From ec4ed7d541f48d1d0af8f93cd26ec291ca82061b Mon Sep 17 00:00:00 2001 From: Lajos Molnar Date: Fri, 12 Jun 2015 12:52:27 -0700 Subject: stagefright: relax check of OMX buffer header - again - move check to after FillBufferDone only. - add support for NULL graphicBuffer - just in case Bug: 21773260 Change-Id: Ibf03511f1d04425e29b63fe4e560e0d8ba6ea20e --- media/libstagefright/omx/OMXNodeInstance.cpp | 31 +++++++++++++++++++++------- 1 file changed, 23 insertions(+), 8 deletions(-) (limited to 'media/libstagefright/omx/OMXNodeInstance.cpp') diff --git a/media/libstagefright/omx/OMXNodeInstance.cpp b/media/libstagefright/omx/OMXNodeInstance.cpp index 6ee1a77..147aae7 100644 --- a/media/libstagefright/omx/OMXNodeInstance.cpp +++ b/media/libstagefright/omx/OMXNodeInstance.cpp @@ -121,9 +121,10 @@ struct BufferMeta { return; } - memcpy((OMX_U8 *)mMem->pointer() + header->nOffset, - header->pBuffer + header->nOffset, - header->nFilledLen); + // check component returns proper range + sp codec = getBuffer(header, false /* backup */, true /* limit */); + + memcpy((OMX_U8 *)mMem->pointer() + header->nOffset, codec->data(), codec->size()); } void CopyToOMX(const OMX_BUFFERHEADERTYPE *header) { @@ -137,14 +138,21 @@ struct BufferMeta { } // return either the codec or the backup buffer - sp getBuffer(const OMX_BUFFERHEADERTYPE *header, bool backup) { + sp getBuffer(const OMX_BUFFERHEADERTYPE *header, bool backup, bool limit) { sp buf; if (backup && mMem != NULL) { buf = new ABuffer(mMem->pointer(), mMem->size()); } else { buf = new ABuffer(header->pBuffer, header->nAllocLen); } - buf->setRange(header->nOffset, header->nFilledLen); + if (limit) { + if (header->nOffset + header->nFilledLen > header->nOffset + && header->nOffset + header->nFilledLen <= header->nAllocLen) { + buf->setRange(header->nOffset, header->nFilledLen); + } else { + buf->setRange(0, 0); + } + } return buf; } 
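Review bot: The bound that `getBuffer(header, false, true)` enforces in the new CopyFromOMX is `header->nAllocLen`, yet the memcpy writes into `mMem` at `header->nOffset`, so the copy is only safe if `nAllocLen` never exceeds `mMem->size()` — nothing in these hunks establishes that, and a component that overstates `nAllocLen` (or a header paired with a smaller IMemory) would still overrun the shared buffer. I would bound the destination explicitly before the copy: `if (header->nOffset > mMem->size() || codec->size() > mMem->size() - header->nOffset) return;`. The `limit` branch also silently collapses a bad range to `setRange(0, 0)` rather than reporting it, which deserves a comment on getBuffer such as `// limit: a range that wraps or exceeds nAllocLen yields an empty buffer, not an error`. CopyFromOMX's signature and the start of its body are outside the hunk.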
@@ -1089,10 +1097,11 @@ status_t OMXNodeInstance::emptyBuffer( OMX_BUFFERHEADERTYPE *header = findBufferHeader(buffer); BufferMeta *buffer_meta = static_cast(header->pAppPrivate); - sp backup = buffer_meta->getBuffer(header, true /* backup */); - sp codec = buffer_meta->getBuffer(header, false /* backup */); + sp backup = buffer_meta->getBuffer(header, true /* backup */, false /* limit */); + sp codec = buffer_meta->getBuffer(header, false /* backup */, false /* limit */); // convert incoming ANW meta buffers if component is configured for gralloc metadata mode + // ignore rangeOffset in this case if (mMetadataType[kPortIndexInput] == kMetadataBufferTypeGrallocSource && backup->capacity() >= sizeof(VideoNativeMetadata) && codec->capacity() >= sizeof(VideoGrallocMetadata) @@ -1102,7 +1111,7 @@ status_t OMXNodeInstance::emptyBuffer( VideoGrallocMetadata &codecMeta = *(VideoGrallocMetadata *)codec->base(); CLOG_BUFFER(emptyBuffer, "converting ANWB %p to handle %p", backupMeta.pBuffer, backupMeta.pBuffer->handle); - codecMeta.pHandle = backupMeta.pBuffer->handle; + codecMeta.pHandle = backupMeta.pBuffer != NULL ? backupMeta.pBuffer->handle : NULL; codecMeta.eType = kMetadataBufferTypeGrallocSource; header->nFilledLen = rangeLength ? sizeof(codecMeta) : 0; header->nOffset = 0; @@ -1111,6 +1120,7 @@ status_t OMXNodeInstance::emptyBuffer( // corner case: we permit rangeOffset == end-of-buffer with rangeLength == 0. if (rangeOffset > header->nAllocLen || rangeLength > header->nAllocLen - rangeOffset) { + CLOG_ERROR(emptyBuffer, OMX_ErrorBadParameter, FULL_BUFFER(NULL, header, fenceFd)); if (fenceFd >= 0) { ::close(fenceFd); } 
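Review bot: The new NULL guard on `codecMeta.pHandle` does not protect the unchanged CLOG_BUFFER line just above it, which still dereferences `backupMeta.pBuffer->handle` unconditionally, so a NULL graphicBuffer would fault there first whenever that log level is active (how CLOG_BUFFER evaluates its arguments is not visible here). Hoist the value once and use it in both places: `buffer_handle_t handle = backupMeta.pBuffer != NULL ? backupMeta.pBuffer->handle : NULL;`, then `codecMeta.pHandle = handle;` and pass `handle` to the log call. The two `limit = false` calls also deserve a comment, since with the new getBuffer `backup` and `codec` now span the whole allocation (no setRange at all) and the `capacity()` checks that follow depend on that: `// full-range views; rangeOffset/rangeLength are applied to the header below`. emptyBuffer begins and ends outside these hunks.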
@@ -1380,6 +1390,11 @@ bool OMXNodeInstance::handleMessage(omx_message &msg) { BufferMeta *buffer_meta = static_cast(buffer->pAppPrivate); + if (buffer->nOffset + buffer->nFilledLen < buffer->nOffset + || buffer->nOffset + buffer->nFilledLen > buffer->nAllocLen) { + CLOG_ERROR(onFillBufferDone, OMX_ErrorBadParameter, + FULL_BUFFER(NULL, buffer, msg.fenceFd)); + } buffer_meta->CopyFromOMX(buffer); if (bufferSource != NULL) { -- cgit v1.1
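Review bot: The new range check in handleMessage only logs; `buffer->nOffset` and `buffer->nFilledLen` are left exactly as the component set them, so `CopyFromOMX` still runs on the bad header and the unsanitized range presumably travels on in the FILL_BUFFER_DONE notification to the client (the forwarding is outside the hunk). If the hard failure was dropped on purpose because some components misreport, clamping inside the branch is a safer relaxation than pass-through: `buffer->nOffset = 0; buffer->nFilledLen = 0;` after the CLOG_ERROR, so downstream sees an empty buffer rather than a range beyond `nAllocLen`. Either way a comment stating that the check is intentionally non-fatal, and why, would keep the next reader from re-adding the rejection. The enclosing handleMessage starts and ends outside the hunk.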