summaryrefslogtreecommitdiffstats
path: root/media
diff options
context:
space:
mode:
authorWolfgang Wiedmeyer <wolfgit@wiedmeyer.de>2017-05-02 19:21:00 +0200
committerWolfgang Wiedmeyer <wolfgit@wiedmeyer.de>2017-05-02 19:21:00 +0200
commiteca582052ef000897f69d6d0bdd96c7a8aa59cda (patch)
tree7472d8773c4bb9321fdd41d0aef057e30045e557 /media
parent26718276fd99ef60d9646d79467d2bb3f2db5549 (diff)
parentdc7805b0c79d056385a076422894425984af2aa0 (diff)
downloadframeworks_av-eca582052ef000897f69d6d0bdd96c7a8aa59cda.zip
frameworks_av-eca582052ef000897f69d6d0bdd96c7a8aa59cda.tar.gz
frameworks_av-eca582052ef000897f69d6d0bdd96c7a8aa59cda.tar.bz2
Merge branch 'cm-13.0' of https://github.com/LineageOS/android_frameworks_av into replicant-6.0HEADreplicant-6.0-0001replicant-6.0
Diffstat (limited to 'media')
-rw-r--r--media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp51
-rw-r--r--media/libmedia/IEffect.cpp12
-rw-r--r--media/libmedia/IHDCP.cpp18
-rw-r--r--media/libstagefright/SampleTable.cpp21
-rw-r--r--media/libstagefright/avc_utils.cpp5
-rw-r--r--media/libstagefright/wifi-display/rtp/RTPSender.cpp14
6 files changed, 85 insertions, 36 deletions
diff --git a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
index 5e975b0..9cddf6a 100644
--- a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
+++ b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
@@ -1465,17 +1465,25 @@ int VirtualizerForceVirtualizationMode(EffectContext *pContext, audio_devices_t
// horizontal plane, +90 is directly above the user, -90 below
//
//----------------------------------------------------------------------------
-void VirtualizerGetSpeakerAngles(audio_channel_mask_t channelMask __unused,
+void VirtualizerGetSpeakerAngles(audio_channel_mask_t channelMask,
audio_devices_t deviceType __unused, int32_t *pSpeakerAngles) {
// the channel count is guaranteed to be 1 or 2
// the device is guaranteed to be of type headphone
- // this virtualizer is always 2in with speakers at -90 and 90deg of azimuth, 0deg of elevation
- *pSpeakerAngles++ = (int32_t) AUDIO_CHANNEL_OUT_FRONT_LEFT;
- *pSpeakerAngles++ = -90; // azimuth
- *pSpeakerAngles++ = 0; // elevation
- *pSpeakerAngles++ = (int32_t) AUDIO_CHANNEL_OUT_FRONT_RIGHT;
- *pSpeakerAngles++ = 90; // azimuth
- *pSpeakerAngles = 0; // elevation
+ // this virtualizer is always using 2 virtual speakers at -90 and 90deg of azimuth, 0deg of
+ // elevation but the return information is sized for nbChannels * 3, so we have to consider
+ // the (false here) case of a single channel, and return only 3 fields.
+ if (audio_channel_count_from_out_mask(channelMask) == 1) {
+ *pSpeakerAngles++ = (int32_t) AUDIO_CHANNEL_OUT_MONO; // same as FRONT_LEFT
+ *pSpeakerAngles++ = 0; // azimuth
+ *pSpeakerAngles = 0; // elevation
+ } else {
+ *pSpeakerAngles++ = (int32_t) AUDIO_CHANNEL_OUT_FRONT_LEFT;
+ *pSpeakerAngles++ = -90; // azimuth
+ *pSpeakerAngles++ = 0; // elevation
+ *pSpeakerAngles++ = (int32_t) AUDIO_CHANNEL_OUT_FRONT_RIGHT;
+ *pSpeakerAngles++ = 90; // azimuth
+ *pSpeakerAngles = 0; // elevation
+ }
}
//----------------------------------------------------------------------------
@@ -3124,10 +3132,6 @@ int Effect_command(effect_handle_t self,
//ALOGV("\tEffect_command cmdCode Case: EFFECT_CMD_GET_PARAM start");
effect_param_t *p = (effect_param_t *)pCmdData;
- if (SIZE_MAX - sizeof(effect_param_t) < (size_t)p->psize) {
- android_errorWriteLog(0x534e4554, "26347509");
- return -EINVAL;
- }
if (pCmdData == NULL || cmdSize < sizeof(effect_param_t) ||
cmdSize < (sizeof(effect_param_t) + p->psize) ||
pReplyData == NULL || replySize == NULL ||
@@ -3135,13 +3139,32 @@ int Effect_command(effect_handle_t self,
ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: ERROR");
return -EINVAL;
}
+ if (EFFECT_PARAM_SIZE_MAX - sizeof(effect_param_t) < (size_t)p->psize) {
+ android_errorWriteLog(0x534e4554, "26347509");
+ ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: psize too big");
+ return -EINVAL;
+ }
+ uint32_t paddedParamSize = ((p->psize + sizeof(int32_t) - 1) / sizeof(int32_t)) *
+ sizeof(int32_t);
+ if ((EFFECT_PARAM_SIZE_MAX - sizeof(effect_param_t) < paddedParamSize) ||
+ (EFFECT_PARAM_SIZE_MAX - sizeof(effect_param_t) - paddedParamSize <
+ p->vsize)) {
+ ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: padded_psize or vsize too big");
+ return -EINVAL;
+ }
+ uint32_t expectedReplySize = sizeof(effect_param_t) + paddedParamSize + p->vsize;
+ if (*replySize < expectedReplySize) {
+ ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: min. replySize %u, got %u bytes",
+ expectedReplySize, *replySize);
+ android_errorWriteLog(0x534e4554, "32705438");
+ return -EINVAL;
+ }
memcpy(pReplyData, pCmdData, sizeof(effect_param_t) + p->psize);
p = (effect_param_t *)pReplyData;
- int voffset = ((p->psize - 1) / sizeof(int32_t) + 1) * sizeof(int32_t);
-
+ uint32_t voffset = paddedParamSize;
if(pContext->EffectType == LVM_BASS_BOOST){
p->status = android::BassBoost_getParameter(pContext,
p->data,
diff --git a/media/libmedia/IEffect.cpp b/media/libmedia/IEffect.cpp
index faf5795..af6d8de 100644
--- a/media/libmedia/IEffect.cpp
+++ b/media/libmedia/IEffect.cpp
@@ -25,6 +25,9 @@
namespace android {
+// Maximum command/reply size expected
+#define EFFECT_PARAM_SIZE_MAX 65536
+
enum {
ENABLE = IBinder::FIRST_CALL_TRANSACTION,
DISABLE,
@@ -156,6 +159,10 @@ status_t BnEffect::onTransact(
uint32_t cmdSize = data.readInt32();
char *cmd = NULL;
if (cmdSize) {
+ if (cmdSize > EFFECT_PARAM_SIZE_MAX) {
+ reply->writeInt32(NO_MEMORY);
+ return NO_ERROR;
+ }
cmd = (char *)calloc(cmdSize, 1);
if (cmd == NULL) {
reply->writeInt32(NO_MEMORY);
@@ -167,6 +174,11 @@ status_t BnEffect::onTransact(
uint32_t replySz = replySize;
char *resp = NULL;
if (replySize) {
+ if (replySize > EFFECT_PARAM_SIZE_MAX) {
+ free(cmd);
+ reply->writeInt32(NO_MEMORY);
+ return NO_ERROR;
+ }
resp = (char *)calloc(replySize, 1);
if (resp == NULL) {
free(cmd);
diff --git a/media/libmedia/IHDCP.cpp b/media/libmedia/IHDCP.cpp
index f3a8902..e8c8a3d 100644
--- a/media/libmedia/IHDCP.cpp
+++ b/media/libmedia/IHDCP.cpp
@@ -241,14 +241,11 @@ status_t BnHDCP::onTransact(
case HDCP_ENCRYPT:
{
size_t size = data.readInt32();
- size_t bufSize = 2 * size;
-
- // watch out for overflow
void *inData = NULL;
- if (bufSize > size) {
- inData = malloc(bufSize);
+ // watch out for overflow
+ if (size <= SIZE_MAX / 2) {
+ inData = malloc(2 * size);
}
-
if (inData == NULL) {
reply->writeInt32(ERROR_OUT_OF_RANGE);
return OK;
@@ -256,11 +253,16 @@ status_t BnHDCP::onTransact(
void *outData = (uint8_t *)inData + size;
- data.read(inData, size);
+ status_t err = data.read(inData, size);
+ if (err != OK) {
+ free(inData);
+ reply->writeInt32(err);
+ return OK;
+ }
uint32_t streamCTR = data.readInt32();
uint64_t inputCTR;
- status_t err = encrypt(inData, size, streamCTR, &inputCTR, outData);
+ err = encrypt(inData, size, streamCTR, &inputCTR, outData);
reply->writeInt32(err);
diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp
index 8a38c24..2d7e613 100644
--- a/media/libstagefright/SampleTable.cpp
+++ b/media/libstagefright/SampleTable.cpp
@@ -512,8 +512,6 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size)
return ERROR_MALFORMED;
}
- mSyncSampleOffset = data_offset;
-
uint8_t header[8];
if (mDataSource->readAt(
data_offset, header, sizeof(header)) < (ssize_t)sizeof(header)) {
@@ -525,13 +523,13 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size)
return ERROR_MALFORMED;
}
- mNumSyncSamples = U32_AT(&header[4]);
+ uint32_t numSyncSamples = U32_AT(&header[4]);
- if (mNumSyncSamples < 2) {
+ if (numSyncSamples < 2) {
ALOGV("Table of sync samples is empty or has only a single entry!");
}
- uint64_t allocSize = (uint64_t)mNumSyncSamples * sizeof(uint32_t);
+ uint64_t allocSize = (uint64_t)numSyncSamples * sizeof(uint32_t);
if (allocSize > kMaxTotalSize) {
ALOGE("Sync sample table size too large.");
return ERROR_OUT_OF_RANGE;
@@ -549,22 +547,27 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size)
return ERROR_OUT_OF_RANGE;
}
- mSyncSamples = new (std::nothrow) uint32_t[mNumSyncSamples];
+ mSyncSamples = new (std::nothrow) uint32_t[numSyncSamples];
if (!mSyncSamples) {
ALOGE("Cannot allocate sync sample table with %llu entries.",
- (unsigned long long)mNumSyncSamples);
+ (unsigned long long)numSyncSamples);
return ERROR_OUT_OF_RANGE;
}
- if (mDataSource->readAt(mSyncSampleOffset + 8, mSyncSamples,
+ if (mDataSource->readAt(data_offset + 8, mSyncSamples,
(size_t)allocSize) != (ssize_t)allocSize) {
+ delete mSyncSamples;
+ mSyncSamples = NULL;
return ERROR_IO;
}
- for (size_t i = 0; i < mNumSyncSamples; ++i) {
+ for (size_t i = 0; i < numSyncSamples; ++i) {
mSyncSamples[i] = ntohl(mSyncSamples[i]) - 1;
}
+ mSyncSampleOffset = data_offset;
+ mNumSyncSamples = numSyncSamples;
+
return OK;
}
diff --git a/media/libstagefright/avc_utils.cpp b/media/libstagefright/avc_utils.cpp
index 98b5c0e..bf014ba 100644
--- a/media/libstagefright/avc_utils.cpp
+++ b/media/libstagefright/avc_utils.cpp
@@ -454,7 +454,10 @@ bool IsAVCReferenceFrame(const sp<ABuffer> &accessUnit) {
size_t nalSize;
bool bIsReferenceFrame = true;
while (getNextNALUnit(&data, &size, &nalStart, &nalSize, true) == OK) {
- CHECK_GT(nalSize, 0u);
+ if (nalSize == 0u) {
+ ALOGW("skipping empty nal unit from potentially malformed bitstream");
+ continue;
+ }
unsigned nalType = nalStart[0] & 0x1f;
diff --git a/media/libstagefright/wifi-display/rtp/RTPSender.cpp b/media/libstagefright/wifi-display/rtp/RTPSender.cpp
index c66a898..83af393 100644
--- a/media/libstagefright/wifi-display/rtp/RTPSender.cpp
+++ b/media/libstagefright/wifi-display/rtp/RTPSender.cpp
@@ -762,10 +762,16 @@ status_t RTPSender::parseTSFB(const uint8_t *data, size_t size) {
return OK;
}
-status_t RTPSender::parseAPP(const uint8_t *data, size_t size __unused) {
- if (!memcmp("late", &data[8], 4)) {
- int64_t avgLatencyUs = (int64_t)U64_AT(&data[12]);
- int64_t maxLatencyUs = (int64_t)U64_AT(&data[20]);
+status_t RTPSender::parseAPP(const uint8_t *data, size_t size) {
+ static const size_t late_offset = 8;
+ static const char late_string[] = "late";
+ static const size_t avgLatencyUs_offset = late_offset + sizeof(late_string) - 1;
+ static const size_t maxLatencyUs_offset = avgLatencyUs_offset + sizeof(int64_t);
+
+ if ((size >= (maxLatencyUs_offset + sizeof(int64_t)))
+ && !memcmp(late_string, &data[late_offset], sizeof(late_string) - 1)) {
+ int64_t avgLatencyUs = (int64_t)U64_AT(&data[avgLatencyUs_offset]);
+ int64_t maxLatencyUs = (int64_t)U64_AT(&data[maxLatencyUs_offset]);
sp<AMessage> notify = mNotify->dup();
notify->setInt32("what", kWhatInformSender);