diff options
author | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2017-05-02 19:21:00 +0200 |
---|---|---|
committer | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2017-05-02 19:21:00 +0200 |
commit | eca582052ef000897f69d6d0bdd96c7a8aa59cda (patch) | |
tree | 7472d8773c4bb9321fdd41d0aef057e30045e557 /media | |
parent | 26718276fd99ef60d9646d79467d2bb3f2db5549 (diff) | |
parent | dc7805b0c79d056385a076422894425984af2aa0 (diff) | |
download | frameworks_av-eca582052ef000897f69d6d0bdd96c7a8aa59cda.zip frameworks_av-eca582052ef000897f69d6d0bdd96c7a8aa59cda.tar.gz frameworks_av-eca582052ef000897f69d6d0bdd96c7a8aa59cda.tar.bz2 |
Merge branch 'cm-13.0' of https://github.com/LineageOS/android_frameworks_av into replicant-6.0HEADreplicant-6.0-0001replicant-6.0
Diffstat (limited to 'media')
-rw-r--r-- | media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp | 51 | ||||
-rw-r--r-- | media/libmedia/IEffect.cpp | 12 | ||||
-rw-r--r-- | media/libmedia/IHDCP.cpp | 18 | ||||
-rw-r--r-- | media/libstagefright/SampleTable.cpp | 21 | ||||
-rw-r--r-- | media/libstagefright/avc_utils.cpp | 5 | ||||
-rw-r--r-- | media/libstagefright/wifi-display/rtp/RTPSender.cpp | 14 |
6 files changed, 85 insertions, 36 deletions
diff --git a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp index 5e975b0..9cddf6a 100644 --- a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp +++ b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp @@ -1465,17 +1465,25 @@ int VirtualizerForceVirtualizationMode(EffectContext *pContext, audio_devices_t // horizontal plane, +90 is directly above the user, -90 below // //---------------------------------------------------------------------------- -void VirtualizerGetSpeakerAngles(audio_channel_mask_t channelMask __unused, +void VirtualizerGetSpeakerAngles(audio_channel_mask_t channelMask, audio_devices_t deviceType __unused, int32_t *pSpeakerAngles) { // the channel count is guaranteed to be 1 or 2 // the device is guaranteed to be of type headphone - // this virtualizer is always 2in with speakers at -90 and 90deg of azimuth, 0deg of elevation - *pSpeakerAngles++ = (int32_t) AUDIO_CHANNEL_OUT_FRONT_LEFT; - *pSpeakerAngles++ = -90; // azimuth - *pSpeakerAngles++ = 0; // elevation - *pSpeakerAngles++ = (int32_t) AUDIO_CHANNEL_OUT_FRONT_RIGHT; - *pSpeakerAngles++ = 90; // azimuth - *pSpeakerAngles = 0; // elevation + // this virtualizer is always using 2 virtual speakers at -90 and 90deg of azimuth, 0deg of + // elevation but the return information is sized for nbChannels * 3, so we have to consider + // the (false here) case of a single channel, and return only 3 fields. + if (audio_channel_count_from_out_mask(channelMask) == 1) { + *pSpeakerAngles++ = (int32_t) AUDIO_CHANNEL_OUT_MONO; // same as FRONT_LEFT + *pSpeakerAngles++ = 0; // azimuth + *pSpeakerAngles = 0; // elevation + } else { + *pSpeakerAngles++ = (int32_t) AUDIO_CHANNEL_OUT_FRONT_LEFT; + *pSpeakerAngles++ = -90; // azimuth + *pSpeakerAngles++ = 0; // elevation + *pSpeakerAngles++ = (int32_t) AUDIO_CHANNEL_OUT_FRONT_RIGHT; + *pSpeakerAngles++ = 90; // azimuth + *pSpeakerAngles = 0; // elevation + } } //---------------------------------------------------------------------------- @@ -3124,10 +3132,6 @@ int Effect_command(effect_handle_t self, //ALOGV("\tEffect_command cmdCode Case: EFFECT_CMD_GET_PARAM start"); effect_param_t *p = (effect_param_t *)pCmdData; - if (SIZE_MAX - sizeof(effect_param_t) < (size_t)p->psize) { - android_errorWriteLog(0x534e4554, "26347509"); - return -EINVAL; - } if (pCmdData == NULL || cmdSize < sizeof(effect_param_t) || cmdSize < (sizeof(effect_param_t) + p->psize) || pReplyData == NULL || replySize == NULL || @@ -3135,13 +3139,32 @@ int Effect_command(effect_handle_t self, ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: ERROR"); return -EINVAL; } + if (EFFECT_PARAM_SIZE_MAX - sizeof(effect_param_t) < (size_t)p->psize) { + android_errorWriteLog(0x534e4554, "26347509"); + ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: psize too big"); + return -EINVAL; + } + uint32_t paddedParamSize = ((p->psize + sizeof(int32_t) - 1) / sizeof(int32_t)) * + sizeof(int32_t); + if ((EFFECT_PARAM_SIZE_MAX - sizeof(effect_param_t) < paddedParamSize) || + (EFFECT_PARAM_SIZE_MAX - sizeof(effect_param_t) - paddedParamSize < + p->vsize)) { + ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: padded_psize or vsize too big"); + return -EINVAL; + } + uint32_t expectedReplySize = sizeof(effect_param_t) + paddedParamSize + p->vsize; + if (*replySize < expectedReplySize) { + ALOGV("\tLVM_ERROR : EFFECT_CMD_GET_PARAM: min. replySize %u, got %u bytes", + expectedReplySize, *replySize); + android_errorWriteLog(0x534e4554, "32705438"); + return -EINVAL; + } memcpy(pReplyData, pCmdData, sizeof(effect_param_t) + p->psize); p = (effect_param_t *)pReplyData; - int voffset = ((p->psize - 1) / sizeof(int32_t) + 1) * sizeof(int32_t); - + uint32_t voffset = paddedParamSize; if(pContext->EffectType == LVM_BASS_BOOST){ p->status = android::BassBoost_getParameter(pContext, p->data, diff --git a/media/libmedia/IEffect.cpp b/media/libmedia/IEffect.cpp index faf5795..af6d8de 100644 --- a/media/libmedia/IEffect.cpp +++ b/media/libmedia/IEffect.cpp @@ -25,6 +25,9 @@ namespace android { +// Maximum command/reply size expected +#define EFFECT_PARAM_SIZE_MAX 65536 + enum { ENABLE = IBinder::FIRST_CALL_TRANSACTION, DISABLE, @@ -156,6 +159,10 @@ status_t BnEffect::onTransact( uint32_t cmdSize = data.readInt32(); char *cmd = NULL; if (cmdSize) { + if (cmdSize > EFFECT_PARAM_SIZE_MAX) { + reply->writeInt32(NO_MEMORY); + return NO_ERROR; + } cmd = (char *)calloc(cmdSize, 1); if (cmd == NULL) { reply->writeInt32(NO_MEMORY); @@ -167,6 +174,11 @@ status_t BnEffect::onTransact( uint32_t replySz = replySize; char *resp = NULL; if (replySize) { + if (replySize > EFFECT_PARAM_SIZE_MAX) { + free(cmd); + reply->writeInt32(NO_MEMORY); + return NO_ERROR; + } resp = (char *)calloc(replySize, 1); if (resp == NULL) { free(cmd); diff --git a/media/libmedia/IHDCP.cpp b/media/libmedia/IHDCP.cpp index f3a8902..e8c8a3d 100644 --- a/media/libmedia/IHDCP.cpp +++ b/media/libmedia/IHDCP.cpp @@ -241,14 +241,11 @@ status_t BnHDCP::onTransact( case HDCP_ENCRYPT: { size_t size = data.readInt32(); - size_t bufSize = 2 * size; - - // watch out for overflow void *inData = NULL; - if (bufSize > size) { - inData = malloc(bufSize); + // watch out for overflow + if (size <= SIZE_MAX / 2) { + inData = malloc(2 * size); } - if (inData == NULL) { reply->writeInt32(ERROR_OUT_OF_RANGE); return OK; @@ -256,11 +253,16 @@ status_t BnHDCP::onTransact( void *outData = (uint8_t *)inData + size; - data.read(inData, size); + status_t err = data.read(inData, size); + if (err != OK) { + free(inData); + reply->writeInt32(err); + return OK; + } uint32_t streamCTR = data.readInt32(); uint64_t inputCTR; - status_t err = encrypt(inData, size, streamCTR, &inputCTR, outData); + err = encrypt(inData, size, streamCTR, &inputCTR, outData); reply->writeInt32(err); diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp index 8a38c24..2d7e613 100644 --- a/media/libstagefright/SampleTable.cpp +++ b/media/libstagefright/SampleTable.cpp @@ -512,8 +512,6 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size) return ERROR_MALFORMED; } - mSyncSampleOffset = data_offset; - uint8_t header[8]; if (mDataSource->readAt( data_offset, header, sizeof(header)) < (ssize_t)sizeof(header)) { @@ -525,13 +523,13 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size) return ERROR_MALFORMED; } - mNumSyncSamples = U32_AT(&header[4]); + uint32_t numSyncSamples = U32_AT(&header[4]); - if (mNumSyncSamples < 2) { + if (numSyncSamples < 2) { ALOGV("Table of sync samples is empty or has only a single entry!"); } - uint64_t allocSize = (uint64_t)mNumSyncSamples * sizeof(uint32_t); + uint64_t allocSize = (uint64_t)numSyncSamples * sizeof(uint32_t); if (allocSize > kMaxTotalSize) { ALOGE("Sync sample table size too large."); return ERROR_OUT_OF_RANGE; @@ -549,22 +547,27 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size) return ERROR_OUT_OF_RANGE; } - mSyncSamples = new (std::nothrow) uint32_t[mNumSyncSamples]; + mSyncSamples = new (std::nothrow) uint32_t[numSyncSamples]; if (!mSyncSamples) { ALOGE("Cannot allocate sync sample table with %llu entries.", - (unsigned long long)mNumSyncSamples); + (unsigned long long)numSyncSamples); return ERROR_OUT_OF_RANGE; } - if (mDataSource->readAt(mSyncSampleOffset + 8, mSyncSamples, + if (mDataSource->readAt(data_offset + 8, mSyncSamples, (size_t)allocSize) != (ssize_t)allocSize) { + delete mSyncSamples; + mSyncSamples = NULL; return ERROR_IO; } - for (size_t i = 0; i < mNumSyncSamples; ++i) { + for (size_t i = 0; i < numSyncSamples; ++i) { mSyncSamples[i] = ntohl(mSyncSamples[i]) - 1; } + mSyncSampleOffset = data_offset; + mNumSyncSamples = numSyncSamples; + return OK; } diff --git a/media/libstagefright/avc_utils.cpp b/media/libstagefright/avc_utils.cpp index 98b5c0e..bf014ba 100644 --- a/media/libstagefright/avc_utils.cpp +++ b/media/libstagefright/avc_utils.cpp @@ -454,7 +454,10 @@ bool IsAVCReferenceFrame(const sp<ABuffer> &accessUnit) { size_t nalSize; bool bIsReferenceFrame = true; while (getNextNALUnit(&data, &size, &nalStart, &nalSize, true) == OK) { - CHECK_GT(nalSize, 0u); + if (nalSize == 0u) { + ALOGW("skipping empty nal unit from potentially malformed bitstream"); + continue; + } unsigned nalType = nalStart[0] & 0x1f; diff --git a/media/libstagefright/wifi-display/rtp/RTPSender.cpp b/media/libstagefright/wifi-display/rtp/RTPSender.cpp index c66a898..83af393 100644 --- a/media/libstagefright/wifi-display/rtp/RTPSender.cpp +++ b/media/libstagefright/wifi-display/rtp/RTPSender.cpp @@ -762,10 +762,16 @@ status_t RTPSender::parseTSFB(const uint8_t *data, size_t size) { return OK; } -status_t RTPSender::parseAPP(const uint8_t *data, size_t size __unused) { - if (!memcmp("late", &data[8], 4)) { - int64_t avgLatencyUs = (int64_t)U64_AT(&data[12]); - int64_t maxLatencyUs = (int64_t)U64_AT(&data[20]); +status_t RTPSender::parseAPP(const uint8_t *data, size_t size) { + static const size_t late_offset = 8; + static const char late_string[] = "late"; + static const size_t avgLatencyUs_offset = late_offset + sizeof(late_string) - 1; + static const size_t maxLatencyUs_offset = avgLatencyUs_offset + sizeof(int64_t); + + if ((size >= (maxLatencyUs_offset + sizeof(int64_t))) + && !memcmp(late_string, &data[late_offset], sizeof(late_string) - 1)) { + int64_t avgLatencyUs = (int64_t)U64_AT(&data[avgLatencyUs_offset]); + int64_t maxLatencyUs = (int64_t)U64_AT(&data[maxLatencyUs_offset]); sp<AMessage> notify = mNotify->dup(); notify->setInt32("what", kWhatInformSender); |