diff options
author | Andy Hung <hunga@google.com> | 2015-05-26 11:14:36 -0700 |
---|---|---|
committer | Andy Hung <hunga@google.com> | 2015-05-26 12:03:51 -0700 |
commit | d971df0eb300356b3c995d533289216f43aa60de (patch) | |
tree | 95cb14d9c9603454eaed86c0cf36e325546cd005 /media/libstagefright/omx/OMXNodeInstance.cpp | |
parent | 92d824426e4621c2e8dfdd4e0f00d19c35d3c481 (diff) | |
download | frameworks_av-d971df0eb300356b3c995d533289216f43aa60de.zip frameworks_av-d971df0eb300356b3c995d533289216f43aa60de.tar.gz frameworks_av-d971df0eb300356b3c995d533289216f43aa60de.tar.bz2 |
IOMX: Add buffer range check to emptyBuffer
Bug: 20634516
Change-Id: If351dbd573bb4aeb6968bfa33f6d407225bc752c
Diffstat (limited to 'media/libstagefright/omx/OMXNodeInstance.cpp')
-rw-r--r-- | media/libstagefright/omx/OMXNodeInstance.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/media/libstagefright/omx/OMXNodeInstance.cpp b/media/libstagefright/omx/OMXNodeInstance.cpp index 0540a82..a7916c1 100644 --- a/media/libstagefright/omx/OMXNodeInstance.cpp +++ b/media/libstagefright/omx/OMXNodeInstance.cpp @@ -1029,6 +1029,12 @@ status_t OMXNodeInstance::emptyBuffer( Mutex::Autolock autoLock(mLock); OMX_BUFFERHEADERTYPE *header = findBufferHeader(buffer); + // rangeLength and rangeOffset must be a subset of the allocated data in the buffer. + // corner case: we permit rangeOffset == end-of-buffer with rangeLength == 0. + if (rangeOffset > header->nAllocLen + || rangeLength > header->nAllocLen - rangeOffset) { + return BAD_VALUE; + } header->nFilledLen = rangeLength; header->nOffset = rangeOffset; |