From 590d1729883f700ab905cdc9ad850f3ddd7e1f56 Mon Sep 17 00:00:00 2001
From: Marco Nelissen <marcone@google.com>
Date: Tue, 7 Jun 2016 15:48:07 -0700
Subject: Fix potential overflow

Bug: 28533562
Change-Id: I798ab24caa4c81f3ba564cad7c9ee019284fb702
---
 media/libstagefright/codecs/on2/h264dec/source/h264bsd_dpb.c | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'media/libstagefright/codecs')

diff --git a/media/libstagefright/codecs/on2/h264dec/source/h264bsd_dpb.c b/media/libstagefright/codecs/on2/h264dec/source/h264bsd_dpb.c
index 9517d0a..799bd16 100644
--- a/media/libstagefright/codecs/on2/h264dec/source/h264bsd_dpb.c
+++ b/media/libstagefright/codecs/on2/h264dec/source/h264bsd_dpb.c
@@ -60,6 +60,7 @@
 #include "h264bsd_util.h"
 #include "basetype.h"
 
+#include <log/log.h>
 /*------------------------------------------------------------------------------
     2. External compiler flags
 --------------------------------------------------------------------------------
@@ -998,6 +999,13 @@ u32 h264bsdInitDpb(
     ASSERT(maxFrameNum);
     ASSERT(dpbSize);
 
+    // see comment in loop below about size calculation
+    if (picSizeInMbs > (UINT32_MAX - 32 - 15) / 384) {
+        ALOGE("b/28533562");
+        android_errorWriteLog(0x534e4554, "28533562");
+        return(MEMORY_ALLOCATION_ERROR);
+    }
+
     dpb->maxLongTermFrameIdx = NO_LONG_TERM_FRAME_INDICES;
     dpb->maxRefFrames        = MAX(maxRefFrames, 1);
     if (noReordering)
-- 
cgit v1.1


From 8e438e153f661e9df8db0ac41d587e940352df06 Mon Sep 17 00:00:00 2001
From: Marco Nelissen <marcone@google.com>
Date: Wed, 8 Jun 2016 14:31:42 -0700
Subject: SoftAAC2: fix crash on all-zero adts buffer

Bug: 29153599
Change-Id: I1cb81c054098b86cf24f024f8479909ca7bc85a6
---
 media/libstagefright/codecs/aacdec/SoftAAC2.cpp | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

(limited to 'media/libstagefright/codecs')

diff --git a/media/libstagefright/codecs/aacdec/SoftAAC2.cpp b/media/libstagefright/codecs/aacdec/SoftAAC2.cpp
index 520ecb4..8ddff90 100644
--- a/media/libstagefright/codecs/aacdec/SoftAAC2.cpp
+++ b/media/libstagefright/codecs/aacdec/SoftAAC2.cpp
@@ -625,12 +625,15 @@ void SoftAAC2::onQueueFilled(OMX_U32 /* portIndex */) {
                         signalError = true;
                     } else {
                         adtsHeaderSize = (protectionAbsent ? 7 : 9);
-
-                        inBuffer[0] = (UCHAR *)adtsHeader + adtsHeaderSize;
-                        inBufferLength[0] = aac_frame_length - adtsHeaderSize;
-
-                        inHeader->nOffset += adtsHeaderSize;
-                        inHeader->nFilledLen -= adtsHeaderSize;
+                        if (aac_frame_length < adtsHeaderSize) {
+                            signalError = true;
+                        } else {
+                            inBuffer[0] = (UCHAR *)adtsHeader + adtsHeaderSize;
+                            inBufferLength[0] = aac_frame_length - adtsHeaderSize;
+
+                            inHeader->nOffset += adtsHeaderSize;
+                            inHeader->nFilledLen -= adtsHeaderSize;
+                        }
                     }
                 }
 
-- 
cgit v1.1


From a4567c66f4764442c6cb7b5c1858810194480fb5 Mon Sep 17 00:00:00 2001
From: Harish Mahendrakar <harish.mahendrakar@ittiam.com>
Date: Mon, 12 Oct 2015 19:24:18 +0530
Subject: SoftHEVC: Exit gracefully in case of decoder errors

Exit for error in allocation and unsupported resolutions

Bug: 28816956

Change-Id: Ieb830bedeb3a7431d1d21a024927df630f7eda1e
---
 media/libstagefright/codecs/hevcdec/SoftHEVC.cpp | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

(limited to 'media/libstagefright/codecs')

diff --git a/media/libstagefright/codecs/hevcdec/SoftHEVC.cpp b/media/libstagefright/codecs/hevcdec/SoftHEVC.cpp
index a70755c..1dac868 100644
--- a/media/libstagefright/codecs/hevcdec/SoftHEVC.cpp
+++ b/media/libstagefright/codecs/hevcdec/SoftHEVC.cpp
@@ -444,6 +444,9 @@ void SoftHEVC::onQueueFilled(OMX_U32 portIndex) {
 
     if (NULL == mCodecCtx) {
         if (OK != initDecoder()) {
+            ALOGE("Failed to initialize decoder");
+            notify(OMX_EventError, OMX_ErrorUnsupportedSetting, 0, NULL);
+            mSignalledError = true;
             return;
         }
     }
@@ -540,6 +543,25 @@ void SoftHEVC::onQueueFilled(OMX_U32 portIndex) {
             IV_API_CALL_STATUS_T status;
             status = ivdec_api_function(mCodecCtx, (void *)&s_dec_ip, (void *)&s_dec_op);
 
+            bool unsupportedResolution =
+                (IVD_STREAM_WIDTH_HEIGHT_NOT_SUPPORTED == (s_dec_op.u4_error_code & 0xFF));
+
+            /* Check for unsupported dimensions */
+            if (unsupportedResolution) {
+                ALOGE("Unsupported resolution : %dx%d", mWidth, mHeight);
+                notify(OMX_EventError, OMX_ErrorUnsupportedSetting, 0, NULL);
+                mSignalledError = true;
+                return;
+            }
+
+            bool allocationFailed = (IVD_MEM_ALLOC_FAILED == (s_dec_op.u4_error_code & 0xFF));
+            if (allocationFailed) {
+                ALOGE("Allocation failure in decoder");
+                notify(OMX_EventError, OMX_ErrorUnsupportedSetting, 0, NULL);
+                mSignalledError = true;
+                return;
+            }
+
             bool resChanged = (IVD_RES_CHANGED == (s_dec_op.u4_error_code & 0xFF));
 
             GETTIME(&mTimeEnd, NULL);
-- 
cgit v1.1