Diffstat (limited to 'media')
-rw-r--r--media/libmedia/AudioTrack.cpp2
-rw-r--r--media/libmedia/IEffect.cpp4
-rw-r--r--media/libmedia/IMediaPlayer.cpp2
-rw-r--r--media/libmediaplayerservice/nuplayer/NuPlayer.cpp4
-rw-r--r--media/libmediaplayerservice/nuplayer/NuPlayerRenderer.cpp5
-rw-r--r--media/libstagefright/CameraSource.cpp19
-rwxr-xr-xmedia/libstagefright/MPEG4Extractor.cpp20
-rw-r--r--media/libstagefright/OMXCodec.cpp3
-rw-r--r--media/libstagefright/SampleTable.cpp14
-rw-r--r--media/libstagefright/SkipCutBuffer.cpp7
-rw-r--r--media/libstagefright/codecs/avc/enc/SoftAVCEncoder.cpp8
-rw-r--r--media/libstagefright/codecs/avcenc/SoftAVCEnc.cpp2
-rw-r--r--media/libstagefright/codecs/m4v_h263/dec/src/pvdec_api.cpp12
-rw-r--r--media/libstagefright/codecs/m4v_h263/enc/src/mp4enc_api.cpp7
-rw-r--r--media/libstagefright/id3/ID3.cpp19
-rw-r--r--media/libstagefright/include/SampleTable.h5
-rw-r--r--media/libstagefright/rtsp/AMPEG4AudioAssembler.cpp5
17 files changed, 115 insertions, 23 deletions
diff --git a/media/libmedia/AudioTrack.cpp b/media/libmedia/AudioTrack.cpp
index 7befe5d..444f4d8 100644
--- a/media/libmedia/AudioTrack.cpp
+++ b/media/libmedia/AudioTrack.cpp
@@ -325,7 +325,7 @@ status_t AudioTrack::set(
mTransfer = transferType;
mDoNotReconnect = doNotReconnect;
- ALOGV_IF(sharedBuffer != 0, "sharedBuffer: %p, size: %d", sharedBuffer->pointer(),
+ ALOGV_IF(sharedBuffer != 0, "sharedBuffer: %p, size: %zu", sharedBuffer->pointer(),
sharedBuffer->size());
ALOGV("set() streamType %d frameCount %zu flags %04x", streamType, frameCount, flags);
diff --git a/media/libmedia/IEffect.cpp b/media/libmedia/IEffect.cpp
index eb4b098..761b243 100644
--- a/media/libmedia/IEffect.cpp
+++ b/media/libmedia/IEffect.cpp
@@ -154,14 +154,14 @@ status_t BnEffect::onTransact(
uint32_t cmdSize = data.readInt32();
char *cmd = NULL;
if (cmdSize) {
- cmd = (char *)malloc(cmdSize);
+ cmd = (char *)calloc(cmdSize, 1);
data.read(cmd, cmdSize);
}
uint32_t replySize = data.readInt32();
uint32_t replySz = replySize;
char *resp = NULL;
if (replySize) {
- resp = (char *)malloc(replySize);
+ resp = (char *)calloc(replySize, 1);
}
status_t status = command(cmdCode, cmdSize, cmd, &replySz, resp);
reply->writeInt32(status);
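Review bot: Neither `calloc` result in this hunk is checked, so `data.read(cmd, cmdSize)` still runs on `cmd` after a failed allocation. Both `cmdSize` and `replySize` come straight from the parcel via `readInt32()`, so the sizes are caller-controlled. Add a NULL check after each allocation, e.g. `if (cmd == NULL) { reply->writeInt32(NO_MEMORY); return NO_ERROR; }`, making sure `cmd` is freed on the `resp` failure path. The status returned by `data.read` is also discarded here, and the same is true of `data.read(&endpoint, sizeof(struct sockaddr_in))` in the first IMediaPlayer.cpp hunk; zero-filling hides the uninitialised bytes but a short parcel is still processed as if it were complete. The rest of `onTransact` is outside the hunk.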
diff --git a/media/libmedia/IMediaPlayer.cpp b/media/libmedia/IMediaPlayer.cpp
index bde35f2..7387a79 100644
--- a/media/libmedia/IMediaPlayer.cpp
+++ b/media/libmedia/IMediaPlayer.cpp
@@ -653,6 +653,7 @@ status_t BnMediaPlayer::onTransact(
CHECK_INTERFACE(IMediaPlayer, data, reply);
struct sockaddr_in endpoint;
+ memset(&endpoint, 0, sizeof(endpoint));
int amt = data.readInt32();
if (amt == sizeof(endpoint)) {
data.read(&endpoint, sizeof(struct sockaddr_in));
@@ -667,6 +668,7 @@ status_t BnMediaPlayer::onTransact(
CHECK_INTERFACE(IMediaPlayer, data, reply);
struct sockaddr_in endpoint;
+ memset(&endpoint, 0, sizeof(endpoint));
status_t res = getRetransmitEndpoint(&endpoint);
reply->writeInt32(res);
diff --git a/media/libmediaplayerservice/nuplayer/NuPlayer.cpp b/media/libmediaplayerservice/nuplayer/NuPlayer.cpp
index 77b9799..c0146d5 100644
--- a/media/libmediaplayerservice/nuplayer/NuPlayer.cpp
+++ b/media/libmediaplayerservice/nuplayer/NuPlayer.cpp
@@ -1488,7 +1488,9 @@ void NuPlayer::determineAudioModeChange() {
}
status_t NuPlayer::instantiateDecoder(bool audio, sp<DecoderBase> *decoder) {
- if (*decoder != NULL) {
+ // The audio decoder could be cleared by tear down. If still in shut down
+ // process, no need to create a new audio decoder.
+ if (*decoder != NULL || (audio && mFlushingAudio == SHUT_DOWN)) {
return OK;
}
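Review bot: With the added `audio && mFlushingAudio == SHUT_DOWN` condition, `instantiateDecoder` can return `OK` while `*decoder` is still NULL, whereas the old early return only fired when a decoder already existed. Callers are outside this hunk, so it is worth confirming that none of them dereference the decoder after an `OK` result. I would extend the new comment to state the contract, e.g. `// Returns OK with *decoder left NULL in that case; callers must check.`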
diff --git a/media/libmediaplayerservice/nuplayer/NuPlayerRenderer.cpp b/media/libmediaplayerservice/nuplayer/NuPlayerRenderer.cpp
index 2e0d0d3..04a46f4 100644
--- a/media/libmediaplayerservice/nuplayer/NuPlayerRenderer.cpp
+++ b/media/libmediaplayerservice/nuplayer/NuPlayerRenderer.cpp
@@ -1469,7 +1469,10 @@ void NuPlayer::Renderer::onResume() {
if (mHasAudio) {
cancelAudioOffloadPauseTimeout();
- mAudioSink->start();
+ status_t err = mAudioSink->start();
+ if (err != OK) {
+ notifyAudioTearDown();
+ }
}
{
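Review bot: The failure branch added in `onResume()` discards the `err` value without logging it, so a tear-down triggered here leaves no record of why the sink failed to start. Log it before notifying, e.g. `ALOGE("cannot start AudioSink err %d", err);`. Execution also falls through to the block after the `if (mHasAudio)` body once `notifyAudioTearDown()` has been called; whether the remaining resume steps should run after a failed start is not visible in this hunk and should be confirmed.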
diff --git a/media/libstagefright/CameraSource.cpp b/media/libstagefright/CameraSource.cpp
index bc34bcf..66280da 100644
--- a/media/libstagefright/CameraSource.cpp
+++ b/media/libstagefright/CameraSource.cpp
@@ -881,13 +881,6 @@ void CameraSource::dataCallbackTimestamp(int64_t timestampUs,
return;
}
- if (mNumFramesReceived > 0) {
- CHECK(timestampUs > mLastFrameTimestampUs);
- if (timestampUs - mLastFrameTimestampUs > mGlitchDurationThresholdUs) {
- ++mNumGlitches;
- }
- }
-
// May need to skip frame or modify timestamp. Currently implemented
// by the subclass CameraSourceTimeLapse.
if (skipCurrentFrame(timestampUs)) {
@@ -895,6 +888,18 @@ void CameraSource::dataCallbackTimestamp(int64_t timestampUs,
return;
}
+ if (mNumFramesReceived > 0) {
+ if (timestampUs <= mLastFrameTimestampUs) {
+ ALOGW("Dropping frame with backward timestamp %lld (last %lld)",
+ (long long)timestampUs, (long long)mLastFrameTimestampUs);
+ releaseOneRecordingFrame(data);
+ return;
+ }
+ if (timestampUs - mLastFrameTimestampUs > mGlitchDurationThresholdUs) {
+ ++mNumGlitches;
+ }
+ }
+
mLastFrameTimestampUs = timestampUs;
if (mNumFramesReceived == 0) {
mFirstFrameTimeUs = timestampUs;
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index a2e8323..a76334f 100755
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -44,6 +44,10 @@
#include <byteswap.h>
#include "include/ID3.h"
+#ifndef UINT32_MAX
+#define UINT32_MAX (4294967295U)
+#endif
+
namespace android {
class MPEG4Source : public MediaSource {
@@ -3584,13 +3588,27 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationOffsets(
return ERROR_IO;
}
offset += 4;
+ if (entrycount == 0) {
+ return OK;
+ }
+ if (entrycount > UINT32_MAX / 8) {
+ return ERROR_MALFORMED;
+ }
if (entrycount > mCurrentSampleInfoOffsetsAllocSize) {
- mCurrentSampleInfoOffsets = (uint64_t*) realloc(mCurrentSampleInfoOffsets, entrycount * 8);
+ uint64_t *newPtr = (uint64_t *)realloc(mCurrentSampleInfoOffsets, entrycount * 8);
+ if (newPtr == NULL) {
+ return NO_MEMORY;
+ }
+ mCurrentSampleInfoOffsets = newPtr;
mCurrentSampleInfoOffsetsAllocSize = entrycount;
}
mCurrentSampleInfoOffsetCount = entrycount;
+ if (mCurrentSampleInfoOffsets == NULL) {
+ return OK;
+ }
+
for (size_t i = 0; i < entrycount; i++) {
if (version == 0) {
uint32_t tmp;
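Review bot: The two new early `return OK` paths leave the member state inconsistent. When `entrycount == 0` the function returns before `mCurrentSampleInfoOffsetCount = entrycount;`, so any count left from an earlier call stays in place. When `mCurrentSampleInfoOffsets == NULL` after that assignment, it returns `OK` with a non-zero count and no array behind it. Add `mCurrentSampleInfoOffsetCount = 0;` before each of those returns (or return `ERROR_MALFORMED` in the NULL case) so that code iterating by the count cannot index a stale or missing array. The parsing loop continues past the end of the hunk.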
diff --git a/media/libstagefright/OMXCodec.cpp b/media/libstagefright/OMXCodec.cpp
index 96aa808..b1dde80 100644
--- a/media/libstagefright/OMXCodec.cpp
+++ b/media/libstagefright/OMXCodec.cpp
@@ -1658,6 +1658,9 @@ status_t OMXCodec::allocateBuffersOnPort(OMX_U32 portIndex) {
def.nBufferCountActual, def.nBufferSize,
portIndex == kPortIndexInput ? "input" : "output");
+ if (def.nBufferSize != 0 && def.nBufferCountActual > SIZE_MAX / def.nBufferSize) {
+ return BAD_VALUE;
+ }
size_t totalSize = def.nBufferCountActual * def.nBufferSize;
mDealer[portIndex] = new MemoryDealer(totalSize, "OMXCodec");
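Review bot: The new guard compares against `SIZE_MAX`, but the product on the next line is computed in the operands' own type before it is widened to `size_t`. If `nBufferCountActual` and `nBufferSize` are 32-bit (as OMX_U32 fields normally are), then on a build where `size_t` is 64 bits the guard can never fire while the multiplication still wraps at 32 bits. Widen one operand so the check and the arithmetic agree: `size_t totalSize = (size_t)def.nBufferCountActual * def.nBufferSize;`. The rest of `allocateBuffersOnPort` is outside the hunk.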
diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp
index aeef99f..97dff43 100644
--- a/media/libstagefright/SampleTable.cpp
+++ b/media/libstagefright/SampleTable.cpp
@@ -27,6 +27,11 @@
#include <media/stagefright/DataSource.h>
#include <media/stagefright/Utils.h>
+/* TODO: remove after being merged into other branches */
+#ifndef UINT32_MAX
+#define UINT32_MAX (4294967295U)
+#endif
+
namespace android {
// static
@@ -284,6 +289,9 @@ status_t SampleTable::setSampleSizeParams(
mDefaultSampleSize = U32_AT(&header[4]);
mNumSampleSizes = U32_AT(&header[8]);
+ if (mNumSampleSizes > (UINT32_MAX - 12) / 16) {
+ return ERROR_MALFORMED;
+ }
if (type == kSampleSizeType32) {
mSampleSizeFieldSize = 32;
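Review bot: The bound `(UINT32_MAX - 12) / 16` carries two unexplained constants, and the arithmetic it protects is not in this hunk, so a reader cannot tell which later `mNumSampleSizes`-based computation it is sized for. Add a comment naming that computation, e.g. `// mNumSampleSizes * 16 + 12 must fit in 32 bits (used by <computation>)`. The early return also happens after `mDefaultSampleSize` and `mNumSampleSizes` have been stored, so the object keeps the rejected count; confirm that callers discard the table on `ERROR_MALFORMED`.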
@@ -507,7 +515,7 @@ int SampleTable::CompareIncreasingTime(const void *_a, const void *_b) {
void SampleTable::buildSampleEntriesTable() {
Mutex::Autolock autoLock(mLock);
- if (mSampleTimeEntries != NULL) {
+ if (mSampleTimeEntries != NULL || mNumSampleSizes == 0) {
return;
}
@@ -552,6 +560,10 @@ status_t SampleTable::findSampleAtTime(
uint32_t *sample_index, uint32_t flags) {
buildSampleEntriesTable();
+ if (mSampleTimeEntries == NULL) {
+ return ERROR_OUT_OF_RANGE;
+ }
+
uint32_t left = 0;
uint32_t right_plus_one = mNumSampleSizes;
while (left < right_plus_one) {
diff --git a/media/libstagefright/SkipCutBuffer.cpp b/media/libstagefright/SkipCutBuffer.cpp
index e2e6d79..1da1e5e 100644
--- a/media/libstagefright/SkipCutBuffer.cpp
+++ b/media/libstagefright/SkipCutBuffer.cpp
@@ -25,6 +25,13 @@
namespace android {
SkipCutBuffer::SkipCutBuffer(int32_t skip, int32_t cut) {
+
+ if (skip < 0 || cut < 0 || cut > 64 * 1024) {
+ ALOGW("out of range skip/cut: %d/%d, using passthrough instead", skip, cut);
+ skip = 0;
+ cut = 0;
+ }
+
mFrontPadding = mSkip = skip;
mBackPadding = cut;
mWriteHead = 0;
diff --git a/media/libstagefright/codecs/avc/enc/SoftAVCEncoder.cpp b/media/libstagefright/codecs/avc/enc/SoftAVCEncoder.cpp
index 928a74f..fa6ec40 100644
--- a/media/libstagefright/codecs/avc/enc/SoftAVCEncoder.cpp
+++ b/media/libstagefright/codecs/avc/enc/SoftAVCEncoder.cpp
@@ -244,6 +244,10 @@ OMX_ERRORTYPE SoftAVCEncoder::initEncParams() {
if (mColorFormat != OMX_COLOR_FormatYUV420Planar || mInputDataIsMeta) {
// Color conversion is needed.
free(mInputFrameData);
+ if (((uint64_t)mWidth * mHeight) > ((uint64_t)INT32_MAX / 3)) {
+ ALOGE("Buffer size is too big.");
+ return OMX_ErrorUndefined;
+ }
mInputFrameData =
(uint8_t *) malloc((mWidth * mHeight * 3 ) >> 1);
CHECK(mInputFrameData != NULL);
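Review bot: The new size check sits after `free(mInputFrameData)`, so the added `return OMX_ErrorUndefined` leaves `mInputFrameData` pointing at freed memory. If a later path frees or reuses that member (the release code is outside this hunk), the result is a double free or use-after-free. Move the check above the `free`, or add `mInputFrameData = NULL;` immediately after the `free` call.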
@@ -264,6 +268,10 @@ OMX_ERRORTYPE SoftAVCEncoder::initEncParams() {
int32_t nMacroBlocks = divUp(mWidth, 16) * divUp(mHeight, 16);
CHECK(mSliceGroup == NULL);
+ if ((size_t)nMacroBlocks > SIZE_MAX / sizeof(uint32_t)) {
+ ALOGE("requested memory size is too big.");
+ return OMX_ErrorUndefined;
+ }
mSliceGroup = (uint32_t *) malloc(sizeof(uint32_t) * nMacroBlocks);
CHECK(mSliceGroup != NULL);
for (int ii = 0, idx = 0; ii < nMacroBlocks; ++ii) {
diff --git a/media/libstagefright/codecs/avcenc/SoftAVCEnc.cpp b/media/libstagefright/codecs/avcenc/SoftAVCEnc.cpp
index 26568ab..6e55034 100644
--- a/media/libstagefright/codecs/avcenc/SoftAVCEnc.cpp
+++ b/media/libstagefright/codecs/avcenc/SoftAVCEnc.cpp
@@ -639,7 +639,7 @@ OMX_ERRORTYPE SoftAVC::initEncoder() {
free(mConversionBuffers[i]);
}
- if (((uint64_t)mStride * mHeight) > (((uint64_t)INT32_MAX / 3) * 2)) {
+ if (((uint64_t)mStride * mHeight) > ((uint64_t)INT32_MAX / 3)) {
ALOGE("Buffer size is too big.");
return OMX_ErrorUndefined;
}
diff --git a/media/libstagefright/codecs/m4v_h263/dec/src/pvdec_api.cpp b/media/libstagefright/codecs/m4v_h263/dec/src/pvdec_api.cpp
index af19bfe..c1720c6 100644
--- a/media/libstagefright/codecs/m4v_h263/dec/src/pvdec_api.cpp
+++ b/media/libstagefright/codecs/m4v_h263/dec/src/pvdec_api.cpp
@@ -19,6 +19,14 @@
#include "vlc_decode.h"
#include "bitstream.h"
+#ifndef INT32_MAX
+#define INT32_MAX 0x7fffffff
+#endif
+
+#ifndef SIZE_MAX
+#define SIZE_MAX ((size_t) -1)
+#endif
+
#define OSCL_DISABLE_WARNING_CONDITIONAL_IS_CONSTANT
#ifdef DEC_INTERNAL_MEMORY_OPT
@@ -335,7 +343,7 @@ Bool PVAllocVideoData(VideoDecControls *decCtrl, int width, int height, int nLay
video->prevVop->uChan = video->prevVop->yChan + size;
video->prevVop->vChan = video->prevVop->uChan + (size >> 2);
#else
- if (size > INT32_MAX / 3 * 2) {
+ if (size > INT32_MAX / 3) {
return PV_FALSE;
}
video->currVop->yChan = (PIXEL *) oscl_malloc(size * 3 / 2); /* Allocate memory for all VOP OKA 3/2/1*/
@@ -365,7 +373,7 @@ Bool PVAllocVideoData(VideoDecControls *decCtrl, int width, int height, int nLay
{
oscl_memset(video->prevEnhcVop, 0, sizeof(Vop));
#ifndef PV_MEMORY_POOL
- if (size > INT32_MAX / 3 * 2) {
+ if (size > INT32_MAX / 3) {
return PV_FALSE;
}
diff --git a/media/libstagefright/codecs/m4v_h263/enc/src/mp4enc_api.cpp b/media/libstagefright/codecs/m4v_h263/enc/src/mp4enc_api.cpp
index da27377..c2b7c8d 100644
--- a/media/libstagefright/codecs/m4v_h263/enc/src/mp4enc_api.cpp
+++ b/media/libstagefright/codecs/m4v_h263/enc/src/mp4enc_api.cpp
@@ -21,6 +21,13 @@
#include "rate_control.h"
#include "m4venc_oscl.h"
+#ifndef INT32_MAX
+#define INT32_MAX 0x7fffffff
+#endif
+
+#ifndef SIZE_MAX
+#define SIZE_MAX ((size_t) -1)
+#endif
/* Inverse normal zigzag */
const static Int zigzag_i[NCOEFF_BLOCK] =
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index 29bc9e0..00f87aa 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -349,7 +349,7 @@ bool ID3::removeUnsynchronizationV2_4(bool iTunesHack) {
if (flags & 1) {
// Strip data length indicator
- if (mSize < 14 || mSize - 14 < offset) {
+ if (mSize < 14 || mSize - 14 < offset || dataSize < 4) {
return false;
}
memmove(&mData[offset + 10], &mData[offset + 14], mSize - offset - 14);
@@ -641,6 +641,11 @@ void ID3::Iterator::findFrame() {
}
mFrameSize += 6; // add tag id and size field
+ // Prevent integer overflow in validation
+ if (SIZE_MAX - mOffset <= mFrameSize) {
+ return;
+ }
+
if (mOffset + mFrameSize > mParent.mSize) {
ALOGV("partial frame at offset %zu (size = %zu, bytes-remaining = %zu)",
mOffset, mFrameSize, mParent.mSize - mOffset - (size_t)6);
@@ -670,7 +675,7 @@ void ID3::Iterator::findFrame() {
return;
}
- size_t baseSize;
+ size_t baseSize = 0;
if (mParent.mVersion == ID3_V2_4) {
if (!ParseSyncsafeInteger(
&mParent.mData[mOffset + 4], &baseSize)) {
@@ -684,8 +689,18 @@ void ID3::Iterator::findFrame() {
return;
}
+ // Prevent integer overflow when adding
+ if (SIZE_MAX - 10 <= baseSize) {
+ return;
+ }
+
mFrameSize = 10 + baseSize; // add tag id, size field and flags
+ // Prevent integer overflow in validation
+ if (SIZE_MAX - mOffset <= mFrameSize) {
+ return;
+ }
+
if (mOffset + mFrameSize > mParent.mSize) {
ALOGV("partial frame at offset %zu (size = %zu, bytes-remaining = %zu)",
mOffset, mFrameSize, mParent.mSize - mOffset - (size_t)10);
diff --git a/media/libstagefright/include/SampleTable.h b/media/libstagefright/include/SampleTable.h
index d06df7b..460492b 100644
--- a/media/libstagefright/include/SampleTable.h
+++ b/media/libstagefright/include/SampleTable.h
@@ -142,8 +142,9 @@ private:
// normally we don't round
inline uint64_t getSampleTime(
size_t sample_index, uint64_t scale_num, uint64_t scale_den) const {
- return (mSampleTimeEntries[sample_index].mCompositionTime
- * scale_num) / scale_den;
+ return (sample_index < (size_t)mNumSampleSizes && mSampleTimeEntries != NULL
+ && scale_den != 0)
+ ? (mSampleTimeEntries[sample_index].mCompositionTime * scale_num) / scale_den : 0;
}
status_t getSampleSize_l(uint32_t sample_index, size_t *sample_size);
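Review bot: `getSampleTime` now returns 0 for an out-of-range index, a missing table or a zero `scale_den`, and 0 is also a valid sample time, so callers cannot tell a failure from a real timestamp. The comment above the function still only says `// normally we don't round`; document the sentinel, e.g. `// Returns 0 if sample_index is out of range, the table is not built, or scale_den == 0.` The three-line conditional expression would also read more clearly as a guard `if (...) return 0;` followed by the original return statement.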
diff --git a/media/libstagefright/rtsp/AMPEG4AudioAssembler.cpp b/media/libstagefright/rtsp/AMPEG4AudioAssembler.cpp
index 1f76068..a1a6576 100644
--- a/media/libstagefright/rtsp/AMPEG4AudioAssembler.cpp
+++ b/media/libstagefright/rtsp/AMPEG4AudioAssembler.cpp
@@ -404,8 +404,9 @@ sp<ABuffer> AMPEG4AudioAssembler::removeLATMFraming(const sp<ABuffer> &buffer) {
break;
}
}
-
- CHECK_LE(offset + payloadLength, buffer->size());
+
+ CHECK_LT(offset, buffer->size());
+ CHECK_LE(payloadLength, buffer->size() - offset);
memcpy(out->data() + out->size(), &ptr[offset], payloadLength);
out->setRange(0, out->size() + payloadLength);
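Review bot: Both new bounds checks are `CHECK_*` macros, which abort the process, and `offset` and `payloadLength` are presumably derived from the received packet data. A malformed stream therefore no longer reaches an out-of-bounds `memcpy`, but it still takes the process down. The CameraSource.cpp change in this same commit replaces a `CHECK` with a logged drop; the same treatment here (log and stop processing this buffer) would avoid the crash, provided the caller of `removeLATMFraming` tolerates a short result. `CHECK_LT(offset, buffer->size())` also rejects `offset == buffer->size()` with `payloadLength == 0`, which the old `CHECK_LE` accepted; confirm that is intended.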