diff options
author | Wei Jia <wjia@google.com> | 2015-08-25 05:23:23 +0000 |
---|---|---|
committer | Android Git Automerger <android-git-automerger@android.com> | 2015-08-25 05:23:23 +0000 |
commit | 3a7ff4c754fcb99c29621ed94b08ed6fb65f6495 (patch) | |
tree | fdabcece239722f3fc1c55f41bbbf7e77c87b91b /media | |
parent | 0f3ab16c827a43534597cb38515951ff736f9740 (diff) | |
parent | a5f50e98d1408addcaaac27e4d13981163d12a15 (diff) | |
download | frameworks_av-3a7ff4c754fcb99c29621ed94b08ed6fb65f6495.zip frameworks_av-3a7ff4c754fcb99c29621ed94b08ed6fb65f6495.tar.gz frameworks_av-3a7ff4c754fcb99c29621ed94b08ed6fb65f6495.tar.bz2 |
am a5f50e98: DO NOT MERGE - SoftwareRenderer: sanity check buffer size before copying data.
* commit 'a5f50e98d1408addcaaac27e4d13981163d12a15':
DO NOT MERGE - SoftwareRenderer: sanity check buffer size before copying data.
Diffstat (limited to 'media')
-rw-r--r-- | media/libstagefright/colorconversion/SoftwareRenderer.cpp | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/media/libstagefright/colorconversion/SoftwareRenderer.cpp b/media/libstagefright/colorconversion/SoftwareRenderer.cpp index 77f21b7..990d554 100644 --- a/media/libstagefright/colorconversion/SoftwareRenderer.cpp +++ b/media/libstagefright/colorconversion/SoftwareRenderer.cpp @@ -164,6 +164,9 @@ void SoftwareRenderer::render( buf->stride, buf->height, 0, 0, mCropWidth - 1, mCropHeight - 1); } else if (mColorFormat == OMX_COLOR_FormatYUV420Planar) { + if ((size_t)mWidth * mHeight * 3 / 2 > size) { + goto skip_copying; + } const uint8_t *src_y = (const uint8_t *)data; const uint8_t *src_u = (const uint8_t *)data + mWidth * mHeight; const uint8_t *src_v = src_u + (mWidth / 2 * mHeight / 2); @@ -193,6 +196,9 @@ void SoftwareRenderer::render( } } else { CHECK_EQ(mColorFormat, OMX_TI_COLOR_FormatYUV420PackedSemiPlanar); + if ((size_t)mWidth * mHeight * 3 / 2 > size) { + goto skip_copying; + } const uint8_t *src_y = (const uint8_t *)data; @@ -228,6 +234,7 @@ void SoftwareRenderer::render( } } +skip_copying: CHECK_EQ(0, mapper.unlock(buf->handle)); if ((err = mNativeWindow->queueBuffer(mNativeWindow.get(), buf, |