From 7cea5cb64b83d690fe02bc210bbdf08f5a87636f Mon Sep 17 00:00:00 2001 From: Wonsik Kim Date: Thu, 7 Apr 2016 17:45:02 +0900 Subject: codecs: check OMX buffer size before use in (gsm|g711)dec Bug: 27793163 Bug: 27793367 Change-Id: Iec3de8a237ee2379d87a8371c13e543878c6652c --- media/libstagefright/codecs/g711/dec/SoftG711.cpp | 9 +++++++++ media/libstagefright/codecs/gsm/dec/SoftGSM.cpp | 8 ++++++++ 2 files changed, 17 insertions(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/g711/dec/SoftG711.cpp b/media/libstagefright/codecs/g711/dec/SoftG711.cpp index 3de95a5..c8277de 100644 --- a/media/libstagefright/codecs/g711/dec/SoftG711.cpp +++ b/media/libstagefright/codecs/g711/dec/SoftG711.cpp @@ -240,6 +240,15 @@ void SoftG711::onQueueFilled(OMX_U32 /* portIndex */) { mSignalledError = true; } + if (inHeader->nFilledLen * sizeof(int16_t) > outHeader->nAllocLen) { + ALOGE("output buffer too small (%d).", outHeader->nAllocLen); + android_errorWriteLog(0x534e4554, "27793163"); + + notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); + mSignalledError = true; + return; + } + const uint8_t *inputptr = inHeader->pBuffer + inHeader->nOffset; if (mIsMLaw) { diff --git a/media/libstagefright/codecs/gsm/dec/SoftGSM.cpp b/media/libstagefright/codecs/gsm/dec/SoftGSM.cpp index 7916c45..04d5a33 100644 --- a/media/libstagefright/codecs/gsm/dec/SoftGSM.cpp +++ b/media/libstagefright/codecs/gsm/dec/SoftGSM.cpp @@ -228,6 +228,14 @@ void SoftGSM::onQueueFilled(OMX_U32 /* portIndex */) { mSignalledError = true; } + if (outHeader->nAllocLen < (inHeader->nFilledLen / kMSGSMFrameSize) * 320) { + ALOGE("output buffer is not large enough (%d).", outHeader->nAllocLen); + android_errorWriteLog(0x534e4554, "27793367"); + notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); + mSignalledError = true; + return; + } + uint8_t *inputptr = inHeader->pBuffer + inHeader->nOffset; int n = mSignalledError ? 0 : DecodeGSM(mGsm, -- cgit v1.1