From 295c883fe3105b19bcd0f9e07d54c6b589fc5bff Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Mon, 29 Feb 2016 12:47:20 -0800 Subject: DO NOT MERGE Verify OMX buffer sizes prior to access Bug: 27207275 Change-Id: I4412825d1ee233d993af0a67708bea54304ff62d --- media/libstagefright/codecs/aacdec/SoftAAC2.cpp | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) (limited to 'media/libstagefright/codecs/aacdec/SoftAAC2.cpp') diff --git a/media/libstagefright/codecs/aacdec/SoftAAC2.cpp b/media/libstagefright/codecs/aacdec/SoftAAC2.cpp index 965c55e..520ecb4 100644 --- a/media/libstagefright/codecs/aacdec/SoftAAC2.cpp +++ b/media/libstagefright/codecs/aacdec/SoftAAC2.cpp @@ -209,6 +209,10 @@ OMX_ERRORTYPE SoftAAC2::internalGetParameter( OMX_AUDIO_PARAM_AACPROFILETYPE *aacParams = (OMX_AUDIO_PARAM_AACPROFILETYPE *)params; + if (!isValidOMXParam(aacParams)) { + return OMX_ErrorBadParameter; + } + if (aacParams->nPortIndex != 0) { return OMX_ErrorUndefined; } @@ -244,6 +248,10 @@ OMX_ERRORTYPE SoftAAC2::internalGetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -284,6 +292,10 @@ OMX_ERRORTYPE SoftAAC2::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (strncmp((const char *)roleParams->cRole, "audio_decoder.aac", OMX_MAX_STRINGNAME_SIZE - 1)) { @@ -298,6 +310,10 @@ OMX_ERRORTYPE SoftAAC2::internalSetParameter( const OMX_AUDIO_PARAM_AACPROFILETYPE *aacParams = (const OMX_AUDIO_PARAM_AACPROFILETYPE *)params; + if (!isValidOMXParam(aacParams)) { + return OMX_ErrorBadParameter; + } + if (aacParams->nPortIndex != 0) { return OMX_ErrorUndefined; } @@ -318,6 +334,11 @@ OMX_ERRORTYPE SoftAAC2::internalSetParameter( { const OMX_AUDIO_PARAM_ANDROID_AACPRESENTATIONTYPE *aacPresParams = (const OMX_AUDIO_PARAM_ANDROID_AACPRESENTATIONTYPE *)params; + + if (!isValidOMXParam(aacPresParams)) { + return OMX_ErrorBadParameter; + } + // for the following parameters of the OMX_AUDIO_PARAM_AACPROFILETYPE structure, // a value of -1 implies the parameter is not set by the application: // nMaxOutputChannels uses default platform properties, see configureDownmix() @@ -384,6 +405,10 @@ OMX_ERRORTYPE SoftAAC2::internalSetParameter( const OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 1) { return OMX_ErrorUndefined; } -- cgit v1.1 From 8e438e153f661e9df8db0ac41d587e940352df06 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Wed, 8 Jun 2016 14:31:42 -0700 Subject: SoftAAC2: fix crash on all-zero adts buffer Bug: 29153599 Change-Id: I1cb81c054098b86cf24f024f8479909ca7bc85a6 --- media/libstagefright/codecs/aacdec/SoftAAC2.cpp | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) (limited to 'media/libstagefright/codecs/aacdec/SoftAAC2.cpp') diff --git a/media/libstagefright/codecs/aacdec/SoftAAC2.cpp b/media/libstagefright/codecs/aacdec/SoftAAC2.cpp index 520ecb4..8ddff90 100644 --- a/media/libstagefright/codecs/aacdec/SoftAAC2.cpp +++ b/media/libstagefright/codecs/aacdec/SoftAAC2.cpp @@ -625,12 +625,15 @@ void SoftAAC2::onQueueFilled(OMX_U32 /* portIndex */) { signalError = true; } else { adtsHeaderSize = (protectionAbsent ? 7 : 9); - - inBuffer[0] = (UCHAR *)adtsHeader + adtsHeaderSize; - inBufferLength[0] = aac_frame_length - adtsHeaderSize; - - inHeader->nOffset += adtsHeaderSize; - inHeader->nFilledLen -= adtsHeaderSize; + if (aac_frame_length < adtsHeaderSize) { + signalError = true; + } else { + inBuffer[0] = (UCHAR *)adtsHeader + adtsHeaderSize; + inBufferLength[0] = aac_frame_length - adtsHeaderSize; + + inHeader->nOffset += adtsHeaderSize; + inHeader->nFilledLen -= adtsHeaderSize; + } } } -- cgit v1.1