From 295c883fe3105b19bcd0f9e07d54c6b589fc5bff Mon Sep 17 00:00:00 2001
From: Marco Nelissen
Date: Mon, 29 Feb 2016 12:47:20 -0800
Subject: DO NOT MERGE Verify OMX buffer sizes prior to access
Bug: 27207275
Change-Id: I4412825d1ee233d993af0a67708bea54304ff62d
---
media/libstagefright/include/SoftOMXComponent.h | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
(limited to 'media/libstagefright/include')
diff --git a/media/libstagefright/include/SoftOMXComponent.h b/media/libstagefright/include/SoftOMXComponent.h
index a808611..3ab6f88 100644
--- a/media/libstagefright/include/SoftOMXComponent.h
+++ b/media/libstagefright/include/SoftOMXComponent.h
@@ -168,6 +168,22 @@ private:
 DISALLOW_EVIL_CONSTRUCTORS(SoftOMXComponent);
 };
+template
+bool isValidOMXParam(T *a) {
+ static_assert(offsetof(typeof(*a), nSize) == 0, "nSize not at offset 0");
+ static_assert(std::is_same< decltype(a->nSize), OMX_U32>::value, "nSize has wrong type");
+ static_assert(offsetof(typeof(*a), nVersion) == 4, "nVersion not at offset 4");
+ static_assert(std::is_same< decltype(a->nVersion), OMX_VERSIONTYPE>::value,
+ "nVersion has wrong type");
+
+ if (a->nSize < sizeof(*a)) {
+ ALOGE("b/27207275: need %zu, got %u", sizeof(*a), a->nSize);
+ android_errorWriteLog(0x534e4554, "27207275");
+ return false;
+ }
+ return true;
+}
+
 } // namespace android
 #endif // SOFT_OMX_COMPONENT_H_
-- cgit v1.1
From 45737cb776625f17384540523674761e6313e6d4 Mon Sep 17 00:00:00 2001
From: Zach Jang
Date: Thu, 21 Apr 2016 16:10:50 -0700
Subject: Resolve merge conflict when cp'ing ag/931301 to mnc-mr1-release
Change-Id: I079d1db2d30d126f8aed348bd62451acf741037d
---
media/libstagefright/include/SampleTable.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'media/libstagefright/include')
diff --git a/media/libstagefright/include/SampleTable.h b/media/libstagefright/include/SampleTable.h
index 460492b..3764adb 100644
--- a/media/libstagefright/include/SampleTable.h
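Review bot: In SoftOMXComponent.h, `isValidOMXParam` compares `a->nSize` only against `sizeof(*a)`, and `nSize` is read from the very structure being validated, so the check establishes what the client claims rather than how many bytes are actually readable behind `a`. The call sites are outside this hunk; if they know the length of the received buffer, that length should be checked before this helper dereferences `a`. At minimum the helper should state the precondition, e.g. `// nSize is client-supplied; callers must separately ensure the buffer really holds nSize bytes.` The template also uses `std::is_same` and `offsetof`, but the hunk adds no include for them, so it presumably relies on whatever the including file pulled in first. The literal `0x534e4554` passed to `android_errorWriteLog` would read better as a named constant or with a short comment.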
+++ b/media/libstagefright/include/SampleTable.h
@@ -24,6 +24,7 @@
 #include
 #include
 #include
+#include
 namespace android {
@@ -111,7 +112,7 @@ private:
 uint32_t mNumSampleSizes;
 uint32_t mTimeToSampleCount;
- uint32_t *mTimeToSample;
+ Vector mTimeToSample;
 struct SampleTimeEntry {
 uint32_t mSampleIndex;
-- cgit v1.1
From b57b3967b1a42dd505dbe4fcf1e1d810e3ae3777 Mon Sep 17 00:00:00 2001
From: Pawin Vongmasa
Date: Wed, 20 Apr 2016 15:51:48 -0700
Subject: SampleTable.cpp: Fixed a regression caused by a fix for bug 28076789.
Detail: Before the original fix (Id207f369ab7b27787d83f5d8fc48dc53ed9fcdc9) for 28076789, the code allowed a time-to-sample table size to be 0. The change made in that fix disallowed such situation, which in fact should be allowed. This current patch allows it again while maintaining the security of the previous fix.
Bug: 28288202
Bug: 28076789
Change-Id: I1c9a60c7f0cfcbd3d908f24998dde15d5136a295
---
media/libstagefright/include/SampleTable.h | 1 +
1 file changed, 1 insertion(+)
(limited to 'media/libstagefright/include')
diff --git a/media/libstagefright/include/SampleTable.h b/media/libstagefright/include/SampleTable.h
index 3764adb..465f37c 100644
--- a/media/libstagefright/include/SampleTable.h
+++ b/media/libstagefright/include/SampleTable.h
@@ -111,6 +111,7 @@ private:
 uint32_t mDefaultSampleSize;
 uint32_t mNumSampleSizes;
+ bool mHasTimeToSample;
 uint32_t mTimeToSampleCount;
 Vector mTimeToSample;
-- cgit v1.1
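Review bot: In the second SampleTable.h hunk of 45737cb (`@@ -111,7 +112,7 @@`), `mTimeToSampleCount` is kept next to the new `Vector` member `mTimeToSample`, so the table length is now recorded in two places that can drift apart. Any code in SampleTable.cpp (not shown here) that bounds an index by `mTimeToSampleCount` while reading from the vector depends on the two staying in step. Either derive the count from `mTimeToSample.size()` or document the invariant on the field, e.g. `// Must stay consistent with mTimeToSample.size(); check against the vector before indexing.` The class body continues outside the hunk, and the vector's element type is not visible on this page.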
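Review bot: The new `bool mHasTimeToSample;` in the b57b396 hunk has neither an initializer nor a comment, and the constructor that would set it is in SampleTable.cpp, which this page does not show. Reading the flag before it is assigned would be undefined behaviour, so confirm it is set in the constructor's initializer list or give it a default here: `bool mHasTimeToSample = false;`. Going by the commit message, the flag seems to distinguish a missing table from an empty one; if so, say it on the field, e.g. `// True once a time-to-sample table has been parsed, even when it has zero entries.`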