diff options
author | Lajos Molnar <lajos@google.com> | 2015-06-12 12:52:27 -0700 |
---|---|---|
committer | Lajos Molnar <lajos@google.com> | 2015-06-19 19:08:16 -0700 |
commit | ec4ed7d541f48d1d0af8f93cd26ec291ca82061b (patch) | |
tree | d6fb018a87b467008eca472177179b755709a0b5 /media/libstagefright/omx/OMXNodeInstance.cpp | |
parent | 81e998b0d1a8f35c2eadce994ab930e83bfc9d0b (diff) | |
download | frameworks_av-ec4ed7d541f48d1d0af8f93cd26ec291ca82061b.zip frameworks_av-ec4ed7d541f48d1d0af8f93cd26ec291ca82061b.tar.gz frameworks_av-ec4ed7d541f48d1d0af8f93cd26ec291ca82061b.tar.bz2 |
stagefright: relax check of OMX buffer header - again
- move check to after FillBufferDone only.
- add support for NULL graphicBuffer - just in case
Bug: 21773260
Change-Id: Ibf03511f1d04425e29b63fe4e560e0d8ba6ea20e
Diffstat (limited to 'media/libstagefright/omx/OMXNodeInstance.cpp')
-rw-r--r-- | media/libstagefright/omx/OMXNodeInstance.cpp | 31 |
1 files changed, 23 insertions, 8 deletions
diff --git a/media/libstagefright/omx/OMXNodeInstance.cpp b/media/libstagefright/omx/OMXNodeInstance.cpp index 6ee1a77..147aae7 100644 --- a/media/libstagefright/omx/OMXNodeInstance.cpp +++ b/media/libstagefright/omx/OMXNodeInstance.cpp @@ -121,9 +121,10 @@ struct BufferMeta { return; } - memcpy((OMX_U8 *)mMem->pointer() + header->nOffset, - header->pBuffer + header->nOffset, - header->nFilledLen); + // check component returns proper range + sp<ABuffer> codec = getBuffer(header, false /* backup */, true /* limit */); + + memcpy((OMX_U8 *)mMem->pointer() + header->nOffset, codec->data(), codec->size()); } void CopyToOMX(const OMX_BUFFERHEADERTYPE *header) { @@ -137,14 +138,21 @@ struct BufferMeta { } // return either the codec or the backup buffer - sp<ABuffer> getBuffer(const OMX_BUFFERHEADERTYPE *header, bool backup) { + sp<ABuffer> getBuffer(const OMX_BUFFERHEADERTYPE *header, bool backup, bool limit) { sp<ABuffer> buf; if (backup && mMem != NULL) { buf = new ABuffer(mMem->pointer(), mMem->size()); } else { buf = new ABuffer(header->pBuffer, header->nAllocLen); } - buf->setRange(header->nOffset, header->nFilledLen); + if (limit) { + if (header->nOffset + header->nFilledLen > header->nOffset + && header->nOffset + header->nFilledLen <= header->nAllocLen) { + buf->setRange(header->nOffset, header->nFilledLen); + } else { + buf->setRange(0, 0); + } + } return buf; } @@ -1089,10 +1097,11 @@ status_t OMXNodeInstance::emptyBuffer( OMX_BUFFERHEADERTYPE *header = findBufferHeader(buffer); BufferMeta *buffer_meta = static_cast<BufferMeta *>(header->pAppPrivate); - sp<ABuffer> backup = buffer_meta->getBuffer(header, true /* backup */); - sp<ABuffer> codec = buffer_meta->getBuffer(header, false /* backup */); + sp<ABuffer> backup = buffer_meta->getBuffer(header, true /* backup */, false /* limit */); + sp<ABuffer> codec = buffer_meta->getBuffer(header, false /* backup */, false /* limit */); // convert incoming ANW meta buffers if component is configured for gralloc metadata mode + // ignore rangeOffset in this case if (mMetadataType[kPortIndexInput] == kMetadataBufferTypeGrallocSource && backup->capacity() >= sizeof(VideoNativeMetadata) && codec->capacity() >= sizeof(VideoGrallocMetadata) @@ -1102,7 +1111,7 @@ status_t OMXNodeInstance::emptyBuffer( VideoGrallocMetadata &codecMeta = *(VideoGrallocMetadata *)codec->base(); CLOG_BUFFER(emptyBuffer, "converting ANWB %p to handle %p", backupMeta.pBuffer, backupMeta.pBuffer->handle); - codecMeta.pHandle = backupMeta.pBuffer->handle; + codecMeta.pHandle = backupMeta.pBuffer != NULL ? backupMeta.pBuffer->handle : NULL; codecMeta.eType = kMetadataBufferTypeGrallocSource; header->nFilledLen = rangeLength ? sizeof(codecMeta) : 0; header->nOffset = 0; @@ -1111,6 +1120,7 @@ status_t OMXNodeInstance::emptyBuffer( // corner case: we permit rangeOffset == end-of-buffer with rangeLength == 0. if (rangeOffset > header->nAllocLen || rangeLength > header->nAllocLen - rangeOffset) { + CLOG_ERROR(emptyBuffer, OMX_ErrorBadParameter, FULL_BUFFER(NULL, header, fenceFd)); if (fenceFd >= 0) { ::close(fenceFd); } @@ -1380,6 +1390,11 @@ bool OMXNodeInstance::handleMessage(omx_message &msg) { BufferMeta *buffer_meta = static_cast<BufferMeta *>(buffer->pAppPrivate); + if (buffer->nOffset + buffer->nFilledLen < buffer->nOffset + || buffer->nOffset + buffer->nFilledLen > buffer->nAllocLen) { + CLOG_ERROR(onFillBufferDone, OMX_ErrorBadParameter, + FULL_BUFFER(NULL, buffer, msg.fenceFd)); + } buffer_meta->CopyFromOMX(buffer); if (bufferSource != NULL) { |