Commits · v1-pie · e / devices / smdk4412 / android_frameworks_av

This project is mirrored from https://github.com/LineageOS/android_frameworks_av. Pull mirroring updated Jan 20, 2025.

Jan 28, 2022
- Merge remote-tracking branch 'origin/lineage-16.0' into v1-pie · b8869a49
  Rohit Sekhar authored Jan 28, 2022
  
  b8869a49
Jan 09, 2022

Merge tag 'android-security-9.0.0_r76' into staging/lineage-16.0_merge-android-security-9.0.0_r76 · 5d3bb3a0

Kevin F. Haggerty authored Jan 09, 2022

Android security 9.0.0 release 76

* tag 'android-security-9.0.0_r76':
  SimpleDecodingSource:Prevent OOB write in heap mem

Change-Id: I8e52c31a3390bf416d356451b1c6b952c7643294

5d3bb3a0

Dec 19, 2021
- Merge remote-tracking branch 'origin/lineage-16.0' into v1-pie · 0117cd65
  Rohit Sekhar authored Dec 19, 2021
  
  0117cd65
Dec 16, 2021

Merge tag 'android-security-9.0.0_r75' into staging/lineage-16.0_merge-android-security-9.0.0_r75 · 4bf20590

Kevin F. Haggerty authored Dec 15, 2021

Android security 9.0.0 release 75

* tag 'android-security-9.0.0_r75':
  Fix heap-buffer-overflow in MPEG4Extractor

Change-Id: I723becfe47538a2cf4dbe8804aea954055450c09

4bf20590

Nov 12, 2021

Merge cherrypicks of [16187628] into security-aosp-pi-release. · c448c498
Android Build Coastguard Worker authored Nov 12, 2021
```
Change-Id: Ic3bed4ae9bab164293fe89fca04ae6428a025dad
```
c448c498

SimpleDecodingSource:Prevent OOB write in heap mem · 2090bfce

Gopalakrishnan Nallasamy authored Sep 29, 2021

doRead() doesn't handle situations when received byte do not fit into
input buffer in case of vorbis audio compression. It results in OOB
write in heap memory right after the allocated input buffer. Added
code to copy kKeyValidSamples only if there was enough space.
Otherwise, print a warning log.

Bug: 194105348

Test: post-submit media cts tests
Change-Id: I2b27580deff9ad937b68703a1e7c3ff2a6dccc60
(cherry picked from commit a625b40e)
(cherry picked from commit f3590a1b)
Merged-In:I2b27580deff9ad937b68703a1e7c3ff2a6dccc60

2090bfce

Oct 08, 2021

Merge cherrypicks of [16009369, 16012240, 16012308, 16012309, 16012331,... · 5cb599be

Android Build Coastguard Worker authored Oct 08, 2021

Merge cherrypicks of [16009369, 16012240, 16012308, 16012309, 16012331, 16012215, 16012281, 16012282, 16012283, 16012332, 16012284] into security-aosp-pi-release

Change-Id: I0b3fb9198a6668ce2a1a3815385ed652ff510d8f

5cb599be

Fix heap-buffer-overflow in MPEG4Extractor · dfcc2ca2

Santiago Seifert authored Sep 02, 2021

Caused by the extractor assuming that sample size will never exceed
the declared max input size (as in AMEDIAFORMAT_KEY_MAX_INPUT_SIZE).

Bug: 188893559
Test: Ran the fuzzer using the bug's testcase.
Change-Id: I31f2b9a4f1b561c4466c76ea2af8dd532622102a
Merged-In: I31f2b9a4f1b561c4466c76ea2af8dd532622102a
(cherry picked from commit 621f0e12)
(cherry picked from commit d13a4efc)

dfcc2ca2

Aug 17, 2021

Merge branch '3300-pie-fork_av' into 'v1-pie' · 50ac962d

Rohit Sekhar authored Aug 17, 2021

libstagefright: Make it possible to skip OMX buffer reallocation (2)

See merge request e/devices/n8010/android_frameworks_av!2

50ac962d

libstagefright: Make it possible to skip OMX buffer reallocation (2) · 4799dc2d

Ziyan authored Jan 11, 2015 and

Peter Schelchshorn committed Aug 17, 2021

Some devices don't like the call to setParameter() at this point, so
skip this call if enough buffers are already allocated. This check
was present in KitKat but got removed when code to allocate extra-
buffers was introduced.

This is activated only for omap4 for now.

Based on, and requires http://review.cyanogenmod.org/#/c/79137/

This patch skips another possible buffer reallocation, which
can be fatal on these devices.

Change-Id: Iae33c69e7fa5acf2f720ad67f2eb17697f6ad8ef

[html6405]: Drop ifdefs since this fork is exclusive to smdk4412 devices

4799dc2d

av: Add CI sync file · f3ec9386
Rohit Sekhar authored Aug 17, 2021

f3ec9386

Jun 10, 2021

Merge tag 'android-security-9.0.0_r69' into staging/lineage-16.0_merge_android-security-9.0.0_r69 · eb9cbb2d

Kevin F. Haggerty authored Jun 09, 2021

Android Security 9.0.0 Release 69 (7269718)

* tag 'android-security-9.0.0_r69':
  [RESTRICT AUTOMERGE] Fix clearkey CryptoPlugin use after free vulnerability.
  [RESTRICT AUTOMERGE] Fix possible uaf of play policy state
  [RESTRICT AUTOMERGE] Fix potential decrypt destPtr overflow.

Change-Id: I71bfd903405c066b5fcd0b64febab9e6a8e3286d

eb9cbb2d

May 05, 2021

Merge tag 'android-security-9.0.0_r68' into staging/lineage-16.0_merge_android-security-9.0.0_r68 · 31ff32d1

Kevin F. Haggerty authored May 05, 2021

Android Security 9.0.0 Release 68 (7249336)

* tag 'android-security-9.0.0_r68':
  Prevent read of uninitialized memory

Change-Id: I29bd0c1fc5a98bf58c01fc7f1e730045b4a9eb70

31ff32d1

Apr 09, 2021

Merge cherrypicks of [14132525, 14131687] into security-aosp-pi-release · 46792d9b
android-build-team Robot authored Apr 09, 2021
```
Change-Id: I5f2224e5ad09bf454950b5fb823600b97edd8afa
```
46792d9b

[RESTRICT AUTOMERGE] Fix clearkey CryptoPlugin use after free vulnerability. · ac2858d6

Edwin Wong authored Jan 22, 2021

The shared memory buffer used by srcPtr can be freed by another
thread because it is not protected by a mutex. Subsequently,
a use after free AIGABRT can occur in a race condition.

SafetyNet logging is not added to avoid log spamming. The
mutex lock is called to setup for decryption, which is
called frequently.

The crash was reproduced on the device before the fix.
Verified the test passes after the fix.

Test: sts
  sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176495665#testPocBug_176495665

Test: push to device with target_hwasan-userdebug build
  adb shell /data/local/tmp/Bug-176495665_sts64

Bug: 176495665
Bug: 176444161
Change-Id: Ie6e73804d8b764e53b1bd7a16cfbf04b4f3669b9
(cherry picked from commit 7a398e72)

ac2858d6

Apr 08, 2021

Merge cherrypicks of [14126781, 14126782, 14127202, 14128466, 14127516,... · e183d9f4

android-build-team Robot authored Apr 08, 2021

Merge cherrypicks of [14126781, 14126782, 14127202, 14128466, 14127516, 14128057, 14127204, 14128747, 14128708, 14128059, 14128686, 14128127, 14128507, 14128809, 14128810, 14128811, 14128812] into security-aosp-pi-release

Change-Id: Id0ac10a19c8eadc98092a7e6fab88c7cdd7e88df

e183d9f4

[RESTRICT AUTOMERGE] Fix possible uaf of play policy state · 91324850

Edwin Wong authored Feb 04, 2021

Access to the play policy state may happen after
the state is freed in a race condition, which will
result in a SIGARBT.

SafetyNet logging is not added to avoid log spamming.
queryKeyStatus can be called often.

The crash was reproduced on the device before the fix.
Verified the test passes after the fix.

Test: sts-tradefed
  sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176486806#testPocBug_176486806

Test: push to device with target_hwasan-userdebug build
  adb shell /data/local/tmp/Bug-17648680664

Test: sts-tradefed
  sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176444154#testPocBug_176444154

Test: push to device with target_hwasan-userdebug build
  adb shell /data/local/tmp/Bug-17644415464

Bug: 176444154
Bug: 176486806
Change-Id: I07cc93c255942d56e866d0b08fb786f154f6e0d3
(cherry picked from commit e11a4819)

91324850

[RESTRICT AUTOMERGE] Fix potential decrypt destPtr overflow. · 91f4cef3

Edwin Wong authored Feb 02, 2021

There is a potential integer overflow to bypass the
destination base size check in decrypt. The destPtr
can then point to the outside of the destination buffer.

Test: sts-tradefed
  sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176444622#testPocBug_176444622

Test: push to device with target_hwasan-userdebug build
  adb shell /data/local/tmp/Bug-17644462264

Bug: 176444622
Bug: 176496353
Change-Id: I38e25c63c67b8acfa69649cc906483430da2ead6
(cherry picked from commit a44d2447)

91f4cef3

Apr 07, 2021

Merge tag 'android-security-9.0.0_r67' into staging/lineage-16.0_merge_android-security-9.0.0_r67 · 1703c868

Kevin F. Haggerty authored Apr 07, 2021

Android security 9.0.0 release 67

* tag 'android-security-9.0.0_r67':
  Fix double free of play policy in a race condition.
  [RESTRICT AUTOMERGE] Fix potential decrypt srcPtr  overflow.

Change-Id: I7121387f34c799859f54d0c432ce299efc91bcf9

1703c868

Mar 11, 2021

Prevent read of uninitialized memory · e153e5bc

Santiago Seifert authored Feb 08, 2021

Bug: 173720767
Test: atest IMediaPlayerTest
Change-Id: Ib6a3d24e07915e8af9d019e54d0501b74aa4671d
Merged-In: Ib6a3d24e07915e8af9d019e54d0501b74aa4671d
(cherry picked from commit 42a97f56)
(cherry picked from commit 6f400642)

e153e5bc

Feb 15, 2021

ACodec: Fix video autoscaling on old OMX decoders · b3145b99

zakooz authored Jan 30, 2017 and

Jan Altensen committed Feb 15, 2021

To enable: TARGET_OMX_LEGACY_RESCALING := true

On Android N video autoscaling will cause the video to zoom in, being mostly outside of the frame of the video.
This is because android no longer tries to match output ports before putting the new resolution in effect.
Exynos OMX decoders send a message to get the new output crop, but it's lost along the way.
Similarly to how Android M handles it, send the format change right before transitioning to ExecutingState.

Change-Id: I19f974d37f9b11161efc7ee470301f444691fde6
(cherry picked from commit a3daed99)

b3145b99

Feb 05, 2021

Fix double free of play policy in a race condition. · 88ad2719

Edwin Wong authored Jan 05, 2021

The mPlayPolicy can be freed twice if there is a race condition.
mPlayPolicy should be protected with a mutex lock.

SafetyNet logging is not added to avoid log spamming. The
mutex lock is called whenever a license request is made.
That can happen quite often.

Bug: 176168330

Test: sts-tradefed
  sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases -t android.security.sts.Poc21_01#testPocBug_176168330

Test: run sts test on master build
  run sts test from http://go/ag/13308312

Change-Id: Ibc338e0a98293807dbf12500f7e82e62b6c4a04a
(cherry picked from commit 537144f7)

88ad2719

[RESTRICT AUTOMERGE] Fix potential decrypt srcPtr overflow. · 6b810d6f

Edwin Wong authored Jan 26, 2021

There is a potential integer overflow to bypass the
source base size check in decrypt. The source pointer
can then point to the outside of the source buffer,
which could potentially leak arbitrary memory content
to destination pointer.

Test: sts-tradefed
  sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176496160#testPocBug_176496160

Test: push to device with target_hwasan-userdebug build
  adb shell /data/local/tmp/Bug-17649616064

Bug: 176496160
Bug: 176444786
Change-Id: Iea3dcd44d0f4f61de3288ed1e26d8bd5e39115d2
(cherry picked from commit a7dd68bd)

6b810d6f

Jan 14, 2021

Merge tag 'android-security-9.0.0_r64' into staging/lineage-16.0_merge_android-security-9.0.0_r64 · bbd360d5

Kevin F. Haggerty authored Jan 14, 2021

Android security 9.0.0 release 64

* tag 'android-security-9.0.0_r64':
  Fix potential overflow in WAV extractor
  Fix memory overflow in ESQueue

Change-Id: I542903a39eecf84f63058f0293ee51a6495afffe

bbd360d5

Jan 12, 2021
- fw/av: Require service UID for LIST_AUDIO_SESSIONS · 63b4f792
  Michael W authored Jan 12, 2021
  
  * Should prevent an information disclosure Change-Id: I83e1dc2d175c37fdc6057c2ddca94ad4d7d5b6c4
  63b4f792
Nov 12, 2020

Fix potential overflow in WAV extractor · 3758604e

Marco Nelissen authored Nov 02, 2020

Bug: 170583712
Test: fuzzer poc, atest DecoderTest#testDecodeWav
Change-Id: I73edd5fc0da80dc2cdd26c6fcd09496b2c828ba9
Merged-In: I73edd5fc0da80dc2cdd26c6fcd09496b2c828ba9
(cherry picked from commit d3d872da)

3758604e

Fix memory overflow in ESQueue · 5c042e8e

Marco Nelissen authored Oct 06, 2020

Bug: 170240631
Test: poc
Change-Id: I92433cd10cba05168f42fe8552bc6a02e1f203e7
(cherry picked from commit 91fed774)

5c042e8e

Sep 09, 2020

Merge tag 'android-9.0.0_r60' into staging/lineage-16.0_merge-android-9.0.0_r60 · 533b5117

Kevin F. Haggerty authored Sep 09, 2020

Android 9.0.0 release 60

* tag 'android-9.0.0_r60':
  clearkey hidl: fix oob read in decrypt

Change-Id: Ic98f0bb5c16c947317eae421e07d280bee974857

533b5117

Aug 03, 2020

Merge tag 'android-9.0.0_r59' of... · bdad61ab

Kevin F. Haggerty authored Aug 03, 2020

Merge tag 'android-9.0.0_r59' of https://android.googlesource.com/platform/frameworks/av into staging/lineage-16.0_merge-android-9.0.0_r59

Android 9.0.0 Release 59 (6559974)

* tag 'android-9.0.0_r59' of https://android.googlesource.com/platform/frameworks/av:
  Fix potential use-after-free issue
  Expand nuplayer mutex for mediametrics management
  m4v_h263: Return error for zero width and height

Change-Id: Ib5268277b091fbd3269344f74b3ef3e9b8d26a82

bdad61ab

Jun 30, 2020

clearkey hidl: fix oob read in decrypt · fb027a5e

Robert Shih authored May 01, 2020

Validate sum of subsample sizes do not overrun source buffer.

Bug: 154123412
Test: poc_CryptoPlugin_cpp_183
Test: MediaDrmClearkeyTest
Test: NativeMediaDrmClearkeyTest
Change-Id: I27b05479202e0caedfd052c683aa1ef187f65679
Merged-In: I27b05479202e0caedfd052c683aa1ef187f65679
(cherry picked from commit fa3781fe)

fb027a5e

Jun 04, 2020

Fix potential use-after-free issue · 9ed3872b

Andrew Lewis authored May 20, 2020

NuPlayerListener passed this out of its constructor to
IStreamSource->setListener, and it would get wrapped in a smart pointer,
then free'd when that method returned.

Move the setListener call after instantiation of NuPlayerListener to
avoid passing this out of the NuPlayerListener constructor.

Test: tested in presubmit
Bug: 151456667
Change-Id: I996d9ad9eaf0e52992b7f9e10fd94a94c350ad73
(cherry picked from commit aad519df)
(cherry picked from commit 6aaef5a9)

9ed3872b

Expand nuplayer mutex for mediametrics management · 1b848072

Ray Essick authored May 04, 2020

refactor some mutex for how nuplayer sets up mediametrics data.
expanded locking to eliminate a couple race conditions.

Bug: 151644303
Bug: 151643722
Test: poc attached to bugs
Merged-In: I75f29a6254c5eab5d4f524ee7a7ef59f93a0b405
Merged-In: Ia2e68ef616e249a6e8746b9068f22bd208a0ffc8
Change-Id: I1e9bbcd67a1510f70fad66e8ef77f529008e248a
(cherry picked from commit 86b46a20)

1b848072

m4v_h263: Return error for zero width and height · 8f5077f7

Harish Mahendrakar authored Apr 10, 2020

Test: poc in bug
Bug: 152496149
Bug: 152629190

Change-Id: I07293e97b664e03e29a1392b139132fc137361cd
(cherry picked from commit 5d8def9a)

8f5077f7

May 05, 2020

Merge tag 'android-9.0.0_r56' of... · f291728d

Kevin F. Haggerty authored May 05, 2020

Merge tag 'android-9.0.0_r56' of https://android.googlesource.com/platform/frameworks/av into staging/lineage-16.0_merge-android-9.0.0_r56

Android 9.0.0 release 56

* tag 'android-9.0.0_r56' of https://android.googlesource.com/platform/frameworks/av:
  RESTRICT AUTOMERGE: Camera: fix use after free in sensor timestamp
  BnCrypto: fix use-before-init in CREATE_PLUGIN

Change-Id: I9712d0a8156bf26fa6fb803e061ac58cc5904aae

f291728d

Apr 09, 2020

RESTRICT AUTOMERGE: Camera: fix use after free in sensor timestamp · 5c06c66e

Yin-Chia Yeh authored Mar 16, 2020

The metadata object might be overriden later and has it memory
re-allocated; hence snaping the sensor timestamp value before
we call into any method that might change the metadata.

Test: build
Bug: 150944913
Merged-In: I5b10b680e0cce96ca49e1772770adb4835545472
Change-Id: I5b10b680e0cce96ca49e1772770adb4835545472
(cherry picked from commit 1859a38c)

5c06c66e

Apr 07, 2020

Merge tag 'android-9.0.0_r55' of... · bac69e69

Kevin F. Haggerty authored Apr 06, 2020

Merge tag 'android-9.0.0_r55' of https://android.googlesource.com/platform/frameworks/av into staging/lineage-16.0_merge-android-9.0.0_r55

Android 9.0.0 Release 55 (6197209)

* tag 'android-9.0.0_r55' of https://android.googlesource.com/platform/frameworks/av:
  [DO NOT MERGE] Fix heap buffer overflow in clearkey CryptoPlugin::decrypt
  [DO NOT MERGE] Fix heap buffer overflow for releaseSecureStops.

Change-Id: I8bd1faa78e1ec46aa9e7e008066c3f60de5980b3

bac69e69

Mar 12, 2020

BnCrypto: fix use-before-init in CREATE_PLUGIN · 48aad4d8

Robert Shih authored Feb 04, 2020

Bug: 144767096
Test: poc_ICrypto_283
Merged-In: Id67dc9e793ee886e4cc49370d800c7f3580df313
Merged-In: I81ff7cde5e1693f05c90380e879f74d0c4bce5f1
Change-Id: If268553440b8a0cbbe011b5396974fd864a7d083
(cherry picked from commit 4bbfb6d8)

48aad4d8

Feb 06, 2020

[DO NOT MERGE] Fix heap buffer overflow in clearkey CryptoPlugin::decrypt · 7f071495

Edwin Wong authored Dec 17, 2019

Fix destPtr was not pointing to destination raw pointer.

bug: 144506242

Test: sts
  ANDROID_BUILD_TOP= ./android-sts/tools/sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Poc19_12#testPocBug_144506242

Change-Id: I9425baa21c82d5a5edf37c87989adbade0428b67
(cherry picked from commit dc4c427b)

7f071495

[DO NOT MERGE] Fix heap buffer overflow for releaseSecureStops. · f0364ba2

Edwin Wong authored Nov 26, 2019

If the input SecureStopRelease size is less than sizeof(uint32_t)
in releaseSecureStops(), an out of bound read will occur.

bug: 144766455
bug: 144746235
bug: 147281068

Test: sts
ANDROID_BUILD_TOP= ./android-sts/tools/sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Poc19_11#testPocBug_144766455

Change-Id: I050504c1ef4e5c41fb47ee97e98db41399288a91
(cherry picked from commit 2587ab6c)

f0364ba2

Dec 03, 2019

Merge tag 'android-9.0.0_r51' into staging/lineage-16.0_merge-android-9.0.0_r51 · 92595d03

Kevin F. Haggerty authored Dec 02, 2019

Android 9.0.0 Release 51 (5948683)

* tag 'android-9.0.0_r51':
  AudioFlinger: enforce OP_RECORD_AUDIO during recording

Change-Id: Ie009cb689c284ba93f53df10c0ea892a1401b722

92595d03