic_wd * ps_dec->u2_pic_ht * 3 / 2);
- pv_buf = ps_dec->pf_aligned_alloc(pv_mem_ctxt, 128, size);
+ pv_buf = ps_dec->pf_aligned_alloc(pv_mem_ctxt, 128,
+ size + EXTRA_BS_OFFSET);
RETURN_IF((NULL == pv_buf), IV_FAIL);
ps_dec->pu1_bits_buf_dynamic = pv_buf;
ps_dec->u4_dynamic_bits_buf_size = size;
@@ -2648,6 +2686,7 @@
void *pv_api_op)
{
+ UWORD32 u4_disp_buf_size[3], u4_num_disp_bufs;
ivd_set_display_frame_ip_t *dec_disp_ip;
ivd_set_display_frame_op_t *dec_disp_op;
@@ -2667,8 +2706,36 @@
u4_num_bufs = MIN(u4_num_bufs, MAX_DISP_BUFS_NEW);
ps_dec->u4_num_disp_bufs = u4_num_bufs;
+
+ /* Get the number and sizes of the first buffer. Compare this with the
+ * rest to make sure all the buffers are of the same size.
+ */
+ u4_num_disp_bufs = dec_disp_ip->s_disp_buffer[0].u4_num_bufs;
+
+ u4_disp_buf_size[0] =
+ dec_disp_ip->s_disp_buffer[0].u4_min_out_buf_size[0];
+ u4_disp_buf_size[1] =
+ dec_disp_ip->s_disp_buffer[0].u4_min_out_buf_size[1];
+ u4_disp_buf_size[2] =
+ dec_disp_ip->s_disp_buffer[0].u4_min_out_buf_size[2];
+
for(i = 0; i < u4_num_bufs; i++)
{
+ if(dec_disp_ip->s_disp_buffer[i].u4_num_bufs != u4_num_disp_bufs)
+ {
+ return IV_FAIL;
+ }
+
+ if((dec_disp_ip->s_disp_buffer[i].u4_min_out_buf_size[0]
+ != u4_disp_buf_size[0])
+ || (dec_disp_ip->s_disp_buffer[i].u4_min_out_buf_size[1]
+ != u4_disp_buf_size[1])
+ || (dec_disp_ip->s_disp_buffer[i].u4_min_out_buf_size[2]
+ != u4_disp_buf_size[2]))
+ {
+ return IV_FAIL;
+ }
+
ps_dec->disp_bufs[i].u4_num_bufs =
dec_disp_ip->s_disp_buffer[i].u4_num_bufs;
diff --git a/decoder/ih264d_defs.h b/decoder/ih264d_defs.h
index 4622775..260e358 100644
--- a/decoder/ih264d_defs.h
+++ b/decoder/ih264d_defs.h
@@ -108,6 +108,9 @@
/* For 420SP */
#define YUV420SP_FACTOR 2
+/*To prevent buffer overflow access; in case the size of nal unit is
+ * greater than the allocated buffer size*/
+#define EXTRA_BS_OFFSET 16*16*2
/**
***************************************************************************
diff --git a/decoder/ih264d_dpb_mgr.c b/decoder/ih264d_dpb_mgr.c
index 303d4e8..b7ee498 100644
--- a/decoder/ih264d_dpb_mgr.c
+++ b/decoder/ih264d_dpb_mgr.c
@@ -375,9 +375,6 @@
if((ps_dpb_info[i].ps_pic_buf == ps_pic_buf)
&& ps_dpb_info[i].u1_used_as_ref)
{
- /* Can occur only for field bottom pictures */
- ps_dpb_info[i].s_bot_field.u1_reference_info = IS_SHORT_TERM;
-
/*signal an error in the case of frame pic*/
if(ps_dpb_info[i].ps_pic_buf->u1_pic_type == FRM_PIC)
{
@@ -385,6 +382,8 @@
}
else
{
+ /* Can occur only for field bottom pictures */
+ ps_dpb_info[i].s_bot_field.u1_reference_info = IS_SHORT_TERM;
return OK;
}
}
@@ -722,7 +721,7 @@
UWORD16 ui_max_frame_num =
ps_dec->ps_cur_sps->u2_u4_max_pic_num_minus1 + 1;
- WORD32 i;
+ WORD32 i, count = 0;
UWORD32 ui_remapIdc, ui_nextUev;
WORD16 u2_pred_frame_num = u4_cur_pic_num;
WORD32 i_temp;
@@ -743,7 +742,8 @@
ui_remapIdc = ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
- while(ui_remapIdc != 3)
+ while((ui_remapIdc != 3)
+ && (count < ps_cur_slice->u1_num_ref_idx_lx_active[uc_lx]))
{
ui_nextUev = ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
if(ui_remapIdc != 2)
@@ -812,6 +812,7 @@
ui_remapIdc = ih264d_uev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
/* Get the remapping_idc - 0/1/2/3 */
+ count++;
}
//Handle the ref indices that were not remapped
@@ -843,7 +844,7 @@
WORD32 ih264d_read_mmco_commands(struct _DecStruct * ps_dec)
{
dec_bit_stream_t *ps_bitstrm = ps_dec->ps_bitstrm;
- dpb_commands_t *ps_dpb_cmds = ps_dec->ps_dpb_cmds;
+ dpb_commands_t *ps_dpb_cmds = &(ps_dec->s_dpb_cmds_scratch);
dec_slice_params_t * ps_slice = ps_dec->ps_cur_slice;
WORD32 j;
UWORD8 u1_buf_mode;
diff --git a/decoder/ih264d_parse_headers.c b/decoder/ih264d_parse_headers.c
index 4f3136f..03ed508 100644
--- a/decoder/ih264d_parse_headers.c
+++ b/decoder/ih264d_parse_headers.c
@@ -30,6 +30,8 @@
* \author AI
**************************************************************************
*/
+#include <string.h>
+
#include "ih264_typedefs.h"
#include "ih264_macros.h"
#include "ih264_platform_macros.h"
@@ -479,7 +481,7 @@
{
UWORD8 i;
dec_seq_params_t *ps_seq = NULL;
- UWORD8 u1_profile_idc, u1_level_idc, u1_seq_parameter_set_id;
+ UWORD8 u1_profile_idc, u1_level_idc, u1_seq_parameter_set_id, u1_mb_aff_flag = 0;
UWORD16 i2_max_frm_num;
UWORD32 *pu4_bitstrm_buf = ps_bitstrm->pu4_buffer;
UWORD32 *pu4_bitstrm_ofst = &ps_bitstrm->u4_ofst;
@@ -564,6 +566,8 @@
/*--------------------------------------------------------------------*/
ps_seq = ps_dec->pv_scratch_sps_pps;
+ memset(ps_seq, 0, sizeof(dec_seq_params_t));
+
if(ps_dec->i4_header_decoded & 1)
{
*ps_seq = *ps_dec->ps_cur_sps;
@@ -802,9 +806,19 @@
COPYTHECONTEXT("SPS: frame_mbs_only_flag", u1_frm);
if(!u1_frm)
+ u1_mb_aff_flag = ih264d_get_bit_h264(ps_bitstrm);
+
+ if((ps_dec->i4_header_decoded & 1)
+ && (ps_seq->u1_mb_aff_flag != u1_mb_aff_flag))
+ {
+ ps_dec->u1_res_changed = 1;
+ return IVD_RES_CHANGED;
+ }
+
+ if(!u1_frm)
{
u2_pic_ht <<= 1;
- ps_seq->u1_mb_aff_flag = ih264d_get_bit_h264(ps_bitstrm);
+ ps_seq->u1_mb_aff_flag = u1_mb_aff_flag;
COPYTHECONTEXT("SPS: mb_adaptive_frame_field_flag",
ps_seq->u1_mb_aff_flag);
diff --git a/decoder/ih264d_parse_slice.c b/decoder/ih264d_parse_slice.c
index 2d8a9af..db02bfe 100644
--- a/decoder/ih264d_parse_slice.c
+++ b/decoder/ih264d_parse_slice.c
@@ -1826,7 +1826,7 @@
ps_dec->ps_cur_pic->u4_pack_slc_typ |= I_SLC_BIT;
ret = ih264d_parse_islice(ps_dec, u2_first_mb_in_slice);
-
+ ps_dec->u1_pr_sl_type = u1_slice_type;
if(ps_dec->i4_pic_type != B_SLICE && ps_dec->i4_pic_type != P_SLICE)
ps_dec->i4_pic_type = I_SLICE;
@@ -1858,6 +1858,15 @@
if(ret != OK)
return ret;
+ if(u1_nal_ref_idc != 0)
+ {
+ if(!ps_dec->ps_dpb_cmds->u1_dpb_commands_read)
+ {
+ memcpy((void *)ps_dec->ps_dpb_cmds, (void *)(&(ps_dec->s_dpb_cmds_scratch)),
+ sizeof(dpb_commands_t));
+ }
+ }
+
/* storing last Mb X and MbY of the slice */
ps_dec->i2_prev_slice_mbx = ps_dec->u2_mbx;
ps_dec->i2_prev_slice_mby = ps_dec->u2_mby;
diff --git a/decoder/ih264d_sei.c b/decoder/ih264d_sei.c
index 800f2c9..098a1f3 100644
--- a/decoder/ih264d_sei.c
+++ b/decoder/ih264d_sei.c
@@ -336,7 +336,7 @@
ui4_payload_type = 0;
u4_bits = ih264d_get_bits_h264(ps_bitstrm, 8);
- while(0xff == u4_bits)
+ while(0xff == u4_bits && !EXCEED_OFFSET(ps_bitstrm))
{
u4_bits = ih264d_get_bits_h264(ps_bitstrm, 8);
ui4_payload_type += 255;
@@ -345,7 +345,7 @@
ui4_payload_size = 0;
u4_bits = ih264d_get_bits_h264(ps_bitstrm, 8);
- while(0xff == u4_bits)
+ while(0xff == u4_bits && !EXCEED_OFFSET(ps_bitstrm))
{
u4_bits = ih264d_get_bits_h264(ps_bitstrm, 8);
ui4_payload_size += 255;
@@ -370,7 +370,8 @@
{
H264_DEC_DEBUG_PRINT("\nError in parsing SEI message");
}
- while(0 == ih264d_check_byte_aligned(ps_bitstrm))
+ while(0 == ih264d_check_byte_aligned(ps_bitstrm)
+ && !EXCEED_OFFSET(ps_bitstrm))
{
u4_bits = ih264d_get_bit_h264(ps_bitstrm);
if(u4_bits)
diff --git a/decoder/ih264d_structs.h b/decoder/ih264d_structs.h
index 6958a0c..706fe9d 100644
--- a/decoder/ih264d_structs.h
+++ b/decoder/ih264d_structs.h
@@ -968,6 +968,7 @@
/* Variables for Decode Buffer Management */
dpb_manager_t *ps_dpb_mgr;
dpb_commands_t *ps_dpb_cmds;
+ dpb_commands_t s_dpb_cmds_scratch;
/* Variables Required for N MB design */
dec_mb_info_t *ps_nmb_info;
diff --git a/decoder/ih264d_utils.c b/decoder/ih264d_utils.c
index e85daba..edfb8f1 100644
--- a/decoder/ih264d_utils.c
+++ b/decoder/ih264d_utils.c
@@ -1020,12 +1020,15 @@
buf = ps_dec->disp_bufs[i].buf[1];
buf += ps_dec->disp_bufs[i].u4_ofst[1];
pv_disp_op->s_disp_frm_buf.pv_u_buf = buf
- + pic_buf->u2_crop_offset_uv;
+ + (pic_buf->u2_crop_offset_uv
+ / YUV420SP_FACTOR);
buf = ps_dec->disp_bufs[i].buf[2];
buf += ps_dec->disp_bufs[i].u4_ofst[2];
pv_disp_op->s_disp_frm_buf.pv_v_buf = buf
- + pic_buf->u2_crop_offset_uv;
+ + (pic_buf->u2_crop_offset_uv
+ / YUV420SP_FACTOR);
+
}
}
}
diff --git a/encoder/ih264e_api.c b/encoder/ih264e_api.c
index 2ecfdf5..a996303 100644
--- a/encoder/ih264e_api.c
+++ b/encoder/ih264e_api.c
@@ -1147,6 +1147,24 @@
return (IV_FAIL);
}
+ if(ps_ip->s_ive_ip.u4_wd & 1)
+ {
+ ps_op->s_ive_op.u4_error_code |= 1
+ << IVE_UNSUPPORTEDPARAM;
+ ps_op->s_ive_op.u4_error_code |=
+ IH264E_WIDTH_NOT_SUPPORTED;
+ return (IV_FAIL);
+ }
+
+ if(ps_ip->s_ive_ip.u4_ht & 1)
+ {
+ ps_op->s_ive_op.u4_error_code |= 1
+ << IVE_UNSUPPORTEDPARAM;
+ ps_op->s_ive_op.u4_error_code |=
+ IH264E_HEIGHT_NOT_SUPPORTED;
+ return (IV_FAIL);
+ }
+
break;
}
