From d7640491ba0cf2ef8424734a942f38f80535591b Mon Sep 17 00:00:00 2001
From: Marco Nelissen
Date: Tue, 12 Jan 2016 12:37:36 -0800
Subject: Fix out-of-bounds write Bug: 26365349 Change-Id: Ia363d9f8c231cf255dea852e0bbf5ca466c7990b
---
media/libstagefright/MPEG4Extractor.cpp | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
(limited to 'media/libstagefright')
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index bfdff38..e4f8384 100755
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -4545,7 +4545,15 @@ status_t MPEG4Source::fragmentedRead( continue; } - CHECK(dstOffset + 4 <= mBuffer->size()); + if (dstOffset > SIZE_MAX - 4 || + dstOffset + 4 > SIZE_MAX - nalLength || + dstOffset + 4 + nalLength > mBuffer->size()) { + ALOGE("b/26365349 : %zu %zu", dstOffset, mBuffer->size()); + android_errorWriteLog(0x534e4554, "26365349"); + mBuffer->release(); + mBuffer = NULL; + return ERROR_MALFORMED; + } dstData[dstOffset++] = 0; dstData[dstOffset++] = 0;
-- cgit v1.1
From 808632f7bf0a897fb55cc38170ad6c1b2fd86ba2 Mon Sep 17 00:00:00 2001
From: Steve Kondik
Date: Mon, 29 Feb 2016 17:32:19 -0800
Subject: stagefright: Don't crash on invalid / null AVCC atoms in MKV * Seen in the wild. If a file contains an invalid track, skip it. * Also correct AVCC atom size check in Matroska extractor. REF: CYNGNOS-2168 Change-Id: I589aadbd689c9a00e1dca613e61fcec5b06ed69a
---
media/libstagefright/MPEG4Extractor.cpp | 12 +++++++-----
media/libstagefright/matroska/MatroskaExtractor.cpp | 13 +++++++------
2 files changed, 14 insertions(+), 11 deletions(-)
(limited to 'media/libstagefright')
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index c928495..3baf6b6 100755
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
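Review bot: In the MPEG4Source::fragmentedRead hunk the new `ALOGE("b/26365349 : %zu %zu", dstOffset, mBuffer->size());` leaves out nalLength, although two of the three conditions in the guard depend on it, so a rejected file cannot be triaged from the log alone. I would log all three values, e.g. `ALOGE("b/26365349 : %zu %zu %zu", dstOffset, nalLength, mBuffer->size());`, with the middle specifier adjusted to nalLength's declared type, which is outside the hunk. The overflow tests are ordered so that each addition is shown not to wrap before it is evaluated, assuming nalLength is an unsigned size_t; a one-line comment saying so, such as `// order matters: each sum is proven not to wrap before it is used`, would keep a later edit from reordering them. The enclosing loop starts and ends outside the hunk.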
@@ -3325,11 +3325,13 @@ MPEG4Source::MPEG4Source( const uint8_t *ptr = (const uint8_t *)data; - CHECK(size >= 7); - CHECK_EQ((unsigned)ptr[0], 1u); // configurationVersion == 1 - - // The number of bytes used to encode the length of a NAL unit. - mNALLengthSize = 1 + (ptr[4] & 3); + if (size < 7 || ptr[0] != 1) { + ALOGE("Invalid AVCC atom, size %zu, configurationVersion: %d", + size, ptr[0]); + } else { + // The number of bytes used to encode the length of a NAL unit. + mNALLengthSize = 1 + (ptr[4] & 3); + } } else if (mIsHEVC) { uint32_t type; const void *data;
diff --git a/media/libstagefright/matroska/MatroskaExtractor.cpp b/media/libstagefright/matroska/MatroskaExtractor.cpp
index c1fa240..b2463e7 100644
--- a/media/libstagefright/matroska/MatroskaExtractor.cpp
+++ b/media/libstagefright/matroska/MatroskaExtractor.cpp
@@ -224,18 +224,19 @@ MatroskaSource::MatroskaSource( mIsAudio = !strncasecmp("audio/", mime, 6); if (!strcasecmp(mime, MEDIA_MIMETYPE_VIDEO_AVC)) { - mType = AVC; - uint32_t dummy; const uint8_t *avcc; size_t avccSize; CHECK(meta->findData( kKeyAVCC, &dummy, (const void **)&avcc, &avccSize)); - CHECK_GE(avccSize, 5u); - - mNALSizeLen = 1 + (avcc[4] & 3); - ALOGV("mNALSizeLen = %zu", mNALSizeLen); + if (avccSize < 7) { + ALOGW("Invalid AVCC atom in track, size %zu", avccSize); + } else { + mNALSizeLen = 1 + (avcc[4] & 3); + ALOGV("mNALSizeLen = %zu", mNALSizeLen); + mType = AVC; + } } else if (!strcasecmp(mime, MEDIA_MIMETYPE_VIDEO_HEVC)) { mType = HEVC;
-- cgit v1.1
From 41d4ad503757189ad401fa82d7572502de0712fa Mon Sep 17 00:00:00 2001
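Review bot: The error branch in MPEG4Source::MPEG4Source still reads `ptr[0]` for the log message, so an AVCC blob with `size == 0` is dereferenced by the very path that reports it as too short; pass `size > 0 ? ptr[0] : -1` to ALOGE instead. The branch also only logs: mNALLengthSize keeps whatever value it was given before this point (not shown in the hunk) and a constructor cannot return an error, so later reads would presumably parse NAL lengths with that value, and it is worth confirming that the read path rejects it cleanly rather than asserting. The constructor body starts and ends outside the hunk.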
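Review bot: In MatroskaSource::MatroskaSource the lookup is still wrapped in `CHECK(meta->findData(kKeyAVCC, ...))`, so a track whose metadata carries no AVCC entry at all still aborts the process instead of being skipped. Folding it into the new test, `if (!meta->findData(kKeyAVCC, &dummy, (const void **)&avcc, &avccSize) || avccSize < 7) {`, would send both cases down the warning path. On that path mType and mNALSizeLen keep their initial values, which are set outside the hunk; a comment naming the mType value that marks the track as skipped would help the next reader. Unlike the MPEG4Extractor hunk in the same commit, configurationVersion (`avcc[0]`) is not checked here.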
From: Haynes Mathew George
Date: Wed, 6 Jan 2016 17:03:22 -0800
Subject: SoftVorbis: memory access check Check for valid input buffer header before reading from it. This seems to be manifested only when memory map of an input buffer sent from a remote process fails in mediaserver context. CRs-Fixed: 916568 Change-Id: I4ee16e7104c2d8bf579f80201864009e51cd1b25
---
media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp | 14 +++++++++++++-
media/libstagefright/codecs/vorbis/dec/SoftVorbis.h | 2 ++
2 files changed, 15 insertions(+), 1 deletion(-)
(limited to 'media/libstagefright')
diff --git a/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp b/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp
index 3dc549e..08200c1 100644
--- a/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp
+++ b/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp
@@ -56,7 +56,8 @@ SoftVorbis::SoftVorbis( mNumFramesLeftOnPage(-1), mSawInputEos(false), mSignalledOutputEos(false), - mOutputPortSettingsChange(NONE) { + mOutputPortSettingsChange(NONE), + mSignalledError(false) { initPorts(); CHECK_EQ(initDecoder(), (status_t)OK); }
@@ -251,10 +252,21 @@ void SoftVorbis::onQueueFilled(OMX_U32 portIndex) { return; } + if (mSignalledError) { + return; + } + if (portIndex == 0 && mInputBufferCount < 2) { BufferInfo *info = *inQueue.begin(); OMX_BUFFERHEADERTYPE *header = info->mHeader; + if (!header || !header->pBuffer) { + ALOGE("b/25727575 has happened. report error"); + notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); + mSignalledError = true; + return; + } + const uint8_t *data = header->pBuffer + header->nOffset; size_t size = header->nFilledLen;
diff --git a/media/libstagefright/codecs/vorbis/dec/SoftVorbis.h b/media/libstagefright/codecs/vorbis/dec/SoftVorbis.h
index 1d00816..7decc5a 100644
--- a/media/libstagefright/codecs/vorbis/dec/SoftVorbis.h
+++ b/media/libstagefright/codecs/vorbis/dec/SoftVorbis.h
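Review bot: The new null test in SoftVorbis::onQueueFilled guards `header` and `header->pBuffer`, but the two lines after it still trust `header->nOffset` and `header->nFilledLen` as supplied by the client, so `data` and `size` can describe a range beyond the allocation. A range check next to the null check would close that, e.g. `if (header->nOffset > header->nAllocLen || header->nFilledLen > header->nAllocLen - header->nOffset)` taking the same error path. The guard also sits only inside the `portIndex == 0 && mInputBufferCount < 2` branch; any later dereference of an input header in this function lies outside the hunk and should be checked for the same condition.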
@@ -68,6 +68,8 @@ private: AWAITING_ENABLED } mOutputPortSettingsChange; + bool mSignalledError; + void initPorts(); status_t initDecoder(); bool isConfigured() const;
-- cgit v1.1
From 97fc248733b43731e1e2d98de5dad47a490dbbc2 Mon Sep 17 00:00:00 2001
From: Santhosh Behara
Date: Thu, 26 Nov 2015 15:27:50 +0530
Subject: ACodec: update the right size and crop in smooth streaming case In smooth streaming enabled case, the max width and max height sizes should be updated in native window. And the crop rectangle should also be updated. Change-Id: I4a15aa24a51b495141001dd43adec7005ab0c742
---
media/libstagefright/ACodec.cpp | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
(limited to 'media/libstagefright')
diff --git a/media/libstagefright/ACodec.cpp b/media/libstagefright/ACodec.cpp
index 4807b65..7351d3e 100644
--- a/media/libstagefright/ACodec.cpp
+++ b/media/libstagefright/ACodec.cpp
@@ -925,10 +925,24 @@ status_t ACodec::setupNativeWindowSizeFormatAndUsage( #endif ALOGV("gralloc usage: %#x(OMX) => %#x(ACodec)", omxUsage, usage); + int32_t width = 0, height = 0; + int32_t isAdaptivePlayback = 0; + + if (mInputFormat->findInt32("adaptive-playback", &isAdaptivePlayback) + && isAdaptivePlayback + && mInputFormat->findInt32("max-width", &width) + && mInputFormat->findInt32("max-height", &height)) { + width = max(width, (int32_t)def.format.video.nFrameWidth); + height = max(height, (int32_t)def.format.video.nFrameHeight); + ALOGV("Adaptive playback width = %d, height = %d", width, height); + } else { + width = def.format.video.nFrameWidth; + height = def.format.video.nFrameHeight; + } err = setNativeWindowSizeFormatAndUsage( nativeWindow, - def.format.video.nFrameWidth, - def.format.video.nFrameHeight, + width, + height, #ifdef USE_SAMSUNG_COLORFORMAT eNativeColorFormat, #else
-- cgit v1.1
From 69714d42dc65906f2a94a5e47bea6219ead6fe23 Mon Sep 17 00:00:00 2001
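Review bot: In ACodec::setupNativeWindowSizeFormatAndUsage the "max-width" and "max-height" values are taken from the input format and handed to the native window with no range check, and the OMX frame dimensions are converted to `int32_t` by a C-style cast (and implicitly in the else branch), so a dimension above INT32_MAX would turn negative. I would reject non-positive results before the call, e.g. `if (width <= 0 || height <= 0) return BAD_VALUE;`, assuming nothing acquired earlier in the function needs releasing first, and write the conversions as `static_cast<int32_t>(def.format.video.nFrameWidth)`. The function starts and ends outside the hunk, so the parameter types of setNativeWindowSizeFormatAndUsage are not visible here and should be checked against the new signed arguments.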
From: Surajit Podder
Date: Wed, 13 Jan 2016 12:42:43 +0530
Subject: video: Add support to push blank buffers on surface switch Add support to push blank buffers only on surface switch. Setting "push-blank-buffers-on-switch" key with value 1 will enable this feature. Change-Id: I4a0fc48fe24c09a6b8d0e2e0fc4dc2e96d3178bf
---
media/libstagefright/ACodec.cpp | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
(limited to 'media/libstagefright')
diff --git a/media/libstagefright/ACodec.cpp b/media/libstagefright/ACodec.cpp
index 7351d3e..8cf38ef 100644
--- a/media/libstagefright/ACodec.cpp
+++ b/media/libstagefright/ACodec.cpp
@@ -767,7 +767,8 @@ status_t ACodec::handleSetSurface(const sp &surface) { } // push blank buffers to previous window if requested - if (mFlags & kFlagPushBlankBuffersToNativeWindowOnShutdown) { + if (mFlags & kFlagPushBlankBuffersToNativeWindowOnShutdown || + mFlags & kFlagPushBlankBuffersToNativeWindowOnSwitch) { pushBlankBuffersToNativeWindow(mNativeWindow.get()); }
@@ -1983,6 +1984,12 @@ status_t ACodec::configureCodec( && push != 0) { mFlags |= kFlagPushBlankBuffersToNativeWindowOnShutdown; } + + int32_t val; + if (msg->findInt32("push-blank-buffers-on-switch", &val) + && val != 0) { + mFlags |= kFlagPushBlankBuffersToNativeWindowOnSwitch; + } } int32_t rotationDegrees;
-- cgit v1.1
From c3902bb77957a98082d03ec1cf8ff938495a674a Mon Sep 17 00:00:00 2001
From: Surajit Podder
Date: Mon, 1 Feb 2016 13:51:18 +0530
Subject: video: Add metadata support for DataSource Add meta() API to query and update DataSource metadata. Change-Id: Ibc99fbb6b9bdd6ca6a9d0b25883ba5907946a81d
---
media/libstagefright/DataSource.cpp | 1 -
1 file changed, 1 deletion(-)
(limited to 'media/libstagefright')
diff --git a/media/libstagefright/DataSource.cpp b/media/libstagefright/DataSource.cpp
index b833f9e..34f0649 100644
--- a/media/libstagefright/DataSource.cpp
+++ b/media/libstagefright/DataSource.cpp
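Review bot: The condition in ACodec::handleSetSurface is written as `mFlags & A || mFlags & B`, which is correct only because `&` binds tighter than `||`; testing one combined mask says the same thing without leaning on precedence: `if (mFlags & (kFlagPushBlankBuffersToNativeWindowOnShutdown | kFlagPushBlankBuffersToNativeWindowOnSwitch)) {`. The comment above it could also state why the old surface is blanked, for instance `// blank the previous window so its last decoded frame does not stay visible after the switch`, if that is the intent. In the ACodec::configureCodec hunk of the same commit the new key "push-blank-buffers-on-switch" is read with no comment, while the flag it sets is never cleared in the visible lines; a short comment there on the key's meaning and lifetime would help.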
@@ -38,7 +38,6 @@ #include #include #include -#include #include #include #include
-- cgit v1.1
From 2fd815ffc3cac5655d0809bf762400e452734114 Mon Sep 17 00:00:00 2001
From: Shalaj Jain
Date: Mon, 25 Jan 2016 13:20:10 -0800
Subject: stagefright: Clear RenderQueue on port settings changed Clear the RenderTracker RenderQueue before allocating new set of buffers during port settings change. The graphicBuffers inside the RenderQueue hold the actual buffer references which prevents them from being freed until this queue is cleared. Do not wait till executing state to clear the queue as then overall memory consumption goes up for the brief period. CRs-Fixed: 972394 Change-Id: If50ffc2d517f793a59c88d3fb213bf4c23b8c9f7
---
media/libstagefright/ACodec.cpp | 5 +++++
1 file changed, 5 insertions(+)
(limited to 'media/libstagefright')
diff --git a/media/libstagefright/ACodec.cpp b/media/libstagefright/ACodec.cpp
index 8cf38ef..b83d6c6 100644
--- a/media/libstagefright/ACodec.cpp
+++ b/media/libstagefright/ACodec.cpp
@@ -6781,6 +6781,11 @@ bool ACodec::OutputPortSettingsChangedState::onOMXEvent( mCodec->mNode, OMX_CommandPortEnable, kPortIndexOutput); } + /* Clear the RenderQueue in which queued GraphicBuffers hold the + * actual buffer references in order to free them early. + */ + mCodec->mRenderTracker.clear(systemTime(CLOCK_MONOTONIC)); + if (err == OK) { err = mCodec->allocateBuffersOnPort(kPortIndexOutput); ALOGE_IF(err != OK, "Failed to allocate output port buffers after port "
-- cgit v1.1
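Review bot: In ACodec::OutputPortSettingsChangedState::onOMXEvent the new `mCodec->mRenderTracker.clear(systemTime(CLOCK_MONOTONIC));` sits before the `if (err == OK)` test, so the render queue is dropped even when the preceding port-enable command failed. If that is intended, the comment should say so; otherwise the call belongs inside the branch, directly before `allocateBuffersOnPort`. The comment could also record what happens to frames that were queued but not yet reported as rendered, which depends on RenderTracker::clear and is not visible in this hunk. The function starts and ends outside the hunk.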