author | Lajos Molnar <lajos@google.com> | 2015-06-22 05:04:58 +0000 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2015-06-22 05:04:59 +0000 |
commit | 4d622375dc6c9d6b6b817cce598692ae491b2496 (patch) | |
tree | ab7bd586a544b83eed1bdc679592366c97528274 /media | |
parent | 5cecaa9430ef1d721968f1cd621c1c45c52190ce (diff) | |
parent | ec4ed7d541f48d1d0af8f93cd26ec291ca82061b (diff) | |
Merge "stagefright: relax check of OMX buffer header - again" into mnc-dev
Diffstat (limited to 'media')
-rw-r--r-- | media/libstagefright/omx/OMXNodeInstance.cpp | 31 |
1 files changed, 23 insertions, 8 deletions
diff --git a/media/libstagefright/omx/OMXNodeInstance.cpp b/media/libstagefright/omx/OMXNodeInstance.cpp
index 6ee1a77..147aae7 100644
--- a/media/libstagefright/omx/OMXNodeInstance.cpp
+++ b/media/libstagefright/omx/OMXNodeInstance.cpp
@@ -121,9 +121,10 @@ struct BufferMeta {
 return;
 }
- memcpy((OMX_U8 *)mMem->pointer() + header->nOffset,
- header->pBuffer + header->nOffset,
- header->nFilledLen);
+ // check component returns proper range
+ sp<ABuffer> codec = getBuffer(header, false /* backup */, true /* limit */);
+
+ memcpy((OMX_U8 *)mMem->pointer() + header->nOffset, codec->data(), codec->size());
 }
 void CopyToOMX(const OMX_BUFFERHEADERTYPE *header) {
@@ -137,14 +138,21 @@ struct BufferMeta {
 }
 // return either the codec or the backup buffer
- sp<ABuffer> getBuffer(const OMX_BUFFERHEADERTYPE *header, bool backup) {
+ sp<ABuffer> getBuffer(const OMX_BUFFERHEADERTYPE *header, bool backup, bool limit) {
 sp<ABuffer> buf;
 if (backup && mMem != NULL) {
 buf = new ABuffer(mMem->pointer(), mMem->size());
 } else {
 buf = new ABuffer(header->pBuffer, header->nAllocLen);
 }
- buf->setRange(header->nOffset, header->nFilledLen);
+ if (limit) {
+ if (header->nOffset + header->nFilledLen > header->nOffset
+ && header->nOffset + header->nFilledLen <= header->nAllocLen) {
+ buf->setRange(header->nOffset, header->nFilledLen);
+ } else {
+ buf->setRange(0, 0);
+ }
+ }
 return buf;
 }
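Review bot: The rewritten memcpy in CopyFromOMX is bounded on the source side only: `getBuffer(header, false /* backup */, true /* limit */)` validates nOffset and nFilledLen against `header->nAllocLen`, but nothing visible bounds the destination `mMem->pointer() + header->nOffset` by `mMem->size()`. If the shared-memory backup can ever be smaller than nAllocLen, a component-reported range that passes the new check would still write past the end of mMem; whether the two sizes are always equal cannot be told from this hunk. A guard before the copy such as `if (header->nOffset > mMem->size() || codec->size() > mMem->size() - header->nOffset) return;` would make the bound explicit. CopyFromOMX begins above the hunk.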
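Review bot: The comment above getBuffer does not say what the new `limit` parameter does, and it changes the returned range in ways callers need to know. With `limit` false, setRange is no longer called at all, so the buffer presumably keeps the range the ABuffer constructor gives it rather than (nOffset, nFilledLen) as before; with `limit` true, a zero nFilledLen fails the strict `>` test and yields (0, 0) even when nOffset is valid. I would extend the comment, e.g. `// limit: set range to (nOffset, nFilledLen) only if it lies within nAllocLen, else empty; if false the range is left at the constructor default`. The test could also avoid the wrapping addition, `header->nOffset <= header->nAllocLen && header->nFilledLen <= header->nAllocLen - header->nOffset`, which is the form emptyBuffer already uses for rangeOffset and rangeLength.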
@@ -1089,10 +1097,11 @@ status_t OMXNodeInstance::emptyBuffer(
 OMX_BUFFERHEADERTYPE *header = findBufferHeader(buffer);
 BufferMeta *buffer_meta = static_cast<BufferMeta *>(header->pAppPrivate);
- sp<ABuffer> backup = buffer_meta->getBuffer(header, true /* backup */);
- sp<ABuffer> codec = buffer_meta->getBuffer(header, false /* backup */);
+ sp<ABuffer> backup = buffer_meta->getBuffer(header, true /* backup */, false /* limit */);
+ sp<ABuffer> codec = buffer_meta->getBuffer(header, false /* backup */, false /* limit */);
 // convert incoming ANW meta buffers if component is configured for gralloc metadata mode
+ // ignore rangeOffset in this case
 if (mMetadataType[kPortIndexInput] == kMetadataBufferTypeGrallocSource && backup->capacity() >= sizeof(VideoNativeMetadata) && codec->capacity() >= sizeof(VideoGrallocMetadata)
@@ -1102,7 +1111,7 @@ status_t OMXNodeInstance::emptyBuffer(
 VideoGrallocMetadata &codecMeta = *(VideoGrallocMetadata *)codec->base();
 CLOG_BUFFER(emptyBuffer, "converting ANWB %p to handle %p", backupMeta.pBuffer, backupMeta.pBuffer->handle);
- codecMeta.pHandle = backupMeta.pBuffer->handle;
+ codecMeta.pHandle = backupMeta.pBuffer != NULL ? backupMeta.pBuffer->handle : NULL;
 codecMeta.eType = kMetadataBufferTypeGrallocSource;
 header->nFilledLen = rangeLength ? sizeof(codecMeta) : 0;
 header->nOffset = 0;
@@ -1111,6 +1120,7 @@ status_t OMXNodeInstance::emptyBuffer(
 // corner case: we permit rangeOffset == end-of-buffer with rangeLength == 0.
 if (rangeOffset > header->nAllocLen || rangeLength > header->nAllocLen - rangeOffset) {
+ CLOG_ERROR(emptyBuffer, OMX_ErrorBadParameter, FULL_BUFFER(NULL, header, fenceFd));
 if (fenceFd >= 0) {
 ::close(fenceFd);
 }
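Review bot: The NULL guard added on `codecMeta.pHandle` in the second emptyBuffer hunk comes one statement too late, because the CLOG_BUFFER call on the context line just above still passes `backupMeta.pBuffer->handle`. A NULL pBuffer is therefore dereferenced there whenever the macro evaluates its arguments; whether it does depends on CLOG_BUFFER's definition, which is not shown. Moving the guarded assignment `codecMeta.pHandle = backupMeta.pBuffer != NULL ? backupMeta.pBuffer->handle : NULL;` above the log and logging `codecMeta.pHandle` instead would make the guard effective. The enclosing emptyBuffer body starts and ends outside this hunk.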
@@ -1380,6 +1390,11 @@ bool OMXNodeInstance::handleMessage(omx_message &msg) {
 BufferMeta *buffer_meta = static_cast<BufferMeta *>(buffer->pAppPrivate);
+ if (buffer->nOffset + buffer->nFilledLen < buffer->nOffset
+ || buffer->nOffset + buffer->nFilledLen > buffer->nAllocLen) {
+ CLOG_ERROR(onFillBufferDone, OMX_ErrorBadParameter,
+ FULL_BUFFER(NULL, buffer, msg.fenceFd));
+ }
 buffer_meta->CopyFromOMX(buffer);
 if (bufferSource != NULL) { |
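Review bot: The new range check in handleMessage only logs: after CLOG_ERROR the code falls through to `buffer_meta->CopyFromOMX(buffer)` with the same out-of-range nOffset and nFilledLen still in the header. The copy is neutralised only because CopyFromOMX now goes through getBuffer with `limit` set, and that dependency is not stated here; anything later in the function that reads the reported range (not visible in this hunk) would still see the bad values. A comment above the call such as `// CopyFromOMX copies nothing for an invalid range; header fields stay as the component reported them` would record this, and zeroing `buffer->nFilledLen` in the error branch is worth considering if the range is consumed downstream. The condition is also a second, inverted copy of the test in getBuffer, so a small shared helper would keep the two from drifting. handleMessage continues outside the hunk.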