From 44749eb4f273f0eb681d0fa013e3beef754fa687 Mon Sep 17 00:00:00 2001 From: Wei Jia Date: Thu, 17 Mar 2016 11:15:02 -0700 Subject: SoftAMR: check output buffer size to avoid overflow. Bug: 27662364 Change-Id: I7b26892c41d6f2e690e77478ab855c2fed1ff6b0 --- media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp') diff --git a/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp b/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp index a9723ea..bcf6a62 100644 --- a/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp +++ b/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp @@ -312,6 +312,15 @@ void SoftAMR::onQueueFilled(OMX_U32 /* portIndex */) { int32_t numBytesRead; if (mMode == MODE_NARROW) { + if (outHeader->nAllocLen < kNumSamplesPerFrameNB * sizeof(int16_t)) { + ALOGE("b/27662364: NB expected output buffer %zu bytes vs %u", + kNumSamplesPerFrameNB * sizeof(int16_t), outHeader->nAllocLen); + android_errorWriteLog(0x534e4554, "27662364"); + notify(OMX_EventError, OMX_ErrorOverflow, 0, NULL); + mSignalledError = true; + return; + } + numBytesRead = AMRDecode(mState, (Frame_Type_3GPP)((inputPtr[0] >> 3) & 0x0f), @@ -339,6 +348,15 @@ void SoftAMR::onQueueFilled(OMX_U32 /* portIndex */) { return; } } else { + if (outHeader->nAllocLen < kNumSamplesPerFrameWB * sizeof(int16_t)) { + ALOGE("b/27662364: WB expected output buffer %zu bytes vs %u", + kNumSamplesPerFrameWB * sizeof(int16_t), outHeader->nAllocLen); + android_errorWriteLog(0x534e4554, "27662364"); + notify(OMX_EventError, OMX_ErrorOverflow, 0, NULL); + mSignalledError = true; + return; + } + int16 mode = ((inputPtr[0] >> 3) & 0x0f); if (mode >= 10 && mode <= 13) { -- cgit v1.1 From 65756b4082cd79a2d99b2ccb5b392291fd53703f Mon Sep 17 00:00:00 2001 From: Wei Jia Date: Fri, 18 Mar 2016 18:17:14 -0700 Subject: SoftAMR: check input buffer size to avoid overflow. Bug: 27662364 Change-Id: I47380545ea7d85845e141e722b0d84f498d27145 --- media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp | 25 ++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) (limited to 'media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp') diff --git a/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp b/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp index bcf6a62..77c3742 100644 --- a/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp +++ b/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp @@ -286,6 +286,13 @@ void SoftAMR::onQueueFilled(OMX_U32 /* portIndex */) { BufferInfo *inInfo = *inQueue.begin(); OMX_BUFFERHEADERTYPE *inHeader = inInfo->mHeader; + if (inHeader->nFilledLen == 0) { + inInfo->mOwnedByUs = false; + inQueue.erase(inQueue.begin()); + notifyEmptyBufferDone(inHeader); + continue; + } + BufferInfo *outInfo = *outQueue.begin(); OMX_BUFFERHEADERTYPE *outHeader = outInfo->mHeader; @@ -321,6 +328,17 @@ void SoftAMR::onQueueFilled(OMX_U32 /* portIndex */) { return; } + int16 mode = ((inputPtr[0] >> 3) & 0x0f); + // for WMF since MIME_IETF is used when calling AMRDecode. + size_t frameSize = WmfDecBytesPerFrame[mode] + 1; + + if (inHeader->nFilledLen < frameSize) { + ALOGE("b/27662364: expected %zu bytes vs %u", frameSize, inHeader->nFilledLen); + notify(OMX_EventError, OMX_ErrorStreamCorrupt, 0, NULL); + mSignalledError = true; + return; + } + numBytesRead = AMRDecode(mState, (Frame_Type_3GPP)((inputPtr[0] >> 3) & 0x0f), @@ -370,7 +388,12 @@ void SoftAMR::onQueueFilled(OMX_U32 /* portIndex */) { } size_t frameSize = getFrameSize(mode); - CHECK_GE(inHeader->nFilledLen, frameSize); + if (inHeader->nFilledLen < frameSize) { + ALOGE("b/27662364: expected %zu bytes vs %u", frameSize, inHeader->nFilledLen); + notify(OMX_EventError, OMX_ErrorStreamCorrupt, 0, NULL); + mSignalledError = true; + return; + } int16_t *outPtr = (int16_t *)outHeader->pBuffer; -- cgit v1.1 From daa85dac2055b22dabbb3b4e537597e6ab73a866 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Fri, 25 Mar 2016 08:26:18 -0700 Subject: Fix AMR decoder Previous change caused EOS to be ignored. Bug: 27843673 Related-to-bug: 27662364 Change-Id: Ia148a88abc861a9b393f42bc7cd63d8d3ae349bc --- media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp') diff --git a/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp b/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp index 77c3742..955309a 100644 --- a/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp +++ b/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp @@ -286,13 +286,6 @@ void SoftAMR::onQueueFilled(OMX_U32 /* portIndex */) { BufferInfo *inInfo = *inQueue.begin(); OMX_BUFFERHEADERTYPE *inHeader = inInfo->mHeader; - if (inHeader->nFilledLen == 0) { - inInfo->mOwnedByUs = false; - inQueue.erase(inQueue.begin()); - notifyEmptyBufferDone(inHeader); - continue; - } - BufferInfo *outInfo = *outQueue.begin(); OMX_BUFFERHEADERTYPE *outHeader = outInfo->mHeader; @@ -310,6 +303,13 @@ void SoftAMR::onQueueFilled(OMX_U32 /* portIndex */) { return; } + if (inHeader->nFilledLen == 0) { + inInfo->mOwnedByUs = false; + inQueue.erase(inQueue.begin()); + notifyEmptyBufferDone(inHeader); + continue; + } + if (inHeader->nOffset == 0) { mAnchorTimeUs = inHeader->nTimeStamp; mNumSamplesOutput = 0; -- cgit v1.1 From 295c883fe3105b19bcd0f9e07d54c6b589fc5bff Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Mon, 29 Feb 2016 12:47:20 -0800 Subject: DO NOT MERGE Verify OMX buffer sizes prior to access Bug: 27207275 Change-Id: I4412825d1ee233d993af0a67708bea54304ff62d --- media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp') diff --git a/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp b/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp index 955309a..edf648d 100644 --- a/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp +++ b/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp @@ -148,6 +148,10 @@ OMX_ERRORTYPE SoftAMR::internalGetParameter( OMX_AUDIO_PARAM_AMRTYPE *amrParams = (OMX_AUDIO_PARAM_AMRTYPE *)params; + if (!isValidOMXParam(amrParams)) { + return OMX_ErrorBadParameter; + } + if (amrParams->nPortIndex != 0) { return OMX_ErrorUndefined; } @@ -174,6 +178,10 @@ OMX_ERRORTYPE SoftAMR::internalGetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -207,6 +215,10 @@ OMX_ERRORTYPE SoftAMR::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (mMode == MODE_NARROW) { if (strncmp((const char *)roleParams->cRole, "audio_decoder.amrnb", @@ -229,6 +241,10 @@ OMX_ERRORTYPE SoftAMR::internalSetParameter( const OMX_AUDIO_PARAM_AMRTYPE *aacParams = (const OMX_AUDIO_PARAM_AMRTYPE *)params; + if (!isValidOMXParam(aacParams)) { + return OMX_ErrorBadParameter; + } + if (aacParams->nPortIndex != 0) { return OMX_ErrorUndefined; } @@ -241,6 +257,10 @@ OMX_ERRORTYPE SoftAMR::internalSetParameter( const OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 1) { return OMX_ErrorUndefined; } -- cgit v1.1