From 295c883fe3105b19bcd0f9e07d54c6b589fc5bff Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Mon, 29 Feb 2016 12:47:20 -0800 Subject: DO NOT MERGE Verify OMX buffer sizes prior to access Bug: 27207275 Change-Id: I4412825d1ee233d993af0a67708bea54304ff62d --- media/libstagefright/codecs/aacdec/SoftAAC2.cpp | 25 +++++ .../codecs/aacenc/SoftAACEncoder.cpp | 28 +++++ .../codecs/aacenc/SoftAACEncoder2.cpp | 28 +++++ media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp | 20 ++++ .../codecs/amrnb/enc/SoftAMRNBEncoder.cpp | 28 +++++ .../codecs/amrwbenc/SoftAMRWBEncoder.cpp | 28 +++++ .../codecs/avc/enc/SoftAVCEncoder.cpp | 16 +++ media/libstagefright/codecs/avcenc/SoftAVCEnc.cpp | 30 ++++- .../codecs/flac/enc/SoftFlacEncoder.cpp | 26 +++++ media/libstagefright/codecs/g711/dec/SoftG711.cpp | 12 ++ media/libstagefright/codecs/gsm/dec/SoftGSM.cpp | 12 ++ .../codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp | 24 ++++ media/libstagefright/codecs/mp3dec/SoftMP3.cpp | 16 +++ .../codecs/on2/enc/SoftVPXEncoder.cpp | 121 ++++++++++++++------- media/libstagefright/codecs/opus/dec/SoftOpus.cpp | 16 +++ media/libstagefright/codecs/raw/SoftRaw.cpp | 12 ++ .../codecs/vorbis/dec/SoftVorbis.cpp | 16 +++ media/libstagefright/include/SoftOMXComponent.h | 16 +++ .../libstagefright/omx/SimpleSoftOMXComponent.cpp | 8 ++ .../omx/SoftVideoDecoderOMXComponent.cpp | 30 +++++ 20 files changed, 470 insertions(+), 42 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/aacdec/SoftAAC2.cpp b/media/libstagefright/codecs/aacdec/SoftAAC2.cpp index 965c55e..520ecb4 100644 --- a/media/libstagefright/codecs/aacdec/SoftAAC2.cpp +++ b/media/libstagefright/codecs/aacdec/SoftAAC2.cpp @@ -209,6 +209,10 @@ OMX_ERRORTYPE SoftAAC2::internalGetParameter( OMX_AUDIO_PARAM_AACPROFILETYPE *aacParams = (OMX_AUDIO_PARAM_AACPROFILETYPE *)params; + if (!isValidOMXParam(aacParams)) { + return OMX_ErrorBadParameter; + } + if (aacParams->nPortIndex != 0) { return OMX_ErrorUndefined; } @@ -244,6 +248,10 @@ OMX_ERRORTYPE SoftAAC2::internalGetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -284,6 +292,10 @@ OMX_ERRORTYPE SoftAAC2::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (strncmp((const char *)roleParams->cRole, "audio_decoder.aac", OMX_MAX_STRINGNAME_SIZE - 1)) { @@ -298,6 +310,10 @@ OMX_ERRORTYPE SoftAAC2::internalSetParameter( const OMX_AUDIO_PARAM_AACPROFILETYPE *aacParams = (const OMX_AUDIO_PARAM_AACPROFILETYPE *)params; + if (!isValidOMXParam(aacParams)) { + return OMX_ErrorBadParameter; + } + if (aacParams->nPortIndex != 0) { return OMX_ErrorUndefined; } @@ -318,6 +334,11 @@ OMX_ERRORTYPE SoftAAC2::internalSetParameter( { const OMX_AUDIO_PARAM_ANDROID_AACPRESENTATIONTYPE *aacPresParams = (const OMX_AUDIO_PARAM_ANDROID_AACPRESENTATIONTYPE *)params; + + if (!isValidOMXParam(aacPresParams)) { + return OMX_ErrorBadParameter; + } + // for the following parameters of the OMX_AUDIO_PARAM_AACPROFILETYPE structure, // a value of -1 implies the parameter is not set by the application: // nMaxOutputChannels uses default platform properties, see configureDownmix() @@ -384,6 +405,10 @@ OMX_ERRORTYPE SoftAAC2::internalSetParameter( const OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 1) { return OMX_ErrorUndefined; } diff --git a/media/libstagefright/codecs/aacenc/SoftAACEncoder.cpp b/media/libstagefright/codecs/aacenc/SoftAACEncoder.cpp index c6724c2..ab0a228 100644 --- a/media/libstagefright/codecs/aacenc/SoftAACEncoder.cpp +++ b/media/libstagefright/codecs/aacenc/SoftAACEncoder.cpp @@ -154,6 +154,10 @@ OMX_ERRORTYPE SoftAACEncoder::internalGetParameter( OMX_AUDIO_PARAM_PORTFORMATTYPE *formatParams = (OMX_AUDIO_PARAM_PORTFORMATTYPE *)params; + if (!isValidOMXParam(formatParams)) { + return OMX_ErrorBadParameter; + } + if (formatParams->nPortIndex > 1) { return OMX_ErrorUndefined; } @@ -174,6 +178,10 @@ OMX_ERRORTYPE SoftAACEncoder::internalGetParameter( OMX_AUDIO_PARAM_AACPROFILETYPE *aacParams = (OMX_AUDIO_PARAM_AACPROFILETYPE *)params; + if (!isValidOMXParam(aacParams)) { + return OMX_ErrorBadParameter; + } + if (aacParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -198,6 +206,10 @@ OMX_ERRORTYPE SoftAACEncoder::internalGetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 0) { return OMX_ErrorUndefined; } @@ -229,6 +241,10 @@ OMX_ERRORTYPE SoftAACEncoder::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (strncmp((const char *)roleParams->cRole, "audio_encoder.aac", OMX_MAX_STRINGNAME_SIZE - 1)) { @@ -243,6 +259,10 @@ OMX_ERRORTYPE SoftAACEncoder::internalSetParameter( const OMX_AUDIO_PARAM_PORTFORMATTYPE *formatParams = (const OMX_AUDIO_PARAM_PORTFORMATTYPE *)params; + if (!isValidOMXParam(formatParams)) { + return OMX_ErrorBadParameter; + } + if (formatParams->nPortIndex > 1) { return OMX_ErrorUndefined; } @@ -266,6 +286,10 @@ OMX_ERRORTYPE SoftAACEncoder::internalSetParameter( OMX_AUDIO_PARAM_AACPROFILETYPE *aacParams = (OMX_AUDIO_PARAM_AACPROFILETYPE *)params; + if (!isValidOMXParam(aacParams)) { + return OMX_ErrorBadParameter; + } + if (aacParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -286,6 +310,10 @@ OMX_ERRORTYPE SoftAACEncoder::internalSetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 0) { return OMX_ErrorUndefined; } diff --git a/media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp b/media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp index 35aa883..e8dabed 100644 --- a/media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp +++ b/media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp @@ -123,6 +123,10 @@ OMX_ERRORTYPE SoftAACEncoder2::internalGetParameter( OMX_AUDIO_PARAM_PORTFORMATTYPE *formatParams = (OMX_AUDIO_PARAM_PORTFORMATTYPE *)params; + if (!isValidOMXParam(formatParams)) { + return OMX_ErrorBadParameter; + } + if (formatParams->nPortIndex > 1) { return OMX_ErrorUndefined; } @@ -143,6 +147,10 @@ OMX_ERRORTYPE SoftAACEncoder2::internalGetParameter( OMX_AUDIO_PARAM_AACPROFILETYPE *aacParams = (OMX_AUDIO_PARAM_AACPROFILETYPE *)params; + if (!isValidOMXParam(aacParams)) { + return OMX_ErrorBadParameter; + } + if (aacParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -202,6 +210,10 @@ OMX_ERRORTYPE SoftAACEncoder2::internalGetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 0) { return OMX_ErrorUndefined; } @@ -233,6 +245,10 @@ OMX_ERRORTYPE SoftAACEncoder2::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (strncmp((const char *)roleParams->cRole, "audio_encoder.aac", OMX_MAX_STRINGNAME_SIZE - 1)) { @@ -247,6 +263,10 @@ OMX_ERRORTYPE SoftAACEncoder2::internalSetParameter( const OMX_AUDIO_PARAM_PORTFORMATTYPE *formatParams = (const OMX_AUDIO_PARAM_PORTFORMATTYPE *)params; + if (!isValidOMXParam(formatParams)) { + return OMX_ErrorBadParameter; + } + if (formatParams->nPortIndex > 1) { return OMX_ErrorUndefined; } @@ -270,6 +290,10 @@ OMX_ERRORTYPE SoftAACEncoder2::internalSetParameter( OMX_AUDIO_PARAM_AACPROFILETYPE *aacParams = (OMX_AUDIO_PARAM_AACPROFILETYPE *)params; + if (!isValidOMXParam(aacParams)) { + return OMX_ErrorBadParameter; + } + if (aacParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -310,6 +334,10 @@ OMX_ERRORTYPE SoftAACEncoder2::internalSetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 0) { return OMX_ErrorUndefined; } diff --git a/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp b/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp index 955309a..edf648d 100644 --- a/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp +++ b/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp @@ -148,6 +148,10 @@ OMX_ERRORTYPE SoftAMR::internalGetParameter( OMX_AUDIO_PARAM_AMRTYPE *amrParams = (OMX_AUDIO_PARAM_AMRTYPE *)params; + if (!isValidOMXParam(amrParams)) { + return OMX_ErrorBadParameter; + } + if (amrParams->nPortIndex != 0) { return OMX_ErrorUndefined; } @@ -174,6 +178,10 @@ OMX_ERRORTYPE SoftAMR::internalGetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -207,6 +215,10 @@ OMX_ERRORTYPE SoftAMR::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (mMode == MODE_NARROW) { if (strncmp((const char *)roleParams->cRole, "audio_decoder.amrnb", @@ -229,6 +241,10 @@ OMX_ERRORTYPE SoftAMR::internalSetParameter( const OMX_AUDIO_PARAM_AMRTYPE *aacParams = (const OMX_AUDIO_PARAM_AMRTYPE *)params; + if (!isValidOMXParam(aacParams)) { + return OMX_ErrorBadParameter; + } + if (aacParams->nPortIndex != 0) { return OMX_ErrorUndefined; } @@ -241,6 +257,10 @@ OMX_ERRORTYPE SoftAMR::internalSetParameter( const OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 1) { return OMX_ErrorUndefined; } diff --git a/media/libstagefright/codecs/amrnb/enc/SoftAMRNBEncoder.cpp b/media/libstagefright/codecs/amrnb/enc/SoftAMRNBEncoder.cpp index 9489457..aaa6731 100644 --- a/media/libstagefright/codecs/amrnb/enc/SoftAMRNBEncoder.cpp +++ b/media/libstagefright/codecs/amrnb/enc/SoftAMRNBEncoder.cpp @@ -120,6 +120,10 @@ OMX_ERRORTYPE SoftAMRNBEncoder::internalGetParameter( OMX_AUDIO_PARAM_PORTFORMATTYPE *formatParams = (OMX_AUDIO_PARAM_PORTFORMATTYPE *)params; + if (!isValidOMXParam(formatParams)) { + return OMX_ErrorBadParameter; + } + if (formatParams->nPortIndex > 1) { return OMX_ErrorUndefined; } @@ -140,6 +144,10 @@ OMX_ERRORTYPE SoftAMRNBEncoder::internalGetParameter( OMX_AUDIO_PARAM_AMRTYPE *amrParams = (OMX_AUDIO_PARAM_AMRTYPE *)params; + if (!isValidOMXParam(amrParams)) { + return OMX_ErrorBadParameter; + } + if (amrParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -158,6 +166,10 @@ OMX_ERRORTYPE SoftAMRNBEncoder::internalGetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 0) { return OMX_ErrorUndefined; } @@ -188,6 +200,10 @@ OMX_ERRORTYPE SoftAMRNBEncoder::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (strncmp((const char *)roleParams->cRole, "audio_encoder.amrnb", OMX_MAX_STRINGNAME_SIZE - 1)) { @@ -202,6 +218,10 @@ OMX_ERRORTYPE SoftAMRNBEncoder::internalSetParameter( const OMX_AUDIO_PARAM_PORTFORMATTYPE *formatParams = (const OMX_AUDIO_PARAM_PORTFORMATTYPE *)params; + if (!isValidOMXParam(formatParams)) { + return OMX_ErrorBadParameter; + } + if (formatParams->nPortIndex > 1) { return OMX_ErrorUndefined; } @@ -225,6 +245,10 @@ OMX_ERRORTYPE SoftAMRNBEncoder::internalSetParameter( OMX_AUDIO_PARAM_AMRTYPE *amrParams = (OMX_AUDIO_PARAM_AMRTYPE *)params; + if (!isValidOMXParam(amrParams)) { + return OMX_ErrorBadParameter; + } + if (amrParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -252,6 +276,10 @@ OMX_ERRORTYPE SoftAMRNBEncoder::internalSetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 0) { return OMX_ErrorUndefined; } diff --git a/media/libstagefright/codecs/amrwbenc/SoftAMRWBEncoder.cpp b/media/libstagefright/codecs/amrwbenc/SoftAMRWBEncoder.cpp index 91a512d..9d50c4e 100644 --- a/media/libstagefright/codecs/amrwbenc/SoftAMRWBEncoder.cpp +++ b/media/libstagefright/codecs/amrwbenc/SoftAMRWBEncoder.cpp @@ -155,6 +155,10 @@ OMX_ERRORTYPE SoftAMRWBEncoder::internalGetParameter( OMX_AUDIO_PARAM_PORTFORMATTYPE *formatParams = (OMX_AUDIO_PARAM_PORTFORMATTYPE *)params; + if (!isValidOMXParam(formatParams)) { + return OMX_ErrorBadParameter; + } + if (formatParams->nPortIndex > 1) { return OMX_ErrorUndefined; } @@ -175,6 +179,10 @@ OMX_ERRORTYPE SoftAMRWBEncoder::internalGetParameter( OMX_AUDIO_PARAM_AMRTYPE *amrParams = (OMX_AUDIO_PARAM_AMRTYPE *)params; + if (!isValidOMXParam(amrParams)) { + return OMX_ErrorBadParameter; + } + if (amrParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -196,6 +204,10 @@ OMX_ERRORTYPE SoftAMRWBEncoder::internalGetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 0) { return OMX_ErrorUndefined; } @@ -226,6 +238,10 @@ OMX_ERRORTYPE SoftAMRWBEncoder::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (strncmp((const char *)roleParams->cRole, "audio_encoder.amrwb", OMX_MAX_STRINGNAME_SIZE - 1)) { @@ -240,6 +256,10 @@ OMX_ERRORTYPE SoftAMRWBEncoder::internalSetParameter( const OMX_AUDIO_PARAM_PORTFORMATTYPE *formatParams = (const OMX_AUDIO_PARAM_PORTFORMATTYPE *)params; + if (!isValidOMXParam(formatParams)) { + return OMX_ErrorBadParameter; + } + if (formatParams->nPortIndex > 1) { return OMX_ErrorUndefined; } @@ -263,6 +283,10 @@ OMX_ERRORTYPE SoftAMRWBEncoder::internalSetParameter( OMX_AUDIO_PARAM_AMRTYPE *amrParams = (OMX_AUDIO_PARAM_AMRTYPE *)params; + if (!isValidOMXParam(amrParams)) { + return OMX_ErrorBadParameter; + } + if (amrParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -299,6 +323,10 @@ OMX_ERRORTYPE SoftAMRWBEncoder::internalSetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 0) { return OMX_ErrorUndefined; } diff --git a/media/libstagefright/codecs/avc/enc/SoftAVCEncoder.cpp b/media/libstagefright/codecs/avc/enc/SoftAVCEncoder.cpp index fa6ec40..cce6d15 100644 --- a/media/libstagefright/codecs/avc/enc/SoftAVCEncoder.cpp +++ b/media/libstagefright/codecs/avc/enc/SoftAVCEncoder.cpp @@ -370,6 +370,10 @@ OMX_ERRORTYPE SoftAVCEncoder::internalGetParameter( OMX_VIDEO_PARAM_BITRATETYPE *bitRate = (OMX_VIDEO_PARAM_BITRATETYPE *) params; + if (!isValidOMXParam(bitRate)) { + return OMX_ErrorBadParameter; + } + if (bitRate->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -384,6 +388,10 @@ OMX_ERRORTYPE SoftAVCEncoder::internalGetParameter( OMX_VIDEO_PARAM_AVCTYPE *avcParams = (OMX_VIDEO_PARAM_AVCTYPE *)params; + if (!isValidOMXParam(avcParams)) { + return OMX_ErrorBadParameter; + } + if (avcParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -427,6 +435,10 @@ OMX_ERRORTYPE SoftAVCEncoder::internalSetParameter( OMX_VIDEO_PARAM_BITRATETYPE *bitRate = (OMX_VIDEO_PARAM_BITRATETYPE *) params; + if (!isValidOMXParam(bitRate)) { + return OMX_ErrorBadParameter; + } + if (bitRate->nPortIndex != 1 || bitRate->eControlRate != OMX_Video_ControlRateVariable) { return OMX_ErrorUndefined; @@ -441,6 +453,10 @@ OMX_ERRORTYPE SoftAVCEncoder::internalSetParameter( OMX_VIDEO_PARAM_AVCTYPE *avcType = (OMX_VIDEO_PARAM_AVCTYPE *)params; + if (!isValidOMXParam(avcType)) { + return OMX_ErrorBadParameter; + } + if (avcType->nPortIndex != 1) { return OMX_ErrorUndefined; } diff --git a/media/libstagefright/codecs/avcenc/SoftAVCEnc.cpp b/media/libstagefright/codecs/avcenc/SoftAVCEnc.cpp index 387d17d..e4e8fd7 100644 --- a/media/libstagefright/codecs/avcenc/SoftAVCEnc.cpp +++ b/media/libstagefright/codecs/avcenc/SoftAVCEnc.cpp @@ -926,6 +926,10 @@ OMX_ERRORTYPE SoftAVC::internalGetParameter(OMX_INDEXTYPE index, OMX_PTR params) OMX_VIDEO_PARAM_BITRATETYPE *bitRate = (OMX_VIDEO_PARAM_BITRATETYPE *)params; + if (!isValidOMXParam(bitRate)) { + return OMX_ErrorBadParameter; + } + if (bitRate->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -939,6 +943,10 @@ OMX_ERRORTYPE SoftAVC::internalGetParameter(OMX_INDEXTYPE index, OMX_PTR params) { OMX_VIDEO_PARAM_AVCTYPE *avcParams = (OMX_VIDEO_PARAM_AVCTYPE *)params; + if (!isValidOMXParam(avcParams)) { + return OMX_ErrorBadParameter; + } + if (avcParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -976,14 +984,24 @@ OMX_ERRORTYPE SoftAVC::internalSetParameter(OMX_INDEXTYPE index, const OMX_PTR p switch (indexFull) { case OMX_IndexParamVideoBitrate: { - return internalSetBitrateParams( - (const OMX_VIDEO_PARAM_BITRATETYPE *)params); + OMX_VIDEO_PARAM_BITRATETYPE *bitRate = + (OMX_VIDEO_PARAM_BITRATETYPE *)params; + + if (!isValidOMXParam(bitRate)) { + return OMX_ErrorBadParameter; + } + + return internalSetBitrateParams(bitRate); } case OMX_IndexParamVideoAvc: { OMX_VIDEO_PARAM_AVCTYPE *avcType = (OMX_VIDEO_PARAM_AVCTYPE *)params; + if (!isValidOMXParam(avcType)) { + return OMX_ErrorBadParameter; + } + if (avcType->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -1035,6 +1053,10 @@ OMX_ERRORTYPE SoftAVC::setConfig( OMX_CONFIG_INTRAREFRESHVOPTYPE *params = (OMX_CONFIG_INTRAREFRESHVOPTYPE *)_params; + if (!isValidOMXParam(params)) { + return OMX_ErrorBadParameter; + } + if (params->nPortIndex != kOutputPortIndex) { return OMX_ErrorBadPortIndex; } @@ -1048,6 +1070,10 @@ OMX_ERRORTYPE SoftAVC::setConfig( OMX_VIDEO_CONFIG_BITRATETYPE *params = (OMX_VIDEO_CONFIG_BITRATETYPE *)_params; + if (!isValidOMXParam(params)) { + return OMX_ErrorBadParameter; + } + if (params->nPortIndex != kOutputPortIndex) { return OMX_ErrorBadPortIndex; } diff --git a/media/libstagefright/codecs/flac/enc/SoftFlacEncoder.cpp b/media/libstagefright/codecs/flac/enc/SoftFlacEncoder.cpp index 9edffd2..caceda9 100644 --- a/media/libstagefright/codecs/flac/enc/SoftFlacEncoder.cpp +++ b/media/libstagefright/codecs/flac/enc/SoftFlacEncoder.cpp @@ -159,6 +159,10 @@ OMX_ERRORTYPE SoftFlacEncoder::internalGetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex > 1) { return OMX_ErrorUndefined; } @@ -180,6 +184,11 @@ OMX_ERRORTYPE SoftFlacEncoder::internalGetParameter( case OMX_IndexParamAudioFlac: { OMX_AUDIO_PARAM_FLACTYPE *flacParams = (OMX_AUDIO_PARAM_FLACTYPE *)params; + + if (!isValidOMXParam(flacParams)) { + return OMX_ErrorBadParameter; + } + flacParams->nCompressionLevel = mCompressionLevel; flacParams->nChannels = mNumChannels; flacParams->nSampleRate = mSampleRate; @@ -199,6 +208,10 @@ OMX_ERRORTYPE SoftFlacEncoder::internalSetParameter( ALOGV("SoftFlacEncoder::internalSetParameter(OMX_IndexParamAudioPcm)"); OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 0 && pcmParams->nPortIndex != 1) { ALOGE("SoftFlacEncoder::internalSetParameter() Error #1"); return OMX_ErrorUndefined; @@ -221,6 +234,10 @@ OMX_ERRORTYPE SoftFlacEncoder::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (strncmp((const char *)roleParams->cRole, "audio_encoder.flac", OMX_MAX_STRINGNAME_SIZE - 1)) { @@ -236,6 +253,11 @@ OMX_ERRORTYPE SoftFlacEncoder::internalSetParameter( { // used only for setting the compression level OMX_AUDIO_PARAM_FLACTYPE *flacParams = (OMX_AUDIO_PARAM_FLACTYPE *)params; + + if (!isValidOMXParam(flacParams)) { + return OMX_ErrorBadParameter; + } + mCompressionLevel = flacParams->nCompressionLevel; // range clamping done inside encoder return OMX_ErrorNone; } @@ -245,6 +267,10 @@ OMX_ERRORTYPE SoftFlacEncoder::internalSetParameter( OMX_PARAM_PORTDEFINITIONTYPE *defParams = (OMX_PARAM_PORTDEFINITIONTYPE *)params; + if (!isValidOMXParam(defParams)) { + return OMX_ErrorBadParameter; + } + if (defParams->nPortIndex == 0) { if (defParams->nBufferSize > kMaxInputBufferSize) { ALOGE("Input buffer size must be at most %d bytes", diff --git a/media/libstagefright/codecs/g711/dec/SoftG711.cpp b/media/libstagefright/codecs/g711/dec/SoftG711.cpp index 015515e..3de95a5 100644 --- a/media/libstagefright/codecs/g711/dec/SoftG711.cpp +++ b/media/libstagefright/codecs/g711/dec/SoftG711.cpp @@ -110,6 +110,10 @@ OMX_ERRORTYPE SoftG711::internalGetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex > 1) { return OMX_ErrorUndefined; } @@ -148,6 +152,10 @@ OMX_ERRORTYPE SoftG711::internalSetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 0 && pcmParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -170,6 +178,10 @@ OMX_ERRORTYPE SoftG711::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (mIsMLaw) { if (strncmp((const char *)roleParams->cRole, "audio_decoder.g711mlaw", diff --git a/media/libstagefright/codecs/gsm/dec/SoftGSM.cpp b/media/libstagefright/codecs/gsm/dec/SoftGSM.cpp index bd01a1a..7916c45 100644 --- a/media/libstagefright/codecs/gsm/dec/SoftGSM.cpp +++ b/media/libstagefright/codecs/gsm/dec/SoftGSM.cpp @@ -110,6 +110,10 @@ OMX_ERRORTYPE SoftGSM::internalGetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex > 1) { return OMX_ErrorUndefined; } @@ -141,6 +145,10 @@ OMX_ERRORTYPE SoftGSM::internalSetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 0 && pcmParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -161,6 +169,10 @@ OMX_ERRORTYPE SoftGSM::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (strncmp((const char *)roleParams->cRole, "audio_decoder.gsm", OMX_MAX_STRINGNAME_SIZE - 1)) { diff --git a/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp b/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp index f2a4e65..7638bb7 100644 --- a/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp +++ b/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp @@ -232,6 +232,10 @@ OMX_ERRORTYPE SoftMPEG4Encoder::internalGetParameter( OMX_VIDEO_PARAM_BITRATETYPE *bitRate = (OMX_VIDEO_PARAM_BITRATETYPE *) params; + if (!isValidOMXParam(bitRate)) { + return OMX_ErrorBadParameter; + } + if (bitRate->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -246,6 +250,10 @@ OMX_ERRORTYPE SoftMPEG4Encoder::internalGetParameter( OMX_VIDEO_PARAM_H263TYPE *h263type = (OMX_VIDEO_PARAM_H263TYPE *)params; + if (!isValidOMXParam(h263type)) { + return OMX_ErrorBadParameter; + } + if (h263type->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -267,6 +275,10 @@ OMX_ERRORTYPE SoftMPEG4Encoder::internalGetParameter( OMX_VIDEO_PARAM_MPEG4TYPE *mpeg4type = (OMX_VIDEO_PARAM_MPEG4TYPE *)params; + if (!isValidOMXParam(mpeg4type)) { + return OMX_ErrorBadParameter; + } + if (mpeg4type->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -301,6 +313,10 @@ OMX_ERRORTYPE SoftMPEG4Encoder::internalSetParameter( OMX_VIDEO_PARAM_BITRATETYPE *bitRate = (OMX_VIDEO_PARAM_BITRATETYPE *) params; + if (!isValidOMXParam(bitRate)) { + return OMX_ErrorBadParameter; + } + if (bitRate->nPortIndex != 1 || bitRate->eControlRate != OMX_Video_ControlRateVariable) { return OMX_ErrorUndefined; @@ -315,6 +331,10 @@ OMX_ERRORTYPE SoftMPEG4Encoder::internalSetParameter( OMX_VIDEO_PARAM_H263TYPE *h263type = (OMX_VIDEO_PARAM_H263TYPE *)params; + if (!isValidOMXParam(h263type)) { + return OMX_ErrorBadParameter; + } + if (h263type->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -337,6 +357,10 @@ OMX_ERRORTYPE SoftMPEG4Encoder::internalSetParameter( OMX_VIDEO_PARAM_MPEG4TYPE *mpeg4type = (OMX_VIDEO_PARAM_MPEG4TYPE *)params; + if (!isValidOMXParam(mpeg4type)) { + return OMX_ErrorBadParameter; + } + if (mpeg4type->nPortIndex != 1) { return OMX_ErrorUndefined; } diff --git a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp index f743b1c..9988015 100644 --- a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp +++ b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp @@ -128,6 +128,10 @@ OMX_ERRORTYPE SoftMP3::internalGetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex > 1) { return OMX_ErrorUndefined; } @@ -151,6 +155,10 @@ OMX_ERRORTYPE SoftMP3::internalGetParameter( OMX_AUDIO_PARAM_MP3TYPE *mp3Params = (OMX_AUDIO_PARAM_MP3TYPE *)params; + if (!isValidOMXParam(mp3Params)) { + return OMX_ErrorBadParameter; + } + if (mp3Params->nPortIndex > 1) { return OMX_ErrorUndefined; } @@ -176,6 +184,10 @@ OMX_ERRORTYPE SoftMP3::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (strncmp((const char *)roleParams->cRole, "audio_decoder.mp3", OMX_MAX_STRINGNAME_SIZE - 1)) { @@ -190,6 +202,10 @@ OMX_ERRORTYPE SoftMP3::internalSetParameter( const OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (const OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 1) { return OMX_ErrorUndefined; } diff --git a/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp b/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp index d9895f0..5c950c7 100644 --- a/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp +++ b/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp @@ -368,20 +368,24 @@ OMX_ERRORTYPE SoftVPXEncoder::internalGetParameter(OMX_INDEXTYPE index, OMX_VIDEO_PARAM_BITRATETYPE *bitrate = (OMX_VIDEO_PARAM_BITRATETYPE *)param; - if (bitrate->nPortIndex != kOutputPortIndex) { - return OMX_ErrorUnsupportedIndex; - } + if (!isValidOMXParam(bitrate)) { + return OMX_ErrorBadParameter; + } - bitrate->nTargetBitrate = mBitrate; + if (bitrate->nPortIndex != kOutputPortIndex) { + return OMX_ErrorUnsupportedIndex; + } - if (mBitrateControlMode == VPX_VBR) { - bitrate->eControlRate = OMX_Video_ControlRateVariable; - } else if (mBitrateControlMode == VPX_CBR) { - bitrate->eControlRate = OMX_Video_ControlRateConstant; - } else { - return OMX_ErrorUnsupportedSetting; - } - return OMX_ErrorNone; + bitrate->nTargetBitrate = mBitrate; + + if (mBitrateControlMode == VPX_VBR) { + bitrate->eControlRate = OMX_Video_ControlRateVariable; + } else if (mBitrateControlMode == VPX_CBR) { + bitrate->eControlRate = OMX_Video_ControlRateConstant; + } else { + return OMX_ErrorUnsupportedSetting; + } + return OMX_ErrorNone; } // VP8 specific parameters that use extension headers @@ -389,33 +393,41 @@ OMX_ERRORTYPE SoftVPXEncoder::internalGetParameter(OMX_INDEXTYPE index, OMX_VIDEO_PARAM_VP8TYPE *vp8Params = (OMX_VIDEO_PARAM_VP8TYPE *)param; - if (vp8Params->nPortIndex != kOutputPortIndex) { - return OMX_ErrorUnsupportedIndex; - } + if (!isValidOMXParam(vp8Params)) { + return OMX_ErrorBadParameter; + } - vp8Params->eProfile = OMX_VIDEO_VP8ProfileMain; - vp8Params->eLevel = mLevel; - vp8Params->nDCTPartitions = mDCTPartitions; - vp8Params->bErrorResilientMode = mErrorResilience; - return OMX_ErrorNone; + if (vp8Params->nPortIndex != kOutputPortIndex) { + return OMX_ErrorUnsupportedIndex; + } + + vp8Params->eProfile = OMX_VIDEO_VP8ProfileMain; + vp8Params->eLevel = mLevel; + vp8Params->nDCTPartitions = mDCTPartitions; + vp8Params->bErrorResilientMode = mErrorResilience; + return OMX_ErrorNone; } case OMX_IndexParamVideoAndroidVp8Encoder: { OMX_VIDEO_PARAM_ANDROID_VP8ENCODERTYPE *vp8AndroidParams = (OMX_VIDEO_PARAM_ANDROID_VP8ENCODERTYPE *)param; - if (vp8AndroidParams->nPortIndex != kOutputPortIndex) { - return OMX_ErrorUnsupportedIndex; - } + if (!isValidOMXParam(vp8AndroidParams)) { + return OMX_ErrorBadParameter; + } - vp8AndroidParams->nKeyFrameInterval = mKeyFrameInterval; - vp8AndroidParams->eTemporalPattern = mTemporalPatternType; - vp8AndroidParams->nTemporalLayerCount = mTemporalLayers; - vp8AndroidParams->nMinQuantizer = mMinQuantizer; - vp8AndroidParams->nMaxQuantizer = mMaxQuantizer; - memcpy(vp8AndroidParams->nTemporalLayerBitrateRatio, - mTemporalLayerBitrateRatio, sizeof(mTemporalLayerBitrateRatio)); - return OMX_ErrorNone; + if (vp8AndroidParams->nPortIndex != kOutputPortIndex) { + return OMX_ErrorUnsupportedIndex; + } + + vp8AndroidParams->nKeyFrameInterval = mKeyFrameInterval; + vp8AndroidParams->eTemporalPattern = mTemporalPatternType; + vp8AndroidParams->nTemporalLayerCount = mTemporalLayers; + vp8AndroidParams->nMinQuantizer = mMinQuantizer; + vp8AndroidParams->nMaxQuantizer = mMaxQuantizer; + memcpy(vp8AndroidParams->nTemporalLayerBitrateRatio, + mTemporalLayerBitrateRatio, sizeof(mTemporalLayerBitrateRatio)); + return OMX_ErrorNone; } default: @@ -430,17 +442,38 @@ OMX_ERRORTYPE SoftVPXEncoder::internalSetParameter(OMX_INDEXTYPE index, const int32_t indexFull = index; switch (indexFull) { - case OMX_IndexParamVideoBitrate: - return internalSetBitrateParams( - (const OMX_VIDEO_PARAM_BITRATETYPE *)param); + case OMX_IndexParamVideoBitrate: { + const OMX_VIDEO_PARAM_BITRATETYPE *bitRate = + (const OMX_VIDEO_PARAM_BITRATETYPE*) param; + + if (!isValidOMXParam(bitRate)) { + return OMX_ErrorBadParameter; + } + + return internalSetBitrateParams(bitRate); + } + + case OMX_IndexParamVideoVp8: { + const OMX_VIDEO_PARAM_VP8TYPE *vp8Params = + (const OMX_VIDEO_PARAM_VP8TYPE*) param; + + if (!isValidOMXParam(vp8Params)) { + return OMX_ErrorBadParameter; + } + + return internalSetVp8Params(vp8Params); + } - case OMX_IndexParamVideoVp8: - return internalSetVp8Params( - (const OMX_VIDEO_PARAM_VP8TYPE *)param); + case OMX_IndexParamVideoAndroidVp8Encoder: { + const OMX_VIDEO_PARAM_ANDROID_VP8ENCODERTYPE *vp8AndroidParams = + (const OMX_VIDEO_PARAM_ANDROID_VP8ENCODERTYPE*) param; + + if (!isValidOMXParam(vp8AndroidParams)) { + return OMX_ErrorBadParameter; + } - case OMX_IndexParamVideoAndroidVp8Encoder: - return internalSetAndroidVp8Params( - (const OMX_VIDEO_PARAM_ANDROID_VP8ENCODERTYPE *)param); + return internalSetAndroidVp8Params(vp8AndroidParams); + } default: return SoftVideoEncoderOMXComponent::internalSetParameter(index, param); @@ -455,6 +488,10 @@ OMX_ERRORTYPE SoftVPXEncoder::setConfig( OMX_CONFIG_INTRAREFRESHVOPTYPE *params = (OMX_CONFIG_INTRAREFRESHVOPTYPE *)_params; + if (!isValidOMXParam(params)) { + return OMX_ErrorBadParameter; + } + if (params->nPortIndex != kOutputPortIndex) { return OMX_ErrorBadPortIndex; } @@ -468,6 +505,10 @@ OMX_ERRORTYPE SoftVPXEncoder::setConfig( OMX_VIDEO_CONFIG_BITRATETYPE *params = (OMX_VIDEO_CONFIG_BITRATETYPE *)_params; + if (!isValidOMXParam(params)) { + return OMX_ErrorBadParameter; + } + if (params->nPortIndex != kOutputPortIndex) { return OMX_ErrorBadPortIndex; } diff --git a/media/libstagefright/codecs/opus/dec/SoftOpus.cpp b/media/libstagefright/codecs/opus/dec/SoftOpus.cpp index cb10bce..2afa0ed 100644 --- a/media/libstagefright/codecs/opus/dec/SoftOpus.cpp +++ b/media/libstagefright/codecs/opus/dec/SoftOpus.cpp @@ -134,6 +134,10 @@ OMX_ERRORTYPE SoftOpus::internalGetParameter( OMX_AUDIO_PARAM_ANDROID_OPUSTYPE *opusParams = (OMX_AUDIO_PARAM_ANDROID_OPUSTYPE *)params; + if (!isValidOMXParam(opusParams)) { + return OMX_ErrorBadParameter; + } + if (opusParams->nPortIndex != 0) { return OMX_ErrorUndefined; } @@ -156,6 +160,10 @@ OMX_ERRORTYPE SoftOpus::internalGetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -191,6 +199,10 @@ OMX_ERRORTYPE SoftOpus::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (strncmp((const char *)roleParams->cRole, "audio_decoder.opus", OMX_MAX_STRINGNAME_SIZE - 1)) { @@ -205,6 +217,10 @@ OMX_ERRORTYPE SoftOpus::internalSetParameter( const OMX_AUDIO_PARAM_ANDROID_OPUSTYPE *opusParams = (const OMX_AUDIO_PARAM_ANDROID_OPUSTYPE *)params; + if (!isValidOMXParam(opusParams)) { + return OMX_ErrorBadParameter; + } + if (opusParams->nPortIndex != 0) { return OMX_ErrorUndefined; } diff --git a/media/libstagefright/codecs/raw/SoftRaw.cpp b/media/libstagefright/codecs/raw/SoftRaw.cpp index 9d514a6..4f7ae95 100644 --- a/media/libstagefright/codecs/raw/SoftRaw.cpp +++ b/media/libstagefright/codecs/raw/SoftRaw.cpp @@ -103,6 +103,10 @@ OMX_ERRORTYPE SoftRaw::internalGetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 0 && pcmParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -134,6 +138,10 @@ OMX_ERRORTYPE SoftRaw::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (strncmp((const char *)roleParams->cRole, "audio_decoder.raw", OMX_MAX_STRINGNAME_SIZE - 1)) { @@ -148,6 +156,10 @@ OMX_ERRORTYPE SoftRaw::internalSetParameter( const OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 0) { return OMX_ErrorUndefined; } diff --git a/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp b/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp index c559682..4e1e6a5 100644 --- a/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp +++ b/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp @@ -130,6 +130,10 @@ OMX_ERRORTYPE SoftVorbis::internalGetParameter( OMX_AUDIO_PARAM_VORBISTYPE *vorbisParams = (OMX_AUDIO_PARAM_VORBISTYPE *)params; + if (!isValidOMXParam(vorbisParams)) { + return OMX_ErrorBadParameter; + } + if (vorbisParams->nPortIndex != 0) { return OMX_ErrorUndefined; } @@ -161,6 +165,10 @@ OMX_ERRORTYPE SoftVorbis::internalGetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -197,6 +205,10 @@ OMX_ERRORTYPE SoftVorbis::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (strncmp((const char *)roleParams->cRole, "audio_decoder.vorbis", OMX_MAX_STRINGNAME_SIZE - 1)) { @@ -211,6 +223,10 @@ OMX_ERRORTYPE SoftVorbis::internalSetParameter( const OMX_AUDIO_PARAM_VORBISTYPE *vorbisParams = (const OMX_AUDIO_PARAM_VORBISTYPE *)params; + if (!isValidOMXParam(vorbisParams)) { + return OMX_ErrorBadParameter; + } + if (vorbisParams->nPortIndex != 0) { return OMX_ErrorUndefined; } diff --git a/media/libstagefright/include/SoftOMXComponent.h b/media/libstagefright/include/SoftOMXComponent.h index a808611..3ab6f88 100644 --- a/media/libstagefright/include/SoftOMXComponent.h +++ b/media/libstagefright/include/SoftOMXComponent.h @@ -168,6 +168,22 @@ private: DISALLOW_EVIL_CONSTRUCTORS(SoftOMXComponent); }; +template +bool isValidOMXParam(T *a) { + static_assert(offsetof(typeof(*a), nSize) == 0, "nSize not at offset 0"); + static_assert(std::is_same< decltype(a->nSize), OMX_U32>::value, "nSize has wrong type"); + static_assert(offsetof(typeof(*a), nVersion) == 4, "nVersion not at offset 4"); + static_assert(std::is_same< decltype(a->nVersion), OMX_VERSIONTYPE>::value, + "nVersion has wrong type"); + + if (a->nSize < sizeof(*a)) { + ALOGE("b/27207275: need %zu, got %u", sizeof(*a), a->nSize); + android_errorWriteLog(0x534e4554, "27207275"); + return false; + } + return true; +} + } // namespace android #endif // SOFT_OMX_COMPONENT_H_ diff --git a/media/libstagefright/omx/SimpleSoftOMXComponent.cpp b/media/libstagefright/omx/SimpleSoftOMXComponent.cpp index e6a0c49..60c1e2e 100644 --- a/media/libstagefright/omx/SimpleSoftOMXComponent.cpp +++ b/media/libstagefright/omx/SimpleSoftOMXComponent.cpp @@ -125,6 +125,10 @@ OMX_ERRORTYPE SimpleSoftOMXComponent::internalGetParameter( OMX_PARAM_PORTDEFINITIONTYPE *defParams = (OMX_PARAM_PORTDEFINITIONTYPE *)params; + if (!isValidOMXParam(defParams)) { + return OMX_ErrorBadParameter; + } + if (defParams->nPortIndex >= mPorts.size() || defParams->nSize != sizeof(OMX_PARAM_PORTDEFINITIONTYPE)) { @@ -152,6 +156,10 @@ OMX_ERRORTYPE SimpleSoftOMXComponent::internalSetParameter( OMX_PARAM_PORTDEFINITIONTYPE *defParams = (OMX_PARAM_PORTDEFINITIONTYPE *)params; + if (!isValidOMXParam(defParams)) { + return OMX_ErrorBadParameter; + } + if (defParams->nPortIndex >= mPorts.size()) { return OMX_ErrorBadPortIndex; } diff --git a/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp b/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp index 4ce165b..19dde83 100644 --- a/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp +++ b/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp @@ -264,6 +264,10 @@ OMX_ERRORTYPE SoftVideoDecoderOMXComponent::internalGetParameter( OMX_VIDEO_PARAM_PORTFORMATTYPE *formatParams = (OMX_VIDEO_PARAM_PORTFORMATTYPE *)params; + if (!isValidOMXParam(formatParams)) { + return OMX_ErrorBadParameter; + } + if (formatParams->nPortIndex > kMaxPortIndex) { return OMX_ErrorBadPortIndex; } @@ -292,6 +296,10 @@ OMX_ERRORTYPE SoftVideoDecoderOMXComponent::internalGetParameter( OMX_VIDEO_PARAM_PROFILELEVELTYPE *profileLevel = (OMX_VIDEO_PARAM_PROFILELEVELTYPE *) params; + if (!isValidOMXParam(profileLevel)) { + return OMX_ErrorBadParameter; + } + if (profileLevel->nPortIndex != kInputPortIndex) { ALOGE("Invalid port index: %" PRIu32, profileLevel->nPortIndex); return OMX_ErrorUnsupportedIndex; @@ -322,6 +330,10 @@ OMX_ERRORTYPE SoftVideoDecoderOMXComponent::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (strncmp((const char *)roleParams->cRole, mComponentRole, OMX_MAX_STRINGNAME_SIZE - 1)) { @@ -336,6 +348,10 @@ OMX_ERRORTYPE SoftVideoDecoderOMXComponent::internalSetParameter( OMX_VIDEO_PARAM_PORTFORMATTYPE *formatParams = (OMX_VIDEO_PARAM_PORTFORMATTYPE *)params; + if (!isValidOMXParam(formatParams)) { + return OMX_ErrorBadParameter; + } + if (formatParams->nPortIndex > kMaxPortIndex) { return OMX_ErrorBadPortIndex; } @@ -363,6 +379,11 @@ OMX_ERRORTYPE SoftVideoDecoderOMXComponent::internalSetParameter( { const PrepareForAdaptivePlaybackParams* adaptivePlaybackParams = (const PrepareForAdaptivePlaybackParams *)params; + + if (!isValidOMXParam(adaptivePlaybackParams)) { + return OMX_ErrorBadParameter; + } + mIsAdaptive = adaptivePlaybackParams->bEnable; if (mIsAdaptive) { mAdaptiveMaxWidth = adaptivePlaybackParams->nMaxFrameWidth; @@ -381,6 +402,11 @@ OMX_ERRORTYPE SoftVideoDecoderOMXComponent::internalSetParameter( { OMX_PARAM_PORTDEFINITIONTYPE *newParams = (OMX_PARAM_PORTDEFINITIONTYPE *)params; + + if (!isValidOMXParam(newParams)) { + return OMX_ErrorBadParameter; + } + OMX_VIDEO_PORTDEFINITIONTYPE *video_def = &newParams->format.video; OMX_PARAM_PORTDEFINITIONTYPE *def = &editPortInfo(newParams->nPortIndex)->mDef; @@ -421,6 +447,10 @@ OMX_ERRORTYPE SoftVideoDecoderOMXComponent::getConfig( { OMX_CONFIG_RECTTYPE *rectParams = (OMX_CONFIG_RECTTYPE *)params; + if (!isValidOMXParam(rectParams)) { + return OMX_ErrorBadParameter; + } + if (rectParams->nPortIndex != kOutputPortIndex) { return OMX_ErrorUndefined; } -- cgit v1.1 From 94d9e646454f6246bf823b6897bd6aea5f08eda3 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Thu, 10 Mar 2016 14:29:26 -0800 Subject: Fix initialization of AAC presentation struct Otherwise the new size checks trip on this. Bug: 27207275 Change-Id: I1f8f01097e3a88ff041b69279a6121be842f1766 --- media/libstagefright/ACodec.cpp | 1 + 1 file changed, 1 insertion(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/ACodec.cpp b/media/libstagefright/ACodec.cpp index 8d9bd21..6399b79 100644 --- a/media/libstagefright/ACodec.cpp +++ b/media/libstagefright/ACodec.cpp @@ -2418,6 +2418,7 @@ status_t ACodec::setupAACCodec( : OMX_AUDIO_AACStreamFormatMP4FF; OMX_AUDIO_PARAM_ANDROID_AACPRESENTATIONTYPE presentation; + InitOMXParams(&presentation); presentation.nMaxOutputChannels = maxOutputChannelCount; presentation.nDrcCut = drc.drcCut; presentation.nDrcBoost = drc.drcBoost; -- cgit v1.1 From 0bb5ced60304da7f61478ffd359e7ba65d72f181 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Thu, 10 Mar 2016 15:02:13 -0800 Subject: Fix size check for OMX_IndexParamConsumerUsageBits since it doesn't follow the OMX convention. And remove support for the kClientNeedsFrameBuffer flag. Bug: 27207275 Change-Id: Ia2c119e2456ebf9e2f4e1de5104ef9032a212255 --- media/libstagefright/OMXCodec.cpp | 44 --------------------------------------- 1 file changed, 44 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/OMXCodec.cpp b/media/libstagefright/OMXCodec.cpp index b1dde80..4618e21 100644 --- a/media/libstagefright/OMXCodec.cpp +++ b/media/libstagefright/OMXCodec.cpp @@ -349,21 +349,6 @@ sp OMXCodec::Create( ALOGV("Attempting to allocate OMX node '%s'", componentName); - if (!createEncoder - && (quirks & kOutputBuffersAreUnreadable) - && (flags & kClientNeedsFramebuffer)) { - if (strncmp(componentName, "OMX.SEC.", 8)) { - // For OMX.SEC.* decoders we can enable a special mode that - // gives the client access to the framebuffer contents. - - ALOGW("Component '%s' does not give the client access to " - "the framebuffer contents. Skipping.", - componentName); - - continue; - } - } - status_t err = omx->allocateNode(componentName, observer, &node); if (err == OK) { ALOGV("Successfully allocated OMX node '%s'", componentName); @@ -672,35 +657,6 @@ status_t OMXCodec::configureCodec(const sp &meta) { initOutputFormat(meta); - if ((mFlags & kClientNeedsFramebuffer) - && !strncmp(mComponentName, "OMX.SEC.", 8)) { - // This appears to no longer be needed??? - - OMX_INDEXTYPE index; - - status_t err = - mOMX->getExtensionIndex( - mNode, - "OMX.SEC.index.ThumbnailMode", - &index); - - if (err != OK) { - return err; - } - - OMX_BOOL enable = OMX_TRUE; - err = mOMX->setConfig(mNode, index, &enable, sizeof(enable)); - - if (err != OK) { - CODEC_LOGE("setConfig('OMX.SEC.index.ThumbnailMode') " - "returned error 0x%08x", err); - - return err; - } - - mQuirks &= ~kOutputBuffersAreUnreadable; - } - if (mNativeWindow != NULL && !mIsEncoder && !strncasecmp(mMIME, "video/", 6) -- cgit v1.1 From 4e32001e4196f39ddd0b86686ae0231c8f5ed944 Mon Sep 17 00:00:00 2001 From: Wonsik Kim Date: Wed, 30 Mar 2016 17:13:00 +0900 Subject: DO NOT MERGE codecs: check OMX buffer size before use in (vorbis|opus)dec Bug: 27833616 Change-Id: I1ccdd16a00741da072527a6d13e87fd7c7fe8c54 --- media/libstagefright/codecs/opus/dec/SoftOpus.cpp | 7 ++++++- media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp | 13 ++++++++++++- 2 files changed, 18 insertions(+), 2 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/opus/dec/SoftOpus.cpp b/media/libstagefright/codecs/opus/dec/SoftOpus.cpp index 2afa0ed..2e44ed7 100644 --- a/media/libstagefright/codecs/opus/dec/SoftOpus.cpp +++ b/media/libstagefright/codecs/opus/dec/SoftOpus.cpp @@ -458,12 +458,17 @@ void SoftOpus::onQueueFilled(OMX_U32 portIndex) { const uint8_t *data = inHeader->pBuffer + inHeader->nOffset; const uint32_t size = inHeader->nFilledLen; + size_t frameSize = kMaxOpusOutputPacketSizeSamples; + if (frameSize > outHeader->nAllocLen / sizeof(int16_t) / mHeader->channels) { + frameSize = outHeader->nAllocLen / sizeof(int16_t) / mHeader->channels; + android_errorWriteLog(0x534e4554, "27833616"); + } int numFrames = opus_multistream_decode(mDecoder, data, size, (int16_t *)outHeader->pBuffer, - kMaxOpusOutputPacketSizeSamples, + frameSize, 0); if (numFrames < 0) { ALOGE("opus_multistream_decode returned %d", numFrames); diff --git a/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp b/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp index 4e1e6a5..5f4e346 100644 --- a/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp +++ b/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp @@ -273,6 +273,12 @@ void SoftVorbis::onQueueFilled(OMX_U32 portIndex) { const uint8_t *data = header->pBuffer + header->nOffset; size_t size = header->nFilledLen; + if (size < 7) { + ALOGE("Too small input buffer: %zu bytes", size); + android_errorWriteLog(0x534e4554, "27833616"); + notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); + return; + } ogg_buffer buf; ogg_reference ref; @@ -378,9 +384,14 @@ void SoftVorbis::onQueueFilled(OMX_U32 portIndex) { ALOGW("vorbis_dsp_synthesis returned %d", err); #endif } else { + size_t numSamplesPerBuffer = kMaxNumSamplesPerBuffer; + if (numSamplesPerBuffer > outHeader->nAllocLen / sizeof(int16_t)) { + numSamplesPerBuffer = outHeader->nAllocLen / sizeof(int16_t); + android_errorWriteLog(0x534e4554, "27833616"); + } numFrames = vorbis_dsp_pcmout( mState, (int16_t *)outHeader->pBuffer, - (kMaxNumSamplesPerBuffer / mVi->channels)); + (numSamplesPerBuffer / mVi->channels)); if (numFrames < 0) { ALOGE("vorbis_dsp_pcmout returned %d", numFrames); -- cgit v1.1 From d2f47191538837e796e2b10c1ff7e1ee35f6e0ab Mon Sep 17 00:00:00 2001 From: Wonsik Kim Date: Sun, 20 Mar 2016 10:44:44 +0900 Subject: codecs: check OMX buffer size before use in (h263|h264)dec Bug: 27833616 Change-Id: I0fd599b3da431425d89236ffdd9df423c11947c0 --- .../codecs/m4v_h263/dec/SoftMPEG4.cpp | 10 ++++++++- .../libstagefright/codecs/on2/h264dec/SoftAVC.cpp | 26 +++++++++++++++++----- media/libstagefright/codecs/on2/h264dec/SoftAVC.h | 2 +- 3 files changed, 31 insertions(+), 7 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp index 0c1a149..bb59ae4 100644 --- a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp +++ b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp @@ -229,6 +229,14 @@ void SoftMPEG4::onQueueFilled(OMX_U32 /* portIndex */) { int32_t bufferSize = inHeader->nFilledLen; int32_t tmp = bufferSize; + OMX_U32 frameSize = (mWidth * mHeight * 3) / 2; + if (outHeader->nAllocLen < frameSize) { + android_errorWriteLog(0x534e4554, "27833616"); + ALOGE("Insufficient output buffer size"); + notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); + mSignalledError = true; + return; + } // The PV decoder is lying to us, sometimes it'll claim to only have // consumed a subset of the buffer when it clearly consumed all of it. // ignore whatever it says... @@ -272,7 +280,7 @@ void SoftMPEG4::onQueueFilled(OMX_U32 /* portIndex */) { ++mInputBufferCount; outHeader->nOffset = 0; - outHeader->nFilledLen = (mWidth * mHeight * 3) / 2; + outHeader->nFilledLen = frameSize; List::iterator it = outQueue.begin(); while ((*it)->mHeader != outHeader) { diff --git a/media/libstagefright/codecs/on2/h264dec/SoftAVC.cpp b/media/libstagefright/codecs/on2/h264dec/SoftAVC.cpp index 6b8b395..2f61d12 100644 --- a/media/libstagefright/codecs/on2/h264dec/SoftAVC.cpp +++ b/media/libstagefright/codecs/on2/h264dec/SoftAVC.cpp @@ -202,7 +202,12 @@ void SoftAVC::onQueueFilled(OMX_U32 /* portIndex */) { } if (mFirstPicture && !outQueue.empty()) { - drainOneOutputBuffer(mFirstPictureId, mFirstPicture); + if (!drainOneOutputBuffer(mFirstPictureId, mFirstPicture)) { + ALOGE("Drain failed"); + notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); + mSignalledError = true; + return; + } delete[] mFirstPicture; mFirstPicture = NULL; mFirstPictureId = -1; @@ -242,15 +247,20 @@ void SoftAVC::saveFirstOutputBuffer(int32_t picId, uint8_t *data) { memcpy(mFirstPicture, data, pictureSize); } -void SoftAVC::drainOneOutputBuffer(int32_t picId, uint8_t* data) { +bool SoftAVC::drainOneOutputBuffer(int32_t picId, uint8_t* data) { List &outQueue = getPortQueue(kOutputPortIndex); BufferInfo *outInfo = *outQueue.begin(); - outQueue.erase(outQueue.begin()); OMX_BUFFERHEADERTYPE *outHeader = outInfo->mHeader; + OMX_U32 frameSize = mWidth * mHeight * 3 / 2; + if (outHeader->nAllocLen - outHeader->nOffset < frameSize) { + android_errorWriteLog(0x534e4554, "27833616"); + return false; + } + outQueue.erase(outQueue.begin()); OMX_BUFFERHEADERTYPE *header = mPicToHeaderMap.valueFor(picId); outHeader->nTimeStamp = header->nTimeStamp; outHeader->nFlags = header->nFlags; - outHeader->nFilledLen = mWidth * mHeight * 3 / 2; + outHeader->nFilledLen = frameSize; uint8_t *dst = outHeader->pBuffer + outHeader->nOffset; const uint8_t *srcY = data; @@ -265,6 +275,7 @@ void SoftAVC::drainOneOutputBuffer(int32_t picId, uint8_t* data) { delete header; outInfo->mOwnedByUs = false; notifyFillBufferDone(outHeader); + return true; } void SoftAVC::drainAllOutputBuffers(bool eos) { @@ -277,7 +288,12 @@ void SoftAVC::drainAllOutputBuffers(bool eos) { mHandle, &decodedPicture, eos /* flush */)) { int32_t picId = decodedPicture.picId; uint8_t *data = (uint8_t *) decodedPicture.pOutputPicture; - drainOneOutputBuffer(picId, data); + if (!drainOneOutputBuffer(picId, data)) { + ALOGE("Drain failed"); + notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); + mSignalledError = true; + return; + } } } diff --git a/media/libstagefright/codecs/on2/h264dec/SoftAVC.h b/media/libstagefright/codecs/on2/h264dec/SoftAVC.h index 069107d..b8c1807 100644 --- a/media/libstagefright/codecs/on2/h264dec/SoftAVC.h +++ b/media/libstagefright/codecs/on2/h264dec/SoftAVC.h @@ -71,7 +71,7 @@ private: status_t initDecoder(); void drainAllOutputBuffers(bool eos); - void drainOneOutputBuffer(int32_t picId, uint8_t *data); + bool drainOneOutputBuffer(int32_t picId, uint8_t *data); void saveFirstOutputBuffer(int32_t pidId, uint8_t *data); CropSettingsMode handleCropParams(const H264SwDecInfo& decInfo); -- cgit v1.1 From ad40e57890f81a3cf436c5f06da66396010bd9e5 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Wed, 23 Mar 2016 15:36:36 -0700 Subject: Check mp3 output buffer size Bug: 27793371 Change-Id: I0fe40a4cfd0a5b488f93d3f3ba6f9495235926ac --- media/libstagefright/codecs/mp3dec/SoftMP3.cpp | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp index 9988015..aa946e6 100644 --- a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp +++ b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp @@ -263,6 +263,14 @@ void SoftMP3::onQueueFilled(OMX_U32 /* portIndex */) { mConfig->inputBufferUsedLength = 0; mConfig->outputFrameSize = kOutputBufferSize / sizeof(int16_t); + if ((int32)outHeader->nAllocLen < mConfig->outputFrameSize) { + ALOGE("input buffer too small: got %lu, expected %u", + outHeader->nAllocLen, mConfig->outputFrameSize); + android_errorWriteLog(0x534e4554, "27793371"); + notify(OMX_EventError, OMX_ErrorUndefined, OUTPUT_BUFFER_TOO_SMALL, NULL); + mSignalledError = true; + return; + } mConfig->pOutputBuffer = reinterpret_cast(outHeader->pBuffer); -- cgit v1.1 From dd3546765710ce8dd49eb23901d90345dec8282f Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Tue, 5 Apr 2016 14:20:11 -0700 Subject: AudioSource: initialize variables to prevent info leak Bug: 27855172 Change-Id: I3d33e0a9cc5cf8a758d7b0794590b09c43a24561 --- media/libstagefright/AudioSource.cpp | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/AudioSource.cpp b/media/libstagefright/AudioSource.cpp index 6e4a1dd..55f4361 100644 --- a/media/libstagefright/AudioSource.cpp +++ b/media/libstagefright/AudioSource.cpp @@ -55,8 +55,12 @@ AudioSource::AudioSource( : mStarted(false), mSampleRate(sampleRate), mOutSampleRate(outSampleRate > 0 ? outSampleRate : sampleRate), + mTrackMaxAmplitude(false), + mStartTimeUs(0), + mMaxAmplitude(0), mPrevSampleTimeUs(0), mFirstSampleTimeUs(-1ll), + mInitialReadTimeUs(0), mNumFramesReceived(0), mNumClientOwnedBuffers(0) { ALOGV("sampleRate: %u, outSampleRate: %u, channelCount: %u", -- cgit v1.1 From 7cea5cb64b83d690fe02bc210bbdf08f5a87636f Mon Sep 17 00:00:00 2001 From: Wonsik Kim Date: Thu, 7 Apr 2016 17:45:02 +0900 Subject: codecs: check OMX buffer size before use in (gsm|g711)dec Bug: 27793163 Bug: 27793367 Change-Id: Iec3de8a237ee2379d87a8371c13e543878c6652c --- media/libstagefright/codecs/g711/dec/SoftG711.cpp | 9 +++++++++ media/libstagefright/codecs/gsm/dec/SoftGSM.cpp | 8 ++++++++ 2 files changed, 17 insertions(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/g711/dec/SoftG711.cpp b/media/libstagefright/codecs/g711/dec/SoftG711.cpp index 3de95a5..c8277de 100644 --- a/media/libstagefright/codecs/g711/dec/SoftG711.cpp +++ b/media/libstagefright/codecs/g711/dec/SoftG711.cpp @@ -240,6 +240,15 @@ void SoftG711::onQueueFilled(OMX_U32 /* portIndex */) { mSignalledError = true; } + if (inHeader->nFilledLen * sizeof(int16_t) > outHeader->nAllocLen) { + ALOGE("output buffer too small (%d).", outHeader->nAllocLen); + android_errorWriteLog(0x534e4554, "27793163"); + + notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); + mSignalledError = true; + return; + } + const uint8_t *inputptr = inHeader->pBuffer + inHeader->nOffset; if (mIsMLaw) { diff --git a/media/libstagefright/codecs/gsm/dec/SoftGSM.cpp b/media/libstagefright/codecs/gsm/dec/SoftGSM.cpp index 7916c45..04d5a33 100644 --- a/media/libstagefright/codecs/gsm/dec/SoftGSM.cpp +++ b/media/libstagefright/codecs/gsm/dec/SoftGSM.cpp @@ -228,6 +228,14 @@ void SoftGSM::onQueueFilled(OMX_U32 /* portIndex */) { mSignalledError = true; } + if (outHeader->nAllocLen < (inHeader->nFilledLen / kMSGSMFrameSize) * 320) { + ALOGE("output buffer is not large enough (%d).", outHeader->nAllocLen); + android_errorWriteLog(0x534e4554, "27793367"); + notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); + mSignalledError = true; + return; + } + uint8_t *inputptr = inHeader->pBuffer + inHeader->nOffset; int n = mSignalledError ? 0 : DecodeGSM(mGsm, -- cgit v1.1 From 918eeaa29d99d257282fafec931b4bda0e3bae12 Mon Sep 17 00:00:00 2001 From: Wonsik Kim Date: Sun, 20 Mar 2016 10:44:44 +0900 Subject: codecs: check OMX buffer size before use in (avc|hevc|mpeg2)dec Bug: 27833616 Change-Id: Ic4045a3f56f53b08d0b1264b2a91b8f43e91b738 (cherry picked from commit 87fdee0bc9e3ac4d2a88ef0a8e150cfdf08c161d) --- media/libstagefright/codecs/avcdec/SoftAVCDec.cpp | 28 ++++++++++++------ media/libstagefright/codecs/avcdec/SoftAVCDec.h | 2 +- media/libstagefright/codecs/hevcdec/SoftHEVC.cpp | 28 ++++++++++++------ media/libstagefright/codecs/hevcdec/SoftHEVC.h | 2 +- media/libstagefright/codecs/mpeg2dec/SoftMPEG2.cpp | 33 ++++++++++++++-------- media/libstagefright/codecs/mpeg2dec/SoftMPEG2.h | 2 +- 6 files changed, 62 insertions(+), 33 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/avcdec/SoftAVCDec.cpp b/media/libstagefright/codecs/avcdec/SoftAVCDec.cpp index afbe230..2130ccf 100644 --- a/media/libstagefright/codecs/avcdec/SoftAVCDec.cpp +++ b/media/libstagefright/codecs/avcdec/SoftAVCDec.cpp @@ -381,7 +381,7 @@ void SoftAVC::onReset() { resetPlugin(); } -void SoftAVC::setDecodeArgs( +bool SoftAVC::setDecodeArgs( ivd_video_decode_ip_t *ps_dec_ip, ivd_video_decode_op_t *ps_dec_op, OMX_BUFFERHEADERTYPE *inHeader, @@ -389,7 +389,6 @@ void SoftAVC::setDecodeArgs( size_t timeStampIx) { size_t sizeY = outputBufferWidth() * outputBufferHeight(); size_t sizeUV; - uint8_t *pBuf; ps_dec_ip->u4_size = sizeof(ivd_video_decode_ip_t); ps_dec_op->u4_size = sizeof(ivd_video_decode_op_t); @@ -409,22 +408,28 @@ void SoftAVC::setDecodeArgs( ps_dec_ip->u4_num_Bytes = 0; } + sizeUV = sizeY / 4; + ps_dec_ip->s_out_buffer.u4_min_out_buf_size[0] = sizeY; + ps_dec_ip->s_out_buffer.u4_min_out_buf_size[1] = sizeUV; + ps_dec_ip->s_out_buffer.u4_min_out_buf_size[2] = sizeUV; + + uint8_t *pBuf; if (outHeader) { + if (outHeader->nAllocLen < sizeY + (sizeUV * 2)) { + android_errorWriteLog(0x534e4554, "27569635"); + return false; + } pBuf = outHeader->pBuffer; } else { + // mFlushOutBuffer always has the right size. pBuf = mFlushOutBuffer; } - sizeUV = sizeY / 4; - ps_dec_ip->s_out_buffer.u4_min_out_buf_size[0] = sizeY; - ps_dec_ip->s_out_buffer.u4_min_out_buf_size[1] = sizeUV; - ps_dec_ip->s_out_buffer.u4_min_out_buf_size[2] = sizeUV; - ps_dec_ip->s_out_buffer.pu1_bufs[0] = pBuf; ps_dec_ip->s_out_buffer.pu1_bufs[1] = pBuf + sizeY; ps_dec_ip->s_out_buffer.pu1_bufs[2] = pBuf + sizeY + sizeUV; ps_dec_ip->s_out_buffer.u4_num_bufs = 3; - return; + return true; } void SoftAVC::onPortFlushCompleted(OMX_U32 portIndex) { /* Once the output buffers are flushed, ignore any buffers that are held in decoder */ @@ -573,7 +578,12 @@ void SoftAVC::onQueueFilled(OMX_U32 portIndex) { WORD32 timeDelay, timeTaken; size_t sizeY, sizeUV; - setDecodeArgs(&s_dec_ip, &s_dec_op, inHeader, outHeader, timeStampIx); + if (!setDecodeArgs(&s_dec_ip, &s_dec_op, inHeader, outHeader, timeStampIx)) { + ALOGE("Decoder arg setup failed"); + notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); + mSignalledError = true; + return; + } // If input dump is enabled, then write to file DUMP_TO_FILE(mInFile, s_dec_ip.pv_stream_buffer, s_dec_ip.u4_num_Bytes); diff --git a/media/libstagefright/codecs/avcdec/SoftAVCDec.h b/media/libstagefright/codecs/avcdec/SoftAVCDec.h index 9dcabb4..c710c76 100644 --- a/media/libstagefright/codecs/avcdec/SoftAVCDec.h +++ b/media/libstagefright/codecs/avcdec/SoftAVCDec.h @@ -109,7 +109,7 @@ private: status_t resetPlugin(); - void setDecodeArgs( + bool setDecodeArgs( ivd_video_decode_ip_t *ps_dec_ip, ivd_video_decode_op_t *ps_dec_op, OMX_BUFFERHEADERTYPE *inHeader, diff --git a/media/libstagefright/codecs/hevcdec/SoftHEVC.cpp b/media/libstagefright/codecs/hevcdec/SoftHEVC.cpp index e601125..a70755c 100644 --- a/media/libstagefright/codecs/hevcdec/SoftHEVC.cpp +++ b/media/libstagefright/codecs/hevcdec/SoftHEVC.cpp @@ -343,14 +343,13 @@ void SoftHEVC::onReset() { resetPlugin(); } -void SoftHEVC::setDecodeArgs(ivd_video_decode_ip_t *ps_dec_ip, +bool SoftHEVC::setDecodeArgs(ivd_video_decode_ip_t *ps_dec_ip, ivd_video_decode_op_t *ps_dec_op, OMX_BUFFERHEADERTYPE *inHeader, OMX_BUFFERHEADERTYPE *outHeader, size_t timeStampIx) { size_t sizeY = outputBufferWidth() * outputBufferHeight(); size_t sizeUV; - uint8_t *pBuf; ps_dec_ip->u4_size = sizeof(ivd_video_decode_ip_t); ps_dec_op->u4_size = sizeof(ivd_video_decode_op_t); @@ -370,22 +369,28 @@ void SoftHEVC::setDecodeArgs(ivd_video_decode_ip_t *ps_dec_ip, ps_dec_ip->u4_num_Bytes = 0; } + sizeUV = sizeY / 4; + ps_dec_ip->s_out_buffer.u4_min_out_buf_size[0] = sizeY; + ps_dec_ip->s_out_buffer.u4_min_out_buf_size[1] = sizeUV; + ps_dec_ip->s_out_buffer.u4_min_out_buf_size[2] = sizeUV; + + uint8_t *pBuf; if (outHeader) { + if (outHeader->nAllocLen < sizeY + (sizeUV * 2)) { + android_errorWriteLog(0x534e4554, "27569635"); + return false; + } pBuf = outHeader->pBuffer; } else { + // mFlushOutBuffer always has the right size. pBuf = mFlushOutBuffer; } - sizeUV = sizeY / 4; - ps_dec_ip->s_out_buffer.u4_min_out_buf_size[0] = sizeY; - ps_dec_ip->s_out_buffer.u4_min_out_buf_size[1] = sizeUV; - ps_dec_ip->s_out_buffer.u4_min_out_buf_size[2] = sizeUV; - ps_dec_ip->s_out_buffer.pu1_bufs[0] = pBuf; ps_dec_ip->s_out_buffer.pu1_bufs[1] = pBuf + sizeY; ps_dec_ip->s_out_buffer.pu1_bufs[2] = pBuf + sizeY + sizeUV; ps_dec_ip->s_out_buffer.u4_num_bufs = 3; - return; + return true; } void SoftHEVC::onPortFlushCompleted(OMX_U32 portIndex) { /* Once the output buffers are flushed, ignore any buffers that are held in decoder */ @@ -520,7 +525,12 @@ void SoftHEVC::onQueueFilled(OMX_U32 portIndex) { WORD32 timeDelay, timeTaken; size_t sizeY, sizeUV; - setDecodeArgs(&s_dec_ip, &s_dec_op, inHeader, outHeader, timeStampIx); + if (!setDecodeArgs(&s_dec_ip, &s_dec_op, inHeader, outHeader, timeStampIx)) { + ALOGE("Decoder arg setup failed"); + notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); + mSignalledError = true; + return; + } GETTIME(&mTimeStart, NULL); /* Compute time elapsed between end of previous decode() diff --git a/media/libstagefright/codecs/hevcdec/SoftHEVC.h b/media/libstagefright/codecs/hevcdec/SoftHEVC.h index 21bb99e..943edfd 100644 --- a/media/libstagefright/codecs/hevcdec/SoftHEVC.h +++ b/media/libstagefright/codecs/hevcdec/SoftHEVC.h @@ -106,7 +106,7 @@ private: status_t resetDecoder(); status_t resetPlugin(); - void setDecodeArgs(ivd_video_decode_ip_t *ps_dec_ip, + bool setDecodeArgs(ivd_video_decode_ip_t *ps_dec_ip, ivd_video_decode_op_t *ps_dec_op, OMX_BUFFERHEADERTYPE *inHeader, OMX_BUFFERHEADERTYPE *outHeader, diff --git a/media/libstagefright/codecs/mpeg2dec/SoftMPEG2.cpp b/media/libstagefright/codecs/mpeg2dec/SoftMPEG2.cpp index 4307c4e..e134d38 100644 --- a/media/libstagefright/codecs/mpeg2dec/SoftMPEG2.cpp +++ b/media/libstagefright/codecs/mpeg2dec/SoftMPEG2.cpp @@ -466,7 +466,7 @@ OMX_ERRORTYPE SoftMPEG2::internalSetParameter(OMX_INDEXTYPE index, const OMX_PTR return ret; } -void SoftMPEG2::setDecodeArgs( +bool SoftMPEG2::setDecodeArgs( ivd_video_decode_ip_t *ps_dec_ip, ivd_video_decode_op_t *ps_dec_op, OMX_BUFFERHEADERTYPE *inHeader, @@ -474,7 +474,6 @@ void SoftMPEG2::setDecodeArgs( size_t timeStampIx) { size_t sizeY = outputBufferWidth() * outputBufferHeight(); size_t sizeUV; - uint8_t *pBuf; ps_dec_ip->u4_size = sizeof(ivd_video_decode_ip_t); ps_dec_op->u4_size = sizeof(ivd_video_decode_op_t); @@ -494,22 +493,28 @@ void SoftMPEG2::setDecodeArgs( ps_dec_ip->u4_num_Bytes = 0; } + sizeUV = sizeY / 4; + ps_dec_ip->s_out_buffer.u4_min_out_buf_size[0] = sizeY; + ps_dec_ip->s_out_buffer.u4_min_out_buf_size[1] = sizeUV; + ps_dec_ip->s_out_buffer.u4_min_out_buf_size[2] = sizeUV; + + uint8_t *pBuf; if (outHeader) { + if (outHeader->nAllocLen < sizeY + (sizeUV * 2)) { + android_errorWriteLog(0x534e4554, "27569635"); + return false; + } pBuf = outHeader->pBuffer; } else { + // mFlushOutBuffer always has the right size. pBuf = mFlushOutBuffer; } - sizeUV = sizeY / 4; - ps_dec_ip->s_out_buffer.u4_min_out_buf_size[0] = sizeY; - ps_dec_ip->s_out_buffer.u4_min_out_buf_size[1] = sizeUV; - ps_dec_ip->s_out_buffer.u4_min_out_buf_size[2] = sizeUV; - ps_dec_ip->s_out_buffer.pu1_bufs[0] = pBuf; ps_dec_ip->s_out_buffer.pu1_bufs[1] = pBuf + sizeY; ps_dec_ip->s_out_buffer.pu1_bufs[2] = pBuf + sizeY + sizeUV; ps_dec_ip->s_out_buffer.u4_num_bufs = 3; - return; + return true; } void SoftMPEG2::onPortFlushCompleted(OMX_U32 portIndex) { /* Once the output buffers are flushed, ignore any buffers that are held in decoder */ @@ -622,7 +627,11 @@ void SoftMPEG2::onQueueFilled(OMX_U32 portIndex) { WORD32 timeDelay, timeTaken; size_t sizeY, sizeUV; - setDecodeArgs(&s_dec_ip, &s_dec_op, inHeader, outHeader, timeStampIx); + if (!setDecodeArgs(&s_dec_ip, &s_dec_op, inHeader, outHeader, timeStampIx)) { + ALOGE("Decoder arg setup failed"); + notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); + return; + } // If input dump is enabled, then write to file DUMP_TO_FILE(mInFile, s_dec_ip.pv_stream_buffer, s_dec_ip.u4_num_Bytes); @@ -665,9 +674,9 @@ void SoftMPEG2::onQueueFilled(OMX_U32 portIndex) { CHECK_EQ(reInitDecoder(), (status_t)OK); - setDecodeArgs(&s_dec_ip, &s_dec_op, inHeader, outHeader, timeStampIx); - - ivdec_api_function(mCodecCtx, (void *)&s_dec_ip, (void *)&s_dec_op); + if (setDecodeArgs(&s_dec_ip, &s_dec_op, inHeader, outHeader, timeStampIx)) { + ivdec_api_function(mCodecCtx, (void *)&s_dec_ip, (void *)&s_dec_op); + } return; } diff --git a/media/libstagefright/codecs/mpeg2dec/SoftMPEG2.h b/media/libstagefright/codecs/mpeg2dec/SoftMPEG2.h index a625e08..f48b70b 100644 --- a/media/libstagefright/codecs/mpeg2dec/SoftMPEG2.h +++ b/media/libstagefright/codecs/mpeg2dec/SoftMPEG2.h @@ -117,7 +117,7 @@ private: status_t resetPlugin(); status_t reInitDecoder(); - void setDecodeArgs( + bool setDecodeArgs( ivd_video_decode_ip_t *ps_dec_ip, ivd_video_decode_op_t *ps_dec_op, OMX_BUFFERHEADERTYPE *inHeader, -- cgit v1.1 From 2b6f22dc64d456471a1dc6df09d515771d1427c8 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Fri, 8 Apr 2016 10:04:48 -0700 Subject: h264dec: check for overflows when calculating allocation size. Bug: 27855419 Change-Id: Idabedca52913ec31ea5cb6a6109ab94e3fb2badd --- media/libstagefright/codecs/on2/h264dec/inc/H264SwDecApi.h | 2 +- .../libstagefright/codecs/on2/h264dec/source/DecTestBench.c | 9 ++++++--- .../codecs/on2/h264dec/source/EvaluationTestBench.c | 9 ++++++--- .../libstagefright/codecs/on2/h264dec/source/H264SwDecApi.c | 13 ++++++++++--- .../codecs/on2/h264dec/source/TestBenchMultipleInstance.c | 7 +++++-- .../codecs/on2/h264dec/source/h264bsd_decoder.c | 2 +- .../libstagefright/codecs/on2/h264dec/source/h264bsd_util.h | 2 +- 7 files changed, 30 insertions(+), 14 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/on2/h264dec/inc/H264SwDecApi.h b/media/libstagefright/codecs/on2/h264dec/inc/H264SwDecApi.h index fe112bc..9814e73 100644 --- a/media/libstagefright/codecs/on2/h264dec/inc/H264SwDecApi.h +++ b/media/libstagefright/codecs/on2/h264dec/inc/H264SwDecApi.h @@ -161,7 +161,7 @@ extern "C" void H264SwDecTrace(char *); /* function prototype for memory allocation */ - void* H264SwDecMalloc(u32 size); + void* H264SwDecMalloc(u32 size, u32 num); /* function prototype for memory free */ void H264SwDecFree(void *ptr); diff --git a/media/libstagefright/codecs/on2/h264dec/source/DecTestBench.c b/media/libstagefright/codecs/on2/h264dec/source/DecTestBench.c index dcf2ef6..55c0065 100644 --- a/media/libstagefright/codecs/on2/h264dec/source/DecTestBench.c +++ b/media/libstagefright/codecs/on2/h264dec/source/DecTestBench.c @@ -700,18 +700,21 @@ void H264SwDecTrace(char *string) library function malloc for allocation of memory. ------------------------------------------------------------------------------*/ -void* H264SwDecMalloc(u32 size) +void* H264SwDecMalloc(u32 size, u32 num) { + if (size > UINT32_MAX / num) { + return NULL; + } #if defined(CHECK_MEMORY_USAGE) /* Note that if the decoder has to free and reallocate some of the buffers * the total value will be invalid */ static u32 numBytes = 0; - numBytes += size; + numBytes += size * num; DEBUG(("Allocated %d bytes, total %d\n", size, numBytes)); #endif - return malloc(size); + return malloc(size * num); } /*------------------------------------------------------------------------------ diff --git a/media/libstagefright/codecs/on2/h264dec/source/EvaluationTestBench.c b/media/libstagefright/codecs/on2/h264dec/source/EvaluationTestBench.c index aadc75f..e756a1f 100644 --- a/media/libstagefright/codecs/on2/h264dec/source/EvaluationTestBench.c +++ b/media/libstagefright/codecs/on2/h264dec/source/EvaluationTestBench.c @@ -85,7 +85,7 @@ int main(int argc, char **argv) rewind(finput); /* allocate memory for stream buffer, exit if unsuccessful */ - byteStrm = byteStrmStart = (u8 *)H264SwDecMalloc(sizeof(u8)*strmLen); + byteStrm = byteStrmStart = (u8 *)H264SwDecMalloc(sizeof(u8), strmLen); if (byteStrm == NULL) { printf("UNABLE TO ALLOCATE MEMORY\n"); @@ -298,9 +298,12 @@ void H264SwDecTrace(char *string) library function malloc for allocation of memory. ------------------------------------------------------------------------------*/ -void* H264SwDecMalloc(u32 size) +void* H264SwDecMalloc(u32 size, u32 num) { - return malloc(size); + if (size > UINT32_MAX / num) { + return NULL; + } + return malloc(size * num); } /*------------------------------------------------------------------------------ diff --git a/media/libstagefright/codecs/on2/h264dec/source/H264SwDecApi.c b/media/libstagefright/codecs/on2/h264dec/source/H264SwDecApi.c index a073dcb..f820dfd 100644 --- a/media/libstagefright/codecs/on2/h264dec/source/H264SwDecApi.c +++ b/media/libstagefright/codecs/on2/h264dec/source/H264SwDecApi.c @@ -35,6 +35,8 @@ /*------------------------------------------------------------------------------ 1. Include headers ------------------------------------------------------------------------------*/ +#include + #include #include #include "basetype.h" @@ -79,8 +81,13 @@ void H264SwDecTrace(char *string) { UNUSED(string); } -void* H264SwDecMalloc(u32 size) { - return malloc(size); +void* H264SwDecMalloc(u32 size, u32 num) { + if (size > UINT32_MAX / num) { + ALOGE("can't allocate %u * %u bytes", size, num); + android_errorWriteLog(0x534e4554, "27855419"); + return NULL; + } + return malloc(size * num); } void H264SwDecFree(void *ptr) { @@ -144,7 +151,7 @@ H264SwDecRet H264SwDecInit(H264SwDecInst *decInst, u32 noOutputReordering) return(H264SWDEC_PARAM_ERR); } - pDecCont = (decContainer_t *)H264SwDecMalloc(sizeof(decContainer_t)); + pDecCont = (decContainer_t *)H264SwDecMalloc(sizeof(decContainer_t), 1); if (pDecCont == NULL) { diff --git a/media/libstagefright/codecs/on2/h264dec/source/TestBenchMultipleInstance.c b/media/libstagefright/codecs/on2/h264dec/source/TestBenchMultipleInstance.c index 42170d3..9a386bb 100644 --- a/media/libstagefright/codecs/on2/h264dec/source/TestBenchMultipleInstance.c +++ b/media/libstagefright/codecs/on2/h264dec/source/TestBenchMultipleInstance.c @@ -413,9 +413,12 @@ void H264SwDecTrace(char *string) Function name: H264SwDecmalloc ------------------------------------------------------------------------------*/ -void* H264SwDecMalloc(u32 size) +void* H264SwDecMalloc(u32 size, u32 num) { - return malloc(size); + if (size > UINT32_MAX / num) { + return NULL; + } + return malloc(size * num); } /*------------------------------------------------------------------------------ diff --git a/media/libstagefright/codecs/on2/h264dec/source/h264bsd_decoder.c b/media/libstagefright/codecs/on2/h264dec/source/h264bsd_decoder.c index a816871..0ac480f 100644 --- a/media/libstagefright/codecs/on2/h264dec/source/h264bsd_decoder.c +++ b/media/libstagefright/codecs/on2/h264dec/source/h264bsd_decoder.c @@ -101,7 +101,7 @@ u32 h264bsdInit(storage_t *pStorage, u32 noOutputReordering) * specific NEON optimized "memset" for clearing the structure */ size = (sizeof(macroblockLayer_t) + 63) & ~0x3F; - pStorage->mbLayer = (macroblockLayer_t*)H264SwDecMalloc(size); + pStorage->mbLayer = (macroblockLayer_t*)H264SwDecMalloc(size, 1); if (!pStorage->mbLayer) return HANTRO_NOK; diff --git a/media/libstagefright/codecs/on2/h264dec/source/h264bsd_util.h b/media/libstagefright/codecs/on2/h264dec/source/h264bsd_util.h index 216ad04..9f0eb7d 100644 --- a/media/libstagefright/codecs/on2/h264dec/source/h264bsd_util.h +++ b/media/libstagefright/codecs/on2/h264dec/source/h264bsd_util.h @@ -141,7 +141,7 @@ /* macro to allocate memory */ #define ALLOCATE(ptr, count, type) \ { \ - (ptr) = H264SwDecMalloc((count) * sizeof(type)); \ + (ptr) = H264SwDecMalloc(sizeof(type), (count)); \ } /* macro to free allocated memory */ -- cgit v1.1 From 45737cb776625f17384540523674761e6313e6d4 Mon Sep 17 00:00:00 2001 From: Zach Jang Date: Thu, 21 Apr 2016 16:10:50 -0700 Subject: Resolve merge conflict when cp'ing ag/931301 to mnc-mr1-release Change-Id: I079d1db2d30d126f8aed348bd62451acf741037d --- media/libstagefright/SampleTable.cpp | 37 ++++++++++++++++-------------- media/libstagefright/include/SampleTable.h | 3 ++- 2 files changed, 22 insertions(+), 18 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp index 97dff43..5344ae4 100644 --- a/media/libstagefright/SampleTable.cpp +++ b/media/libstagefright/SampleTable.cpp @@ -122,7 +122,7 @@ SampleTable::SampleTable(const sp &source) mDefaultSampleSize(0), mNumSampleSizes(0), mTimeToSampleCount(0), - mTimeToSample(NULL), + mTimeToSample(), mSampleTimeEntries(NULL), mCompositionTimeDeltaEntries(NULL), mNumCompositionTimeDeltaEntries(0), @@ -151,9 +151,6 @@ SampleTable::~SampleTable() { delete[] mSampleTimeEntries; mSampleTimeEntries = NULL; - delete[] mTimeToSample; - mTimeToSample = NULL; - delete mSampleIterator; mSampleIterator = NULL; } @@ -162,7 +159,7 @@ bool SampleTable::isValid() const { return mChunkOffsetOffset >= 0 && mSampleToChunkOffset >= 0 && mSampleSizeOffset >= 0 - && mTimeToSample != NULL; + && !mTimeToSample.empty(); } status_t SampleTable::setChunkOffsetParams( @@ -327,7 +324,7 @@ status_t SampleTable::setSampleSizeParams( status_t SampleTable::setTimeToSampleParams( off64_t data_offset, size_t data_size) { - if (mTimeToSample != NULL || data_size < 8) { + if (!mTimeToSample.empty() || data_size < 8) { return ERROR_MALFORMED; } @@ -343,24 +340,30 @@ status_t SampleTable::setTimeToSampleParams( } mTimeToSampleCount = U32_AT(&header[4]); - uint64_t allocSize = (uint64_t)mTimeToSampleCount * 2 * sizeof(uint32_t); - if (allocSize > UINT32_MAX) { + if ((uint64_t)mTimeToSampleCount > + (uint64_t)UINT32_MAX / (2 * sizeof(uint32_t))) { + // Choose this bound because + // 1) 2 * sizeof(uint32_t) is the amount of memory needed for one + // time-to-sample entry in the time-to-sample table. + // 2) mTimeToSampleCount is the number of entries of the time-to-sample + // table. + // 3) We hope that the table size does not exceed UINT32_MAX. + ALOGE(" Error: Time-to-sample table size too large."); + return ERROR_OUT_OF_RANGE; } - mTimeToSample = new (std::nothrow) uint32_t[mTimeToSampleCount * 2]; - if (!mTimeToSample) - return ERROR_OUT_OF_RANGE; - size_t size = sizeof(uint32_t) * mTimeToSampleCount * 2; - if (mDataSource->readAt( - data_offset + 8, mTimeToSample, size) < (ssize_t)size) { + // Note: At this point, we know that mTimeToSampleCount * 2 will not + // overflow because of the above condition. + if (!mDataSource->getVector(data_offset + 8, &mTimeToSample, + mTimeToSampleCount * 2)) { + ALOGE(" Error: Incomplete data read for time-to-sample table."); return ERROR_IO; } - for (uint32_t i = 0; i < mTimeToSampleCount * 2; ++i) { - mTimeToSample[i] = ntohl(mTimeToSample[i]); + for (size_t i = 0; i < mTimeToSample.size(); ++i) { + mTimeToSample.editItemAt(i) = ntohl(mTimeToSample[i]); } - return OK; } diff --git a/media/libstagefright/include/SampleTable.h b/media/libstagefright/include/SampleTable.h index 460492b..3764adb 100644 --- a/media/libstagefright/include/SampleTable.h +++ b/media/libstagefright/include/SampleTable.h @@ -24,6 +24,7 @@ #include #include #include +#include namespace android { @@ -111,7 +112,7 @@ private: uint32_t mNumSampleSizes; uint32_t mTimeToSampleCount; - uint32_t *mTimeToSample; + Vector mTimeToSample; struct SampleTimeEntry { uint32_t mSampleIndex; -- cgit v1.1 From b57b3967b1a42dd505dbe4fcf1e1d810e3ae3777 Mon Sep 17 00:00:00 2001 From: Pawin Vongmasa Date: Wed, 20 Apr 2016 15:51:48 -0700 Subject: SampleTable.cpp: Fixed a regression caused by a fix for bug 28076789. Detail: Before the original fix (Id207f369ab7b27787d83f5d8fc48dc53ed9fcdc9) for 28076789, the code allowed a time-to-sample table size to be 0. The change made in that fix disallowed such situation, which in fact should be allowed. This current patch allows it again while maintaining the security of the previous fix. Bug: 28288202 Bug: 28076789 Change-Id: I1c9a60c7f0cfcbd3d908f24998dde15d5136a295 --- media/libstagefright/SampleTable.cpp | 7 +++++-- media/libstagefright/include/SampleTable.h | 1 + 2 files changed, 6 insertions(+), 2 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp index 5344ae4..8df9cb8 100644 --- a/media/libstagefright/SampleTable.cpp +++ b/media/libstagefright/SampleTable.cpp @@ -121,6 +121,7 @@ SampleTable::SampleTable(const sp &source) mSampleSizeFieldSize(0), mDefaultSampleSize(0), mNumSampleSizes(0), + mHasTimeToSample(false), mTimeToSampleCount(0), mTimeToSample(), mSampleTimeEntries(NULL), @@ -159,7 +160,7 @@ bool SampleTable::isValid() const { return mChunkOffsetOffset >= 0 && mSampleToChunkOffset >= 0 && mSampleSizeOffset >= 0 - && !mTimeToSample.empty(); + && mHasTimeToSample; } status_t SampleTable::setChunkOffsetParams( @@ -324,7 +325,7 @@ status_t SampleTable::setSampleSizeParams( status_t SampleTable::setTimeToSampleParams( off64_t data_offset, size_t data_size) { - if (!mTimeToSample.empty() || data_size < 8) { + if (mHasTimeToSample || data_size < 8) { return ERROR_MALFORMED; } @@ -364,6 +365,8 @@ status_t SampleTable::setTimeToSampleParams( for (size_t i = 0; i < mTimeToSample.size(); ++i) { mTimeToSample.editItemAt(i) = ntohl(mTimeToSample[i]); } + + mHasTimeToSample = true; return OK; } diff --git a/media/libstagefright/include/SampleTable.h b/media/libstagefright/include/SampleTable.h index 3764adb..465f37c 100644 --- a/media/libstagefright/include/SampleTable.h +++ b/media/libstagefright/include/SampleTable.h @@ -111,6 +111,7 @@ private: uint32_t mDefaultSampleSize; uint32_t mNumSampleSizes; + bool mHasTimeToSample; uint32_t mTimeToSampleCount; Vector mTimeToSample; -- cgit v1.1