From 9871fae25b351268e359682e6c149acbf47620c1 Mon Sep 17 00:00:00 2001 From: Robert Shih Date: Mon, 27 Jun 2016 13:55:14 -0700 Subject: SoftMP3: memset safely Bug: 29422022 Change-Id: I70c9e33269d16bf8c163815706ac24e18e34fe97 --- media/libstagefright/codecs/mp3dec/SoftMP3.cpp | 22 ++++++++++++++++++---- media/libstagefright/codecs/mp3dec/SoftMP3.h | 1 + 2 files changed, 19 insertions(+), 4 deletions(-) (limited to 'media/libstagefright/codecs') diff --git a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp index aa946e6..daef471 100644 --- a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp +++ b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp @@ -120,6 +120,17 @@ void SoftMP3::initDecoder() { mIsFirst = true; } +void *SoftMP3::memsetSafe(OMX_BUFFERHEADERTYPE *outHeader, int c, size_t len) { + if (len > outHeader->nAllocLen) { + ALOGE("memset buffer too small: got %lu, expected %zu", outHeader->nAllocLen, len); + android_errorWriteLog(0x534e4554, "29422022"); + notify(OMX_EventError, OMX_ErrorUndefined, OUTPUT_BUFFER_TOO_SMALL, NULL); + mSignalledError = true; + return NULL; + } + return memset(outHeader->pBuffer, c, len); +} + OMX_ERRORTYPE SoftMP3::internalGetParameter( OMX_INDEXTYPE index, OMX_PTR params) { switch (index) { @@ -300,7 +311,10 @@ void SoftMP3::onQueueFilled(OMX_U32 /* portIndex */) { outHeader->nOffset = 0; outHeader->nFilledLen = kPVMP3DecoderDelay * mNumChannels * sizeof(int16_t); - memset(outHeader->pBuffer, 0, outHeader->nFilledLen); + if (!memsetSafe(outHeader, 0, outHeader->nFilledLen)) { + return; + } + } outHeader->nFlags = OMX_BUFFERFLAG_EOS; mSignalledOutputEos = true; @@ -312,9 +326,9 @@ void SoftMP3::onQueueFilled(OMX_U32 /* portIndex */) { // if mIsFirst is true as we may not have a valid // mConfig->samplingRate and mConfig->num_channels? ALOGV_IF(mIsFirst, "insufficient data for first frame, sending silence"); - memset(outHeader->pBuffer, - 0, - mConfig->outputFrameSize * sizeof(int16_t)); + if (!memsetSafe(outHeader, 0, mConfig->outputFrameSize * sizeof(int16_t))) { + return; + } if (inHeader) { mConfig->inputBufferUsedLength = inHeader->nFilledLen; diff --git a/media/libstagefright/codecs/mp3dec/SoftMP3.h b/media/libstagefright/codecs/mp3dec/SoftMP3.h index f9e7b53..3bfa6c7 100644 --- a/media/libstagefright/codecs/mp3dec/SoftMP3.h +++ b/media/libstagefright/codecs/mp3dec/SoftMP3.h @@ -72,6 +72,7 @@ private: void initPorts(); void initDecoder(); + void *memsetSafe(OMX_BUFFERHEADERTYPE *outHeader, int c, size_t len); DISALLOW_EVIL_CONSTRUCTORS(SoftMP3); }; -- cgit v1.1 From ee44d7cdbdea9a8a67e967b3bc05f0cd409ae2b1 Mon Sep 17 00:00:00 2001 From: Robert Shih Date: Fri, 24 Jun 2016 12:37:45 -0700 Subject: SoftVPX: fix nFilledLen overflow Bug: 29421675 Change-Id: I25d4cf54a5df22c2130c37e95c7c7f75063111f3 --- media/libstagefright/codecs/on2/dec/SoftVPX.cpp | 22 +++++++++++++++++++--- media/libstagefright/codecs/on2/dec/SoftVPX.h | 1 + 2 files changed, 20 insertions(+), 3 deletions(-) (limited to 'media/libstagefright/codecs') diff --git a/media/libstagefright/codecs/on2/dec/SoftVPX.cpp b/media/libstagefright/codecs/on2/dec/SoftVPX.cpp index 02e85a1..58a2660 100644 --- a/media/libstagefright/codecs/on2/dec/SoftVPX.cpp +++ b/media/libstagefright/codecs/on2/dec/SoftVPX.cpp @@ -149,7 +149,7 @@ bool SoftVPX::outputBuffers(bool flushDecoder, bool display, bool eos, bool *por outHeader->nFlags = 0; outHeader->nFilledLen = (outputBufferWidth() * outputBufferHeight() * 3) / 2; outHeader->nTimeStamp = *(OMX_TICKS *)mImg->user_priv; - if (outHeader->nAllocLen >= outHeader->nFilledLen) { + if (outputBufferSafe(outHeader)) { uint8_t *dst = outHeader->pBuffer; const uint8_t *srcY = (const uint8_t *)mImg->planes[VPX_PLANE_Y]; const uint8_t *srcU = (const uint8_t *)mImg->planes[VPX_PLANE_U]; @@ -159,8 +159,6 @@ bool SoftVPX::outputBuffers(bool flushDecoder, bool display, bool eos, bool *por size_t srcVStride = mImg->stride[VPX_PLANE_V]; copyYV12FrameToOutputBuffer(dst, srcY, srcU, srcV, srcYStride, srcUStride, srcVStride); } else { - ALOGE("b/27597103, buffer too small"); - android_errorWriteLog(0x534e4554, "27597103"); outHeader->nFilledLen = 0; } @@ -190,6 +188,24 @@ bool SoftVPX::outputBuffers(bool flushDecoder, bool display, bool eos, bool *por return true; } +bool SoftVPX::outputBufferSafe(OMX_BUFFERHEADERTYPE *outHeader) { + uint32_t width = outputBufferWidth(); + uint32_t height = outputBufferHeight(); + uint64_t nFilledLen = width; + nFilledLen *= height; + if (nFilledLen > UINT32_MAX / 3) { + ALOGE("b/29421675, nFilledLen overflow %llu w %u h %u", nFilledLen, width, height); + android_errorWriteLog(0x534e4554, "29421675"); + return false; + } else if (outHeader->nAllocLen < outHeader->nFilledLen) { + ALOGE("b/27597103, buffer too small"); + android_errorWriteLog(0x534e4554, "27597103"); + return false; + } + + return true; +} + void SoftVPX::onQueueFilled(OMX_U32 /* portIndex */) { if (mOutputPortSettingsChange != NONE || mEOSStatus == OUTPUT_FRAMES_FLUSHED) { return; diff --git a/media/libstagefright/codecs/on2/dec/SoftVPX.h b/media/libstagefright/codecs/on2/dec/SoftVPX.h index 8ccbae2..84cf79c 100644 --- a/media/libstagefright/codecs/on2/dec/SoftVPX.h +++ b/media/libstagefright/codecs/on2/dec/SoftVPX.h @@ -66,6 +66,7 @@ private: status_t initDecoder(); status_t destroyDecoder(); bool outputBuffers(bool flushDecoder, bool display, bool eos, bool *portWillReset); + bool outputBufferSafe(OMX_BUFFERHEADERTYPE *outHeader); DISALLOW_EVIL_CONSTRUCTORS(SoftVPX); }; -- cgit v1.1 From 50643aadeb8dfe53da7848a5d5e995d5486678e1 Mon Sep 17 00:00:00 2001 From: Lajos Molnar Date: Wed, 13 Jul 2016 20:27:32 -0700 Subject: fix build Change-Id: I9bb8c659d3fc97a8e748451d82d0f3448faa242b --- media/libstagefright/codecs/on2/dec/SoftVPX.cpp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'media/libstagefright/codecs') diff --git a/media/libstagefright/codecs/on2/dec/SoftVPX.cpp b/media/libstagefright/codecs/on2/dec/SoftVPX.cpp index 58a2660..912fac2 100644 --- a/media/libstagefright/codecs/on2/dec/SoftVPX.cpp +++ b/media/libstagefright/codecs/on2/dec/SoftVPX.cpp @@ -194,7 +194,8 @@ bool SoftVPX::outputBufferSafe(OMX_BUFFERHEADERTYPE *outHeader) { uint64_t nFilledLen = width; nFilledLen *= height; if (nFilledLen > UINT32_MAX / 3) { - ALOGE("b/29421675, nFilledLen overflow %llu w %u h %u", nFilledLen, width, height); + ALOGE("b/29421675, nFilledLen overflow %llu w %u h %u", + (unsigned long long)nFilledLen, width, height); android_errorWriteLog(0x534e4554, "29421675"); return false; } else if (outHeader->nAllocLen < outHeader->nFilledLen) { -- cgit v1.1 From ae1810fab90cd6ec19d4f0386b80aa0391882fba Mon Sep 17 00:00:00 2001 From: Robert Shih Date: Thu, 14 Jul 2016 12:37:52 -0700 Subject: Fix build Change-Id: I96a9c437eec53a285ac96794cc1ad0c8954b27e0 --- media/libstagefright/codecs/mp3dec/SoftMP3.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'media/libstagefright/codecs') diff --git a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp index daef471..54fe622 100644 --- a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp +++ b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp @@ -122,7 +122,7 @@ void SoftMP3::initDecoder() { void *SoftMP3::memsetSafe(OMX_BUFFERHEADERTYPE *outHeader, int c, size_t len) { if (len > outHeader->nAllocLen) { - ALOGE("memset buffer too small: got %lu, expected %zu", outHeader->nAllocLen, len); + ALOGE("memset buffer too small: got %lu, expected %zu", (unsigned long)outHeader->nAllocLen, len); android_errorWriteLog(0x534e4554, "29422022"); notify(OMX_EventError, OMX_ErrorUndefined, OUTPUT_BUFFER_TOO_SMALL, NULL); mSignalledError = true; -- cgit v1.1 From d67bab69a322990aa386dad608ad2a823ef21578 Mon Sep 17 00:00:00 2001 From: Robert Shih Date: Thu, 14 Jul 2016 13:50:32 -0700 Subject: Fix build Change-Id: I48ba34b3df9c9a896d4b18c3f48e41744b7dab54 --- media/libstagefright/codecs/mp3dec/SoftMP3.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'media/libstagefright/codecs') diff --git a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp index 54fe622..9f7dd59 100644 --- a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp +++ b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp @@ -122,7 +122,7 @@ void SoftMP3::initDecoder() { void *SoftMP3::memsetSafe(OMX_BUFFERHEADERTYPE *outHeader, int c, size_t len) { if (len > outHeader->nAllocLen) { - ALOGE("memset buffer too small: got %lu, expected %zu", (unsigned long)outHeader->nAllocLen, len); + ALOGE("memset buffer too small: got %u, expected %zu", outHeader->nAllocLen, len); android_errorWriteLog(0x534e4554, "29422022"); notify(OMX_EventError, OMX_ErrorUndefined, OUTPUT_BUFFER_TOO_SMALL, NULL); mSignalledError = true; -- cgit v1.1