From f36321997a15edce6ac88414c22efd07da9eb8dc Mon Sep 17 00:00:00 2001 From: Taiju Tsuiki Date: Tue, 21 Apr 2015 17:36:22 +0900 Subject: Fix potential double close in IMediaMetadataRetriever::setDataSource IMediaMetadataRetriever::setDataSource(fd, offset, length) takes the ownership of |fd| on the direct invocation, and doesn't take the ownership on invocation from Binder. This is inconsintent to other similar methods like IMediaPlayer::setDataSource, and causes potential double close of |fd|. This CL changes the caller and implementations to leave the ownership to make them consistent. Also, fixes a double close in IMediaPlayerService::setDataSource in an error case. Change-Id: Id551a1e725c4392b0fe6b7293871212eb101c0a5 --- media/libstagefright/AwesomePlayer.cpp | 1 + 1 file changed, 1 insertion(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/AwesomePlayer.cpp b/media/libstagefright/AwesomePlayer.cpp index 5a43caf..933f241 100644 --- a/media/libstagefright/AwesomePlayer.cpp +++ b/media/libstagefright/AwesomePlayer.cpp @@ -344,6 +344,7 @@ status_t AwesomePlayer::setDataSource( reset_l(); + fd = dup(fd); sp dataSource = new FileSource(fd, offset, length); status_t err = dataSource->initCheck(); -- cgit v1.1 From b82353b46bcac8239132cfd624c62aa84caab8be Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Fri, 16 Oct 2015 21:22:14 -0700 Subject: Move overflow checks into SkipCutBuffer Previously SkipCutBuffer would check its input parameters to ensure they were sane, however since bogus values might be the result of overflows, and overflow protection was recently turned on for libstagefright, the compiler's overflow checks were performed before SkipCutBuffer's, resulting in abort rather than just ignoring the bogus values. Moving the multiplication by framesize into SkipCutBuffer fixes this. Change-Id: I1ad6744bb045a5212701bbf6ee44eecb5f318210 --- media/libstagefright/ACodec.cpp | 5 +---- media/libstagefright/OMXCodec.cpp | 3 +-- media/libstagefright/SkipCutBuffer.cpp | 39 ++++++++++++++++++++++++++-------- 3 files changed, 32 insertions(+), 15 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/ACodec.cpp b/media/libstagefright/ACodec.cpp index 672e50a..c84601d 100644 --- a/media/libstagefright/ACodec.cpp +++ b/media/libstagefright/ACodec.cpp @@ -4566,16 +4566,13 @@ void ACodec::sendFormatChange(const sp &reply) { (mEncoderDelay || mEncoderPadding)) { int32_t channelCount; CHECK(notify->findInt32("channel-count", &channelCount)); - size_t frameSize = channelCount * sizeof(int16_t); if (mSkipCutBuffer != NULL) { size_t prevbufsize = mSkipCutBuffer->size(); if (prevbufsize != 0) { ALOGW("Replacing SkipCutBuffer holding %zu bytes", prevbufsize); } } - mSkipCutBuffer = new SkipCutBuffer( - mEncoderDelay * frameSize, - mEncoderPadding * frameSize); + mSkipCutBuffer = new SkipCutBuffer(mEncoderDelay, mEncoderPadding, channelCount); } getVQZIPInfo(notify); diff --git a/media/libstagefright/OMXCodec.cpp b/media/libstagefright/OMXCodec.cpp index 6bd54f1..abe19a0 100644 --- a/media/libstagefright/OMXCodec.cpp +++ b/media/libstagefright/OMXCodec.cpp @@ -1760,14 +1760,13 @@ status_t OMXCodec::allocateBuffersOnPort(OMX_U32 portIndex) { int32_t numchannels = 0; if (delay + padding) { if (mOutputFormat->findInt32(kKeyChannelCount, &numchannels)) { - size_t frameSize = numchannels * sizeof(int16_t); if (mSkipCutBuffer != NULL) { size_t prevbuffersize = mSkipCutBuffer->size(); if (prevbuffersize != 0) { ALOGW("Replacing SkipCutBuffer holding %zu bytes", prevbuffersize); } } - mSkipCutBuffer = new SkipCutBuffer(delay * frameSize, padding * frameSize); + mSkipCutBuffer = new SkipCutBuffer(delay, padding, numchannels); } } } diff --git a/media/libstagefright/SkipCutBuffer.cpp b/media/libstagefright/SkipCutBuffer.cpp index 1da1e5e..d30be88 100644 --- a/media/libstagefright/SkipCutBuffer.cpp +++ b/media/libstagefright/SkipCutBuffer.cpp @@ -24,21 +24,32 @@ namespace android { -SkipCutBuffer::SkipCutBuffer(int32_t skip, int32_t cut) { +SkipCutBuffer::SkipCutBuffer(size_t skip, size_t cut, size_t num16BitChannels) { - if (skip < 0 || cut < 0 || cut > 64 * 1024) { - ALOGW("out of range skip/cut: %d/%d, using passthrough instead", skip, cut); - skip = 0; - cut = 0; + mWriteHead = 0; + mReadHead = 0; + mCapacity = 0; + mCutBuffer = NULL; + + if (num16BitChannels == 0 || num16BitChannels > INT32_MAX / 2) { + ALOGW("# channels out of range: %zu, using passthrough instead", num16BitChannels); + return; } + size_t frameSize = num16BitChannels * 2; + if (skip > INT32_MAX / frameSize || cut > INT32_MAX / frameSize + || cut * frameSize > INT32_MAX - 4096) { + ALOGW("out of range skip/cut: %zu/%zu, using passthrough instead", + skip, cut); + return; + } + skip *= frameSize; + cut *= frameSize; mFrontPadding = mSkip = skip; mBackPadding = cut; - mWriteHead = 0; - mReadHead = 0; mCapacity = cut + 4096; - mCutBuffer = new char[mCapacity]; - ALOGV("skipcutbuffer %d %d %d", skip, cut, mCapacity); + mCutBuffer = new (std::nothrow) char[mCapacity]; + ALOGV("skipcutbuffer %zu %zu %d", skip, cut, mCapacity); } SkipCutBuffer::~SkipCutBuffer() { @@ -46,6 +57,11 @@ SkipCutBuffer::~SkipCutBuffer() { } void SkipCutBuffer::submit(MediaBuffer *buffer) { + if (mCutBuffer == NULL) { + // passthrough mode + return; + } + int32_t offset = buffer->range_offset(); int32_t buflen = buffer->range_length(); @@ -73,6 +89,11 @@ void SkipCutBuffer::submit(MediaBuffer *buffer) { } void SkipCutBuffer::submit(const sp& buffer) { + if (mCutBuffer == NULL) { + // passthrough mode + return; + } + int32_t offset = buffer->offset(); int32_t buflen = buffer->size(); -- cgit v1.1 From d5dee706a6f0a0b5a4a65e8e128131f06d572e6b Mon Sep 17 00:00:00 2001 From: Amit Shekhar Date: Tue, 8 Dec 2015 20:41:24 -0800 Subject: frameworks/av: fix channelmask and source format for pcm files -Update channel mask from channel count if parser reports channel mask to be 0 -Update source format for each buffer by extending call to setPcmFormat when aggregation is not done Change-Id: I1f4ce07e3e784d85e63be03a69ac1395bfa913e2 CRs-Fixed: 948222 --- media/libstagefright/Utils.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/Utils.cpp b/media/libstagefright/Utils.cpp index e9d585f..592510b 100644 --- a/media/libstagefright/Utils.cpp +++ b/media/libstagefright/Utils.cpp @@ -893,7 +893,7 @@ bool canOffloadStream(const sp& meta, bool hasVideo, info.sample_rate = srate; int32_t cmask = 0; - if (!meta->findInt32(kKeyChannelMask, &cmask)) { + if (!meta->findInt32(kKeyChannelMask, &cmask) || 0 == cmask) { ALOGV("track of type '%s' does not publish channel mask", mime); // Try a channel count instead -- cgit v1.1