Merge branch 'cm-13.0' of https://github.com/LineageOS/android_frameworks_av into replicant-6.0

author: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> 2017-02-11 22:43:10 +0100
committer: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> 2017-02-11 22:43:10 +0100
commit: 26718276fd99ef60d9646d79467d2bb3f2db5549 (patch)
tree: fa47c708c4a931e0506f6ea5a212aa2a433c8b38 /media/libstagefright
parent: e9c0ba1859c0f5890fed280e03d0328311234cce (diff)
parent: ad990eb12c7aff3c4bcdd50cae90b2b7c20041e6 (diff)
download: frameworks_av-26718276fd99ef60d9646d79467d2bb3f2db5549.zip
frameworks_av-26718276fd99ef60d9646d79467d2bb3f2db5549.tar.gz
frameworks_av-26718276fd99ef60d9646d79467d2bb3f2db5549.tar.bz2
3 files changed, 60 insertions, 29 deletions
diff --git a/media/libstagefright/VBRISeeker.cpp b/media/libstagefright/VBRISeeker.cpp
index 8a0fcac..5067ddc 100644
--- a/media/libstagefright/VBRISeeker.cpp
+++ b/media/libstagefright/VBRISeeker.cpp
@@ -83,8 +83,23 @@ sp<VBRISeeker> VBRISeeker::CreateFromSource(
          scale,
          entrySize);
 
+    if (entrySize > 4) {
+        ALOGE("invalid VBRI entry size: %zu", entrySize);
+        return NULL;
+    }
+
+    sp<VBRISeeker> seeker = new (std::nothrow) VBRISeeker;
+    if (seeker == NULL) {
+        ALOGW("Couldn't allocate VBRISeeker");
+        return NULL;
+    }
+
     size_t totalEntrySize = numEntries * entrySize;
-    uint8_t *buffer = new uint8_t[totalEntrySize];
+    uint8_t *buffer = new (std::nothrow) uint8_t[totalEntrySize];
+    if (!buffer) {
+        ALOGW("Couldn't allocate %zu bytes", totalEntrySize);
+        return NULL;
+    }
 
     n = source->readAt(pos + sizeof(vbriHeader), buffer, totalEntrySize);
     if (n < (ssize_t)totalEntrySize) {
@@ -94,7 +109,6 @@ sp<VBRISeeker> VBRISeeker::CreateFromSource(
         return NULL;
     }
 
-    sp<VBRISeeker> seeker = new VBRISeeker;
     seeker->mBasePos = post_id3_pos + frameSize;
     // only update mDurationUs if the calculated duration is valid (non zero)
     // otherwise, leave duration at -1 so that getDuration() and getOffsetForTime()
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index d1fd0d9..8944d83 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -837,20 +837,21 @@ void ID3::Iterator::findFrame() {
     }
 }
 
-static size_t StringSize(const uint8_t *start, uint8_t encoding) {
+// return includes terminator;  if unterminated, returns > limit
+static size_t StringSize(const uint8_t *start, size_t limit, uint8_t encoding) {
+
     if (encoding == 0x00 || encoding == 0x03) {
         // ISO 8859-1 or UTF-8
-        return strlen((const char *)start) + 1;
+        return strnlen((const char *)start, limit) + 1;
     }
 
     // UCS-2
     size_t n = 0;
-    while (start[n] != '\0' || start[n + 1] != '\0') {
+    while ((n+1 < limit) && (start[n] != '\0' || start[n + 1] != '\0')) {
         n += 2;
     }
-
-    // Add size of null termination.
-    return n + 2;
+    n += 2;
+    return n;
 }
 
 const void *
@@ -871,11 +872,19 @@ ID3::getAlbumArt(size_t *length, String8 *mime) const {
 
         if (mVersion == ID3_V2_3 || mVersion == ID3_V2_4) {
             uint8_t encoding = data[0];
-            mime->setTo((const char *)&data[1]);
-            size_t mimeLen = strlen((const char *)&data[1]) + 1;
+            size_t consumed = 1;
+
+            // *always* in an 8-bit encoding
+            size_t mimeLen = StringSize(&data[consumed], size - consumed, 0x00);
+            if (mimeLen > size - consumed) {
+                ALOGW("bogus album art size: mime");
+                return NULL;
+            }
+            mime->setTo((const char *)&data[consumed]);
+            consumed += mimeLen;
 
 #if 0
-            uint8_t picType = data[1 + mimeLen];
+            uint8_t picType = data[consumed];
             if (picType != 0x03) {
                 // Front Cover Art
                 it.next();
@@ -883,20 +892,30 @@ ID3::getAlbumArt(size_t *length, String8 *mime) const {
             }
 #endif
 
-            size_t descLen = StringSize(&data[2 + mimeLen], encoding);
+            consumed++;
+            if (consumed >= size) {
+                ALOGW("bogus album art size: pic type");
+                return NULL;
+            }
+
+            size_t descLen = StringSize(&data[consumed], size - consumed, encoding);
+            consumed += descLen;
 
-            if (size < 2 ||
-                    size - 2 < mimeLen ||
-                    size - 2 - mimeLen < descLen) {
-                ALOGW("bogus album art sizes");
+            if (consumed >= size) {
+                ALOGW("bogus album art size: description");
                 return NULL;
             }
-            *length = size - 2 - mimeLen - descLen;
 
-            return &data[2 + mimeLen + descLen];
+            *length = size - consumed;
+
+            return &data[consumed];
         } else {
             uint8_t encoding = data[0];
 
+            if (size <= 5) {
+                return NULL;
+            }
+
             if (!memcmp(&data[1], "PNG", 3)) {
                 mime->setTo("image/png");
             } else if (!memcmp(&data[1], "JPG", 3)) {
@@ -916,7 +935,10 @@ ID3::getAlbumArt(size_t *length, String8 *mime) const {
             }
 #endif
 
-            size_t descLen = StringSize(&data[5], encoding);
+            size_t descLen = StringSize(&data[5], size - 5, encoding);
+            if (descLen > size - 5) {
+                return NULL;
+            }
 
             *length = size - 5 - descLen;
 
diff --git a/media/libstagefright/omx/OMXNodeInstance.cpp b/media/libstagefright/omx/OMXNodeInstance.cpp
index c09064f..0c30e44 100644
--- a/media/libstagefright/omx/OMXNodeInstance.cpp
+++ b/media/libstagefright/omx/OMXNodeInstance.cpp
@@ -170,8 +170,10 @@ struct BufferMeta {
         return buf;
     }
 
-    bool copyToOmx() const {
-        return mCopyToOmx;
+    bool copyingOrSharingToOmx(const OMX_BUFFERHEADERTYPE *header) const {
+        return mCopyToOmx
+                                    // sharing buffer with client
+                || (mMem != NULL && mMem->pointer() == header->pBuffer);
     }
 
     void setGraphicBuffer(const sp<GraphicBuffer> &graphicBuffer) {
@@ -784,13 +786,6 @@ status_t OMXNodeInstance::useBuffer(
         }
         memset(data, 0, allottedSize);
 
-        // if we are not connecting the buffers, the sizes must match
-        if (allottedSize != params->size()) {
-            CLOG_ERROR(useBuffer, BAD_VALUE, SIMPLE_BUFFER(portIndex, (size_t)allottedSize, data));
-            delete[] data;
-            return BAD_VALUE;
-        }
-
         buffer_meta = new BufferMeta(
                 params, portIndex, false /* copyToOmx */, false /* copyFromOmx */, data);
     } else {
@@ -1283,7 +1278,7 @@ status_t OMXNodeInstance::emptyBuffer(
 
     // convert incoming ANW meta buffers if component is configured for gralloc metadata mode
     // ignore rangeOffset in this case
-    if (buffer_meta->copyToOmx()
+    if (buffer_meta->copyingOrSharingToOmx(header)
             && mMetadataType[kPortIndexInput] == kMetadataBufferTypeGrallocSource
             && backup->capacity() >= sizeof(VideoNativeMetadata)
             && codec->capacity() >= sizeof(VideoGrallocMetadata)
author	Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>	2017-02-11 22:43:10 +0100
committer	Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>	2017-02-11 22:43:10 +0100
commit	26718276fd99ef60d9646d79467d2bb3f2db5549 (patch)
tree	fa47c708c4a931e0506f6ea5a212aa2a433c8b38 /media/libstagefright
parent	e9c0ba1859c0f5890fed280e03d0328311234cce (diff)
parent	ad990eb12c7aff3c4bcdd50cae90b2b7c20041e6 (diff)
download	frameworks_av-26718276fd99ef60d9646d79467d2bb3f2db5549.zip frameworks_av-26718276fd99ef60d9646d79467d2bb3f2db5549.tar.gz frameworks_av-26718276fd99ef60d9646d79467d2bb3f2db5549.tar.bz2