From 4e32001e4196f39ddd0b86686ae0231c8f5ed944 Mon Sep 17 00:00:00 2001
From: Wonsik Kim
Date: Wed, 30 Mar 2016 17:13:00 +0900
Subject: DO NOT MERGE codecs: check OMX buffer size before use in (vorbis|opus)dec
Bug: 27833616
Change-Id: I1ccdd16a00741da072527a6d13e87fd7c7fe8c54
---
 media/libstagefright/codecs/opus/dec/SoftOpus.cpp | 7 ++++++-
 media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp | 13 ++++++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)
(limited to 'media/libstagefright')
diff --git a/media/libstagefright/codecs/opus/dec/SoftOpus.cpp b/media/libstagefright/codecs/opus/dec/SoftOpus.cpp
index 2afa0ed..2e44ed7 100644
--- a/media/libstagefright/codecs/opus/dec/SoftOpus.cpp
+++ b/media/libstagefright/codecs/opus/dec/SoftOpus.cpp
@@ -458,12 +458,17 @@ void SoftOpus::onQueueFilled(OMX_U32 portIndex) {
 const uint8_t *data = inHeader->pBuffer + inHeader->nOffset;
 const uint32_t size = inHeader->nFilledLen;
+ size_t frameSize = kMaxOpusOutputPacketSizeSamples;
+ if (frameSize > outHeader->nAllocLen / sizeof(int16_t) / mHeader->channels) {
+ frameSize = outHeader->nAllocLen / sizeof(int16_t) / mHeader->channels;
+ android_errorWriteLog(0x534e4554, "27833616");
+ }
 int numFrames = opus_multistream_decode(mDecoder,
 data,
 size,
 (int16_t *)outHeader->pBuffer,
- kMaxOpusOutputPacketSizeSamples,
+ frameSize,
 0);
 if (numFrames < 0) {
 ALOGE("opus_multistream_decode returned %d", numFrames);
diff --git a/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp b/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp
index 4e1e6a5..5f4e346 100644
--- a/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp
+++ b/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp
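Review bot: `mHeader->channels` is used as a divisor twice in the added clamp of the SoftOpus.cpp hunk, and nothing visible in the hunk shows it to be non-zero; if the header parsing outside the hunk can leave it at 0 for a malformed stream, the new check itself faults before the decode call. Computing the limit once behind a guard also keeps the comparison and the assignment from drifting apart, e.g. `const size_t maxFrames = outHeader->nAllocLen / sizeof(int16_t) / mHeader->channels;` and then comparing `frameSize` against `maxFrames` in the existing `if`. The same clamp-then-divide shape appears in the second SoftVorbis.cpp hunk with `mVi->channels`. The literal `0x534e4554` (ASCII "SNET") recurs in all three hunks and would read better with a one-line comment such as `// SafetyNet event-log tag; the string is the bug id`. onQueueFilled starts and ends outside the hunk.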
@@ -273,6 +273,12 @@ void SoftVorbis::onQueueFilled(OMX_U32 portIndex) {
 const uint8_t *data = header->pBuffer + header->nOffset;
 size_t size = header->nFilledLen;
+ if (size < 7) {
+ ALOGE("Too small input buffer: %zu bytes", size);
+ android_errorWriteLog(0x534e4554, "27833616");
+ notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL);
+ return;
+ }
 ogg_buffer buf;
 ogg_reference ref;
@@ -378,9 +384,14 @@ void SoftVorbis::onQueueFilled(OMX_U32 portIndex) {
 ALOGW("vorbis_dsp_synthesis returned %d", err);
 #endif
 } else {
+ size_t numSamplesPerBuffer = kMaxNumSamplesPerBuffer;
+ if (numSamplesPerBuffer > outHeader->nAllocLen / sizeof(int16_t)) {
+ numSamplesPerBuffer = outHeader->nAllocLen / sizeof(int16_t);
+ android_errorWriteLog(0x534e4554, "27833616");
+ }
 numFrames = vorbis_dsp_pcmout(
 mState, (int16_t *)outHeader->pBuffer,
- (kMaxNumSamplesPerBuffer / mVi->channels));
+ (numSamplesPerBuffer / mVi->channels));
 if (numFrames < 0) {
 ALOGE("vorbis_dsp_pcmout returned %d", numFrames);
-- cgit v1.1
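Review bot: The early `return` in the added `size < 7` branch (first SoftVorbis.cpp hunk) leaves the function right after `notify(OMX_EventError, ...)`, and the hunk does not show the input header being dequeued or an error state being recorded. If neither happens elsewhere, a later onQueueFilled call would meet the same undersized buffer again, so this needs checking against the rest of the function, which lies outside the hunk. The literal `7` is also unexplained; presumably it is the length of a prefix the code below skips, and a named constant shared by this guard and that code would keep the two in step. The guard covers `nFilledLen` only: `header->nOffset` is added to `pBuffer` with no visible comparison against `nAllocLen`.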
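Review bot: When `outHeader->nAllocLen` holds fewer than `mVi->channels` samples, the clamped `numSamplesPerBuffer / mVi->channels` in the second SoftVorbis.cpp hunk becomes 0 and `vorbis_dsp_pcmout` is still called with a zero frame limit. The `numFrames < 0` check that follows would not flag that, so an undersized output buffer probably yields silently empty output rather than an error. Treating it like the undersized-input case in the first hunk would be more consistent, for example testing `if (numSamplesPerBuffer < static_cast<size_t>(mVi->channels))` after the clamp and reporting `OMX_ErrorUndefined`. The `else` block is cut at both ends of the hunk, so how an error should unwind here has to be checked against the full function.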