Merge "stagefright: relax check of OMX buffer header - again" into mnc-dev

author: Lajos Molnar <lajos@google.com> 2015-06-22 05:04:58 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> 2015-06-22 05:04:59 +0000
commit: 4d622375dc6c9d6b6b817cce598692ae491b2496 (patch)
tree: ab7bd586a544b83eed1bdc679592366c97528274 /media
parent: 5cecaa9430ef1d721968f1cd621c1c45c52190ce (diff)
parent: ec4ed7d541f48d1d0af8f93cd26ec291ca82061b (diff)
download: frameworks_av-4d622375dc6c9d6b6b817cce598692ae491b2496.zip
frameworks_av-4d622375dc6c9d6b6b817cce598692ae491b2496.tar.gz
frameworks_av-4d622375dc6c9d6b6b817cce598692ae491b2496.tar.bz2
1 files changed, 23 insertions, 8 deletions
diff --git a/media/libstagefright/omx/OMXNodeInstance.cpp b/media/libstagefright/omx/OMXNodeInstance.cpp
index 6ee1a77..147aae7 100644
--- a/media/libstagefright/omx/OMXNodeInstance.cpp
+++ b/media/libstagefright/omx/OMXNodeInstance.cpp
@@ -121,9 +121,10 @@ struct BufferMeta {
             return;
         }
 
-        memcpy((OMX_U8 *)mMem->pointer() + header->nOffset,
-                header->pBuffer + header->nOffset,
-                header->nFilledLen);
+        // check component returns proper range
+        sp<ABuffer> codec = getBuffer(header, false /* backup */, true /* limit */);
+
+        memcpy((OMX_U8 *)mMem->pointer() + header->nOffset, codec->data(), codec->size());
     }
 
     void CopyToOMX(const OMX_BUFFERHEADERTYPE *header) {
@@ -137,14 +138,21 @@ struct BufferMeta {
     }
 
     // return either the codec or the backup buffer
-    sp<ABuffer> getBuffer(const OMX_BUFFERHEADERTYPE *header, bool backup) {
+    sp<ABuffer> getBuffer(const OMX_BUFFERHEADERTYPE *header, bool backup, bool limit) {
         sp<ABuffer> buf;
         if (backup && mMem != NULL) {
             buf = new ABuffer(mMem->pointer(), mMem->size());
         } else {
             buf = new ABuffer(header->pBuffer, header->nAllocLen);
         }
-        buf->setRange(header->nOffset, header->nFilledLen);
+        if (limit) {
+            if (header->nOffset + header->nFilledLen > header->nOffset
+                    && header->nOffset + header->nFilledLen <= header->nAllocLen) {
+                buf->setRange(header->nOffset, header->nFilledLen);
+            } else {
+                buf->setRange(0, 0);
+            }
+        }
         return buf;
     }
 
@@ -1089,10 +1097,11 @@ status_t OMXNodeInstance::emptyBuffer(
     OMX_BUFFERHEADERTYPE *header = findBufferHeader(buffer);
     BufferMeta *buffer_meta =
         static_cast<BufferMeta *>(header->pAppPrivate);
-    sp<ABuffer> backup = buffer_meta->getBuffer(header, true /* backup */);
-    sp<ABuffer> codec = buffer_meta->getBuffer(header, false /* backup */);
+    sp<ABuffer> backup = buffer_meta->getBuffer(header, true /* backup */, false /* limit */);
+    sp<ABuffer> codec = buffer_meta->getBuffer(header, false /* backup */, false /* limit */);
 
     // convert incoming ANW meta buffers if component is configured for gralloc metadata mode
+    // ignore rangeOffset in this case
     if (mMetadataType[kPortIndexInput] == kMetadataBufferTypeGrallocSource
             && backup->capacity() >= sizeof(VideoNativeMetadata)
             && codec->capacity() >= sizeof(VideoGrallocMetadata)
@@ -1102,7 +1111,7 @@ status_t OMXNodeInstance::emptyBuffer(
         VideoGrallocMetadata &codecMeta = *(VideoGrallocMetadata *)codec->base();
         CLOG_BUFFER(emptyBuffer, "converting ANWB %p to handle %p",
                 backupMeta.pBuffer, backupMeta.pBuffer->handle);
-        codecMeta.pHandle = backupMeta.pBuffer->handle;
+        codecMeta.pHandle = backupMeta.pBuffer != NULL ? backupMeta.pBuffer->handle : NULL;
         codecMeta.eType = kMetadataBufferTypeGrallocSource;
         header->nFilledLen = rangeLength ? sizeof(codecMeta) : 0;
         header->nOffset = 0;
@@ -1111,6 +1120,7 @@ status_t OMXNodeInstance::emptyBuffer(
         // corner case: we permit rangeOffset == end-of-buffer with rangeLength == 0.
         if (rangeOffset > header->nAllocLen
                 || rangeLength > header->nAllocLen - rangeOffset) {
+            CLOG_ERROR(emptyBuffer, OMX_ErrorBadParameter, FULL_BUFFER(NULL, header, fenceFd));
             if (fenceFd >= 0) {
                 ::close(fenceFd);
             }
@@ -1380,6 +1390,11 @@ bool OMXNodeInstance::handleMessage(omx_message &msg) {
         BufferMeta *buffer_meta =
             static_cast<BufferMeta *>(buffer->pAppPrivate);
 
+        if (buffer->nOffset + buffer->nFilledLen < buffer->nOffset
+                || buffer->nOffset + buffer->nFilledLen > buffer->nAllocLen) {
+            CLOG_ERROR(onFillBufferDone, OMX_ErrorBadParameter,
+                    FULL_BUFFER(NULL, buffer, msg.fenceFd));
+        }
         buffer_meta->CopyFromOMX(buffer);
 
         if (bufferSource != NULL) {
author	Lajos Molnar <lajos@google.com>	2015-06-22 05:04:58 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	2015-06-22 05:04:59 +0000
commit	4d622375dc6c9d6b6b817cce598692ae491b2496 (patch)
tree	ab7bd586a544b83eed1bdc679592366c97528274 /media
parent	5cecaa9430ef1d721968f1cd621c1c45c52190ce (diff)
parent	ec4ed7d541f48d1d0af8f93cd26ec291ca82061b (diff)
download	frameworks_av-4d622375dc6c9d6b6b817cce598692ae491b2496.zip frameworks_av-4d622375dc6c9d6b6b817cce598692ae491b2496.tar.gz frameworks_av-4d622375dc6c9d6b6b817cce598692ae491b2496.tar.bz2