IOMX: Add buffer range check to emptyBuffer

Bug: 20634516 Change-Id: If351dbd573bb4aeb6968bfa33f6d407225bc752c
author: Andy Hung <hunga@google.com> 2015-05-26 11:14:36 -0700
committer: Andy Hung <hunga@google.com> 2015-05-26 12:03:51 -0700
commit: d971df0eb300356b3c995d533289216f43aa60de (patch)
tree: 95cb14d9c9603454eaed86c0cf36e325546cd005 /media/libstagefright/omx/OMXNodeInstance.cpp
parent: 92d824426e4621c2e8dfdd4e0f00d19c35d3c481 (diff)
download: frameworks_av-d971df0eb300356b3c995d533289216f43aa60de.zip
frameworks_av-d971df0eb300356b3c995d533289216f43aa60de.tar.gz
frameworks_av-d971df0eb300356b3c995d533289216f43aa60de.tar.bz2
1 files changed, 6 insertions, 0 deletions
diff --git a/media/libstagefright/omx/OMXNodeInstance.cpp b/media/libstagefright/omx/OMXNodeInstance.cpp
index 0540a82..a7916c1 100644
--- a/media/libstagefright/omx/OMXNodeInstance.cpp
+++ b/media/libstagefright/omx/OMXNodeInstance.cpp
@@ -1029,6 +1029,12 @@ status_t OMXNodeInstance::emptyBuffer(
     Mutex::Autolock autoLock(mLock);
 
     OMX_BUFFERHEADERTYPE *header = findBufferHeader(buffer);
+    // rangeLength and rangeOffset must be a subset of the allocated data in the buffer.
+    // corner case: we permit rangeOffset == end-of-buffer with rangeLength == 0.
+    if (rangeOffset > header->nAllocLen
+            || rangeLength > header->nAllocLen - rangeOffset) {
+        return BAD_VALUE;
+    }
     header->nFilledLen = rangeLength;
     header->nOffset = rangeOffset;
author	Andy Hung <hunga@google.com>	2015-05-26 11:14:36 -0700
committer	Andy Hung <hunga@google.com>	2015-05-26 12:03:51 -0700
commit	d971df0eb300356b3c995d533289216f43aa60de (patch)
tree	95cb14d9c9603454eaed86c0cf36e325546cd005 /media/libstagefright/omx/OMXNodeInstance.cpp
parent	92d824426e4621c2e8dfdd4e0f00d19c35d3c481 (diff)
download	frameworks_av-d971df0eb300356b3c995d533289216f43aa60de.zip frameworks_av-d971df0eb300356b3c995d533289216f43aa60de.tar.gz frameworks_av-d971df0eb300356b3c995d533289216f43aa60de.tar.bz2