From 1f76ce4e2c13d0347523e8c9a27077c820715f08 Mon Sep 17 00:00:00 2001 From: "mspector@google.com" Date: Fri, 19 Feb 2016 12:10:48 -0800 Subject: Fixing safteynet logging bug introduced in ag/862848 We moved the safteynet logging into storeMetaDataInBuffers_l Bug: 26324358 Change-Id: I2171742b53192ebb71d546bcb8970bb3c68f366f --- media/libstagefright/omx/OMXNodeInstance.cpp | 1 + 1 file changed, 1 insertion(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/omx/OMXNodeInstance.cpp b/media/libstagefright/omx/OMXNodeInstance.cpp index 94a213a..8735eff 100644 --- a/media/libstagefright/omx/OMXNodeInstance.cpp +++ b/media/libstagefright/omx/OMXNodeInstance.cpp @@ -519,6 +519,7 @@ status_t OMXNodeInstance::storeMetaDataInBuffers( status_t OMXNodeInstance::storeMetaDataInBuffers_l( OMX_U32 portIndex, OMX_BOOL enable, MetadataBufferType *type) { if (portIndex != kPortIndexInput && portIndex != kPortIndexOutput) { + android_errorWriteLog(0x534e4554, "26324358"); return BAD_VALUE; } -- cgit v1.1 From 582c02ea5c9c8db5f993d784a0a85b275b2e59fd Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Tue, 23 Feb 2016 14:48:46 -0800 Subject: Also fix out of bounds access for normal read Previous fix accidentally only fixed the fragmented read case. Bug: 27208621 Change-Id: Ie16f1920b84c8aba613842659238fcd5925694ad --- media/libstagefright/MPEG4Extractor.cpp | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp index e4f8384..f8789da 100755 --- a/media/libstagefright/MPEG4Extractor.cpp +++ b/media/libstagefright/MPEG4Extractor.cpp @@ -4228,7 +4228,15 @@ status_t MPEG4Source::read( continue; } - CHECK(dstOffset + 4 <= mBuffer->size()); + if (dstOffset > SIZE_MAX - 4 || + dstOffset + 4 > SIZE_MAX - nalLength || + dstOffset + 4 + nalLength > mBuffer->size()) { + ALOGE("b/27208621 : %zu %zu", dstOffset, mBuffer->size()); + android_errorWriteLog(0x534e4554, "27208621"); + mBuffer->release(); + mBuffer = NULL; + return ERROR_MALFORMED; + } dstData[dstOffset++] = 0; dstData[dstOffset++] = 0; -- cgit v1.1 From a685aea781026471ad82f5729198c60bcb4f8fe9 Mon Sep 17 00:00:00 2001 From: "mspector@google.com" Date: Fri, 19 Feb 2016 12:10:48 -0800 Subject: Fixing safteynet logging bug introduced in ag/862848 We moved the safteynet logging into storeMetaDataInBuffers_l Bug: 26324358 Change-Id: I2171742b53192ebb71d546bcb8970bb3c68f366f --- media/libstagefright/omx/OMXNodeInstance.cpp | 1 + 1 file changed, 1 insertion(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/omx/OMXNodeInstance.cpp b/media/libstagefright/omx/OMXNodeInstance.cpp index 94a213a..8735eff 100644 --- a/media/libstagefright/omx/OMXNodeInstance.cpp +++ b/media/libstagefright/omx/OMXNodeInstance.cpp @@ -519,6 +519,7 @@ status_t OMXNodeInstance::storeMetaDataInBuffers( status_t OMXNodeInstance::storeMetaDataInBuffers_l( OMX_U32 portIndex, OMX_BOOL enable, MetadataBufferType *type) { if (portIndex != kPortIndexInput && portIndex != kPortIndexOutput) { + android_errorWriteLog(0x534e4554, "26324358"); return BAD_VALUE; } -- cgit v1.1 From b7c8681b7f3c093b1c0f667007c490d9c563655c Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Tue, 23 Feb 2016 14:48:46 -0800 Subject: Also fix out of bounds access for normal read Previous fix accidentally only fixed the fragmented read case. Bug: 27208621 Change-Id: Ie16f1920b84c8aba613842659238fcd5925694ad --- media/libstagefright/MPEG4Extractor.cpp | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp index e4f8384..f8789da 100755 --- a/media/libstagefright/MPEG4Extractor.cpp +++ b/media/libstagefright/MPEG4Extractor.cpp @@ -4228,7 +4228,15 @@ status_t MPEG4Source::read( continue; } - CHECK(dstOffset + 4 <= mBuffer->size()); + if (dstOffset > SIZE_MAX - 4 || + dstOffset + 4 > SIZE_MAX - nalLength || + dstOffset + 4 + nalLength > mBuffer->size()) { + ALOGE("b/27208621 : %zu %zu", dstOffset, mBuffer->size()); + android_errorWriteLog(0x534e4554, "27208621"); + mBuffer->release(); + mBuffer = NULL; + return ERROR_MALFORMED; + } dstData[dstOffset++] = 0; dstData[dstOffset++] = 0; -- cgit v1.1 From 811391b5e9634116b88abfdcb262986e778aa436 Mon Sep 17 00:00:00 2001 From: Keith Mok Date: Tue, 22 Mar 2016 08:52:48 -0700 Subject: Revert "Fixed comparison on 64 bit system" AOSP has a different fix. This reverts commit 65890a73d53a25b0809b22e41cdee19e3f4aa68d. Change-Id: I88fc05c791b9d5cef181e94d1cd3c40f0076f827 --- media/libstagefright/SampleTable.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp index ee5def5..93cf055 100644 --- a/media/libstagefright/SampleTable.cpp +++ b/media/libstagefright/SampleTable.cpp @@ -246,7 +246,7 @@ status_t SampleTable::setSampleToChunkParams( for (uint32_t i = 0; i < mNumSampleToChunkOffsets; ++i) { uint8_t buffer[12]; - if ((off64_t)(INT64_MAX - 8 - (i * 12)) < mSampleToChunkOffset) { + if ((off64_t)(SIZE_MAX - 8 - (i * 12)) < mSampleToChunkOffset) { return ERROR_MALFORMED; } -- cgit v1.1 From f97015ad37e8386a4215e2d25a4196edef5f7c8d Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Mon, 21 Mar 2016 09:29:06 -0700 Subject: Fix 64-bit comparison A 64-bit SIZE_MAX value cast to off64_t is always negative, causing valid files to be rejected in 64-bit mode. Change-Id: I8f61c19951f9c73292fa917081b8b2f3bfc405a0 --- media/libstagefright/SampleTable.cpp | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp index 93cf055..2f69fd8 100644 --- a/media/libstagefright/SampleTable.cpp +++ b/media/libstagefright/SampleTable.cpp @@ -209,6 +209,11 @@ status_t SampleTable::setChunkOffsetParams( status_t SampleTable::setSampleToChunkParams( off64_t data_offset, size_t data_size) { if (mSampleToChunkOffset >= 0) { + // already set + return ERROR_MALFORMED; + } + + if (data_offset < 0) { return ERROR_MALFORMED; } @@ -246,7 +251,7 @@ status_t SampleTable::setSampleToChunkParams( for (uint32_t i = 0; i < mNumSampleToChunkOffsets; ++i) { uint8_t buffer[12]; - if ((off64_t)(SIZE_MAX - 8 - (i * 12)) < mSampleToChunkOffset) { + if ((SIZE_MAX - 8 - (i * 12)) < (size_t)mSampleToChunkOffset) { return ERROR_MALFORMED; } -- cgit v1.1 From c27fc358c91ed67965243294387dfb5ce7cd7fbf Mon Sep 17 00:00:00 2001 From: "Joshua J. Drake" Date: Thu, 9 Apr 2015 00:46:42 -0500 Subject: MPEG4Extractor: still more NULL dereference fixes When processing various FourCC values within MP4 media, mLastTrack is accessed without first ensuring that a track has been encoutered. Check for NULL and bail out instead of crashing. Bug: 20139950 Change-Id: Ie16687024d17348f576a0e13bd60bd4d6898de91 --- media/libstagefright/MPEG4Extractor.cpp | 3 +++ 1 file changed, 3 insertions(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp index c7c238e..2d2e8fb 100755 --- a/media/libstagefright/MPEG4Extractor.cpp +++ b/media/libstagefright/MPEG4Extractor.cpp @@ -1980,6 +1980,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { return ERROR_IO; } + if (mLastTrack == NULL) + return ERROR_MALFORMED; + uint32_t type = ntohl(buffer); // For the 3GPP file format, the handler-type within the 'hdlr' box // shall be 'text'. We also want to support 'sbtl' handler type -- cgit v1.1 From c727e175576bcc74d47f5390c34542d5c2ebafc6 Mon Sep 17 00:00:00 2001 From: Ashok Bhat Date: Tue, 3 Jun 2014 12:48:51 +0100 Subject: h264dec: Use intptr_t when a pointer is treated as an integer Change-Id: I83057565a842da31ee137fac674af496c1fc18af Signed-off-by: Ashok Bhat --- .../libstagefright/codecs/on2/h264dec/omxdl/arm_neon/api/armCOMM.h | 6 +++--- .../libstagefright/codecs/on2/h264dec/omxdl/reference/api/armCOMM.h | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/on2/h264dec/omxdl/arm_neon/api/armCOMM.h b/media/libstagefright/codecs/on2/h264dec/omxdl/arm_neon/api/armCOMM.h index 91e38b8..1992885 100644 --- a/media/libstagefright/codecs/on2/h264dec/omxdl/arm_neon/api/armCOMM.h +++ b/media/libstagefright/codecs/on2/h264dec/omxdl/arm_neon/api/armCOMM.h @@ -86,7 +86,7 @@ typedef OMX_S16 ARM_BLOCK8x8[64]; /* Alignment operation */ -#define armAlignToBytes(Ptr,N) (Ptr + ( ((N-(int)Ptr)&(N-1)) / sizeof(*Ptr) )) +#define armAlignToBytes(Ptr,N) (Ptr + ( ((N-(intptr_t)Ptr)&(N-1)) / sizeof(*Ptr) )) #define armAlignTo2Bytes(Ptr) armAlignToBytes(Ptr,2) #define armAlignTo4Bytes(Ptr) armAlignToBytes(Ptr,4) #define armAlignTo8Bytes(Ptr) armAlignToBytes(Ptr,8) @@ -98,8 +98,8 @@ typedef OMX_S16 ARM_BLOCK8x8[64]; #define armRetDataErrIf(condition, code) if(condition) { return (code); } #ifndef ALIGNMENT_DOESNT_MATTER -#define armIsByteAligned(Ptr,N) ((((int)(Ptr)) % N)==0) -#define armNotByteAligned(Ptr,N) ((((int)(Ptr)) % N)!=0) +#define armIsByteAligned(Ptr,N) ((((intptr_t)(Ptr)) % N)==0) +#define armNotByteAligned(Ptr,N) ((((intptr_t)(Ptr)) % N)!=0) #else #define armIsByteAligned(Ptr,N) (1) #define armNotByteAligned(Ptr,N) (0) diff --git a/media/libstagefright/codecs/on2/h264dec/omxdl/reference/api/armCOMM.h b/media/libstagefright/codecs/on2/h264dec/omxdl/reference/api/armCOMM.h index fbb97e2..7304863 100644 --- a/media/libstagefright/codecs/on2/h264dec/omxdl/reference/api/armCOMM.h +++ b/media/libstagefright/codecs/on2/h264dec/omxdl/reference/api/armCOMM.h @@ -86,7 +86,7 @@ typedef OMX_S16 ARM_BLOCK8x8[64]; /* Alignment operation */ -#define armAlignToBytes(Ptr,N) (Ptr + ( ((N-(int)Ptr)&(N-1)) / sizeof(*Ptr) )) +#define armAlignToBytes(Ptr,N) (Ptr + ( ((N-(intptr_t)Ptr)&(N-1)) / sizeof(*Ptr) )) #define armAlignTo2Bytes(Ptr) armAlignToBytes(Ptr,2) #define armAlignTo4Bytes(Ptr) armAlignToBytes(Ptr,4) #define armAlignTo8Bytes(Ptr) armAlignToBytes(Ptr,8) @@ -98,8 +98,8 @@ typedef OMX_S16 ARM_BLOCK8x8[64]; #define armRetDataErrIf(condition, code) if(condition) { return (code); } #ifndef ALIGNMENT_DOESNT_MATTER -#define armIsByteAligned(Ptr,N) ((((int)(Ptr)) % N)==0) -#define armNotByteAligned(Ptr,N) ((((int)(Ptr)) % N)!=0) +#define armIsByteAligned(Ptr,N) ((((intptr_t)(Ptr)) % N)==0) +#define armNotByteAligned(Ptr,N) ((((intptr_t)(Ptr)) % N)!=0) #else #define armIsByteAligned(Ptr,N) (1) #define armNotByteAligned(Ptr,N) (0) -- cgit v1.1 From 429372d0c568768eb754e827cc63c2a486ced050 Mon Sep 17 00:00:00 2001 From: Andreas Gampe Date: Wed, 29 Jul 2015 16:46:25 -0700 Subject: Stagefright: Remove unused variables and files For build-system CFLAGS clean-up. Bug: 18632512 (cherry picked from commit 765b4172f1ffb2c4e2de89163bb888fa352de664) Change-Id: I765dc394f39f60801843851760fdf9838958d7a4 --- .../libstagefright/codecs/amrnb/common/Android.mk | 2 - .../codecs/amrnb/common/include/bytesused.h | 109 ----------- .../codecs/amrnb/common/src/bytesused.cpp | 208 --------------------- .../codecs/amrnb/common/src/overflow_tbl.cpp | 174 ----------------- .../codecs/avc/enc/src/findhalfpel.cpp | 13 -- media/libstagefright/codecs/on2/dec/SoftVPX.cpp | 4 - 6 files changed, 510 deletions(-) delete mode 100644 media/libstagefright/codecs/amrnb/common/include/bytesused.h delete mode 100644 media/libstagefright/codecs/amrnb/common/src/bytesused.cpp delete mode 100644 media/libstagefright/codecs/amrnb/common/src/overflow_tbl.cpp (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/amrnb/common/Android.mk b/media/libstagefright/codecs/amrnb/common/Android.mk index 5e632a6..80b67bb 100644 --- a/media/libstagefright/codecs/amrnb/common/Android.mk +++ b/media/libstagefright/codecs/amrnb/common/Android.mk @@ -7,7 +7,6 @@ LOCAL_SRC_FILES := \ src/bitno_tab.cpp \ src/bitreorder_tab.cpp \ src/bits2prm.cpp \ - src/bytesused.cpp \ src/c2_9pf_tab.cpp \ src/copy.cpp \ src/div_32.cpp \ @@ -38,7 +37,6 @@ LOCAL_SRC_FILES := \ src/mult_r.cpp \ src/norm_l.cpp \ src/norm_s.cpp \ - src/overflow_tbl.cpp \ src/ph_disp_tab.cpp \ src/pow2.cpp \ src/pow2_tbl.cpp \ diff --git a/media/libstagefright/codecs/amrnb/common/include/bytesused.h b/media/libstagefright/codecs/amrnb/common/include/bytesused.h deleted file mode 100644 index 934efbe..0000000 --- a/media/libstagefright/codecs/amrnb/common/include/bytesused.h +++ /dev/null @@ -1,109 +0,0 @@ -/* ------------------------------------------------------------------ - * Copyright (C) 1998-2009 PacketVideo - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either - * express or implied. - * See the License for the specific language governing permissions - * and limitations under the License. - * ------------------------------------------------------------------- - */ -/**************************************************************************************** -Portions of this file are derived from the following 3GPP standard: - - 3GPP TS 26.073 - ANSI-C code for the Adaptive Multi-Rate (AMR) speech codec - Available from http://www.3gpp.org - -(C) 2004, 3GPP Organizational Partners (ARIB, ATIS, CCSA, ETSI, TTA, TTC) -Permission to distribute, modify and use this file under the standard license -terms listed above has been obtained from the copyright holder. -****************************************************************************************/ -/* - - Pathname: .audio/gsm-amr/c/include/BytesUsed.h - ------------------------------------------------------------------------------- - REVISION HISTORY - - Description: Added #ifdef __cplusplus after Include section. - - Who: Date: - Description: - ------------------------------------------------------------------------------- - INCLUDE DESCRIPTION - - This file declares a table BytesUsed. - ------------------------------------------------------------------------------- -*/ - -/*---------------------------------------------------------------------------- -; CONTINUE ONLY IF NOT ALREADY DEFINED -----------------------------------------------------------------------------*/ -#ifndef BYTESUSED_H -#define BYTESUSED_H - -/*---------------------------------------------------------------------------- -; INCLUDES -----------------------------------------------------------------------------*/ - -/*--------------------------------------------------------------------------*/ -#ifdef __cplusplus -extern "C" -{ -#endif - - /*---------------------------------------------------------------------------- - ; MACROS - ; Define module specific macros here - ----------------------------------------------------------------------------*/ - - /*---------------------------------------------------------------------------- - ; DEFINES - ; Include all pre-processor statements here. - ----------------------------------------------------------------------------*/ - - /*---------------------------------------------------------------------------- - ; EXTERNAL VARIABLES REFERENCES - ; Declare variables used in this module but defined elsewhere - ----------------------------------------------------------------------------*/ - extern const short BytesUsed[]; - - /*---------------------------------------------------------------------------- - ; SIMPLE TYPEDEF'S - ----------------------------------------------------------------------------*/ - - /*---------------------------------------------------------------------------- - ; ENUMERATED TYPEDEF'S - ----------------------------------------------------------------------------*/ - - /*---------------------------------------------------------------------------- - ; STRUCTURES TYPEDEF'S - ----------------------------------------------------------------------------*/ - - - /*---------------------------------------------------------------------------- - ; GLOBAL FUNCTION DEFINITIONS - ; Function Prototype declaration - ----------------------------------------------------------------------------*/ - - - /*---------------------------------------------------------------------------- - ; END - ----------------------------------------------------------------------------*/ -#ifdef __cplusplus -} -#endif - -#endif - - diff --git a/media/libstagefright/codecs/amrnb/common/src/bytesused.cpp b/media/libstagefright/codecs/amrnb/common/src/bytesused.cpp deleted file mode 100644 index b61bac4..0000000 --- a/media/libstagefright/codecs/amrnb/common/src/bytesused.cpp +++ /dev/null @@ -1,208 +0,0 @@ -/* ------------------------------------------------------------------ - * Copyright (C) 1998-2009 PacketVideo - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either - * express or implied. - * See the License for the specific language governing permissions - * and limitations under the License. - * ------------------------------------------------------------------- - */ -/**************************************************************************************** -Portions of this file are derived from the following 3GPP standard: - - 3GPP TS 26.073 - ANSI-C code for the Adaptive Multi-Rate (AMR) speech codec - Available from http://www.3gpp.org - -(C) 2004, 3GPP Organizational Partners (ARIB, ATIS, CCSA, ETSI, TTA, TTC) -Permission to distribute, modify and use this file under the standard license -terms listed above has been obtained from the copyright holder. -****************************************************************************************/ -/* - - Pathname: ./audio/gsm-amr/c/src/BytesUsed.c - ------------------------------------------------------------------------------- - REVISION HISTORY - - Description: Corrected entries for all SID frames and updated function - description. Updated copyright year. - - Description: Added #ifdef __cplusplus and removed "extern" from table - definition. Removed corresponding header file from Include - section. - - Description: Put "extern" back. - - Who: Date: - Description: - ------------------------------------------------------------------------------- - INPUT AND OUTPUT DEFINITIONS - - Inputs: - None - - Local Stores/Buffers/Pointers Needed: - None - - Global Stores/Buffers/Pointers Needed: - None - - Outputs: - None - - Pointers and Buffers Modified: - None - - Local Stores Modified: - None - - Global Stores Modified: - None - ------------------------------------------------------------------------------- - FUNCTION DESCRIPTION - - This function creates a table called BytesUsed that holds the value that - describes the number of bytes required to hold one frame worth of data in - the WMF (non-IF2) frame format. Each table entry is the sum of the frame - type byte and the number of bytes used up by the core speech data for each - 3GPP frame type. - ------------------------------------------------------------------------------- - REQUIREMENTS - - None - ------------------------------------------------------------------------------- - REFERENCES - - [1] "AMR Speech Codec Frame Structure", 3GPP TS 26.101 version 4.1.0 - Release 4, June 2001, page 13. - ------------------------------------------------------------------------------- - PSEUDO-CODE - - ------------------------------------------------------------------------------- - RESOURCES USED - When the code is written for a specific target processor the - the resources used should be documented below. - - STACK USAGE: [stack count for this module] + [variable to represent - stack usage for each subroutine called] - - where: [stack usage variable] = stack usage for [subroutine - name] (see [filename].ext) - - DATA MEMORY USED: x words - - PROGRAM MEMORY USED: x words - - CLOCK CYCLES: [cycle count equation for this module] + [variable - used to represent cycle count for each subroutine - called] - - where: [cycle count variable] = cycle count for [subroutine - name] (see [filename].ext) - ------------------------------------------------------------------------------- -*/ - - -/*---------------------------------------------------------------------------- -; INCLUDES -----------------------------------------------------------------------------*/ -#include "typedef.h" - -/*--------------------------------------------------------------------------*/ -#ifdef __cplusplus -extern "C" -{ -#endif - - /*---------------------------------------------------------------------------- - ; MACROS - ; Define module specific macros here - ----------------------------------------------------------------------------*/ - - - /*---------------------------------------------------------------------------- - ; DEFINES - ; Include all pre-processor statements here. Include conditional - ; compile variables also. - ----------------------------------------------------------------------------*/ - - /*---------------------------------------------------------------------------- - ; LOCAL FUNCTION DEFINITIONS - ; Function Prototype declaration - ----------------------------------------------------------------------------*/ - - - /*---------------------------------------------------------------------------- - ; LOCAL STORE/BUFFER/POINTER DEFINITIONS - ; Variable declaration - defined here and used outside this module - ----------------------------------------------------------------------------*/ - const short BytesUsed[16] = - { - 13, /* 4.75 */ - 14, /* 5.15 */ - 16, /* 5.90 */ - 18, /* 6.70 */ - 20, /* 7.40 */ - 21, /* 7.95 */ - 27, /* 10.2 */ - 32, /* 12.2 */ - 6, /* GsmAmr comfort noise */ - 7, /* Gsm-Efr comfort noise */ - 6, /* IS-641 comfort noise */ - 6, /* Pdc-Efr comfort noise */ - 0, /* future use */ - 0, /* future use */ - 0, /* future use */ - 1 /* No transmission */ - }; - /*---------------------------------------------------------------------------- - ; EXTERNAL FUNCTION REFERENCES - ; Declare functions defined elsewhere and referenced in this module - ----------------------------------------------------------------------------*/ - - - /*---------------------------------------------------------------------------- - ; EXTERNAL GLOBAL STORE/BUFFER/POINTER REFERENCES - ; Declare variables used in this module but defined elsewhere - ----------------------------------------------------------------------------*/ - - - /*--------------------------------------------------------------------------*/ -#ifdef __cplusplus -} -#endif - -/*---------------------------------------------------------------------------- -; FUNCTION CODE -----------------------------------------------------------------------------*/ - -/*---------------------------------------------------------------------------- -; Define all local variables -----------------------------------------------------------------------------*/ - - -/*---------------------------------------------------------------------------- -; Function body here -----------------------------------------------------------------------------*/ - - -/*---------------------------------------------------------------------------- -; Return nothing or data or data pointer -----------------------------------------------------------------------------*/ - diff --git a/media/libstagefright/codecs/amrnb/common/src/overflow_tbl.cpp b/media/libstagefright/codecs/amrnb/common/src/overflow_tbl.cpp deleted file mode 100644 index c4a016d..0000000 --- a/media/libstagefright/codecs/amrnb/common/src/overflow_tbl.cpp +++ /dev/null @@ -1,174 +0,0 @@ -/* ------------------------------------------------------------------ - * Copyright (C) 1998-2009 PacketVideo - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either - * express or implied. - * See the License for the specific language governing permissions - * and limitations under the License. - * ------------------------------------------------------------------- - */ -/**************************************************************************************** -Portions of this file are derived from the following 3GPP standard: - - 3GPP TS 26.073 - ANSI-C code for the Adaptive Multi-Rate (AMR) speech codec - Available from http://www.3gpp.org - -(C) 2004, 3GPP Organizational Partners (ARIB, ATIS, CCSA, ETSI, TTA, TTC) -Permission to distribute, modify and use this file under the standard license -terms listed above has been obtained from the copyright holder. -****************************************************************************************/ -/* - - Filename: /audio/gsm_amr/c/src/overflow_tbl.c - ------------------------------------------------------------------------------- - REVISION HISTORY - - Description: Added #ifdef __cplusplus and removed "extern" from table - definition. - - Description: Put "extern" back. - - Who: Date: - Description: - ------------------------------------------------------------------------------- - MODULE DESCRIPTION - - This file contains the declaration for overflow_tbl[] used by the l_shl() - and l_shr() functions. - ------------------------------------------------------------------------------- -*/ - -/*---------------------------------------------------------------------------- -; INCLUDES -----------------------------------------------------------------------------*/ -#include "typedef.h" - -/*--------------------------------------------------------------------------*/ -#ifdef __cplusplus -extern "C" -{ -#endif - - /*---------------------------------------------------------------------------- - ; MACROS - ; [Define module specific macros here] - ----------------------------------------------------------------------------*/ - - /*---------------------------------------------------------------------------- - ; DEFINES - ; [Include all pre-processor statements here. Include conditional - ; compile variables also.] - ----------------------------------------------------------------------------*/ - - /*---------------------------------------------------------------------------- - ; LOCAL FUNCTION DEFINITIONS - ; [List function prototypes here] - ----------------------------------------------------------------------------*/ - - /*---------------------------------------------------------------------------- - ; LOCAL VARIABLE DEFINITIONS - ; [Variable declaration - defined here and used outside this module] - ----------------------------------------------------------------------------*/ - const Word32 overflow_tbl [32] = {0x7fffffffL, 0x3fffffffL, - 0x1fffffffL, 0x0fffffffL, - 0x07ffffffL, 0x03ffffffL, - 0x01ffffffL, 0x00ffffffL, - 0x007fffffL, 0x003fffffL, - 0x001fffffL, 0x000fffffL, - 0x0007ffffL, 0x0003ffffL, - 0x0001ffffL, 0x0000ffffL, - 0x00007fffL, 0x00003fffL, - 0x00001fffL, 0x00000fffL, - 0x000007ffL, 0x000003ffL, - 0x000001ffL, 0x000000ffL, - 0x0000007fL, 0x0000003fL, - 0x0000001fL, 0x0000000fL, - 0x00000007L, 0x00000003L, - 0x00000001L, 0x00000000L - }; - - /*--------------------------------------------------------------------------*/ -#ifdef __cplusplus -} -#endif - -/* ------------------------------------------------------------------------------- - FUNCTION NAME: ------------------------------------------------------------------------------- - INPUT AND OUTPUT DEFINITIONS - - Inputs: - None - - Outputs: - None - - Returns: - None - - Global Variables Used: - None - - Local Variables Needed: - None - ------------------------------------------------------------------------------- - FUNCTION DESCRIPTION - - None - ------------------------------------------------------------------------------- - REQUIREMENTS - - None - ------------------------------------------------------------------------------- - REFERENCES - - [1] l_shl() function in basic_op2.c, UMTS GSM AMR speech codec, R99 - - Version 3.2.0, March 2, 2001 - ------------------------------------------------------------------------------- - PSEUDO-CODE - - ------------------------------------------------------------------------------- - RESOURCES USED [optional] - - When the code is written for a specific target processor the - the resources used should be documented below. - - HEAP MEMORY USED: x bytes - - STACK MEMORY USED: x bytes - - CLOCK CYCLES: (cycle count equation for this function) + (variable - used to represent cycle count for each subroutine - called) - where: (cycle count variable) = cycle count for [subroutine - name] - ------------------------------------------------------------------------------- - CAUTION [optional] - [State any special notes, constraints or cautions for users of this function] - ------------------------------------------------------------------------------- -*/ - -/*---------------------------------------------------------------------------- -; FUNCTION CODE -----------------------------------------------------------------------------*/ - diff --git a/media/libstagefright/codecs/avc/enc/src/findhalfpel.cpp b/media/libstagefright/codecs/avc/enc/src/findhalfpel.cpp index 0b8d9e2..d0bbee2 100644 --- a/media/libstagefright/codecs/avc/enc/src/findhalfpel.cpp +++ b/media/libstagefright/codecs/avc/enc/src/findhalfpel.cpp @@ -23,19 +23,6 @@ #define PREF_16_VEC 129 /* 1MV bias versus 4MVs*/ -const static int distance_tab[9][9] = /* [hp_guess][k] */ -{ - {0, 1, 1, 1, 1, 1, 1, 1, 1}, - {1, 0, 1, 2, 3, 4, 3, 2, 1}, - {1, 0, 0, 0, 1, 2, 3, 2, 1}, - {1, 2, 1, 0, 1, 2, 3, 4, 3}, - {1, 2, 1, 0, 0, 0, 1, 2, 3}, - {1, 4, 3, 2, 1, 0, 1, 2, 3}, - {1, 2, 3, 2, 1, 0, 0, 0, 1}, - {1, 2, 3, 4, 3, 2, 1, 0, 1}, - {1, 0, 1, 2, 3, 2, 1, 0, 0} -}; - #define CLIP_RESULT(x) if((uint)x > 0xFF){ \ x = 0xFF & (~(x>>31));} diff --git a/media/libstagefright/codecs/on2/dec/SoftVPX.cpp b/media/libstagefright/codecs/on2/dec/SoftVPX.cpp index e161fb8..cd6c3b1 100644 --- a/media/libstagefright/codecs/on2/dec/SoftVPX.cpp +++ b/media/libstagefright/codecs/on2/dec/SoftVPX.cpp @@ -102,7 +102,6 @@ status_t SoftVPX::destroyDecoder() { } bool SoftVPX::outputBuffers(bool flushDecoder, bool display, bool eos, bool *portWillReset) { - List &inQueue = getPortQueue(0); List &outQueue = getPortQueue(1); BufferInfo *outInfo = NULL; OMX_BUFFERHEADERTYPE *outHeader = NULL; @@ -193,7 +192,6 @@ void SoftVPX::onQueueFilled(OMX_U32 /* portIndex */) { List &inQueue = getPortQueue(0); List &outQueue = getPortQueue(1); bool EOSseen = false; - vpx_codec_err_t err; bool portWillReset = false; while ((mEOSStatus == INPUT_EOS_SEEN || !inQueue.empty()) @@ -217,8 +215,6 @@ void SoftVPX::onQueueFilled(OMX_U32 /* portIndex */) { OMX_BUFFERHEADERTYPE *inHeader = inInfo->mHeader; mTimeStamps[mTimeStampIdx] = inHeader->nTimeStamp; - BufferInfo *outInfo = *outQueue.begin(); - OMX_BUFFERHEADERTYPE *outHeader = outInfo->mHeader; if (inHeader->nFlags & OMX_BUFFERFLAG_EOS) { mEOSStatus = INPUT_EOS_SEEN; EOSseen = true; -- cgit v1.1 From 985e33c71917a8c7f3cc5bbb2bd0d1feb188c258 Mon Sep 17 00:00:00 2001 From: "Joshua J. Drake" Date: Sat, 15 Aug 2015 08:31:32 -0500 Subject: Prevent integer underflows in ID3::Iterator If mFrameSize is less than or equal to getHeaderLength(), an integer underflow will occur. This typically leads to a crash reading out of bounds in the following code. Prevent this from happening by validating mFrameSize. Also add NULL checks after references to ID3::Iterator::getData. Bug: 23285887 Change-Id: I35eeda3c5349ebbd9ffb3ea49b79af6a940d1395 --- media/libstagefright/httplive/PlaylistFetcher.cpp | 3 +++ media/libstagefright/id3/ID3.cpp | 8 ++++++++ 2 files changed, 11 insertions(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/httplive/PlaylistFetcher.cpp b/media/libstagefright/httplive/PlaylistFetcher.cpp index 52be368..b030e90 100644 --- a/media/libstagefright/httplive/PlaylistFetcher.cpp +++ b/media/libstagefright/httplive/PlaylistFetcher.cpp @@ -1911,6 +1911,9 @@ status_t PlaylistFetcher::extractAndQueueAccessUnits( while (!it.done()) { size_t length; const uint8_t *data = it.getData(&length); + if (!data) { + return ERROR_MALFORMED; + } static const char *kMatchName = "com.apple.streaming.transportStreamTimestamp"; diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp index 76d65f0..4f4248c 100644 --- a/media/libstagefright/id3/ID3.cpp +++ b/media/libstagefright/id3/ID3.cpp @@ -619,6 +619,11 @@ const uint8_t *ID3::Iterator::getData(size_t *length) const { return NULL; } + // Prevent integer underflow + if (mFrameSize < getHeaderLength()) { + return NULL; + } + *length = mFrameSize - getHeaderLength(); return mFrameData; @@ -833,6 +838,9 @@ ID3::getAlbumArt(size_t *length, String8 *mime) const { while (!it.done()) { size_t size; const uint8_t *data = it.getData(&size); + if (!data) { + return NULL; + } if (mVersion == ID3_V2_3 || mVersion == ID3_V2_4) { uint8_t encoding = data[0]; -- cgit v1.1 From 92742eb7af414d5818fd09fafddb6d6f79c0d9a9 Mon Sep 17 00:00:00 2001 From: Robert Shih Date: Thu, 20 Aug 2015 15:29:05 -0700 Subject: OMXCodec: fix potential OOB read in parseHEVCCodecSpecificData Bug: 23279597 Change-Id: Ibaa3d52e586e65230ec6df3680d9456ce873390c --- media/libstagefright/OMXCodec.cpp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/OMXCodec.cpp b/media/libstagefright/OMXCodec.cpp index abe19a0..7f97039 100644 --- a/media/libstagefright/OMXCodec.cpp +++ b/media/libstagefright/OMXCodec.cpp @@ -399,7 +399,7 @@ status_t OMXCodec::parseHEVCCodecSpecificData( const uint8_t *ptr = (const uint8_t *)data; // verify minimum size and configurationVersion == 1. - if (size < 7 || ptr[0] != 1) { + if (size < 23 || ptr[0] != 1) { return ERROR_MALFORMED; } @@ -414,6 +414,9 @@ status_t OMXCodec::parseHEVCCodecSpecificData( size -= 1; size_t j = 0, i = 0; for (i = 0; i < numofArrays; i++) { + if (size < 3) { + return ERROR_MALFORMED; + } ptr += 1; size -= 1; -- cgit v1.1 From 4e35e8fa2a6c3d06a1de0add38ee8e994fcf2d42 Mon Sep 17 00:00:00 2001 From: "Joshua J. Drake" Date: Sat, 15 Aug 2015 07:43:39 -0500 Subject: Prevent divide by zero in WAVExtractor In the case that mNumChannels, bytesPerSample, or mSampleRate are zero, a divide by zero occurs. None of these parameters of a WAV file should ever be zero. Check that they aren't and return an error otherwise. Bug: 23285883 Change-Id: Id67b8620944405ca59572221f6f1c2b19c363e69 --- media/libstagefright/WAVExtractor.cpp | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/WAVExtractor.cpp b/media/libstagefright/WAVExtractor.cpp index cc1d7ce..62bb416 100644 --- a/media/libstagefright/WAVExtractor.cpp +++ b/media/libstagefright/WAVExtractor.cpp @@ -315,9 +315,17 @@ status_t WAVExtractor::init() { 1000000LL * (mDataSize / 65 * 320) / 8000; } else { size_t bytesPerSample = mBitsPerSample >> 3; + + if (!bytesPerSample || !mNumChannels) + return ERROR_MALFORMED; + + size_t num_samples = mDataSize / (mNumChannels * bytesPerSample); + + if (!mSampleRate) + return ERROR_MALFORMED; + durationUs = - 1000000LL * (mDataSize / (mNumChannels * bytesPerSample)) - / mSampleRate; + 1000000LL * num_samples / mSampleRate; } mTrackMeta->setInt64(kKeyDuration, durationUs); -- cgit v1.1 From b821ad110a85fa27f84e732ecbf7322319ec4db9 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Thu, 17 Sep 2015 15:48:37 -0700 Subject: Fix integer overflow in time conversion Converting unix epoch time to mpeg4 time requires adding over 2B seconds, which caused an overflow in a calculation involving time_t, which is signed. Bug: 23574783 Change-Id: I21bacc9f5a422091f3c903fb8cf1c760fc078953 --- media/libstagefright/MPEG4Writer.cpp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/MPEG4Writer.cpp b/media/libstagefright/MPEG4Writer.cpp index 2f1b6ac..f5e0fbf 100644 --- a/media/libstagefright/MPEG4Writer.cpp +++ b/media/libstagefright/MPEG4Writer.cpp @@ -1023,7 +1023,11 @@ uint32_t MPEG4Writer::getMpeg4Time() { // MP4 file uses time counting seconds since midnight, Jan. 1, 1904 // while time function returns Unix epoch values which starts // at 1970-01-01. Lets add the number of seconds between them - uint32_t mpeg4Time = now + (66 * 365 + 17) * (24 * 60 * 60); + static const uint32_t delta = (66 * 365 + 17) * (24 * 60 * 60); + if (now < 0 || uint32_t(now) > UINT32_MAX - delta) { + return 0; + } + uint32_t mpeg4Time = uint32_t(now) + delta; return mpeg4Time; } -- cgit v1.1 From 37c5d30af6797192de58586ab4ef64b2fcdc7ae9 Mon Sep 17 00:00:00 2001 From: Chad Brubaker Date: Fri, 31 Jul 2015 16:03:44 -0700 Subject: Fix harmless unsigned overflow in recoverPTS Change-Id: I89e3a827cf566421e8dd9b6a3c842e73a19c140f --- media/libstagefright/mpeg2ts/ATSParser.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/mpeg2ts/ATSParser.cpp b/media/libstagefright/mpeg2ts/ATSParser.cpp index e3c3e80..f9a9c4c 100644 --- a/media/libstagefright/mpeg2ts/ATSParser.cpp +++ b/media/libstagefright/mpeg2ts/ATSParser.cpp @@ -509,7 +509,7 @@ int64_t ATSParser::Program::recoverPTS(uint64_t PTS_33bit) { mLastRecoveredPTS = static_cast(PTS_33bit); } else { mLastRecoveredPTS = static_cast( - ((mLastRecoveredPTS - PTS_33bit + 0x100000000ll) + ((mLastRecoveredPTS - static_cast(PTS_33bit) + 0x100000000ll) & 0xfffffffe00000000ull) | PTS_33bit); // We start from 0, but recovered PTS could be slightly below 0. // Clamp it to 0 as rest of the pipeline doesn't take negative pts. -- cgit v1.1 From 3df4facd824693020ec412cd4afcc8e469e31bb7 Mon Sep 17 00:00:00 2001 From: Dan Austin Date: Thu, 15 Oct 2015 13:06:41 -0700 Subject: Fix benign integer overflow conditions for VSYNC add and removal. There are integer overflow conditions that could occur on vsyncsForLastFrame in VideoFrameScheduler::schedule upon a VSYNC add or removal. Additional checks have been put in place to remove the overflowable conditions. Bug: 24980200 Change-Id: I7dfc25ae1d2f3e3b3382e990adb3c56518c64e8d --- media/libstagefright/VideoFrameScheduler.cpp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/VideoFrameScheduler.cpp b/media/libstagefright/VideoFrameScheduler.cpp index 02b8783..c17faf3 100644 --- a/media/libstagefright/VideoFrameScheduler.cpp +++ b/media/libstagefright/VideoFrameScheduler.cpp @@ -459,14 +459,16 @@ nsecs_t VideoFrameScheduler::schedule(nsecs_t renderTime) { mTimeCorrection -= mVsyncPeriod / 2; renderTime -= mVsyncPeriod / 2; nextVsyncTime -= mVsyncPeriod; - --vsyncsForLastFrame; + if (vsyncsForLastFrame > 0) + --vsyncsForLastFrame; } else if (mTimeCorrection < -correctionLimit && (vsyncsPerFrameAreNearlyConstant || vsyncsForLastFrame == minVsyncsPerFrame)) { // add a VSYNC mTimeCorrection += mVsyncPeriod / 2; renderTime += mVsyncPeriod / 2; nextVsyncTime += mVsyncPeriod; - ++vsyncsForLastFrame; + if (vsyncsForLastFrame < ULONG_MAX) + ++vsyncsForLastFrame; } ATRACE_INT("FRAME_VSYNCS", vsyncsForLastFrame); } -- cgit v1.1 From 4b17bd19e9eceade55dd27aea10b2cefa4e929c7 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Wed, 27 Jan 2016 14:41:58 -0800 Subject: Overflow fixes for amrwbenc Most of these were encountered while running a mixed sanitized/unsanitized AMR encoder, so may not be reachable in real conditions. Change-Id: I85af7d40214133234009323e7e64432fc1be39ca --- .../libstagefright/codecs/amrwbenc/inc/basic_op.h | 10 ++++++--- media/libstagefright/codecs/amrwbenc/src/c2t64fx.c | 2 +- media/libstagefright/codecs/amrwbenc/src/c4t64fx.c | 6 +++--- media/libstagefright/codecs/amrwbenc/src/cor_h_x.c | 24 ++++++++++++++-------- 4 files changed, 26 insertions(+), 16 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/amrwbenc/inc/basic_op.h b/media/libstagefright/codecs/amrwbenc/inc/basic_op.h index e63a55a..d36f455 100644 --- a/media/libstagefright/codecs/amrwbenc/inc/basic_op.h +++ b/media/libstagefright/codecs/amrwbenc/inc/basic_op.h @@ -222,14 +222,18 @@ static_vo Word16 shl (Word16 var1, Word16 var2) } else { - result = (Word32) var1 *((Word32) 1 << var2); - if ((var2 > 15 && var1 != 0) || (result != (Word32) ((Word16) result))) + if (var2 > 15 && var1 != 0) { var_out = (Word16)((var1 > 0) ? MAX_16 : MIN_16); } else { - var_out = extract_l (result); + result = (Word32) var1 *((Word32) 1 << var2); + if ((result != (Word32) ((Word16) result))) { + var_out = (Word16)((var1 > 0) ? MAX_16 : MIN_16); + } else { + var_out = extract_l (result); + } } } return (var_out); diff --git a/media/libstagefright/codecs/amrwbenc/src/c2t64fx.c b/media/libstagefright/codecs/amrwbenc/src/c2t64fx.c index c7c9279..dbb94c6 100644 --- a/media/libstagefright/codecs/amrwbenc/src/c2t64fx.c +++ b/media/libstagefright/codecs/amrwbenc/src/c2t64fx.c @@ -93,7 +93,7 @@ void ACELP_2t64_fx( #endif Isqrt_n(&s, &exp); - k_dn = vo_round(L_shl(s, (exp + 8))); /* k_dn = 256..4096 */ + k_dn = voround(L_shl(s, (exp + 8))); /* k_dn = 256..4096 */ k_dn = vo_mult_r(alp, k_dn); /* alp in Q12 */ /* mix normalized cn[] and dn[] */ diff --git a/media/libstagefright/codecs/amrwbenc/src/c4t64fx.c b/media/libstagefright/codecs/amrwbenc/src/c4t64fx.c index b9a9e26..49a89a1 100644 --- a/media/libstagefright/codecs/amrwbenc/src/c4t64fx.c +++ b/media/libstagefright/codecs/amrwbenc/src/c4t64fx.c @@ -257,7 +257,7 @@ void ACELP_4t64_fx( #endif Isqrt_n(&s, &exp); - k_dn = (L_shl(s, (exp + 5 + 3)) + 0x8000) >> 16; /* k_dn = 256..4096 */ + k_dn = voround(L_shl(s, (exp + 5 + 3))); /* k_dn = 256..4096 */ k_dn = vo_mult_r(alp, k_dn); /* alp in Q12 */ /* mix normalized cn[] and dn[] */ @@ -1005,7 +1005,7 @@ void search_ixiy( for (x = track_x; x < L_SUBFR; x += STEP) { ps1 = *ps + dn[x]; - alp1 = alp0 + ((*p0++)<<13); + alp1 = L_add(alp0, ((*p0++)<<13)); if (dn2[x] < thres_ix) { @@ -1018,7 +1018,7 @@ void search_ixiy( alp2 = alp2 + ((*p2++)<<14); alp_16 = extract_h(alp2); sq = vo_mult(ps2, ps2); - s = vo_L_mult(alpk, sq) - ((sqk * alp_16)<<1); + s = L_sub(vo_L_mult(alpk, sq), L_mult(sqk, alp_16)); if (s > 0) { diff --git a/media/libstagefright/codecs/amrwbenc/src/cor_h_x.c b/media/libstagefright/codecs/amrwbenc/src/cor_h_x.c index b2aa759..e834396 100644 --- a/media/libstagefright/codecs/amrwbenc/src/cor_h_x.c +++ b/media/libstagefright/codecs/amrwbenc/src/cor_h_x.c @@ -55,10 +55,10 @@ void cor_h_x( p1 = &x[i]; p2 = &h[0]; for (j = i; j < L_SUBFR; j++) - L_tmp += vo_L_mult(*p1++, *p2++); + L_tmp = L_add(L_tmp, vo_L_mult(*p1++, *p2++)); y32[i] = L_tmp; - L_tmp = (L_tmp > 0)? L_tmp:-L_tmp; + L_tmp = (L_tmp > 0)? L_tmp: (L_tmp == INT_MIN ? INT_MAX : -L_tmp); if(L_tmp > L_max) { L_max = L_tmp; @@ -68,10 +68,10 @@ void cor_h_x( p1 = &x[i+1]; p2 = &h[0]; for (j = i+1; j < L_SUBFR; j++) - L_tmp += vo_L_mult(*p1++, *p2++); + L_tmp = L_add(L_tmp, vo_L_mult(*p1++, *p2++)); y32[i+1] = L_tmp; - L_tmp = (L_tmp > 0)? L_tmp:-L_tmp; + L_tmp = (L_tmp > 0)? L_tmp: (L_tmp == INT_MIN ? INT_MAX : -L_tmp); if(L_tmp > L_max1) { L_max1 = L_tmp; @@ -81,10 +81,10 @@ void cor_h_x( p1 = &x[i+2]; p2 = &h[0]; for (j = i+2; j < L_SUBFR; j++) - L_tmp += vo_L_mult(*p1++, *p2++); + L_tmp = L_add(L_tmp, vo_L_mult(*p1++, *p2++)); y32[i+2] = L_tmp; - L_tmp = (L_tmp > 0)? L_tmp:-L_tmp; + L_tmp = (L_tmp > 0)? L_tmp: (L_tmp == INT_MIN ? INT_MAX : -L_tmp); if(L_tmp > L_max2) { L_max2 = L_tmp; @@ -94,17 +94,23 @@ void cor_h_x( p1 = &x[i+3]; p2 = &h[0]; for (j = i+3; j < L_SUBFR; j++) - L_tmp += vo_L_mult(*p1++, *p2++); + L_tmp = L_add(L_tmp, vo_L_mult(*p1++, *p2++)); y32[i+3] = L_tmp; - L_tmp = (L_tmp > 0)? L_tmp:-L_tmp; + L_tmp = (L_tmp > 0)? L_tmp: (L_tmp == INT_MIN ? INT_MAX : -L_tmp); if(L_tmp > L_max3) { L_max3 = L_tmp; } } /* tot += 3*max / 8 */ - L_max = ((L_max + L_max1 + L_max2 + L_max3) >> 2); + if (L_max > INT_MAX - L_max1 || + L_max + L_max1 > INT_MAX - L_max2 || + L_max + L_max1 + L_max2 > INT_MAX - L_max3) { + L_max = INT_MAX >> 2; + } else { + L_max = ((L_max + L_max1 + L_max2 + L_max3) >> 2); + } L_tot = vo_L_add(L_tot, L_max); /* +max/4 */ L_tot = vo_L_add(L_tot, (L_max >> 1)); /* +max/8 */ -- cgit v1.1 From c4795f0ab03bc1188f2b6ca25b333b8a7220daf3 Mon Sep 17 00:00:00 2001 From: Wei Jia Date: Wed, 3 Feb 2016 14:28:00 -0800 Subject: MPEG4Extractor: cast media time to int64_t in order to avoid check on unsigned integer overflow. Change-Id: Iad5ae41f0bbfc5e837b4b78e8acaa3f9462329e6 --- media/libstagefright/MPEG4Extractor.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp index 2d2e8fb..c056a25 100755 --- a/media/libstagefright/MPEG4Extractor.cpp +++ b/media/libstagefright/MPEG4Extractor.cpp @@ -1032,7 +1032,7 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { int64_t delay = (media_time * samplerate + 500000) / 1000000; mLastTrack->meta->setInt32(kKeyEncoderDelay, delay); - int64_t paddingus = duration - (segment_duration + media_time); + int64_t paddingus = duration - (int64_t)(segment_duration + media_time); if (paddingus < 0) { // track duration from media header (which is what kKeyDuration is) might // be slightly shorter than the segment duration, which would make the -- cgit v1.1 From f9ed2fe6d61259e779a37d4c2d7edb33a1c1f8ba Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Wed, 16 Mar 2016 10:32:05 -0700 Subject: Add VPX output buffer size check and handle dead observers more gracefully Bug: 27597103 Change-Id: Id7acb25d5ef69b197da15ec200a9e4f9e7b03518 --- media/libstagefright/codecs/on2/dec/SoftVPX.cpp | 23 ++++++++++++++--------- media/libstagefright/omx/OMX.cpp | 7 ++++++- 2 files changed, 20 insertions(+), 10 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/on2/dec/SoftVPX.cpp b/media/libstagefright/codecs/on2/dec/SoftVPX.cpp index e161fb8..02e85a1 100644 --- a/media/libstagefright/codecs/on2/dec/SoftVPX.cpp +++ b/media/libstagefright/codecs/on2/dec/SoftVPX.cpp @@ -149,15 +149,20 @@ bool SoftVPX::outputBuffers(bool flushDecoder, bool display, bool eos, bool *por outHeader->nFlags = 0; outHeader->nFilledLen = (outputBufferWidth() * outputBufferHeight() * 3) / 2; outHeader->nTimeStamp = *(OMX_TICKS *)mImg->user_priv; - - uint8_t *dst = outHeader->pBuffer; - const uint8_t *srcY = (const uint8_t *)mImg->planes[VPX_PLANE_Y]; - const uint8_t *srcU = (const uint8_t *)mImg->planes[VPX_PLANE_U]; - const uint8_t *srcV = (const uint8_t *)mImg->planes[VPX_PLANE_V]; - size_t srcYStride = mImg->stride[VPX_PLANE_Y]; - size_t srcUStride = mImg->stride[VPX_PLANE_U]; - size_t srcVStride = mImg->stride[VPX_PLANE_V]; - copyYV12FrameToOutputBuffer(dst, srcY, srcU, srcV, srcYStride, srcUStride, srcVStride); + if (outHeader->nAllocLen >= outHeader->nFilledLen) { + uint8_t *dst = outHeader->pBuffer; + const uint8_t *srcY = (const uint8_t *)mImg->planes[VPX_PLANE_Y]; + const uint8_t *srcU = (const uint8_t *)mImg->planes[VPX_PLANE_U]; + const uint8_t *srcV = (const uint8_t *)mImg->planes[VPX_PLANE_V]; + size_t srcYStride = mImg->stride[VPX_PLANE_Y]; + size_t srcUStride = mImg->stride[VPX_PLANE_U]; + size_t srcVStride = mImg->stride[VPX_PLANE_V]; + copyYV12FrameToOutputBuffer(dst, srcY, srcU, srcV, srcYStride, srcUStride, srcVStride); + } else { + ALOGE("b/27597103, buffer too small"); + android_errorWriteLog(0x534e4554, "27597103"); + outHeader->nFilledLen = 0; + } mImg = NULL; outInfo->mOwnedByUs = false; diff --git a/media/libstagefright/omx/OMX.cpp b/media/libstagefright/omx/OMX.cpp index 7f357c9..56b6055 100644 --- a/media/libstagefright/omx/OMX.cpp +++ b/media/libstagefright/omx/OMX.cpp @@ -179,7 +179,12 @@ void OMX::binderDied(const wp &the_late_who) { Mutex::Autolock autoLock(mLock); ssize_t index = mLiveNodes.indexOfKey(the_late_who); - CHECK(index >= 0); + + if (index < 0) { + ALOGE("b/27597103, nonexistent observer on binderDied"); + android_errorWriteLog(0x534e4554, "27597103"); + return; + } instance = mLiveNodes.editValueAt(index); mLiveNodes.removeItemsAt(index); -- cgit v1.1 From 7fd96ebfc4c9da496c59d7c45e1f62be178e626d Mon Sep 17 00:00:00 2001 From: Wonsik Kim Date: Sun, 20 Mar 2016 10:44:44 +0900 Subject: codecs: check OMX buffer size before use in VP8 encoder. Bug: 27569635 Change-Id: I469573f40e21dc9f4c200749d4f220e3a2d31761 --- .../codecs/on2/enc/SoftVPXEncoder.cpp | 28 +++++++++++++++++----- 1 file changed, 22 insertions(+), 6 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp b/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp index 410f9d0..d9895f0 100644 --- a/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp +++ b/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp @@ -688,9 +688,10 @@ void SoftVPXEncoder::onQueueFilled(OMX_U32 /* portIndex */) { const uint8_t *source = inputBufferHeader->pBuffer + inputBufferHeader->nOffset; + size_t frameSize = mWidth * mHeight * 3 / 2; if (mInputDataIsMeta) { source = extractGraphicBuffer( - mConversionBuffer, mWidth * mHeight * 3 / 2, + mConversionBuffer, frameSize, source, inputBufferHeader->nFilledLen, mWidth, mHeight); if (source == NULL) { @@ -698,11 +699,21 @@ void SoftVPXEncoder::onQueueFilled(OMX_U32 /* portIndex */) { notify(OMX_EventError, OMX_ErrorUndefined, 0, 0); return; } - } else if (mColorFormat == OMX_COLOR_FormatYUV420SemiPlanar) { - ConvertYUV420SemiPlanarToYUV420Planar( - source, mConversionBuffer, mWidth, mHeight); + } else { + if (inputBufferHeader->nFilledLen < frameSize) { + android_errorWriteLog(0x534e4554, "27569635"); + notify(OMX_EventError, OMX_ErrorUndefined, 0, 0); + return; + } else if (inputBufferHeader->nFilledLen > frameSize) { + ALOGW("Input buffer contains too many pixels"); + } - source = mConversionBuffer; + if (mColorFormat == OMX_COLOR_FormatYUV420SemiPlanar) { + ConvertYUV420SemiPlanarToYUV420Planar( + source, mConversionBuffer, mWidth, mHeight); + + source = mConversionBuffer; + } } vpx_image_t raw_frame; vpx_img_wrap(&raw_frame, VPX_IMG_FMT_I420, mWidth, mHeight, @@ -764,9 +775,14 @@ void SoftVPXEncoder::onQueueFilled(OMX_U32 /* portIndex */) { outputBufferHeader->nTimeStamp = encoded_packet->data.frame.pts; outputBufferHeader->nFlags = 0; if (encoded_packet->data.frame.flags & VPX_FRAME_IS_KEY) - outputBufferHeader->nFlags |= OMX_BUFFERFLAG_SYNCFRAME; + outputBufferHeader->nFlags |= OMX_BUFFERFLAG_SYNCFRAME; outputBufferHeader->nOffset = 0; outputBufferHeader->nFilledLen = encoded_packet->data.frame.sz; + if (outputBufferHeader->nFilledLen > outputBufferHeader->nAllocLen) { + android_errorWriteLog(0x534e4554, "27569635"); + notify(OMX_EventError, OMX_ErrorUndefined, 0, 0); + return; + } memcpy(outputBufferHeader->pBuffer, encoded_packet->data.frame.buf, encoded_packet->data.frame.sz); -- cgit v1.1 From 44749eb4f273f0eb681d0fa013e3beef754fa687 Mon Sep 17 00:00:00 2001 From: Wei Jia Date: Thu, 17 Mar 2016 11:15:02 -0700 Subject: SoftAMR: check output buffer size to avoid overflow. Bug: 27662364 Change-Id: I7b26892c41d6f2e690e77478ab855c2fed1ff6b0 --- media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp b/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp index a9723ea..bcf6a62 100644 --- a/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp +++ b/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp @@ -312,6 +312,15 @@ void SoftAMR::onQueueFilled(OMX_U32 /* portIndex */) { int32_t numBytesRead; if (mMode == MODE_NARROW) { + if (outHeader->nAllocLen < kNumSamplesPerFrameNB * sizeof(int16_t)) { + ALOGE("b/27662364: NB expected output buffer %zu bytes vs %u", + kNumSamplesPerFrameNB * sizeof(int16_t), outHeader->nAllocLen); + android_errorWriteLog(0x534e4554, "27662364"); + notify(OMX_EventError, OMX_ErrorOverflow, 0, NULL); + mSignalledError = true; + return; + } + numBytesRead = AMRDecode(mState, (Frame_Type_3GPP)((inputPtr[0] >> 3) & 0x0f), @@ -339,6 +348,15 @@ void SoftAMR::onQueueFilled(OMX_U32 /* portIndex */) { return; } } else { + if (outHeader->nAllocLen < kNumSamplesPerFrameWB * sizeof(int16_t)) { + ALOGE("b/27662364: WB expected output buffer %zu bytes vs %u", + kNumSamplesPerFrameWB * sizeof(int16_t), outHeader->nAllocLen); + android_errorWriteLog(0x534e4554, "27662364"); + notify(OMX_EventError, OMX_ErrorOverflow, 0, NULL); + mSignalledError = true; + return; + } + int16 mode = ((inputPtr[0] >> 3) & 0x0f); if (mode >= 10 && mode <= 13) { -- cgit v1.1 From 65756b4082cd79a2d99b2ccb5b392291fd53703f Mon Sep 17 00:00:00 2001 From: Wei Jia Date: Fri, 18 Mar 2016 18:17:14 -0700 Subject: SoftAMR: check input buffer size to avoid overflow. Bug: 27662364 Change-Id: I47380545ea7d85845e141e722b0d84f498d27145 --- media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp | 25 +++++++++++++++++++++- .../codecs/amrnb/dec/src/amrdecode.h | 1 - .../codecs/amrnb/dec/src/gsmamr_dec.h | 14 +----------- 3 files changed, 25 insertions(+), 15 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp b/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp index bcf6a62..77c3742 100644 --- a/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp +++ b/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp @@ -286,6 +286,13 @@ void SoftAMR::onQueueFilled(OMX_U32 /* portIndex */) { BufferInfo *inInfo = *inQueue.begin(); OMX_BUFFERHEADERTYPE *inHeader = inInfo->mHeader; + if (inHeader->nFilledLen == 0) { + inInfo->mOwnedByUs = false; + inQueue.erase(inQueue.begin()); + notifyEmptyBufferDone(inHeader); + continue; + } + BufferInfo *outInfo = *outQueue.begin(); OMX_BUFFERHEADERTYPE *outHeader = outInfo->mHeader; @@ -321,6 +328,17 @@ void SoftAMR::onQueueFilled(OMX_U32 /* portIndex */) { return; } + int16 mode = ((inputPtr[0] >> 3) & 0x0f); + // for WMF since MIME_IETF is used when calling AMRDecode. + size_t frameSize = WmfDecBytesPerFrame[mode] + 1; + + if (inHeader->nFilledLen < frameSize) { + ALOGE("b/27662364: expected %zu bytes vs %u", frameSize, inHeader->nFilledLen); + notify(OMX_EventError, OMX_ErrorStreamCorrupt, 0, NULL); + mSignalledError = true; + return; + } + numBytesRead = AMRDecode(mState, (Frame_Type_3GPP)((inputPtr[0] >> 3) & 0x0f), @@ -370,7 +388,12 @@ void SoftAMR::onQueueFilled(OMX_U32 /* portIndex */) { } size_t frameSize = getFrameSize(mode); - CHECK_GE(inHeader->nFilledLen, frameSize); + if (inHeader->nFilledLen < frameSize) { + ALOGE("b/27662364: expected %zu bytes vs %u", frameSize, inHeader->nFilledLen); + notify(OMX_EventError, OMX_ErrorStreamCorrupt, 0, NULL); + mSignalledError = true; + return; + } int16_t *outPtr = (int16_t *)outHeader->pBuffer; diff --git a/media/libstagefright/codecs/amrnb/dec/src/amrdecode.h b/media/libstagefright/codecs/amrnb/dec/src/amrdecode.h index 0988e17..f224fb6 100644 --- a/media/libstagefright/codecs/amrnb/dec/src/amrdecode.h +++ b/media/libstagefright/codecs/amrnb/dec/src/amrdecode.h @@ -104,7 +104,6 @@ terms listed above has been obtained from the copyright holder. ; INCLUDES ----------------------------------------------------------------------------*/ #include "typedef.h" -#include "mode.h" #include "frame_type_3gpp.h" /*--------------------------------------------------------------------------*/ diff --git a/media/libstagefright/codecs/amrnb/dec/src/gsmamr_dec.h b/media/libstagefright/codecs/amrnb/dec/src/gsmamr_dec.h index 8f54ee8..dc64d67 100644 --- a/media/libstagefright/codecs/amrnb/dec/src/gsmamr_dec.h +++ b/media/libstagefright/codecs/amrnb/dec/src/gsmamr_dec.h @@ -87,6 +87,7 @@ terms listed above has been obtained from the copyright holder. #include "gsm_amr_typedefs.h" #include "frame_type_3gpp.h" +#include "amrdecode.h" /*--------------------------------------------------------------------------*/ #ifdef __cplusplus @@ -136,19 +137,6 @@ extern "C" Word8 *id); /* - * AMRDecode steps into the part of the library that decodes the raw data - * speech bits for the decoding process. It returns the address offset of - * the next frame to be decoded. - */ - Word16 AMRDecode( - void *state_data, - enum Frame_Type_3GPP frame_type, - UWord8 *speech_bits_ptr, - Word16 *raw_pcm_buffer, - Word16 input_format - ); - - /* * This function resets the state memory used by the GSM AMR decoder. This * function returns zero. It will return negative one if there is an error. */ -- cgit v1.1 From daa85dac2055b22dabbb3b4e537597e6ab73a866 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Fri, 25 Mar 2016 08:26:18 -0700 Subject: Fix AMR decoder Previous change caused EOS to be ignored. Bug: 27843673 Related-to-bug: 27662364 Change-Id: Ia148a88abc861a9b393f42bc7cd63d8d3ae349bc --- media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp b/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp index 77c3742..955309a 100644 --- a/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp +++ b/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp @@ -286,13 +286,6 @@ void SoftAMR::onQueueFilled(OMX_U32 /* portIndex */) { BufferInfo *inInfo = *inQueue.begin(); OMX_BUFFERHEADERTYPE *inHeader = inInfo->mHeader; - if (inHeader->nFilledLen == 0) { - inInfo->mOwnedByUs = false; - inQueue.erase(inQueue.begin()); - notifyEmptyBufferDone(inHeader); - continue; - } - BufferInfo *outInfo = *outQueue.begin(); OMX_BUFFERHEADERTYPE *outHeader = outInfo->mHeader; @@ -310,6 +303,13 @@ void SoftAMR::onQueueFilled(OMX_U32 /* portIndex */) { return; } + if (inHeader->nFilledLen == 0) { + inInfo->mOwnedByUs = false; + inQueue.erase(inQueue.begin()); + notifyEmptyBufferDone(inHeader); + continue; + } + if (inHeader->nOffset == 0) { mAnchorTimeUs = inHeader->nTimeStamp; mNumSamplesOutput = 0; -- cgit v1.1 From 6635a582f449f86c1099de11aae6b27e6a33d21f Mon Sep 17 00:00:00 2001 From: Diogo Ferreira Date: Wed, 23 Mar 2016 17:45:20 +0000 Subject: omx: softcodecs: Support HAL_PIXEL_FORMAT_RGBX_8888 Adds support for the HAL_PIXEL_FORMAT_RGBX_8888 format used by mediatek's hardware. Fixes several CTS tests where interaction between hardware and software encoders and decoders is tested. Change-Id: Ie3267c7d34706c49ad415ebc04ad05f2f2ef3506 --- media/libstagefright/omx/SoftVideoEncoderOMXComponent.cpp | 3 +++ 1 file changed, 3 insertions(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/omx/SoftVideoEncoderOMXComponent.cpp b/media/libstagefright/omx/SoftVideoEncoderOMXComponent.cpp index 8ea7a6e..dc3ed39 100644 --- a/media/libstagefright/omx/SoftVideoEncoderOMXComponent.cpp +++ b/media/libstagefright/omx/SoftVideoEncoderOMXComponent.cpp @@ -606,6 +606,9 @@ const uint8_t *SoftVideoEncoderOMXComponent::extractGraphicBuffer( break; case HAL_PIXEL_FORMAT_RGBA_8888: case HAL_PIXEL_FORMAT_BGRA_8888: +#ifdef MTK_HARDWARE + case HAL_PIXEL_FORMAT_RGBX_8888: +#endif ConvertRGB32ToPlanar( dst, dstStride, dstVStride, (const uint8_t *)bits, width, height, srcStride, -- cgit v1.1 From 322d0a4dd98eae78c0f0acbebc2b622be9fd5438 Mon Sep 17 00:00:00 2001 From: Deva Ramasubramanian Date: Mon, 9 Nov 2015 18:55:59 -0800 Subject: libstagefright: Allow for MPEG4Writer extension Defer MPEG4 muxer creation to AVFactory. Change-Id: If0918be77ab7f8d82c78203f371df789e3cc29b8 --- media/libstagefright/MPEG4Writer.cpp | 2 +- media/libstagefright/MediaMuxer.cpp | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/MPEG4Writer.cpp b/media/libstagefright/MPEG4Writer.cpp index f5e0fbf..24da000 100644 --- a/media/libstagefright/MPEG4Writer.cpp +++ b/media/libstagefright/MPEG4Writer.cpp @@ -1148,7 +1148,7 @@ off64_t MPEG4Writer::addSample_l(MediaBuffer *buffer) { return old_offset; } -static void StripStartcode(MediaBuffer *buffer) { +void MPEG4Writer::StripStartcode(MediaBuffer *buffer) { if (buffer->range_length() < 4) { return; } diff --git a/media/libstagefright/MediaMuxer.cpp b/media/libstagefright/MediaMuxer.cpp index b13877d..798a855 100644 --- a/media/libstagefright/MediaMuxer.cpp +++ b/media/libstagefright/MediaMuxer.cpp @@ -35,6 +35,7 @@ #include #include #include +#include namespace android { @@ -42,7 +43,7 @@ MediaMuxer::MediaMuxer(int fd, OutputFormat format) : mFormat(format), mState(UNINITIALIZED) { if (format == OUTPUT_FORMAT_MPEG_4) { - mWriter = new MPEG4Writer(fd); + mWriter = AVFactory::get()->CreateMPEG4Writer(fd); } else if (format == OUTPUT_FORMAT_WEBM) { mWriter = new WebmWriter(fd); } -- cgit v1.1 From f888cedf170f6d3cc060cc14ad9c56918f3a03c3 Mon Sep 17 00:00:00 2001 From: xiaoqiny Date: Tue, 13 Jan 2015 17:59:04 +0800 Subject: libstagefright: handle error when B-frame is sent to MPEG4Writer Without this patch, writing B-frame to MediaMuxer will be blocked and cannot return a result. This may cause an endless progress bar shown in gallery when triming or muting some videos. Change-Id: Ib9f902a57da470c0357ec68aab00a35fbb26fb77 CRs-Fixed: 521005 --- media/libstagefright/MPEG4Writer.cpp | 4 +++- media/libstagefright/MediaAdapter.cpp | 18 ++++++++++++++++-- 2 files changed, 19 insertions(+), 3 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/MPEG4Writer.cpp b/media/libstagefright/MPEG4Writer.cpp index 24da000..6a8664e 100644 --- a/media/libstagefright/MPEG4Writer.cpp +++ b/media/libstagefright/MPEG4Writer.cpp @@ -2452,7 +2452,9 @@ status_t MPEG4Writer::Track::threadEntry() { ALOGE("timestampUs %" PRId64 " < lastTimestampUs %" PRId64 " for %s track", timestampUs, lastTimestampUs, trackName); copy->release(); - return UNKNOWN_ERROR; + err = UNKNOWN_ERROR; + mSource->notifyError(err); + return err; } // if the duration is different for this sample, see if it is close enough to the previous diff --git a/media/libstagefright/MediaAdapter.cpp b/media/libstagefright/MediaAdapter.cpp index d680e0c..ec4550f 100644 --- a/media/libstagefright/MediaAdapter.cpp +++ b/media/libstagefright/MediaAdapter.cpp @@ -27,7 +27,8 @@ namespace android { MediaAdapter::MediaAdapter(const sp &meta) : mCurrentMediaBuffer(NULL), mStarted(false), - mOutputFormat(meta) { + mOutputFormat(meta), + mStatus(OK) { } MediaAdapter::~MediaAdapter() { @@ -51,6 +52,9 @@ status_t MediaAdapter::stop() { // If stop() happens immediately after a pushBuffer(), we should // clean up the mCurrentMediaBuffer if (mCurrentMediaBuffer != NULL) { + mCurrentMediaBuffer->setObserver(this); + mCurrentMediaBuffer->claim(); + mCurrentMediaBuffer->setObserver(0); mCurrentMediaBuffer->release(); mCurrentMediaBuffer = NULL; } @@ -113,13 +117,23 @@ status_t MediaAdapter::pushBuffer(MediaBuffer *buffer) { ALOGE("pushBuffer called before start"); return INVALID_OPERATION; } + if (mStatus != OK) { + ALOGE("pushBuffer called when MediaAdapter in error status"); + return mStatus; + } mCurrentMediaBuffer = buffer; mBufferReadCond.signal(); ALOGV("wait for the buffer returned @ pushBuffer! %p", buffer); mBufferReturnedCond.wait(mAdapterLock); - return OK; + return mStatus; +} + +void MediaAdapter::notifyError(status_t err) { + Mutex::Autolock autoLock(mAdapterLock); + mStatus = err; + mBufferReturnedCond.signal(); } } // namespace android -- cgit v1.1 From d27aa05a1e160badde0ae4ff9b09c72b1d688371 Mon Sep 17 00:00:00 2001 From: Leena Winterrowd Date: Wed, 23 Dec 2015 17:54:33 -0800 Subject: frameworks/av: Fix LOG_NDEBUG compilation issues Fix compilation issues that appear when enabling LOG_NDEBUG. Change-Id: I87e9e5ac66157759dd6f521fab0dd346089a011a --- media/libstagefright/rtsp/MyHandler.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/rtsp/MyHandler.h b/media/libstagefright/rtsp/MyHandler.h index 7290ee2..70063b1 100644 --- a/media/libstagefright/rtsp/MyHandler.h +++ b/media/libstagefright/rtsp/MyHandler.h @@ -18,7 +18,9 @@ #define MY_HANDLER_H_ +#ifndef LOG_NDEBUG //#define LOG_NDEBUG 0 +#endif #ifndef LOG_TAG #define LOG_TAG "MyHandler" -- cgit v1.1 From 51b3174ac272f146f7a4fb502103d8130b6f4703 Mon Sep 17 00:00:00 2001 From: Surajit Podder Date: Thu, 25 Feb 2016 20:23:24 +0530 Subject: video: Use boot clock for recording start time Camera HAL3 uses boot time for buffer timestamp, rather than system monotonic time. This leads to issues as framework uses system monotonic time as reference start time for timestamp adjustment. Add change to use boot time for reference start time. CRs-Fixed: 946735 Change-Id: Id0af9c8aed1a983095275ac03f7f59abc31594cc --- media/libstagefright/CameraSource.cpp | 10 +++++++++- media/libstagefright/MPEG4Writer.cpp | 10 ++++++++++ media/libstagefright/MediaCodecSource.cpp | 10 +++++++++- 3 files changed, 28 insertions(+), 2 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/CameraSource.cpp b/media/libstagefright/CameraSource.cpp index e2ad924..64e7f90 100644 --- a/media/libstagefright/CameraSource.cpp +++ b/media/libstagefright/CameraSource.cpp @@ -701,7 +701,15 @@ status_t CameraSource::start(MetaData *meta) { if (meta) { int64_t startTimeUs; - if (meta->findInt64(kKeyTime, &startTimeUs)) { + + auto key = kKeyTimeBoot; + char value[PROPERTY_VALUE_MAX]; + if (property_get("media.camera.ts.monotonic", value, "0") && + atoi(value)) { + key = kKeyTime; + } + + if (meta->findInt64(key, &startTimeUs)) { mStartTimeUs = startTimeUs; } diff --git a/media/libstagefright/MPEG4Writer.cpp b/media/libstagefright/MPEG4Writer.cpp index 6a8664e..16da3eb 100644 --- a/media/libstagefright/MPEG4Writer.cpp +++ b/media/libstagefright/MPEG4Writer.cpp @@ -1837,9 +1837,16 @@ status_t MPEG4Writer::Track::start(MetaData *params) { } int64_t startTimeUs; + if (params == NULL || !params->findInt64(kKeyTime, &startTimeUs)) { startTimeUs = 0; } + + int64_t startTimeBootUs; + if (params == NULL || !params->findInt64(kKeyTimeBoot, &startTimeBootUs)) { + startTimeBootUs = 0; + } + mStartTimeRealUs = startTimeUs; int32_t rotationDegrees; @@ -1850,6 +1857,7 @@ status_t MPEG4Writer::Track::start(MetaData *params) { initTrackingProgressStatus(params); sp meta = new MetaData; + if (mOwner->isRealTimeRecording() && mOwner->numTracks() > 1) { /* * This extra delay of accepting incoming audio/video signals @@ -1865,10 +1873,12 @@ status_t MPEG4Writer::Track::start(MetaData *params) { startTimeOffsetUs = kInitialDelayTimeUs; } startTimeUs += startTimeOffsetUs; + startTimeBootUs += startTimeOffsetUs; ALOGI("Start time offset: %" PRId64 " us", startTimeOffsetUs); } meta->setInt64(kKeyTime, startTimeUs); + meta->setInt64(kKeyTimeBoot, startTimeBootUs); status_t err = mSource->start(meta.get()); if (err != OK) { diff --git a/media/libstagefright/MediaCodecSource.cpp b/media/libstagefright/MediaCodecSource.cpp index adbde54..b15ee64 100644 --- a/media/libstagefright/MediaCodecSource.cpp +++ b/media/libstagefright/MediaCodecSource.cpp @@ -38,6 +38,7 @@ #include #include #include +#include namespace android { @@ -663,8 +664,15 @@ status_t MediaCodecSource::onStart(MetaData *params) { status_t err = OK; if (mFlags & FLAG_USE_SURFACE_INPUT) { + auto key = kKeyTimeBoot; + char value[PROPERTY_VALUE_MAX]; + if (property_get("media.camera.ts.monotonic", value, "0") && + atoi(value)) { + key = kKeyTime; + } + int64_t startTimeUs; - if (!params || !params->findInt64(kKeyTime, &startTimeUs)) { + if (!params || !params->findInt64(key, &startTimeUs)) { startTimeUs = -1ll; } resume(startTimeUs); -- cgit v1.1 From 20f078273de062f24b603e12197667b47ab20d05 Mon Sep 17 00:00:00 2001 From: Leena Winterrowd Date: Tue, 26 Jan 2016 13:41:38 -0800 Subject: stagefright: Fix CLANG compilation for AMR decoder Fix invalid type in error log's format string. Change-Id: I26aabfcdc1a03c0a7d9cd10fb3b39a660a9be03a --- media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp b/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp index f8316fd..1a4ed55 100644 --- a/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp +++ b/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp @@ -353,7 +353,7 @@ void SoftAMR::onQueueFilled(OMX_U32 /* portIndex */) { size_t frameSize = getFrameSize(mode); if (inHeader->nFilledLen < frameSize) { - ALOGE("Filled length vs frameSize %u vs %lu. Corrupt clip?", + ALOGE("Filled length vs frameSize %u vs %zu. Corrupt clip?", inHeader->nFilledLen, frameSize); notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); -- cgit v1.1 From c38d4f266ee016950bff2e08a8987e84f1d6461e Mon Sep 17 00:00:00 2001 From: Keith Mok Date: Fri, 15 Apr 2016 10:24:22 -0700 Subject: frameworks/av: Fix video recording breaks Change Id0af9c8aed1a983095275ac03f7f59abc31594cc using boot time for video recording start time as default, but it is specific on devices using qcom camera HAL3 and it breaks all devices using camera HAL1. Fix by changing the default behaviour when property media.camera.ts.monotonic is not set. And newer devices such as 8996 might need to setprop media.camera.ts.monotonic 0 in order to work properly when using camera HAL3. Change-Id: Iee07ed1147713a6397fff43e3bbd4f4ed08b56b7 --- media/libstagefright/CameraSource.cpp | 9 ++++----- media/libstagefright/MediaCodecSource.cpp | 9 ++++----- 2 files changed, 8 insertions(+), 10 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/CameraSource.cpp b/media/libstagefright/CameraSource.cpp index 64e7f90..1f26872 100644 --- a/media/libstagefright/CameraSource.cpp +++ b/media/libstagefright/CameraSource.cpp @@ -702,11 +702,10 @@ status_t CameraSource::start(MetaData *meta) { if (meta) { int64_t startTimeUs; - auto key = kKeyTimeBoot; - char value[PROPERTY_VALUE_MAX]; - if (property_get("media.camera.ts.monotonic", value, "0") && - atoi(value)) { - key = kKeyTime; + auto key = kKeyTime; + if (property_get_bool("persist.camera.HAL3.enabled", true) && + !property_get_bool("media.camera.ts.monotonic", true)) { + key = kKeyTimeBoot; } if (meta->findInt64(key, &startTimeUs)) { diff --git a/media/libstagefright/MediaCodecSource.cpp b/media/libstagefright/MediaCodecSource.cpp index b15ee64..94427ef 100644 --- a/media/libstagefright/MediaCodecSource.cpp +++ b/media/libstagefright/MediaCodecSource.cpp @@ -664,11 +664,10 @@ status_t MediaCodecSource::onStart(MetaData *params) { status_t err = OK; if (mFlags & FLAG_USE_SURFACE_INPUT) { - auto key = kKeyTimeBoot; - char value[PROPERTY_VALUE_MAX]; - if (property_get("media.camera.ts.monotonic", value, "0") && - atoi(value)) { - key = kKeyTime; + auto key = kKeyTime; + if (property_get_bool("persist.camera.HAL3.enabled", true) && + !property_get_bool("media.camera.ts.monotonic", true)) { + key = kKeyTimeBoot; } int64_t startTimeUs; -- cgit v1.1 From 295c883fe3105b19bcd0f9e07d54c6b589fc5bff Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Mon, 29 Feb 2016 12:47:20 -0800 Subject: DO NOT MERGE Verify OMX buffer sizes prior to access Bug: 27207275 Change-Id: I4412825d1ee233d993af0a67708bea54304ff62d --- media/libstagefright/codecs/aacdec/SoftAAC2.cpp | 25 +++++ .../codecs/aacenc/SoftAACEncoder.cpp | 28 +++++ .../codecs/aacenc/SoftAACEncoder2.cpp | 28 +++++ media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp | 20 ++++ .../codecs/amrnb/enc/SoftAMRNBEncoder.cpp | 28 +++++ .../codecs/amrwbenc/SoftAMRWBEncoder.cpp | 28 +++++ .../codecs/avc/enc/SoftAVCEncoder.cpp | 16 +++ media/libstagefright/codecs/avcenc/SoftAVCEnc.cpp | 30 ++++- .../codecs/flac/enc/SoftFlacEncoder.cpp | 26 +++++ media/libstagefright/codecs/g711/dec/SoftG711.cpp | 12 ++ media/libstagefright/codecs/gsm/dec/SoftGSM.cpp | 12 ++ .../codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp | 24 ++++ media/libstagefright/codecs/mp3dec/SoftMP3.cpp | 16 +++ .../codecs/on2/enc/SoftVPXEncoder.cpp | 121 ++++++++++++++------- media/libstagefright/codecs/opus/dec/SoftOpus.cpp | 16 +++ media/libstagefright/codecs/raw/SoftRaw.cpp | 12 ++ .../codecs/vorbis/dec/SoftVorbis.cpp | 16 +++ media/libstagefright/include/SoftOMXComponent.h | 16 +++ .../libstagefright/omx/SimpleSoftOMXComponent.cpp | 8 ++ .../omx/SoftVideoDecoderOMXComponent.cpp | 30 +++++ 20 files changed, 470 insertions(+), 42 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/aacdec/SoftAAC2.cpp b/media/libstagefright/codecs/aacdec/SoftAAC2.cpp index 965c55e..520ecb4 100644 --- a/media/libstagefright/codecs/aacdec/SoftAAC2.cpp +++ b/media/libstagefright/codecs/aacdec/SoftAAC2.cpp @@ -209,6 +209,10 @@ OMX_ERRORTYPE SoftAAC2::internalGetParameter( OMX_AUDIO_PARAM_AACPROFILETYPE *aacParams = (OMX_AUDIO_PARAM_AACPROFILETYPE *)params; + if (!isValidOMXParam(aacParams)) { + return OMX_ErrorBadParameter; + } + if (aacParams->nPortIndex != 0) { return OMX_ErrorUndefined; } @@ -244,6 +248,10 @@ OMX_ERRORTYPE SoftAAC2::internalGetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -284,6 +292,10 @@ OMX_ERRORTYPE SoftAAC2::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (strncmp((const char *)roleParams->cRole, "audio_decoder.aac", OMX_MAX_STRINGNAME_SIZE - 1)) { @@ -298,6 +310,10 @@ OMX_ERRORTYPE SoftAAC2::internalSetParameter( const OMX_AUDIO_PARAM_AACPROFILETYPE *aacParams = (const OMX_AUDIO_PARAM_AACPROFILETYPE *)params; + if (!isValidOMXParam(aacParams)) { + return OMX_ErrorBadParameter; + } + if (aacParams->nPortIndex != 0) { return OMX_ErrorUndefined; } @@ -318,6 +334,11 @@ OMX_ERRORTYPE SoftAAC2::internalSetParameter( { const OMX_AUDIO_PARAM_ANDROID_AACPRESENTATIONTYPE *aacPresParams = (const OMX_AUDIO_PARAM_ANDROID_AACPRESENTATIONTYPE *)params; + + if (!isValidOMXParam(aacPresParams)) { + return OMX_ErrorBadParameter; + } + // for the following parameters of the OMX_AUDIO_PARAM_AACPROFILETYPE structure, // a value of -1 implies the parameter is not set by the application: // nMaxOutputChannels uses default platform properties, see configureDownmix() @@ -384,6 +405,10 @@ OMX_ERRORTYPE SoftAAC2::internalSetParameter( const OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 1) { return OMX_ErrorUndefined; } diff --git a/media/libstagefright/codecs/aacenc/SoftAACEncoder.cpp b/media/libstagefright/codecs/aacenc/SoftAACEncoder.cpp index c6724c2..ab0a228 100644 --- a/media/libstagefright/codecs/aacenc/SoftAACEncoder.cpp +++ b/media/libstagefright/codecs/aacenc/SoftAACEncoder.cpp @@ -154,6 +154,10 @@ OMX_ERRORTYPE SoftAACEncoder::internalGetParameter( OMX_AUDIO_PARAM_PORTFORMATTYPE *formatParams = (OMX_AUDIO_PARAM_PORTFORMATTYPE *)params; + if (!isValidOMXParam(formatParams)) { + return OMX_ErrorBadParameter; + } + if (formatParams->nPortIndex > 1) { return OMX_ErrorUndefined; } @@ -174,6 +178,10 @@ OMX_ERRORTYPE SoftAACEncoder::internalGetParameter( OMX_AUDIO_PARAM_AACPROFILETYPE *aacParams = (OMX_AUDIO_PARAM_AACPROFILETYPE *)params; + if (!isValidOMXParam(aacParams)) { + return OMX_ErrorBadParameter; + } + if (aacParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -198,6 +206,10 @@ OMX_ERRORTYPE SoftAACEncoder::internalGetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 0) { return OMX_ErrorUndefined; } @@ -229,6 +241,10 @@ OMX_ERRORTYPE SoftAACEncoder::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (strncmp((const char *)roleParams->cRole, "audio_encoder.aac", OMX_MAX_STRINGNAME_SIZE - 1)) { @@ -243,6 +259,10 @@ OMX_ERRORTYPE SoftAACEncoder::internalSetParameter( const OMX_AUDIO_PARAM_PORTFORMATTYPE *formatParams = (const OMX_AUDIO_PARAM_PORTFORMATTYPE *)params; + if (!isValidOMXParam(formatParams)) { + return OMX_ErrorBadParameter; + } + if (formatParams->nPortIndex > 1) { return OMX_ErrorUndefined; } @@ -266,6 +286,10 @@ OMX_ERRORTYPE SoftAACEncoder::internalSetParameter( OMX_AUDIO_PARAM_AACPROFILETYPE *aacParams = (OMX_AUDIO_PARAM_AACPROFILETYPE *)params; + if (!isValidOMXParam(aacParams)) { + return OMX_ErrorBadParameter; + } + if (aacParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -286,6 +310,10 @@ OMX_ERRORTYPE SoftAACEncoder::internalSetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 0) { return OMX_ErrorUndefined; } diff --git a/media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp b/media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp index 35aa883..e8dabed 100644 --- a/media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp +++ b/media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp @@ -123,6 +123,10 @@ OMX_ERRORTYPE SoftAACEncoder2::internalGetParameter( OMX_AUDIO_PARAM_PORTFORMATTYPE *formatParams = (OMX_AUDIO_PARAM_PORTFORMATTYPE *)params; + if (!isValidOMXParam(formatParams)) { + return OMX_ErrorBadParameter; + } + if (formatParams->nPortIndex > 1) { return OMX_ErrorUndefined; } @@ -143,6 +147,10 @@ OMX_ERRORTYPE SoftAACEncoder2::internalGetParameter( OMX_AUDIO_PARAM_AACPROFILETYPE *aacParams = (OMX_AUDIO_PARAM_AACPROFILETYPE *)params; + if (!isValidOMXParam(aacParams)) { + return OMX_ErrorBadParameter; + } + if (aacParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -202,6 +210,10 @@ OMX_ERRORTYPE SoftAACEncoder2::internalGetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 0) { return OMX_ErrorUndefined; } @@ -233,6 +245,10 @@ OMX_ERRORTYPE SoftAACEncoder2::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (strncmp((const char *)roleParams->cRole, "audio_encoder.aac", OMX_MAX_STRINGNAME_SIZE - 1)) { @@ -247,6 +263,10 @@ OMX_ERRORTYPE SoftAACEncoder2::internalSetParameter( const OMX_AUDIO_PARAM_PORTFORMATTYPE *formatParams = (const OMX_AUDIO_PARAM_PORTFORMATTYPE *)params; + if (!isValidOMXParam(formatParams)) { + return OMX_ErrorBadParameter; + } + if (formatParams->nPortIndex > 1) { return OMX_ErrorUndefined; } @@ -270,6 +290,10 @@ OMX_ERRORTYPE SoftAACEncoder2::internalSetParameter( OMX_AUDIO_PARAM_AACPROFILETYPE *aacParams = (OMX_AUDIO_PARAM_AACPROFILETYPE *)params; + if (!isValidOMXParam(aacParams)) { + return OMX_ErrorBadParameter; + } + if (aacParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -310,6 +334,10 @@ OMX_ERRORTYPE SoftAACEncoder2::internalSetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 0) { return OMX_ErrorUndefined; } diff --git a/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp b/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp index 955309a..edf648d 100644 --- a/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp +++ b/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp @@ -148,6 +148,10 @@ OMX_ERRORTYPE SoftAMR::internalGetParameter( OMX_AUDIO_PARAM_AMRTYPE *amrParams = (OMX_AUDIO_PARAM_AMRTYPE *)params; + if (!isValidOMXParam(amrParams)) { + return OMX_ErrorBadParameter; + } + if (amrParams->nPortIndex != 0) { return OMX_ErrorUndefined; } @@ -174,6 +178,10 @@ OMX_ERRORTYPE SoftAMR::internalGetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -207,6 +215,10 @@ OMX_ERRORTYPE SoftAMR::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (mMode == MODE_NARROW) { if (strncmp((const char *)roleParams->cRole, "audio_decoder.amrnb", @@ -229,6 +241,10 @@ OMX_ERRORTYPE SoftAMR::internalSetParameter( const OMX_AUDIO_PARAM_AMRTYPE *aacParams = (const OMX_AUDIO_PARAM_AMRTYPE *)params; + if (!isValidOMXParam(aacParams)) { + return OMX_ErrorBadParameter; + } + if (aacParams->nPortIndex != 0) { return OMX_ErrorUndefined; } @@ -241,6 +257,10 @@ OMX_ERRORTYPE SoftAMR::internalSetParameter( const OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 1) { return OMX_ErrorUndefined; } diff --git a/media/libstagefright/codecs/amrnb/enc/SoftAMRNBEncoder.cpp b/media/libstagefright/codecs/amrnb/enc/SoftAMRNBEncoder.cpp index 9489457..aaa6731 100644 --- a/media/libstagefright/codecs/amrnb/enc/SoftAMRNBEncoder.cpp +++ b/media/libstagefright/codecs/amrnb/enc/SoftAMRNBEncoder.cpp @@ -120,6 +120,10 @@ OMX_ERRORTYPE SoftAMRNBEncoder::internalGetParameter( OMX_AUDIO_PARAM_PORTFORMATTYPE *formatParams = (OMX_AUDIO_PARAM_PORTFORMATTYPE *)params; + if (!isValidOMXParam(formatParams)) { + return OMX_ErrorBadParameter; + } + if (formatParams->nPortIndex > 1) { return OMX_ErrorUndefined; } @@ -140,6 +144,10 @@ OMX_ERRORTYPE SoftAMRNBEncoder::internalGetParameter( OMX_AUDIO_PARAM_AMRTYPE *amrParams = (OMX_AUDIO_PARAM_AMRTYPE *)params; + if (!isValidOMXParam(amrParams)) { + return OMX_ErrorBadParameter; + } + if (amrParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -158,6 +166,10 @@ OMX_ERRORTYPE SoftAMRNBEncoder::internalGetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 0) { return OMX_ErrorUndefined; } @@ -188,6 +200,10 @@ OMX_ERRORTYPE SoftAMRNBEncoder::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (strncmp((const char *)roleParams->cRole, "audio_encoder.amrnb", OMX_MAX_STRINGNAME_SIZE - 1)) { @@ -202,6 +218,10 @@ OMX_ERRORTYPE SoftAMRNBEncoder::internalSetParameter( const OMX_AUDIO_PARAM_PORTFORMATTYPE *formatParams = (const OMX_AUDIO_PARAM_PORTFORMATTYPE *)params; + if (!isValidOMXParam(formatParams)) { + return OMX_ErrorBadParameter; + } + if (formatParams->nPortIndex > 1) { return OMX_ErrorUndefined; } @@ -225,6 +245,10 @@ OMX_ERRORTYPE SoftAMRNBEncoder::internalSetParameter( OMX_AUDIO_PARAM_AMRTYPE *amrParams = (OMX_AUDIO_PARAM_AMRTYPE *)params; + if (!isValidOMXParam(amrParams)) { + return OMX_ErrorBadParameter; + } + if (amrParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -252,6 +276,10 @@ OMX_ERRORTYPE SoftAMRNBEncoder::internalSetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 0) { return OMX_ErrorUndefined; } diff --git a/media/libstagefright/codecs/amrwbenc/SoftAMRWBEncoder.cpp b/media/libstagefright/codecs/amrwbenc/SoftAMRWBEncoder.cpp index 91a512d..9d50c4e 100644 --- a/media/libstagefright/codecs/amrwbenc/SoftAMRWBEncoder.cpp +++ b/media/libstagefright/codecs/amrwbenc/SoftAMRWBEncoder.cpp @@ -155,6 +155,10 @@ OMX_ERRORTYPE SoftAMRWBEncoder::internalGetParameter( OMX_AUDIO_PARAM_PORTFORMATTYPE *formatParams = (OMX_AUDIO_PARAM_PORTFORMATTYPE *)params; + if (!isValidOMXParam(formatParams)) { + return OMX_ErrorBadParameter; + } + if (formatParams->nPortIndex > 1) { return OMX_ErrorUndefined; } @@ -175,6 +179,10 @@ OMX_ERRORTYPE SoftAMRWBEncoder::internalGetParameter( OMX_AUDIO_PARAM_AMRTYPE *amrParams = (OMX_AUDIO_PARAM_AMRTYPE *)params; + if (!isValidOMXParam(amrParams)) { + return OMX_ErrorBadParameter; + } + if (amrParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -196,6 +204,10 @@ OMX_ERRORTYPE SoftAMRWBEncoder::internalGetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 0) { return OMX_ErrorUndefined; } @@ -226,6 +238,10 @@ OMX_ERRORTYPE SoftAMRWBEncoder::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (strncmp((const char *)roleParams->cRole, "audio_encoder.amrwb", OMX_MAX_STRINGNAME_SIZE - 1)) { @@ -240,6 +256,10 @@ OMX_ERRORTYPE SoftAMRWBEncoder::internalSetParameter( const OMX_AUDIO_PARAM_PORTFORMATTYPE *formatParams = (const OMX_AUDIO_PARAM_PORTFORMATTYPE *)params; + if (!isValidOMXParam(formatParams)) { + return OMX_ErrorBadParameter; + } + if (formatParams->nPortIndex > 1) { return OMX_ErrorUndefined; } @@ -263,6 +283,10 @@ OMX_ERRORTYPE SoftAMRWBEncoder::internalSetParameter( OMX_AUDIO_PARAM_AMRTYPE *amrParams = (OMX_AUDIO_PARAM_AMRTYPE *)params; + if (!isValidOMXParam(amrParams)) { + return OMX_ErrorBadParameter; + } + if (amrParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -299,6 +323,10 @@ OMX_ERRORTYPE SoftAMRWBEncoder::internalSetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 0) { return OMX_ErrorUndefined; } diff --git a/media/libstagefright/codecs/avc/enc/SoftAVCEncoder.cpp b/media/libstagefright/codecs/avc/enc/SoftAVCEncoder.cpp index fa6ec40..cce6d15 100644 --- a/media/libstagefright/codecs/avc/enc/SoftAVCEncoder.cpp +++ b/media/libstagefright/codecs/avc/enc/SoftAVCEncoder.cpp @@ -370,6 +370,10 @@ OMX_ERRORTYPE SoftAVCEncoder::internalGetParameter( OMX_VIDEO_PARAM_BITRATETYPE *bitRate = (OMX_VIDEO_PARAM_BITRATETYPE *) params; + if (!isValidOMXParam(bitRate)) { + return OMX_ErrorBadParameter; + } + if (bitRate->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -384,6 +388,10 @@ OMX_ERRORTYPE SoftAVCEncoder::internalGetParameter( OMX_VIDEO_PARAM_AVCTYPE *avcParams = (OMX_VIDEO_PARAM_AVCTYPE *)params; + if (!isValidOMXParam(avcParams)) { + return OMX_ErrorBadParameter; + } + if (avcParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -427,6 +435,10 @@ OMX_ERRORTYPE SoftAVCEncoder::internalSetParameter( OMX_VIDEO_PARAM_BITRATETYPE *bitRate = (OMX_VIDEO_PARAM_BITRATETYPE *) params; + if (!isValidOMXParam(bitRate)) { + return OMX_ErrorBadParameter; + } + if (bitRate->nPortIndex != 1 || bitRate->eControlRate != OMX_Video_ControlRateVariable) { return OMX_ErrorUndefined; @@ -441,6 +453,10 @@ OMX_ERRORTYPE SoftAVCEncoder::internalSetParameter( OMX_VIDEO_PARAM_AVCTYPE *avcType = (OMX_VIDEO_PARAM_AVCTYPE *)params; + if (!isValidOMXParam(avcType)) { + return OMX_ErrorBadParameter; + } + if (avcType->nPortIndex != 1) { return OMX_ErrorUndefined; } diff --git a/media/libstagefright/codecs/avcenc/SoftAVCEnc.cpp b/media/libstagefright/codecs/avcenc/SoftAVCEnc.cpp index 387d17d..e4e8fd7 100644 --- a/media/libstagefright/codecs/avcenc/SoftAVCEnc.cpp +++ b/media/libstagefright/codecs/avcenc/SoftAVCEnc.cpp @@ -926,6 +926,10 @@ OMX_ERRORTYPE SoftAVC::internalGetParameter(OMX_INDEXTYPE index, OMX_PTR params) OMX_VIDEO_PARAM_BITRATETYPE *bitRate = (OMX_VIDEO_PARAM_BITRATETYPE *)params; + if (!isValidOMXParam(bitRate)) { + return OMX_ErrorBadParameter; + } + if (bitRate->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -939,6 +943,10 @@ OMX_ERRORTYPE SoftAVC::internalGetParameter(OMX_INDEXTYPE index, OMX_PTR params) { OMX_VIDEO_PARAM_AVCTYPE *avcParams = (OMX_VIDEO_PARAM_AVCTYPE *)params; + if (!isValidOMXParam(avcParams)) { + return OMX_ErrorBadParameter; + } + if (avcParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -976,14 +984,24 @@ OMX_ERRORTYPE SoftAVC::internalSetParameter(OMX_INDEXTYPE index, const OMX_PTR p switch (indexFull) { case OMX_IndexParamVideoBitrate: { - return internalSetBitrateParams( - (const OMX_VIDEO_PARAM_BITRATETYPE *)params); + OMX_VIDEO_PARAM_BITRATETYPE *bitRate = + (OMX_VIDEO_PARAM_BITRATETYPE *)params; + + if (!isValidOMXParam(bitRate)) { + return OMX_ErrorBadParameter; + } + + return internalSetBitrateParams(bitRate); } case OMX_IndexParamVideoAvc: { OMX_VIDEO_PARAM_AVCTYPE *avcType = (OMX_VIDEO_PARAM_AVCTYPE *)params; + if (!isValidOMXParam(avcType)) { + return OMX_ErrorBadParameter; + } + if (avcType->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -1035,6 +1053,10 @@ OMX_ERRORTYPE SoftAVC::setConfig( OMX_CONFIG_INTRAREFRESHVOPTYPE *params = (OMX_CONFIG_INTRAREFRESHVOPTYPE *)_params; + if (!isValidOMXParam(params)) { + return OMX_ErrorBadParameter; + } + if (params->nPortIndex != kOutputPortIndex) { return OMX_ErrorBadPortIndex; } @@ -1048,6 +1070,10 @@ OMX_ERRORTYPE SoftAVC::setConfig( OMX_VIDEO_CONFIG_BITRATETYPE *params = (OMX_VIDEO_CONFIG_BITRATETYPE *)_params; + if (!isValidOMXParam(params)) { + return OMX_ErrorBadParameter; + } + if (params->nPortIndex != kOutputPortIndex) { return OMX_ErrorBadPortIndex; } diff --git a/media/libstagefright/codecs/flac/enc/SoftFlacEncoder.cpp b/media/libstagefright/codecs/flac/enc/SoftFlacEncoder.cpp index 9edffd2..caceda9 100644 --- a/media/libstagefright/codecs/flac/enc/SoftFlacEncoder.cpp +++ b/media/libstagefright/codecs/flac/enc/SoftFlacEncoder.cpp @@ -159,6 +159,10 @@ OMX_ERRORTYPE SoftFlacEncoder::internalGetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex > 1) { return OMX_ErrorUndefined; } @@ -180,6 +184,11 @@ OMX_ERRORTYPE SoftFlacEncoder::internalGetParameter( case OMX_IndexParamAudioFlac: { OMX_AUDIO_PARAM_FLACTYPE *flacParams = (OMX_AUDIO_PARAM_FLACTYPE *)params; + + if (!isValidOMXParam(flacParams)) { + return OMX_ErrorBadParameter; + } + flacParams->nCompressionLevel = mCompressionLevel; flacParams->nChannels = mNumChannels; flacParams->nSampleRate = mSampleRate; @@ -199,6 +208,10 @@ OMX_ERRORTYPE SoftFlacEncoder::internalSetParameter( ALOGV("SoftFlacEncoder::internalSetParameter(OMX_IndexParamAudioPcm)"); OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 0 && pcmParams->nPortIndex != 1) { ALOGE("SoftFlacEncoder::internalSetParameter() Error #1"); return OMX_ErrorUndefined; @@ -221,6 +234,10 @@ OMX_ERRORTYPE SoftFlacEncoder::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (strncmp((const char *)roleParams->cRole, "audio_encoder.flac", OMX_MAX_STRINGNAME_SIZE - 1)) { @@ -236,6 +253,11 @@ OMX_ERRORTYPE SoftFlacEncoder::internalSetParameter( { // used only for setting the compression level OMX_AUDIO_PARAM_FLACTYPE *flacParams = (OMX_AUDIO_PARAM_FLACTYPE *)params; + + if (!isValidOMXParam(flacParams)) { + return OMX_ErrorBadParameter; + } + mCompressionLevel = flacParams->nCompressionLevel; // range clamping done inside encoder return OMX_ErrorNone; } @@ -245,6 +267,10 @@ OMX_ERRORTYPE SoftFlacEncoder::internalSetParameter( OMX_PARAM_PORTDEFINITIONTYPE *defParams = (OMX_PARAM_PORTDEFINITIONTYPE *)params; + if (!isValidOMXParam(defParams)) { + return OMX_ErrorBadParameter; + } + if (defParams->nPortIndex == 0) { if (defParams->nBufferSize > kMaxInputBufferSize) { ALOGE("Input buffer size must be at most %d bytes", diff --git a/media/libstagefright/codecs/g711/dec/SoftG711.cpp b/media/libstagefright/codecs/g711/dec/SoftG711.cpp index 015515e..3de95a5 100644 --- a/media/libstagefright/codecs/g711/dec/SoftG711.cpp +++ b/media/libstagefright/codecs/g711/dec/SoftG711.cpp @@ -110,6 +110,10 @@ OMX_ERRORTYPE SoftG711::internalGetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex > 1) { return OMX_ErrorUndefined; } @@ -148,6 +152,10 @@ OMX_ERRORTYPE SoftG711::internalSetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 0 && pcmParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -170,6 +178,10 @@ OMX_ERRORTYPE SoftG711::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (mIsMLaw) { if (strncmp((const char *)roleParams->cRole, "audio_decoder.g711mlaw", diff --git a/media/libstagefright/codecs/gsm/dec/SoftGSM.cpp b/media/libstagefright/codecs/gsm/dec/SoftGSM.cpp index bd01a1a..7916c45 100644 --- a/media/libstagefright/codecs/gsm/dec/SoftGSM.cpp +++ b/media/libstagefright/codecs/gsm/dec/SoftGSM.cpp @@ -110,6 +110,10 @@ OMX_ERRORTYPE SoftGSM::internalGetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex > 1) { return OMX_ErrorUndefined; } @@ -141,6 +145,10 @@ OMX_ERRORTYPE SoftGSM::internalSetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 0 && pcmParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -161,6 +169,10 @@ OMX_ERRORTYPE SoftGSM::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (strncmp((const char *)roleParams->cRole, "audio_decoder.gsm", OMX_MAX_STRINGNAME_SIZE - 1)) { diff --git a/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp b/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp index f2a4e65..7638bb7 100644 --- a/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp +++ b/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp @@ -232,6 +232,10 @@ OMX_ERRORTYPE SoftMPEG4Encoder::internalGetParameter( OMX_VIDEO_PARAM_BITRATETYPE *bitRate = (OMX_VIDEO_PARAM_BITRATETYPE *) params; + if (!isValidOMXParam(bitRate)) { + return OMX_ErrorBadParameter; + } + if (bitRate->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -246,6 +250,10 @@ OMX_ERRORTYPE SoftMPEG4Encoder::internalGetParameter( OMX_VIDEO_PARAM_H263TYPE *h263type = (OMX_VIDEO_PARAM_H263TYPE *)params; + if (!isValidOMXParam(h263type)) { + return OMX_ErrorBadParameter; + } + if (h263type->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -267,6 +275,10 @@ OMX_ERRORTYPE SoftMPEG4Encoder::internalGetParameter( OMX_VIDEO_PARAM_MPEG4TYPE *mpeg4type = (OMX_VIDEO_PARAM_MPEG4TYPE *)params; + if (!isValidOMXParam(mpeg4type)) { + return OMX_ErrorBadParameter; + } + if (mpeg4type->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -301,6 +313,10 @@ OMX_ERRORTYPE SoftMPEG4Encoder::internalSetParameter( OMX_VIDEO_PARAM_BITRATETYPE *bitRate = (OMX_VIDEO_PARAM_BITRATETYPE *) params; + if (!isValidOMXParam(bitRate)) { + return OMX_ErrorBadParameter; + } + if (bitRate->nPortIndex != 1 || bitRate->eControlRate != OMX_Video_ControlRateVariable) { return OMX_ErrorUndefined; @@ -315,6 +331,10 @@ OMX_ERRORTYPE SoftMPEG4Encoder::internalSetParameter( OMX_VIDEO_PARAM_H263TYPE *h263type = (OMX_VIDEO_PARAM_H263TYPE *)params; + if (!isValidOMXParam(h263type)) { + return OMX_ErrorBadParameter; + } + if (h263type->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -337,6 +357,10 @@ OMX_ERRORTYPE SoftMPEG4Encoder::internalSetParameter( OMX_VIDEO_PARAM_MPEG4TYPE *mpeg4type = (OMX_VIDEO_PARAM_MPEG4TYPE *)params; + if (!isValidOMXParam(mpeg4type)) { + return OMX_ErrorBadParameter; + } + if (mpeg4type->nPortIndex != 1) { return OMX_ErrorUndefined; } diff --git a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp index f743b1c..9988015 100644 --- a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp +++ b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp @@ -128,6 +128,10 @@ OMX_ERRORTYPE SoftMP3::internalGetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex > 1) { return OMX_ErrorUndefined; } @@ -151,6 +155,10 @@ OMX_ERRORTYPE SoftMP3::internalGetParameter( OMX_AUDIO_PARAM_MP3TYPE *mp3Params = (OMX_AUDIO_PARAM_MP3TYPE *)params; + if (!isValidOMXParam(mp3Params)) { + return OMX_ErrorBadParameter; + } + if (mp3Params->nPortIndex > 1) { return OMX_ErrorUndefined; } @@ -176,6 +184,10 @@ OMX_ERRORTYPE SoftMP3::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (strncmp((const char *)roleParams->cRole, "audio_decoder.mp3", OMX_MAX_STRINGNAME_SIZE - 1)) { @@ -190,6 +202,10 @@ OMX_ERRORTYPE SoftMP3::internalSetParameter( const OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (const OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 1) { return OMX_ErrorUndefined; } diff --git a/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp b/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp index d9895f0..5c950c7 100644 --- a/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp +++ b/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp @@ -368,20 +368,24 @@ OMX_ERRORTYPE SoftVPXEncoder::internalGetParameter(OMX_INDEXTYPE index, OMX_VIDEO_PARAM_BITRATETYPE *bitrate = (OMX_VIDEO_PARAM_BITRATETYPE *)param; - if (bitrate->nPortIndex != kOutputPortIndex) { - return OMX_ErrorUnsupportedIndex; - } + if (!isValidOMXParam(bitrate)) { + return OMX_ErrorBadParameter; + } - bitrate->nTargetBitrate = mBitrate; + if (bitrate->nPortIndex != kOutputPortIndex) { + return OMX_ErrorUnsupportedIndex; + } - if (mBitrateControlMode == VPX_VBR) { - bitrate->eControlRate = OMX_Video_ControlRateVariable; - } else if (mBitrateControlMode == VPX_CBR) { - bitrate->eControlRate = OMX_Video_ControlRateConstant; - } else { - return OMX_ErrorUnsupportedSetting; - } - return OMX_ErrorNone; + bitrate->nTargetBitrate = mBitrate; + + if (mBitrateControlMode == VPX_VBR) { + bitrate->eControlRate = OMX_Video_ControlRateVariable; + } else if (mBitrateControlMode == VPX_CBR) { + bitrate->eControlRate = OMX_Video_ControlRateConstant; + } else { + return OMX_ErrorUnsupportedSetting; + } + return OMX_ErrorNone; } // VP8 specific parameters that use extension headers @@ -389,33 +393,41 @@ OMX_ERRORTYPE SoftVPXEncoder::internalGetParameter(OMX_INDEXTYPE index, OMX_VIDEO_PARAM_VP8TYPE *vp8Params = (OMX_VIDEO_PARAM_VP8TYPE *)param; - if (vp8Params->nPortIndex != kOutputPortIndex) { - return OMX_ErrorUnsupportedIndex; - } + if (!isValidOMXParam(vp8Params)) { + return OMX_ErrorBadParameter; + } - vp8Params->eProfile = OMX_VIDEO_VP8ProfileMain; - vp8Params->eLevel = mLevel; - vp8Params->nDCTPartitions = mDCTPartitions; - vp8Params->bErrorResilientMode = mErrorResilience; - return OMX_ErrorNone; + if (vp8Params->nPortIndex != kOutputPortIndex) { + return OMX_ErrorUnsupportedIndex; + } + + vp8Params->eProfile = OMX_VIDEO_VP8ProfileMain; + vp8Params->eLevel = mLevel; + vp8Params->nDCTPartitions = mDCTPartitions; + vp8Params->bErrorResilientMode = mErrorResilience; + return OMX_ErrorNone; } case OMX_IndexParamVideoAndroidVp8Encoder: { OMX_VIDEO_PARAM_ANDROID_VP8ENCODERTYPE *vp8AndroidParams = (OMX_VIDEO_PARAM_ANDROID_VP8ENCODERTYPE *)param; - if (vp8AndroidParams->nPortIndex != kOutputPortIndex) { - return OMX_ErrorUnsupportedIndex; - } + if (!isValidOMXParam(vp8AndroidParams)) { + return OMX_ErrorBadParameter; + } - vp8AndroidParams->nKeyFrameInterval = mKeyFrameInterval; - vp8AndroidParams->eTemporalPattern = mTemporalPatternType; - vp8AndroidParams->nTemporalLayerCount = mTemporalLayers; - vp8AndroidParams->nMinQuantizer = mMinQuantizer; - vp8AndroidParams->nMaxQuantizer = mMaxQuantizer; - memcpy(vp8AndroidParams->nTemporalLayerBitrateRatio, - mTemporalLayerBitrateRatio, sizeof(mTemporalLayerBitrateRatio)); - return OMX_ErrorNone; + if (vp8AndroidParams->nPortIndex != kOutputPortIndex) { + return OMX_ErrorUnsupportedIndex; + } + + vp8AndroidParams->nKeyFrameInterval = mKeyFrameInterval; + vp8AndroidParams->eTemporalPattern = mTemporalPatternType; + vp8AndroidParams->nTemporalLayerCount = mTemporalLayers; + vp8AndroidParams->nMinQuantizer = mMinQuantizer; + vp8AndroidParams->nMaxQuantizer = mMaxQuantizer; + memcpy(vp8AndroidParams->nTemporalLayerBitrateRatio, + mTemporalLayerBitrateRatio, sizeof(mTemporalLayerBitrateRatio)); + return OMX_ErrorNone; } default: @@ -430,17 +442,38 @@ OMX_ERRORTYPE SoftVPXEncoder::internalSetParameter(OMX_INDEXTYPE index, const int32_t indexFull = index; switch (indexFull) { - case OMX_IndexParamVideoBitrate: - return internalSetBitrateParams( - (const OMX_VIDEO_PARAM_BITRATETYPE *)param); + case OMX_IndexParamVideoBitrate: { + const OMX_VIDEO_PARAM_BITRATETYPE *bitRate = + (const OMX_VIDEO_PARAM_BITRATETYPE*) param; + + if (!isValidOMXParam(bitRate)) { + return OMX_ErrorBadParameter; + } + + return internalSetBitrateParams(bitRate); + } + + case OMX_IndexParamVideoVp8: { + const OMX_VIDEO_PARAM_VP8TYPE *vp8Params = + (const OMX_VIDEO_PARAM_VP8TYPE*) param; + + if (!isValidOMXParam(vp8Params)) { + return OMX_ErrorBadParameter; + } + + return internalSetVp8Params(vp8Params); + } - case OMX_IndexParamVideoVp8: - return internalSetVp8Params( - (const OMX_VIDEO_PARAM_VP8TYPE *)param); + case OMX_IndexParamVideoAndroidVp8Encoder: { + const OMX_VIDEO_PARAM_ANDROID_VP8ENCODERTYPE *vp8AndroidParams = + (const OMX_VIDEO_PARAM_ANDROID_VP8ENCODERTYPE*) param; + + if (!isValidOMXParam(vp8AndroidParams)) { + return OMX_ErrorBadParameter; + } - case OMX_IndexParamVideoAndroidVp8Encoder: - return internalSetAndroidVp8Params( - (const OMX_VIDEO_PARAM_ANDROID_VP8ENCODERTYPE *)param); + return internalSetAndroidVp8Params(vp8AndroidParams); + } default: return SoftVideoEncoderOMXComponent::internalSetParameter(index, param); @@ -455,6 +488,10 @@ OMX_ERRORTYPE SoftVPXEncoder::setConfig( OMX_CONFIG_INTRAREFRESHVOPTYPE *params = (OMX_CONFIG_INTRAREFRESHVOPTYPE *)_params; + if (!isValidOMXParam(params)) { + return OMX_ErrorBadParameter; + } + if (params->nPortIndex != kOutputPortIndex) { return OMX_ErrorBadPortIndex; } @@ -468,6 +505,10 @@ OMX_ERRORTYPE SoftVPXEncoder::setConfig( OMX_VIDEO_CONFIG_BITRATETYPE *params = (OMX_VIDEO_CONFIG_BITRATETYPE *)_params; + if (!isValidOMXParam(params)) { + return OMX_ErrorBadParameter; + } + if (params->nPortIndex != kOutputPortIndex) { return OMX_ErrorBadPortIndex; } diff --git a/media/libstagefright/codecs/opus/dec/SoftOpus.cpp b/media/libstagefright/codecs/opus/dec/SoftOpus.cpp index cb10bce..2afa0ed 100644 --- a/media/libstagefright/codecs/opus/dec/SoftOpus.cpp +++ b/media/libstagefright/codecs/opus/dec/SoftOpus.cpp @@ -134,6 +134,10 @@ OMX_ERRORTYPE SoftOpus::internalGetParameter( OMX_AUDIO_PARAM_ANDROID_OPUSTYPE *opusParams = (OMX_AUDIO_PARAM_ANDROID_OPUSTYPE *)params; + if (!isValidOMXParam(opusParams)) { + return OMX_ErrorBadParameter; + } + if (opusParams->nPortIndex != 0) { return OMX_ErrorUndefined; } @@ -156,6 +160,10 @@ OMX_ERRORTYPE SoftOpus::internalGetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -191,6 +199,10 @@ OMX_ERRORTYPE SoftOpus::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (strncmp((const char *)roleParams->cRole, "audio_decoder.opus", OMX_MAX_STRINGNAME_SIZE - 1)) { @@ -205,6 +217,10 @@ OMX_ERRORTYPE SoftOpus::internalSetParameter( const OMX_AUDIO_PARAM_ANDROID_OPUSTYPE *opusParams = (const OMX_AUDIO_PARAM_ANDROID_OPUSTYPE *)params; + if (!isValidOMXParam(opusParams)) { + return OMX_ErrorBadParameter; + } + if (opusParams->nPortIndex != 0) { return OMX_ErrorUndefined; } diff --git a/media/libstagefright/codecs/raw/SoftRaw.cpp b/media/libstagefright/codecs/raw/SoftRaw.cpp index 9d514a6..4f7ae95 100644 --- a/media/libstagefright/codecs/raw/SoftRaw.cpp +++ b/media/libstagefright/codecs/raw/SoftRaw.cpp @@ -103,6 +103,10 @@ OMX_ERRORTYPE SoftRaw::internalGetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 0 && pcmParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -134,6 +138,10 @@ OMX_ERRORTYPE SoftRaw::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (strncmp((const char *)roleParams->cRole, "audio_decoder.raw", OMX_MAX_STRINGNAME_SIZE - 1)) { @@ -148,6 +156,10 @@ OMX_ERRORTYPE SoftRaw::internalSetParameter( const OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 0) { return OMX_ErrorUndefined; } diff --git a/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp b/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp index c559682..4e1e6a5 100644 --- a/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp +++ b/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp @@ -130,6 +130,10 @@ OMX_ERRORTYPE SoftVorbis::internalGetParameter( OMX_AUDIO_PARAM_VORBISTYPE *vorbisParams = (OMX_AUDIO_PARAM_VORBISTYPE *)params; + if (!isValidOMXParam(vorbisParams)) { + return OMX_ErrorBadParameter; + } + if (vorbisParams->nPortIndex != 0) { return OMX_ErrorUndefined; } @@ -161,6 +165,10 @@ OMX_ERRORTYPE SoftVorbis::internalGetParameter( OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params; + if (!isValidOMXParam(pcmParams)) { + return OMX_ErrorBadParameter; + } + if (pcmParams->nPortIndex != 1) { return OMX_ErrorUndefined; } @@ -197,6 +205,10 @@ OMX_ERRORTYPE SoftVorbis::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (strncmp((const char *)roleParams->cRole, "audio_decoder.vorbis", OMX_MAX_STRINGNAME_SIZE - 1)) { @@ -211,6 +223,10 @@ OMX_ERRORTYPE SoftVorbis::internalSetParameter( const OMX_AUDIO_PARAM_VORBISTYPE *vorbisParams = (const OMX_AUDIO_PARAM_VORBISTYPE *)params; + if (!isValidOMXParam(vorbisParams)) { + return OMX_ErrorBadParameter; + } + if (vorbisParams->nPortIndex != 0) { return OMX_ErrorUndefined; } diff --git a/media/libstagefright/include/SoftOMXComponent.h b/media/libstagefright/include/SoftOMXComponent.h index a808611..3ab6f88 100644 --- a/media/libstagefright/include/SoftOMXComponent.h +++ b/media/libstagefright/include/SoftOMXComponent.h @@ -168,6 +168,22 @@ private: DISALLOW_EVIL_CONSTRUCTORS(SoftOMXComponent); }; +template +bool isValidOMXParam(T *a) { + static_assert(offsetof(typeof(*a), nSize) == 0, "nSize not at offset 0"); + static_assert(std::is_same< decltype(a->nSize), OMX_U32>::value, "nSize has wrong type"); + static_assert(offsetof(typeof(*a), nVersion) == 4, "nVersion not at offset 4"); + static_assert(std::is_same< decltype(a->nVersion), OMX_VERSIONTYPE>::value, + "nVersion has wrong type"); + + if (a->nSize < sizeof(*a)) { + ALOGE("b/27207275: need %zu, got %u", sizeof(*a), a->nSize); + android_errorWriteLog(0x534e4554, "27207275"); + return false; + } + return true; +} + } // namespace android #endif // SOFT_OMX_COMPONENT_H_ diff --git a/media/libstagefright/omx/SimpleSoftOMXComponent.cpp b/media/libstagefright/omx/SimpleSoftOMXComponent.cpp index e6a0c49..60c1e2e 100644 --- a/media/libstagefright/omx/SimpleSoftOMXComponent.cpp +++ b/media/libstagefright/omx/SimpleSoftOMXComponent.cpp @@ -125,6 +125,10 @@ OMX_ERRORTYPE SimpleSoftOMXComponent::internalGetParameter( OMX_PARAM_PORTDEFINITIONTYPE *defParams = (OMX_PARAM_PORTDEFINITIONTYPE *)params; + if (!isValidOMXParam(defParams)) { + return OMX_ErrorBadParameter; + } + if (defParams->nPortIndex >= mPorts.size() || defParams->nSize != sizeof(OMX_PARAM_PORTDEFINITIONTYPE)) { @@ -152,6 +156,10 @@ OMX_ERRORTYPE SimpleSoftOMXComponent::internalSetParameter( OMX_PARAM_PORTDEFINITIONTYPE *defParams = (OMX_PARAM_PORTDEFINITIONTYPE *)params; + if (!isValidOMXParam(defParams)) { + return OMX_ErrorBadParameter; + } + if (defParams->nPortIndex >= mPorts.size()) { return OMX_ErrorBadPortIndex; } diff --git a/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp b/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp index 4ce165b..19dde83 100644 --- a/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp +++ b/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp @@ -264,6 +264,10 @@ OMX_ERRORTYPE SoftVideoDecoderOMXComponent::internalGetParameter( OMX_VIDEO_PARAM_PORTFORMATTYPE *formatParams = (OMX_VIDEO_PARAM_PORTFORMATTYPE *)params; + if (!isValidOMXParam(formatParams)) { + return OMX_ErrorBadParameter; + } + if (formatParams->nPortIndex > kMaxPortIndex) { return OMX_ErrorBadPortIndex; } @@ -292,6 +296,10 @@ OMX_ERRORTYPE SoftVideoDecoderOMXComponent::internalGetParameter( OMX_VIDEO_PARAM_PROFILELEVELTYPE *profileLevel = (OMX_VIDEO_PARAM_PROFILELEVELTYPE *) params; + if (!isValidOMXParam(profileLevel)) { + return OMX_ErrorBadParameter; + } + if (profileLevel->nPortIndex != kInputPortIndex) { ALOGE("Invalid port index: %" PRIu32, profileLevel->nPortIndex); return OMX_ErrorUnsupportedIndex; @@ -322,6 +330,10 @@ OMX_ERRORTYPE SoftVideoDecoderOMXComponent::internalSetParameter( const OMX_PARAM_COMPONENTROLETYPE *roleParams = (const OMX_PARAM_COMPONENTROLETYPE *)params; + if (!isValidOMXParam(roleParams)) { + return OMX_ErrorBadParameter; + } + if (strncmp((const char *)roleParams->cRole, mComponentRole, OMX_MAX_STRINGNAME_SIZE - 1)) { @@ -336,6 +348,10 @@ OMX_ERRORTYPE SoftVideoDecoderOMXComponent::internalSetParameter( OMX_VIDEO_PARAM_PORTFORMATTYPE *formatParams = (OMX_VIDEO_PARAM_PORTFORMATTYPE *)params; + if (!isValidOMXParam(formatParams)) { + return OMX_ErrorBadParameter; + } + if (formatParams->nPortIndex > kMaxPortIndex) { return OMX_ErrorBadPortIndex; } @@ -363,6 +379,11 @@ OMX_ERRORTYPE SoftVideoDecoderOMXComponent::internalSetParameter( { const PrepareForAdaptivePlaybackParams* adaptivePlaybackParams = (const PrepareForAdaptivePlaybackParams *)params; + + if (!isValidOMXParam(adaptivePlaybackParams)) { + return OMX_ErrorBadParameter; + } + mIsAdaptive = adaptivePlaybackParams->bEnable; if (mIsAdaptive) { mAdaptiveMaxWidth = adaptivePlaybackParams->nMaxFrameWidth; @@ -381,6 +402,11 @@ OMX_ERRORTYPE SoftVideoDecoderOMXComponent::internalSetParameter( { OMX_PARAM_PORTDEFINITIONTYPE *newParams = (OMX_PARAM_PORTDEFINITIONTYPE *)params; + + if (!isValidOMXParam(newParams)) { + return OMX_ErrorBadParameter; + } + OMX_VIDEO_PORTDEFINITIONTYPE *video_def = &newParams->format.video; OMX_PARAM_PORTDEFINITIONTYPE *def = &editPortInfo(newParams->nPortIndex)->mDef; @@ -421,6 +447,10 @@ OMX_ERRORTYPE SoftVideoDecoderOMXComponent::getConfig( { OMX_CONFIG_RECTTYPE *rectParams = (OMX_CONFIG_RECTTYPE *)params; + if (!isValidOMXParam(rectParams)) { + return OMX_ErrorBadParameter; + } + if (rectParams->nPortIndex != kOutputPortIndex) { return OMX_ErrorUndefined; } -- cgit v1.1 From 94d9e646454f6246bf823b6897bd6aea5f08eda3 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Thu, 10 Mar 2016 14:29:26 -0800 Subject: Fix initialization of AAC presentation struct Otherwise the new size checks trip on this. Bug: 27207275 Change-Id: I1f8f01097e3a88ff041b69279a6121be842f1766 --- media/libstagefright/ACodec.cpp | 1 + 1 file changed, 1 insertion(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/ACodec.cpp b/media/libstagefright/ACodec.cpp index 8d9bd21..6399b79 100644 --- a/media/libstagefright/ACodec.cpp +++ b/media/libstagefright/ACodec.cpp @@ -2418,6 +2418,7 @@ status_t ACodec::setupAACCodec( : OMX_AUDIO_AACStreamFormatMP4FF; OMX_AUDIO_PARAM_ANDROID_AACPRESENTATIONTYPE presentation; + InitOMXParams(&presentation); presentation.nMaxOutputChannels = maxOutputChannelCount; presentation.nDrcCut = drc.drcCut; presentation.nDrcBoost = drc.drcBoost; -- cgit v1.1 From 0bb5ced60304da7f61478ffd359e7ba65d72f181 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Thu, 10 Mar 2016 15:02:13 -0800 Subject: Fix size check for OMX_IndexParamConsumerUsageBits since it doesn't follow the OMX convention. And remove support for the kClientNeedsFrameBuffer flag. Bug: 27207275 Change-Id: Ia2c119e2456ebf9e2f4e1de5104ef9032a212255 --- media/libstagefright/OMXCodec.cpp | 44 --------------------------------------- 1 file changed, 44 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/OMXCodec.cpp b/media/libstagefright/OMXCodec.cpp index b1dde80..4618e21 100644 --- a/media/libstagefright/OMXCodec.cpp +++ b/media/libstagefright/OMXCodec.cpp @@ -349,21 +349,6 @@ sp OMXCodec::Create( ALOGV("Attempting to allocate OMX node '%s'", componentName); - if (!createEncoder - && (quirks & kOutputBuffersAreUnreadable) - && (flags & kClientNeedsFramebuffer)) { - if (strncmp(componentName, "OMX.SEC.", 8)) { - // For OMX.SEC.* decoders we can enable a special mode that - // gives the client access to the framebuffer contents. - - ALOGW("Component '%s' does not give the client access to " - "the framebuffer contents. Skipping.", - componentName); - - continue; - } - } - status_t err = omx->allocateNode(componentName, observer, &node); if (err == OK) { ALOGV("Successfully allocated OMX node '%s'", componentName); @@ -672,35 +657,6 @@ status_t OMXCodec::configureCodec(const sp &meta) { initOutputFormat(meta); - if ((mFlags & kClientNeedsFramebuffer) - && !strncmp(mComponentName, "OMX.SEC.", 8)) { - // This appears to no longer be needed??? - - OMX_INDEXTYPE index; - - status_t err = - mOMX->getExtensionIndex( - mNode, - "OMX.SEC.index.ThumbnailMode", - &index); - - if (err != OK) { - return err; - } - - OMX_BOOL enable = OMX_TRUE; - err = mOMX->setConfig(mNode, index, &enable, sizeof(enable)); - - if (err != OK) { - CODEC_LOGE("setConfig('OMX.SEC.index.ThumbnailMode') " - "returned error 0x%08x", err); - - return err; - } - - mQuirks &= ~kOutputBuffersAreUnreadable; - } - if (mNativeWindow != NULL && !mIsEncoder && !strncasecmp(mMIME, "video/", 6) -- cgit v1.1 From 4e32001e4196f39ddd0b86686ae0231c8f5ed944 Mon Sep 17 00:00:00 2001 From: Wonsik Kim Date: Wed, 30 Mar 2016 17:13:00 +0900 Subject: DO NOT MERGE codecs: check OMX buffer size before use in (vorbis|opus)dec Bug: 27833616 Change-Id: I1ccdd16a00741da072527a6d13e87fd7c7fe8c54 --- media/libstagefright/codecs/opus/dec/SoftOpus.cpp | 7 ++++++- media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp | 13 ++++++++++++- 2 files changed, 18 insertions(+), 2 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/opus/dec/SoftOpus.cpp b/media/libstagefright/codecs/opus/dec/SoftOpus.cpp index 2afa0ed..2e44ed7 100644 --- a/media/libstagefright/codecs/opus/dec/SoftOpus.cpp +++ b/media/libstagefright/codecs/opus/dec/SoftOpus.cpp @@ -458,12 +458,17 @@ void SoftOpus::onQueueFilled(OMX_U32 portIndex) { const uint8_t *data = inHeader->pBuffer + inHeader->nOffset; const uint32_t size = inHeader->nFilledLen; + size_t frameSize = kMaxOpusOutputPacketSizeSamples; + if (frameSize > outHeader->nAllocLen / sizeof(int16_t) / mHeader->channels) { + frameSize = outHeader->nAllocLen / sizeof(int16_t) / mHeader->channels; + android_errorWriteLog(0x534e4554, "27833616"); + } int numFrames = opus_multistream_decode(mDecoder, data, size, (int16_t *)outHeader->pBuffer, - kMaxOpusOutputPacketSizeSamples, + frameSize, 0); if (numFrames < 0) { ALOGE("opus_multistream_decode returned %d", numFrames); diff --git a/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp b/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp index 4e1e6a5..5f4e346 100644 --- a/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp +++ b/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp @@ -273,6 +273,12 @@ void SoftVorbis::onQueueFilled(OMX_U32 portIndex) { const uint8_t *data = header->pBuffer + header->nOffset; size_t size = header->nFilledLen; + if (size < 7) { + ALOGE("Too small input buffer: %zu bytes", size); + android_errorWriteLog(0x534e4554, "27833616"); + notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); + return; + } ogg_buffer buf; ogg_reference ref; @@ -378,9 +384,14 @@ void SoftVorbis::onQueueFilled(OMX_U32 portIndex) { ALOGW("vorbis_dsp_synthesis returned %d", err); #endif } else { + size_t numSamplesPerBuffer = kMaxNumSamplesPerBuffer; + if (numSamplesPerBuffer > outHeader->nAllocLen / sizeof(int16_t)) { + numSamplesPerBuffer = outHeader->nAllocLen / sizeof(int16_t); + android_errorWriteLog(0x534e4554, "27833616"); + } numFrames = vorbis_dsp_pcmout( mState, (int16_t *)outHeader->pBuffer, - (kMaxNumSamplesPerBuffer / mVi->channels)); + (numSamplesPerBuffer / mVi->channels)); if (numFrames < 0) { ALOGE("vorbis_dsp_pcmout returned %d", numFrames); -- cgit v1.1 From d2f47191538837e796e2b10c1ff7e1ee35f6e0ab Mon Sep 17 00:00:00 2001 From: Wonsik Kim Date: Sun, 20 Mar 2016 10:44:44 +0900 Subject: codecs: check OMX buffer size before use in (h263|h264)dec Bug: 27833616 Change-Id: I0fd599b3da431425d89236ffdd9df423c11947c0 --- .../codecs/m4v_h263/dec/SoftMPEG4.cpp | 10 ++++++++- .../libstagefright/codecs/on2/h264dec/SoftAVC.cpp | 26 +++++++++++++++++----- media/libstagefright/codecs/on2/h264dec/SoftAVC.h | 2 +- 3 files changed, 31 insertions(+), 7 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp index 0c1a149..bb59ae4 100644 --- a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp +++ b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp @@ -229,6 +229,14 @@ void SoftMPEG4::onQueueFilled(OMX_U32 /* portIndex */) { int32_t bufferSize = inHeader->nFilledLen; int32_t tmp = bufferSize; + OMX_U32 frameSize = (mWidth * mHeight * 3) / 2; + if (outHeader->nAllocLen < frameSize) { + android_errorWriteLog(0x534e4554, "27833616"); + ALOGE("Insufficient output buffer size"); + notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); + mSignalledError = true; + return; + } // The PV decoder is lying to us, sometimes it'll claim to only have // consumed a subset of the buffer when it clearly consumed all of it. // ignore whatever it says... @@ -272,7 +280,7 @@ void SoftMPEG4::onQueueFilled(OMX_U32 /* portIndex */) { ++mInputBufferCount; outHeader->nOffset = 0; - outHeader->nFilledLen = (mWidth * mHeight * 3) / 2; + outHeader->nFilledLen = frameSize; List::iterator it = outQueue.begin(); while ((*it)->mHeader != outHeader) { diff --git a/media/libstagefright/codecs/on2/h264dec/SoftAVC.cpp b/media/libstagefright/codecs/on2/h264dec/SoftAVC.cpp index 6b8b395..2f61d12 100644 --- a/media/libstagefright/codecs/on2/h264dec/SoftAVC.cpp +++ b/media/libstagefright/codecs/on2/h264dec/SoftAVC.cpp @@ -202,7 +202,12 @@ void SoftAVC::onQueueFilled(OMX_U32 /* portIndex */) { } if (mFirstPicture && !outQueue.empty()) { - drainOneOutputBuffer(mFirstPictureId, mFirstPicture); + if (!drainOneOutputBuffer(mFirstPictureId, mFirstPicture)) { + ALOGE("Drain failed"); + notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); + mSignalledError = true; + return; + } delete[] mFirstPicture; mFirstPicture = NULL; mFirstPictureId = -1; @@ -242,15 +247,20 @@ void SoftAVC::saveFirstOutputBuffer(int32_t picId, uint8_t *data) { memcpy(mFirstPicture, data, pictureSize); } -void SoftAVC::drainOneOutputBuffer(int32_t picId, uint8_t* data) { +bool SoftAVC::drainOneOutputBuffer(int32_t picId, uint8_t* data) { List &outQueue = getPortQueue(kOutputPortIndex); BufferInfo *outInfo = *outQueue.begin(); - outQueue.erase(outQueue.begin()); OMX_BUFFERHEADERTYPE *outHeader = outInfo->mHeader; + OMX_U32 frameSize = mWidth * mHeight * 3 / 2; + if (outHeader->nAllocLen - outHeader->nOffset < frameSize) { + android_errorWriteLog(0x534e4554, "27833616"); + return false; + } + outQueue.erase(outQueue.begin()); OMX_BUFFERHEADERTYPE *header = mPicToHeaderMap.valueFor(picId); outHeader->nTimeStamp = header->nTimeStamp; outHeader->nFlags = header->nFlags; - outHeader->nFilledLen = mWidth * mHeight * 3 / 2; + outHeader->nFilledLen = frameSize; uint8_t *dst = outHeader->pBuffer + outHeader->nOffset; const uint8_t *srcY = data; @@ -265,6 +275,7 @@ void SoftAVC::drainOneOutputBuffer(int32_t picId, uint8_t* data) { delete header; outInfo->mOwnedByUs = false; notifyFillBufferDone(outHeader); + return true; } void SoftAVC::drainAllOutputBuffers(bool eos) { @@ -277,7 +288,12 @@ void SoftAVC::drainAllOutputBuffers(bool eos) { mHandle, &decodedPicture, eos /* flush */)) { int32_t picId = decodedPicture.picId; uint8_t *data = (uint8_t *) decodedPicture.pOutputPicture; - drainOneOutputBuffer(picId, data); + if (!drainOneOutputBuffer(picId, data)) { + ALOGE("Drain failed"); + notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); + mSignalledError = true; + return; + } } } diff --git a/media/libstagefright/codecs/on2/h264dec/SoftAVC.h b/media/libstagefright/codecs/on2/h264dec/SoftAVC.h index 069107d..b8c1807 100644 --- a/media/libstagefright/codecs/on2/h264dec/SoftAVC.h +++ b/media/libstagefright/codecs/on2/h264dec/SoftAVC.h @@ -71,7 +71,7 @@ private: status_t initDecoder(); void drainAllOutputBuffers(bool eos); - void drainOneOutputBuffer(int32_t picId, uint8_t *data); + bool drainOneOutputBuffer(int32_t picId, uint8_t *data); void saveFirstOutputBuffer(int32_t pidId, uint8_t *data); CropSettingsMode handleCropParams(const H264SwDecInfo& decInfo); -- cgit v1.1 From ad40e57890f81a3cf436c5f06da66396010bd9e5 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Wed, 23 Mar 2016 15:36:36 -0700 Subject: Check mp3 output buffer size Bug: 27793371 Change-Id: I0fe40a4cfd0a5b488f93d3f3ba6f9495235926ac --- media/libstagefright/codecs/mp3dec/SoftMP3.cpp | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp index 9988015..aa946e6 100644 --- a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp +++ b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp @@ -263,6 +263,14 @@ void SoftMP3::onQueueFilled(OMX_U32 /* portIndex */) { mConfig->inputBufferUsedLength = 0; mConfig->outputFrameSize = kOutputBufferSize / sizeof(int16_t); + if ((int32)outHeader->nAllocLen < mConfig->outputFrameSize) { + ALOGE("input buffer too small: got %lu, expected %u", + outHeader->nAllocLen, mConfig->outputFrameSize); + android_errorWriteLog(0x534e4554, "27793371"); + notify(OMX_EventError, OMX_ErrorUndefined, OUTPUT_BUFFER_TOO_SMALL, NULL); + mSignalledError = true; + return; + } mConfig->pOutputBuffer = reinterpret_cast(outHeader->pBuffer); -- cgit v1.1 From dd3546765710ce8dd49eb23901d90345dec8282f Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Tue, 5 Apr 2016 14:20:11 -0700 Subject: AudioSource: initialize variables to prevent info leak Bug: 27855172 Change-Id: I3d33e0a9cc5cf8a758d7b0794590b09c43a24561 --- media/libstagefright/AudioSource.cpp | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/AudioSource.cpp b/media/libstagefright/AudioSource.cpp index 6e4a1dd..55f4361 100644 --- a/media/libstagefright/AudioSource.cpp +++ b/media/libstagefright/AudioSource.cpp @@ -55,8 +55,12 @@ AudioSource::AudioSource( : mStarted(false), mSampleRate(sampleRate), mOutSampleRate(outSampleRate > 0 ? outSampleRate : sampleRate), + mTrackMaxAmplitude(false), + mStartTimeUs(0), + mMaxAmplitude(0), mPrevSampleTimeUs(0), mFirstSampleTimeUs(-1ll), + mInitialReadTimeUs(0), mNumFramesReceived(0), mNumClientOwnedBuffers(0) { ALOGV("sampleRate: %u, outSampleRate: %u, channelCount: %u", -- cgit v1.1 From 7cea5cb64b83d690fe02bc210bbdf08f5a87636f Mon Sep 17 00:00:00 2001 From: Wonsik Kim Date: Thu, 7 Apr 2016 17:45:02 +0900 Subject: codecs: check OMX buffer size before use in (gsm|g711)dec Bug: 27793163 Bug: 27793367 Change-Id: Iec3de8a237ee2379d87a8371c13e543878c6652c --- media/libstagefright/codecs/g711/dec/SoftG711.cpp | 9 +++++++++ media/libstagefright/codecs/gsm/dec/SoftGSM.cpp | 8 ++++++++ 2 files changed, 17 insertions(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/g711/dec/SoftG711.cpp b/media/libstagefright/codecs/g711/dec/SoftG711.cpp index 3de95a5..c8277de 100644 --- a/media/libstagefright/codecs/g711/dec/SoftG711.cpp +++ b/media/libstagefright/codecs/g711/dec/SoftG711.cpp @@ -240,6 +240,15 @@ void SoftG711::onQueueFilled(OMX_U32 /* portIndex */) { mSignalledError = true; } + if (inHeader->nFilledLen * sizeof(int16_t) > outHeader->nAllocLen) { + ALOGE("output buffer too small (%d).", outHeader->nAllocLen); + android_errorWriteLog(0x534e4554, "27793163"); + + notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); + mSignalledError = true; + return; + } + const uint8_t *inputptr = inHeader->pBuffer + inHeader->nOffset; if (mIsMLaw) { diff --git a/media/libstagefright/codecs/gsm/dec/SoftGSM.cpp b/media/libstagefright/codecs/gsm/dec/SoftGSM.cpp index 7916c45..04d5a33 100644 --- a/media/libstagefright/codecs/gsm/dec/SoftGSM.cpp +++ b/media/libstagefright/codecs/gsm/dec/SoftGSM.cpp @@ -228,6 +228,14 @@ void SoftGSM::onQueueFilled(OMX_U32 /* portIndex */) { mSignalledError = true; } + if (outHeader->nAllocLen < (inHeader->nFilledLen / kMSGSMFrameSize) * 320) { + ALOGE("output buffer is not large enough (%d).", outHeader->nAllocLen); + android_errorWriteLog(0x534e4554, "27793367"); + notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); + mSignalledError = true; + return; + } + uint8_t *inputptr = inHeader->pBuffer + inHeader->nOffset; int n = mSignalledError ? 0 : DecodeGSM(mGsm, -- cgit v1.1 From 918eeaa29d99d257282fafec931b4bda0e3bae12 Mon Sep 17 00:00:00 2001 From: Wonsik Kim Date: Sun, 20 Mar 2016 10:44:44 +0900 Subject: codecs: check OMX buffer size before use in (avc|hevc|mpeg2)dec Bug: 27833616 Change-Id: Ic4045a3f56f53b08d0b1264b2a91b8f43e91b738 (cherry picked from commit 87fdee0bc9e3ac4d2a88ef0a8e150cfdf08c161d) --- media/libstagefright/codecs/avcdec/SoftAVCDec.cpp | 28 ++++++++++++------ media/libstagefright/codecs/avcdec/SoftAVCDec.h | 2 +- media/libstagefright/codecs/hevcdec/SoftHEVC.cpp | 28 ++++++++++++------ media/libstagefright/codecs/hevcdec/SoftHEVC.h | 2 +- media/libstagefright/codecs/mpeg2dec/SoftMPEG2.cpp | 33 ++++++++++++++-------- media/libstagefright/codecs/mpeg2dec/SoftMPEG2.h | 2 +- 6 files changed, 62 insertions(+), 33 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/avcdec/SoftAVCDec.cpp b/media/libstagefright/codecs/avcdec/SoftAVCDec.cpp index afbe230..2130ccf 100644 --- a/media/libstagefright/codecs/avcdec/SoftAVCDec.cpp +++ b/media/libstagefright/codecs/avcdec/SoftAVCDec.cpp @@ -381,7 +381,7 @@ void SoftAVC::onReset() { resetPlugin(); } -void SoftAVC::setDecodeArgs( +bool SoftAVC::setDecodeArgs( ivd_video_decode_ip_t *ps_dec_ip, ivd_video_decode_op_t *ps_dec_op, OMX_BUFFERHEADERTYPE *inHeader, @@ -389,7 +389,6 @@ void SoftAVC::setDecodeArgs( size_t timeStampIx) { size_t sizeY = outputBufferWidth() * outputBufferHeight(); size_t sizeUV; - uint8_t *pBuf; ps_dec_ip->u4_size = sizeof(ivd_video_decode_ip_t); ps_dec_op->u4_size = sizeof(ivd_video_decode_op_t); @@ -409,22 +408,28 @@ void SoftAVC::setDecodeArgs( ps_dec_ip->u4_num_Bytes = 0; } + sizeUV = sizeY / 4; + ps_dec_ip->s_out_buffer.u4_min_out_buf_size[0] = sizeY; + ps_dec_ip->s_out_buffer.u4_min_out_buf_size[1] = sizeUV; + ps_dec_ip->s_out_buffer.u4_min_out_buf_size[2] = sizeUV; + + uint8_t *pBuf; if (outHeader) { + if (outHeader->nAllocLen < sizeY + (sizeUV * 2)) { + android_errorWriteLog(0x534e4554, "27569635"); + return false; + } pBuf = outHeader->pBuffer; } else { + // mFlushOutBuffer always has the right size. pBuf = mFlushOutBuffer; } - sizeUV = sizeY / 4; - ps_dec_ip->s_out_buffer.u4_min_out_buf_size[0] = sizeY; - ps_dec_ip->s_out_buffer.u4_min_out_buf_size[1] = sizeUV; - ps_dec_ip->s_out_buffer.u4_min_out_buf_size[2] = sizeUV; - ps_dec_ip->s_out_buffer.pu1_bufs[0] = pBuf; ps_dec_ip->s_out_buffer.pu1_bufs[1] = pBuf + sizeY; ps_dec_ip->s_out_buffer.pu1_bufs[2] = pBuf + sizeY + sizeUV; ps_dec_ip->s_out_buffer.u4_num_bufs = 3; - return; + return true; } void SoftAVC::onPortFlushCompleted(OMX_U32 portIndex) { /* Once the output buffers are flushed, ignore any buffers that are held in decoder */ @@ -573,7 +578,12 @@ void SoftAVC::onQueueFilled(OMX_U32 portIndex) { WORD32 timeDelay, timeTaken; size_t sizeY, sizeUV; - setDecodeArgs(&s_dec_ip, &s_dec_op, inHeader, outHeader, timeStampIx); + if (!setDecodeArgs(&s_dec_ip, &s_dec_op, inHeader, outHeader, timeStampIx)) { + ALOGE("Decoder arg setup failed"); + notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); + mSignalledError = true; + return; + } // If input dump is enabled, then write to file DUMP_TO_FILE(mInFile, s_dec_ip.pv_stream_buffer, s_dec_ip.u4_num_Bytes); diff --git a/media/libstagefright/codecs/avcdec/SoftAVCDec.h b/media/libstagefright/codecs/avcdec/SoftAVCDec.h index 9dcabb4..c710c76 100644 --- a/media/libstagefright/codecs/avcdec/SoftAVCDec.h +++ b/media/libstagefright/codecs/avcdec/SoftAVCDec.h @@ -109,7 +109,7 @@ private: status_t resetPlugin(); - void setDecodeArgs( + bool setDecodeArgs( ivd_video_decode_ip_t *ps_dec_ip, ivd_video_decode_op_t *ps_dec_op, OMX_BUFFERHEADERTYPE *inHeader, diff --git a/media/libstagefright/codecs/hevcdec/SoftHEVC.cpp b/media/libstagefright/codecs/hevcdec/SoftHEVC.cpp index e601125..a70755c 100644 --- a/media/libstagefright/codecs/hevcdec/SoftHEVC.cpp +++ b/media/libstagefright/codecs/hevcdec/SoftHEVC.cpp @@ -343,14 +343,13 @@ void SoftHEVC::onReset() { resetPlugin(); } -void SoftHEVC::setDecodeArgs(ivd_video_decode_ip_t *ps_dec_ip, +bool SoftHEVC::setDecodeArgs(ivd_video_decode_ip_t *ps_dec_ip, ivd_video_decode_op_t *ps_dec_op, OMX_BUFFERHEADERTYPE *inHeader, OMX_BUFFERHEADERTYPE *outHeader, size_t timeStampIx) { size_t sizeY = outputBufferWidth() * outputBufferHeight(); size_t sizeUV; - uint8_t *pBuf; ps_dec_ip->u4_size = sizeof(ivd_video_decode_ip_t); ps_dec_op->u4_size = sizeof(ivd_video_decode_op_t); @@ -370,22 +369,28 @@ void SoftHEVC::setDecodeArgs(ivd_video_decode_ip_t *ps_dec_ip, ps_dec_ip->u4_num_Bytes = 0; } + sizeUV = sizeY / 4; + ps_dec_ip->s_out_buffer.u4_min_out_buf_size[0] = sizeY; + ps_dec_ip->s_out_buffer.u4_min_out_buf_size[1] = sizeUV; + ps_dec_ip->s_out_buffer.u4_min_out_buf_size[2] = sizeUV; + + uint8_t *pBuf; if (outHeader) { + if (outHeader->nAllocLen < sizeY + (sizeUV * 2)) { + android_errorWriteLog(0x534e4554, "27569635"); + return false; + } pBuf = outHeader->pBuffer; } else { + // mFlushOutBuffer always has the right size. pBuf = mFlushOutBuffer; } - sizeUV = sizeY / 4; - ps_dec_ip->s_out_buffer.u4_min_out_buf_size[0] = sizeY; - ps_dec_ip->s_out_buffer.u4_min_out_buf_size[1] = sizeUV; - ps_dec_ip->s_out_buffer.u4_min_out_buf_size[2] = sizeUV; - ps_dec_ip->s_out_buffer.pu1_bufs[0] = pBuf; ps_dec_ip->s_out_buffer.pu1_bufs[1] = pBuf + sizeY; ps_dec_ip->s_out_buffer.pu1_bufs[2] = pBuf + sizeY + sizeUV; ps_dec_ip->s_out_buffer.u4_num_bufs = 3; - return; + return true; } void SoftHEVC::onPortFlushCompleted(OMX_U32 portIndex) { /* Once the output buffers are flushed, ignore any buffers that are held in decoder */ @@ -520,7 +525,12 @@ void SoftHEVC::onQueueFilled(OMX_U32 portIndex) { WORD32 timeDelay, timeTaken; size_t sizeY, sizeUV; - setDecodeArgs(&s_dec_ip, &s_dec_op, inHeader, outHeader, timeStampIx); + if (!setDecodeArgs(&s_dec_ip, &s_dec_op, inHeader, outHeader, timeStampIx)) { + ALOGE("Decoder arg setup failed"); + notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); + mSignalledError = true; + return; + } GETTIME(&mTimeStart, NULL); /* Compute time elapsed between end of previous decode() diff --git a/media/libstagefright/codecs/hevcdec/SoftHEVC.h b/media/libstagefright/codecs/hevcdec/SoftHEVC.h index 21bb99e..943edfd 100644 --- a/media/libstagefright/codecs/hevcdec/SoftHEVC.h +++ b/media/libstagefright/codecs/hevcdec/SoftHEVC.h @@ -106,7 +106,7 @@ private: status_t resetDecoder(); status_t resetPlugin(); - void setDecodeArgs(ivd_video_decode_ip_t *ps_dec_ip, + bool setDecodeArgs(ivd_video_decode_ip_t *ps_dec_ip, ivd_video_decode_op_t *ps_dec_op, OMX_BUFFERHEADERTYPE *inHeader, OMX_BUFFERHEADERTYPE *outHeader, diff --git a/media/libstagefright/codecs/mpeg2dec/SoftMPEG2.cpp b/media/libstagefright/codecs/mpeg2dec/SoftMPEG2.cpp index 4307c4e..e134d38 100644 --- a/media/libstagefright/codecs/mpeg2dec/SoftMPEG2.cpp +++ b/media/libstagefright/codecs/mpeg2dec/SoftMPEG2.cpp @@ -466,7 +466,7 @@ OMX_ERRORTYPE SoftMPEG2::internalSetParameter(OMX_INDEXTYPE index, const OMX_PTR return ret; } -void SoftMPEG2::setDecodeArgs( +bool SoftMPEG2::setDecodeArgs( ivd_video_decode_ip_t *ps_dec_ip, ivd_video_decode_op_t *ps_dec_op, OMX_BUFFERHEADERTYPE *inHeader, @@ -474,7 +474,6 @@ void SoftMPEG2::setDecodeArgs( size_t timeStampIx) { size_t sizeY = outputBufferWidth() * outputBufferHeight(); size_t sizeUV; - uint8_t *pBuf; ps_dec_ip->u4_size = sizeof(ivd_video_decode_ip_t); ps_dec_op->u4_size = sizeof(ivd_video_decode_op_t); @@ -494,22 +493,28 @@ void SoftMPEG2::setDecodeArgs( ps_dec_ip->u4_num_Bytes = 0; } + sizeUV = sizeY / 4; + ps_dec_ip->s_out_buffer.u4_min_out_buf_size[0] = sizeY; + ps_dec_ip->s_out_buffer.u4_min_out_buf_size[1] = sizeUV; + ps_dec_ip->s_out_buffer.u4_min_out_buf_size[2] = sizeUV; + + uint8_t *pBuf; if (outHeader) { + if (outHeader->nAllocLen < sizeY + (sizeUV * 2)) { + android_errorWriteLog(0x534e4554, "27569635"); + return false; + } pBuf = outHeader->pBuffer; } else { + // mFlushOutBuffer always has the right size. pBuf = mFlushOutBuffer; } - sizeUV = sizeY / 4; - ps_dec_ip->s_out_buffer.u4_min_out_buf_size[0] = sizeY; - ps_dec_ip->s_out_buffer.u4_min_out_buf_size[1] = sizeUV; - ps_dec_ip->s_out_buffer.u4_min_out_buf_size[2] = sizeUV; - ps_dec_ip->s_out_buffer.pu1_bufs[0] = pBuf; ps_dec_ip->s_out_buffer.pu1_bufs[1] = pBuf + sizeY; ps_dec_ip->s_out_buffer.pu1_bufs[2] = pBuf + sizeY + sizeUV; ps_dec_ip->s_out_buffer.u4_num_bufs = 3; - return; + return true; } void SoftMPEG2::onPortFlushCompleted(OMX_U32 portIndex) { /* Once the output buffers are flushed, ignore any buffers that are held in decoder */ @@ -622,7 +627,11 @@ void SoftMPEG2::onQueueFilled(OMX_U32 portIndex) { WORD32 timeDelay, timeTaken; size_t sizeY, sizeUV; - setDecodeArgs(&s_dec_ip, &s_dec_op, inHeader, outHeader, timeStampIx); + if (!setDecodeArgs(&s_dec_ip, &s_dec_op, inHeader, outHeader, timeStampIx)) { + ALOGE("Decoder arg setup failed"); + notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); + return; + } // If input dump is enabled, then write to file DUMP_TO_FILE(mInFile, s_dec_ip.pv_stream_buffer, s_dec_ip.u4_num_Bytes); @@ -665,9 +674,9 @@ void SoftMPEG2::onQueueFilled(OMX_U32 portIndex) { CHECK_EQ(reInitDecoder(), (status_t)OK); - setDecodeArgs(&s_dec_ip, &s_dec_op, inHeader, outHeader, timeStampIx); - - ivdec_api_function(mCodecCtx, (void *)&s_dec_ip, (void *)&s_dec_op); + if (setDecodeArgs(&s_dec_ip, &s_dec_op, inHeader, outHeader, timeStampIx)) { + ivdec_api_function(mCodecCtx, (void *)&s_dec_ip, (void *)&s_dec_op); + } return; } diff --git a/media/libstagefright/codecs/mpeg2dec/SoftMPEG2.h b/media/libstagefright/codecs/mpeg2dec/SoftMPEG2.h index a625e08..f48b70b 100644 --- a/media/libstagefright/codecs/mpeg2dec/SoftMPEG2.h +++ b/media/libstagefright/codecs/mpeg2dec/SoftMPEG2.h @@ -117,7 +117,7 @@ private: status_t resetPlugin(); status_t reInitDecoder(); - void setDecodeArgs( + bool setDecodeArgs( ivd_video_decode_ip_t *ps_dec_ip, ivd_video_decode_op_t *ps_dec_op, OMX_BUFFERHEADERTYPE *inHeader, -- cgit v1.1 From 2b6f22dc64d456471a1dc6df09d515771d1427c8 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Fri, 8 Apr 2016 10:04:48 -0700 Subject: h264dec: check for overflows when calculating allocation size. Bug: 27855419 Change-Id: Idabedca52913ec31ea5cb6a6109ab94e3fb2badd --- media/libstagefright/codecs/on2/h264dec/inc/H264SwDecApi.h | 2 +- .../libstagefright/codecs/on2/h264dec/source/DecTestBench.c | 9 ++++++--- .../codecs/on2/h264dec/source/EvaluationTestBench.c | 9 ++++++--- .../libstagefright/codecs/on2/h264dec/source/H264SwDecApi.c | 13 ++++++++++--- .../codecs/on2/h264dec/source/TestBenchMultipleInstance.c | 7 +++++-- .../codecs/on2/h264dec/source/h264bsd_decoder.c | 2 +- .../libstagefright/codecs/on2/h264dec/source/h264bsd_util.h | 2 +- 7 files changed, 30 insertions(+), 14 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/on2/h264dec/inc/H264SwDecApi.h b/media/libstagefright/codecs/on2/h264dec/inc/H264SwDecApi.h index fe112bc..9814e73 100644 --- a/media/libstagefright/codecs/on2/h264dec/inc/H264SwDecApi.h +++ b/media/libstagefright/codecs/on2/h264dec/inc/H264SwDecApi.h @@ -161,7 +161,7 @@ extern "C" void H264SwDecTrace(char *); /* function prototype for memory allocation */ - void* H264SwDecMalloc(u32 size); + void* H264SwDecMalloc(u32 size, u32 num); /* function prototype for memory free */ void H264SwDecFree(void *ptr); diff --git a/media/libstagefright/codecs/on2/h264dec/source/DecTestBench.c b/media/libstagefright/codecs/on2/h264dec/source/DecTestBench.c index dcf2ef6..55c0065 100644 --- a/media/libstagefright/codecs/on2/h264dec/source/DecTestBench.c +++ b/media/libstagefright/codecs/on2/h264dec/source/DecTestBench.c @@ -700,18 +700,21 @@ void H264SwDecTrace(char *string) library function malloc for allocation of memory. ------------------------------------------------------------------------------*/ -void* H264SwDecMalloc(u32 size) +void* H264SwDecMalloc(u32 size, u32 num) { + if (size > UINT32_MAX / num) { + return NULL; + } #if defined(CHECK_MEMORY_USAGE) /* Note that if the decoder has to free and reallocate some of the buffers * the total value will be invalid */ static u32 numBytes = 0; - numBytes += size; + numBytes += size * num; DEBUG(("Allocated %d bytes, total %d\n", size, numBytes)); #endif - return malloc(size); + return malloc(size * num); } /*------------------------------------------------------------------------------ diff --git a/media/libstagefright/codecs/on2/h264dec/source/EvaluationTestBench.c b/media/libstagefright/codecs/on2/h264dec/source/EvaluationTestBench.c index aadc75f..e756a1f 100644 --- a/media/libstagefright/codecs/on2/h264dec/source/EvaluationTestBench.c +++ b/media/libstagefright/codecs/on2/h264dec/source/EvaluationTestBench.c @@ -85,7 +85,7 @@ int main(int argc, char **argv) rewind(finput); /* allocate memory for stream buffer, exit if unsuccessful */ - byteStrm = byteStrmStart = (u8 *)H264SwDecMalloc(sizeof(u8)*strmLen); + byteStrm = byteStrmStart = (u8 *)H264SwDecMalloc(sizeof(u8), strmLen); if (byteStrm == NULL) { printf("UNABLE TO ALLOCATE MEMORY\n"); @@ -298,9 +298,12 @@ void H264SwDecTrace(char *string) library function malloc for allocation of memory. ------------------------------------------------------------------------------*/ -void* H264SwDecMalloc(u32 size) +void* H264SwDecMalloc(u32 size, u32 num) { - return malloc(size); + if (size > UINT32_MAX / num) { + return NULL; + } + return malloc(size * num); } /*------------------------------------------------------------------------------ diff --git a/media/libstagefright/codecs/on2/h264dec/source/H264SwDecApi.c b/media/libstagefright/codecs/on2/h264dec/source/H264SwDecApi.c index a073dcb..f820dfd 100644 --- a/media/libstagefright/codecs/on2/h264dec/source/H264SwDecApi.c +++ b/media/libstagefright/codecs/on2/h264dec/source/H264SwDecApi.c @@ -35,6 +35,8 @@ /*------------------------------------------------------------------------------ 1. Include headers ------------------------------------------------------------------------------*/ +#include + #include #include #include "basetype.h" @@ -79,8 +81,13 @@ void H264SwDecTrace(char *string) { UNUSED(string); } -void* H264SwDecMalloc(u32 size) { - return malloc(size); +void* H264SwDecMalloc(u32 size, u32 num) { + if (size > UINT32_MAX / num) { + ALOGE("can't allocate %u * %u bytes", size, num); + android_errorWriteLog(0x534e4554, "27855419"); + return NULL; + } + return malloc(size * num); } void H264SwDecFree(void *ptr) { @@ -144,7 +151,7 @@ H264SwDecRet H264SwDecInit(H264SwDecInst *decInst, u32 noOutputReordering) return(H264SWDEC_PARAM_ERR); } - pDecCont = (decContainer_t *)H264SwDecMalloc(sizeof(decContainer_t)); + pDecCont = (decContainer_t *)H264SwDecMalloc(sizeof(decContainer_t), 1); if (pDecCont == NULL) { diff --git a/media/libstagefright/codecs/on2/h264dec/source/TestBenchMultipleInstance.c b/media/libstagefright/codecs/on2/h264dec/source/TestBenchMultipleInstance.c index 42170d3..9a386bb 100644 --- a/media/libstagefright/codecs/on2/h264dec/source/TestBenchMultipleInstance.c +++ b/media/libstagefright/codecs/on2/h264dec/source/TestBenchMultipleInstance.c @@ -413,9 +413,12 @@ void H264SwDecTrace(char *string) Function name: H264SwDecmalloc ------------------------------------------------------------------------------*/ -void* H264SwDecMalloc(u32 size) +void* H264SwDecMalloc(u32 size, u32 num) { - return malloc(size); + if (size > UINT32_MAX / num) { + return NULL; + } + return malloc(size * num); } /*------------------------------------------------------------------------------ diff --git a/media/libstagefright/codecs/on2/h264dec/source/h264bsd_decoder.c b/media/libstagefright/codecs/on2/h264dec/source/h264bsd_decoder.c index a816871..0ac480f 100644 --- a/media/libstagefright/codecs/on2/h264dec/source/h264bsd_decoder.c +++ b/media/libstagefright/codecs/on2/h264dec/source/h264bsd_decoder.c @@ -101,7 +101,7 @@ u32 h264bsdInit(storage_t *pStorage, u32 noOutputReordering) * specific NEON optimized "memset" for clearing the structure */ size = (sizeof(macroblockLayer_t) + 63) & ~0x3F; - pStorage->mbLayer = (macroblockLayer_t*)H264SwDecMalloc(size); + pStorage->mbLayer = (macroblockLayer_t*)H264SwDecMalloc(size, 1); if (!pStorage->mbLayer) return HANTRO_NOK; diff --git a/media/libstagefright/codecs/on2/h264dec/source/h264bsd_util.h b/media/libstagefright/codecs/on2/h264dec/source/h264bsd_util.h index 216ad04..9f0eb7d 100644 --- a/media/libstagefright/codecs/on2/h264dec/source/h264bsd_util.h +++ b/media/libstagefright/codecs/on2/h264dec/source/h264bsd_util.h @@ -141,7 +141,7 @@ /* macro to allocate memory */ #define ALLOCATE(ptr, count, type) \ { \ - (ptr) = H264SwDecMalloc((count) * sizeof(type)); \ + (ptr) = H264SwDecMalloc(sizeof(type), (count)); \ } /* macro to free allocated memory */ -- cgit v1.1 From 45737cb776625f17384540523674761e6313e6d4 Mon Sep 17 00:00:00 2001 From: Zach Jang Date: Thu, 21 Apr 2016 16:10:50 -0700 Subject: Resolve merge conflict when cp'ing ag/931301 to mnc-mr1-release Change-Id: I079d1db2d30d126f8aed348bd62451acf741037d --- media/libstagefright/SampleTable.cpp | 37 ++++++++++++++++-------------- media/libstagefright/include/SampleTable.h | 3 ++- 2 files changed, 22 insertions(+), 18 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp index 97dff43..5344ae4 100644 --- a/media/libstagefright/SampleTable.cpp +++ b/media/libstagefright/SampleTable.cpp @@ -122,7 +122,7 @@ SampleTable::SampleTable(const sp &source) mDefaultSampleSize(0), mNumSampleSizes(0), mTimeToSampleCount(0), - mTimeToSample(NULL), + mTimeToSample(), mSampleTimeEntries(NULL), mCompositionTimeDeltaEntries(NULL), mNumCompositionTimeDeltaEntries(0), @@ -151,9 +151,6 @@ SampleTable::~SampleTable() { delete[] mSampleTimeEntries; mSampleTimeEntries = NULL; - delete[] mTimeToSample; - mTimeToSample = NULL; - delete mSampleIterator; mSampleIterator = NULL; } @@ -162,7 +159,7 @@ bool SampleTable::isValid() const { return mChunkOffsetOffset >= 0 && mSampleToChunkOffset >= 0 && mSampleSizeOffset >= 0 - && mTimeToSample != NULL; + && !mTimeToSample.empty(); } status_t SampleTable::setChunkOffsetParams( @@ -327,7 +324,7 @@ status_t SampleTable::setSampleSizeParams( status_t SampleTable::setTimeToSampleParams( off64_t data_offset, size_t data_size) { - if (mTimeToSample != NULL || data_size < 8) { + if (!mTimeToSample.empty() || data_size < 8) { return ERROR_MALFORMED; } @@ -343,24 +340,30 @@ status_t SampleTable::setTimeToSampleParams( } mTimeToSampleCount = U32_AT(&header[4]); - uint64_t allocSize = (uint64_t)mTimeToSampleCount * 2 * sizeof(uint32_t); - if (allocSize > UINT32_MAX) { + if ((uint64_t)mTimeToSampleCount > + (uint64_t)UINT32_MAX / (2 * sizeof(uint32_t))) { + // Choose this bound because + // 1) 2 * sizeof(uint32_t) is the amount of memory needed for one + // time-to-sample entry in the time-to-sample table. + // 2) mTimeToSampleCount is the number of entries of the time-to-sample + // table. + // 3) We hope that the table size does not exceed UINT32_MAX. + ALOGE(" Error: Time-to-sample table size too large."); + return ERROR_OUT_OF_RANGE; } - mTimeToSample = new (std::nothrow) uint32_t[mTimeToSampleCount * 2]; - if (!mTimeToSample) - return ERROR_OUT_OF_RANGE; - size_t size = sizeof(uint32_t) * mTimeToSampleCount * 2; - if (mDataSource->readAt( - data_offset + 8, mTimeToSample, size) < (ssize_t)size) { + // Note: At this point, we know that mTimeToSampleCount * 2 will not + // overflow because of the above condition. + if (!mDataSource->getVector(data_offset + 8, &mTimeToSample, + mTimeToSampleCount * 2)) { + ALOGE(" Error: Incomplete data read for time-to-sample table."); return ERROR_IO; } - for (uint32_t i = 0; i < mTimeToSampleCount * 2; ++i) { - mTimeToSample[i] = ntohl(mTimeToSample[i]); + for (size_t i = 0; i < mTimeToSample.size(); ++i) { + mTimeToSample.editItemAt(i) = ntohl(mTimeToSample[i]); } - return OK; } diff --git a/media/libstagefright/include/SampleTable.h b/media/libstagefright/include/SampleTable.h index 460492b..3764adb 100644 --- a/media/libstagefright/include/SampleTable.h +++ b/media/libstagefright/include/SampleTable.h @@ -24,6 +24,7 @@ #include #include #include +#include namespace android { @@ -111,7 +112,7 @@ private: uint32_t mNumSampleSizes; uint32_t mTimeToSampleCount; - uint32_t *mTimeToSample; + Vector mTimeToSample; struct SampleTimeEntry { uint32_t mSampleIndex; -- cgit v1.1 From b57b3967b1a42dd505dbe4fcf1e1d810e3ae3777 Mon Sep 17 00:00:00 2001 From: Pawin Vongmasa Date: Wed, 20 Apr 2016 15:51:48 -0700 Subject: SampleTable.cpp: Fixed a regression caused by a fix for bug 28076789. Detail: Before the original fix (Id207f369ab7b27787d83f5d8fc48dc53ed9fcdc9) for 28076789, the code allowed a time-to-sample table size to be 0. The change made in that fix disallowed such situation, which in fact should be allowed. This current patch allows it again while maintaining the security of the previous fix. Bug: 28288202 Bug: 28076789 Change-Id: I1c9a60c7f0cfcbd3d908f24998dde15d5136a295 --- media/libstagefright/SampleTable.cpp | 7 +++++-- media/libstagefright/include/SampleTable.h | 1 + 2 files changed, 6 insertions(+), 2 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp index 5344ae4..8df9cb8 100644 --- a/media/libstagefright/SampleTable.cpp +++ b/media/libstagefright/SampleTable.cpp @@ -121,6 +121,7 @@ SampleTable::SampleTable(const sp &source) mSampleSizeFieldSize(0), mDefaultSampleSize(0), mNumSampleSizes(0), + mHasTimeToSample(false), mTimeToSampleCount(0), mTimeToSample(), mSampleTimeEntries(NULL), @@ -159,7 +160,7 @@ bool SampleTable::isValid() const { return mChunkOffsetOffset >= 0 && mSampleToChunkOffset >= 0 && mSampleSizeOffset >= 0 - && !mTimeToSample.empty(); + && mHasTimeToSample; } status_t SampleTable::setChunkOffsetParams( @@ -324,7 +325,7 @@ status_t SampleTable::setSampleSizeParams( status_t SampleTable::setTimeToSampleParams( off64_t data_offset, size_t data_size) { - if (!mTimeToSample.empty() || data_size < 8) { + if (mHasTimeToSample || data_size < 8) { return ERROR_MALFORMED; } @@ -364,6 +365,8 @@ status_t SampleTable::setTimeToSampleParams( for (size_t i = 0; i < mTimeToSample.size(); ++i) { mTimeToSample.editItemAt(i) = ntohl(mTimeToSample[i]); } + + mHasTimeToSample = true; return OK; } diff --git a/media/libstagefright/include/SampleTable.h b/media/libstagefright/include/SampleTable.h index 3764adb..465f37c 100644 --- a/media/libstagefright/include/SampleTable.h +++ b/media/libstagefright/include/SampleTable.h @@ -111,6 +111,7 @@ private: uint32_t mDefaultSampleSize; uint32_t mNumSampleSizes; + bool mHasTimeToSample; uint32_t mTimeToSampleCount; Vector mTimeToSample; -- cgit v1.1 From 5c7669385726b8aab6a554e31cc720e27dd446e8 Mon Sep 17 00:00:00 2001 From: Ricardo Cerqueira Date: Wed, 11 May 2016 16:26:44 +0100 Subject: FFMPEGSoftCodec: Initialize the OMX param struct before using it Make sure all the items in the port param config are filled out, not just those we expect to use. Ref: CYNGNOS-2797 Change-Id: I9271a83fc6496cfe5ad14e45841cd8a05ffece30 --- media/libstagefright/FFMPEGSoftCodec.cpp | 1 + 1 file changed, 1 insertion(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/FFMPEGSoftCodec.cpp b/media/libstagefright/FFMPEGSoftCodec.cpp index 26afd89..f981c71 100644 --- a/media/libstagefright/FFMPEGSoftCodec.cpp +++ b/media/libstagefright/FFMPEGSoftCodec.cpp @@ -325,6 +325,7 @@ status_t FFMPEGSoftCodec::setVideoFormat( int32_t mode = 0; OMX_QCOM_PARAM_PORTDEFINITIONTYPE portFmt; + InitOMXParams(&portFmt); portFmt.nPortIndex = kPortIndexInput; if (msg->findInt32("use-arbitrary-mode", &mode) && mode) { -- cgit v1.1 From 0eb2f24bf01894947fededbc097b47c962287dda Mon Sep 17 00:00:00 2001 From: Keith Mok Date: Wed, 18 May 2016 14:26:49 -0700 Subject: stagefright: Fix cts issue with divx test 8909 is using soft-ip divx decoder using component name starts with "OMX.ittiam." instead of "OMX.qcom." leading to FFMPEGSoftCodec override with wrong compression format using OMX_VIDEO_CodingDIVX (0x7F000003) defined in OMX_FFMPEG_Extn.h. But qcom omx component actually use QOMX_VIDEO_CodingDivx (0x7FA30C02) which defined in OMX_QCOMExtns.h. Add checking for OMX.ittiam in additional to OMX.qcom solved the problem. FEIJ-700 Change-Id: I4071eb3978974d1072373f0c88ea83653c0c53a9 --- media/libstagefright/FFMPEGSoftCodec.cpp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/FFMPEGSoftCodec.cpp b/media/libstagefright/FFMPEGSoftCodec.cpp index f981c71..7233162 100644 --- a/media/libstagefright/FFMPEGSoftCodec.cpp +++ b/media/libstagefright/FFMPEGSoftCodec.cpp @@ -319,7 +319,8 @@ status_t FFMPEGSoftCodec::setVideoFormat( // from the CAF L release. It was unfortunately moved to a proprietary // blob and an architecture which is hellish for OEMs who wish to // customize the platform. - if (err == OK && (!strncmp(componentName, "OMX.qcom.", 9))) { + if (err == OK && (!strncmp(componentName, "OMX.qcom.", 9) + || !strncmp(componentName, "OMX.ittiam.", 11))) { status_t xerr = OK; -- cgit v1.1 From af1fa68cd4038409c941b6ef09ff7c43a75e0007 Mon Sep 17 00:00:00 2001 From: Caio Schnepper Date: Wed, 5 Aug 2015 16:17:14 -0300 Subject: stagefright: Correct Exynos4 stride alignment For the OMX_COLOR_FormatYUV420Planar color format case, Google's VP9 codec is used, in that case the colors were shifting 16 bytes per horizontal line, causing green lines to appear on video playback. Change-Id: I4cf0fd40b79e53882d99f1c3f263c8a98fff1f30 --- media/libstagefright/colorconversion/SoftwareRenderer.cpp | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/colorconversion/SoftwareRenderer.cpp b/media/libstagefright/colorconversion/SoftwareRenderer.cpp index 3fa29a2..59af12a 100644 --- a/media/libstagefright/colorconversion/SoftwareRenderer.cpp +++ b/media/libstagefright/colorconversion/SoftwareRenderer.cpp @@ -261,8 +261,14 @@ std::list SoftwareRenderer::render( uint8_t *dst_y = (uint8_t *)dst; size_t dst_y_size = buf->stride * buf->height; + +#ifdef EXYNOS4_ENHANCEMENTS + size_t dst_c_stride = buf->stride / 2; + size_t dst_c_size = ALIGN(dst_c_stride, 16) * buf->height / 2; +#else size_t dst_c_stride = ALIGN(buf->stride / 2, 16); size_t dst_c_size = dst_c_stride * buf->height / 2; +#endif uint8_t *dst_v = dst_y + dst_y_size; uint8_t *dst_u = dst_v + dst_c_size; -- cgit v1.1 From 4f236c532039a61f0cf681d2e3c6e022911bbb5c Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Thu, 28 Apr 2016 13:32:41 -0700 Subject: Check section size when verifying CRC Bug: 28333006 Change-Id: Ief7a2da848face78f0edde21e2f2009316076679 --- media/libstagefright/mpeg2ts/ATSParser.cpp | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/mpeg2ts/ATSParser.cpp b/media/libstagefright/mpeg2ts/ATSParser.cpp index e3c3e80..2f2b115 100644 --- a/media/libstagefright/mpeg2ts/ATSParser.cpp +++ b/media/libstagefright/mpeg2ts/ATSParser.cpp @@ -1713,6 +1713,13 @@ bool ATSParser::PSISection::isCRCOkay() const { unsigned sectionLength = U16_AT(data + 1) & 0xfff; ALOGV("sectionLength %u, skip %u", sectionLength, mSkipBytes); + + if(sectionLength < mSkipBytes) { + ALOGE("b/28333006"); + android_errorWriteLog(0x534e4554, "28333006"); + return false; + } + // Skip the preceding field present when payload start indicator is on. sectionLength -= mSkipBytes; -- cgit v1.1 From 60547808ca4e9cfac50028c00c58a6ceb2319301 Mon Sep 17 00:00:00 2001 From: Pawin Vongmasa Date: Wed, 11 May 2016 16:08:21 -0700 Subject: h264bsdActivateParamSets: Prevent multiplication overflow. Report MEMORY_ALLOCATION_ERROR if pStorage->picSizeInMbs would exceed UINT32_MAX bytes. Bug: 28532266 Change-Id: Ia6f11efb18818afcdb5fa2a38a14f2a2d8c8447a --- .../codecs/on2/h264dec/source/h264bsd_storage.c | 24 +++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/on2/h264dec/source/h264bsd_storage.c b/media/libstagefright/codecs/on2/h264dec/source/h264bsd_storage.c index 3234754..ff7a42a 100644 --- a/media/libstagefright/codecs/on2/h264dec/source/h264bsd_storage.c +++ b/media/libstagefright/codecs/on2/h264dec/source/h264bsd_storage.c @@ -58,6 +58,10 @@ 3. Module defines ------------------------------------------------------------------------------*/ +#ifndef UINT32_MAX +#define UINT32_MAX (4294967295U) +#endif + /*------------------------------------------------------------------------------ 4. Local function prototypes ------------------------------------------------------------------------------*/ @@ -326,9 +330,23 @@ u32 h264bsdActivateParamSets(storage_t *pStorage, u32 ppsId, u32 isIdr) pStorage->activePps = pStorage->pps[ppsId]; pStorage->activeSpsId = pStorage->activePps->seqParameterSetId; pStorage->activeSps = pStorage->sps[pStorage->activeSpsId]; - pStorage->picSizeInMbs = - pStorage->activeSps->picWidthInMbs * - pStorage->activeSps->picHeightInMbs; + + /* report error before multiplication to prevent integer overflow */ + if (pStorage->activeSps->picWidthInMbs == 0) + { + pStorage->picSizeInMbs = 0; + } + else if (pStorage->activeSps->picHeightInMbs > + UINT32_MAX / pStorage->activeSps->picWidthInMbs) + { + return(MEMORY_ALLOCATION_ERROR); + } + else + { + pStorage->picSizeInMbs = + pStorage->activeSps->picWidthInMbs * + pStorage->activeSps->picHeightInMbs; + } pStorage->currImage->width = pStorage->activeSps->picWidthInMbs; pStorage->currImage->height = pStorage->activeSps->picHeightInMbs; -- cgit v1.1 From e248db02fbab2ee9162940bc19f087fd7d96cb9d Mon Sep 17 00:00:00 2001 From: Jeff Tinker Date: Fri, 13 May 2016 11:48:11 -0700 Subject: Fix security vulnerability in libstagefright bug: 28175045 Change-Id: Icee6c7eb5b761da4aa3e412fb71825508d74d38f --- media/libstagefright/DRMExtractor.cpp | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/DRMExtractor.cpp b/media/libstagefright/DRMExtractor.cpp index 9cb6e86..e2bc89c 100644 --- a/media/libstagefright/DRMExtractor.cpp +++ b/media/libstagefright/DRMExtractor.cpp @@ -200,7 +200,17 @@ status_t DRMSource::read(MediaBuffer **buffer, const ReadOptions *options) { continue; } - CHECK(dstOffset + 4 <= (*buffer)->size()); + if (dstOffset > SIZE_MAX - 4 || + dstOffset + 4 > SIZE_MAX - nalLength || + dstOffset + 4 + nalLength > (*buffer)->size()) { + (*buffer)->release(); + (*buffer) = NULL; + if (decryptedDrmBuffer.data) { + delete [] decryptedDrmBuffer.data; + decryptedDrmBuffer.data = NULL; + } + return ERROR_MALFORMED; + } dstData[dstOffset++] = 0; dstData[dstOffset++] = 0; -- cgit v1.1 From e7142a0703bc93f75e213e96ebc19000022afed9 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Wed, 11 May 2016 11:11:20 -0700 Subject: Check malloc result to avoid NPD Bug: 28471206 Change-Id: Id5d055d76893d6f53a2e524ff5f282d1ddca3345 --- media/libstagefright/MPEG4Extractor.cpp | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp index f8789da..f6206d2 100755 --- a/media/libstagefright/MPEG4Extractor.cpp +++ b/media/libstagefright/MPEG4Extractor.cpp @@ -535,6 +535,10 @@ status_t MPEG4Extractor::readMetaData() { } if (psshsize > 0 && psshsize <= UINT32_MAX) { char *buf = (char*)malloc(psshsize); + if (!buf) { + ALOGE("b/28471206"); + return NO_MEMORY; + } char *ptr = buf; for (size_t i = 0; i < mPssh.size(); i++) { memcpy(ptr, mPssh[i].uuid, 20); // uuid + length @@ -1702,6 +1706,11 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { sp buffer = new ABuffer(chunk_data_size); + if (buffer->data() == NULL) { + ALOGE("b/28471206"); + return NO_MEMORY; + } + if (mDataSource->readAt( data_offset, buffer->data(), chunk_data_size) < chunk_data_size) { return ERROR_IO; @@ -1719,6 +1728,11 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { { sp buffer = new ABuffer(chunk_data_size); + if (buffer->data() == NULL) { + ALOGE("b/28471206"); + return NO_MEMORY; + } + if (mDataSource->readAt( data_offset, buffer->data(), chunk_data_size) < chunk_data_size) { return ERROR_IO; @@ -2051,6 +2065,10 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { return ERROR_MALFORMED; } sp buffer = new ABuffer(chunk_data_size + 1); + if (buffer->data() == NULL) { + ALOGE("b/28471206"); + return NO_MEMORY; + } if (mDataSource->readAt( data_offset, buffer->data(), chunk_data_size) != (ssize_t)chunk_data_size) { return ERROR_IO; -- cgit v1.1 From f81038006b4c59a5a148dcad887371206033c28f Mon Sep 17 00:00:00 2001 From: Wei Jia Date: Fri, 28 Aug 2015 10:35:35 -0700 Subject: MPEG4Extractor: ensure kKeyTrackID exists before creating an MPEG4Source as track. GenericSource: return error when no track exists. SampleIterator: make sure mSamplesPerChunk is not zero before using it as divisor. Bug: 21657957 Bug: 23705695 Bug: 22802344 Bug: 28799341 Change-Id: I7664992ade90b935d3f255dcd43ecc2898f30b04 (cherry picked from commit 0386c91b8a910a134e5898ffa924c1b6c7560b13) --- media/libstagefright/MPEG4Extractor.cpp | 8 ++++++++ media/libstagefright/SampleIterator.cpp | 5 +++++ 2 files changed, 13 insertions(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp index f6206d2..4c10cc9 100755 --- a/media/libstagefright/MPEG4Extractor.cpp +++ b/media/libstagefright/MPEG4Extractor.cpp @@ -933,6 +933,11 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { } if (isTrack) { + int32_t trackId; + // There must be exact one track header per track. + if (!mLastTrack->meta->findInt32(kKeyTrackID, &trackId)) { + mLastTrack->skipTrack = true; + } if (mLastTrack->skipTrack) { Track *cur = mFirstTrack; @@ -2869,6 +2874,9 @@ sp MPEG4Extractor::getTrack(size_t index) { break; } } + } else { + ALOGE("b/21657957"); + return NULL; } ALOGV("getTrack called, pssh: %zu", mPssh.size()); diff --git a/media/libstagefright/SampleIterator.cpp b/media/libstagefright/SampleIterator.cpp index 2748349..c5f359e 100644 --- a/media/libstagefright/SampleIterator.cpp +++ b/media/libstagefright/SampleIterator.cpp @@ -84,6 +84,11 @@ status_t SampleIterator::seekTo(uint32_t sampleIndex) { CHECK(sampleIndex < mStopChunkSampleIndex); + if (mSamplesPerChunk == 0) { + ALOGE("b/22802344"); + return ERROR_MALFORMED; + } + uint32_t chunk = (sampleIndex - mFirstChunkSampleIndex) / mSamplesPerChunk + mFirstChunk; -- cgit v1.1 From fdc7d1f59c2da25246ec1dce7a6bbc32fcd6525d Mon Sep 17 00:00:00 2001 From: Jessica Wagantall Date: Tue, 7 Jun 2016 15:27:51 -0700 Subject: Fixing ALOGE message in commit ad40e57890f81a3cf436c5f06da66396010bd9e5 Change-Id: Icdfe4662ff6b53cff53142706bbd5ade1636fb27 --- media/libstagefright/codecs/mp3dec/SoftMP3.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp index ba13338..cd4b0ba 100644 --- a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp +++ b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp @@ -279,7 +279,7 @@ void SoftMP3::onQueueFilled(OMX_U32 /* portIndex */) { mConfig->outputFrameSize = kOutputBufferSize / sizeof(int16_t); if ((int32)outHeader->nAllocLen < mConfig->outputFrameSize) { - ALOGE("input buffer too small: got %lu, expected %u", + ALOGE("input buffer too small: got %u, expected %u", outHeader->nAllocLen, mConfig->outputFrameSize); android_errorWriteLog(0x534e4554, "27793371"); notify(OMX_EventError, OMX_ErrorUndefined, OUTPUT_BUFFER_TOO_SMALL, NULL); -- cgit v1.1 From fbef511c958b5f1b3e015d032dcac4ed7cc84876 Mon Sep 17 00:00:00 2001 From: "Christopher N. Hesse" Date: Thu, 9 Jun 2016 18:55:14 +0200 Subject: OMXCodec: Remove kClientNeedsFrameBuffer for S3D Upstream commit 0bb5ced removed support for this flag. Reference: https://github.com/CyanogenMod/android_frameworks_av/commit/0bb5ced60304da7f61478ffd359e7ba65d72f181 Change-Id: I56c8c0957b556f70b1a52cd6dd8a2bdd8f958381 --- media/libstagefright/OMXCodec.cpp | 3 --- 1 file changed, 3 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/OMXCodec.cpp b/media/libstagefright/OMXCodec.cpp index af30780..ca310bc 100644 --- a/media/libstagefright/OMXCodec.cpp +++ b/media/libstagefright/OMXCodec.cpp @@ -2358,9 +2358,6 @@ void OMXCodec::onEvent(OMX_EVENTTYPE event, OMX_U32 data1, OMX_U32 data2) { #ifdef USE_S3D_SUPPORT case (OMX_EVENTTYPE)OMX_EventS3DInformation: { - if (mFlags & kClientNeedsFramebuffer) - break; - sp sm = defaultServiceManager(); sp hwc = interface_cast( sm->getService(String16("Exynos.HWCService"))); -- cgit v1.1 From 590d1729883f700ab905cdc9ad850f3ddd7e1f56 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Tue, 7 Jun 2016 15:48:07 -0700 Subject: Fix potential overflow Bug: 28533562 Change-Id: I798ab24caa4c81f3ba564cad7c9ee019284fb702 --- media/libstagefright/codecs/on2/h264dec/source/h264bsd_dpb.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/on2/h264dec/source/h264bsd_dpb.c b/media/libstagefright/codecs/on2/h264dec/source/h264bsd_dpb.c index 9517d0a..799bd16 100644 --- a/media/libstagefright/codecs/on2/h264dec/source/h264bsd_dpb.c +++ b/media/libstagefright/codecs/on2/h264dec/source/h264bsd_dpb.c @@ -60,6 +60,7 @@ #include "h264bsd_util.h" #include "basetype.h" +#include /*------------------------------------------------------------------------------ 2. External compiler flags -------------------------------------------------------------------------------- @@ -998,6 +999,13 @@ u32 h264bsdInitDpb( ASSERT(maxFrameNum); ASSERT(dpbSize); + // see comment in loop below about size calculation + if (picSizeInMbs > (UINT32_MAX - 32 - 15) / 384) { + ALOGE("b/28533562"); + android_errorWriteLog(0x534e4554, "28533562"); + return(MEMORY_ALLOCATION_ERROR); + } + dpb->maxLongTermFrameIdx = NO_LONG_TERM_FRAME_INDICES; dpb->maxRefFrames = MAX(maxRefFrames, 1); if (noReordering) -- cgit v1.1 From 8e438e153f661e9df8db0ac41d587e940352df06 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Wed, 8 Jun 2016 14:31:42 -0700 Subject: SoftAAC2: fix crash on all-zero adts buffer Bug: 29153599 Change-Id: I1cb81c054098b86cf24f024f8479909ca7bc85a6 --- media/libstagefright/codecs/aacdec/SoftAAC2.cpp | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/aacdec/SoftAAC2.cpp b/media/libstagefright/codecs/aacdec/SoftAAC2.cpp index 520ecb4..8ddff90 100644 --- a/media/libstagefright/codecs/aacdec/SoftAAC2.cpp +++ b/media/libstagefright/codecs/aacdec/SoftAAC2.cpp @@ -625,12 +625,15 @@ void SoftAAC2::onQueueFilled(OMX_U32 /* portIndex */) { signalError = true; } else { adtsHeaderSize = (protectionAbsent ? 7 : 9); - - inBuffer[0] = (UCHAR *)adtsHeader + adtsHeaderSize; - inBufferLength[0] = aac_frame_length - adtsHeaderSize; - - inHeader->nOffset += adtsHeaderSize; - inHeader->nFilledLen -= adtsHeaderSize; + if (aac_frame_length < adtsHeaderSize) { + signalError = true; + } else { + inBuffer[0] = (UCHAR *)adtsHeader + adtsHeaderSize; + inBufferLength[0] = aac_frame_length - adtsHeaderSize; + + inHeader->nOffset += adtsHeaderSize; + inHeader->nFilledLen -= adtsHeaderSize; + } } } -- cgit v1.1 From a4567c66f4764442c6cb7b5c1858810194480fb5 Mon Sep 17 00:00:00 2001 From: Harish Mahendrakar Date: Mon, 12 Oct 2015 19:24:18 +0530 Subject: SoftHEVC: Exit gracefully in case of decoder errors Exit for error in allocation and unsupported resolutions Bug: 28816956 Change-Id: Ieb830bedeb3a7431d1d21a024927df630f7eda1e --- media/libstagefright/codecs/hevcdec/SoftHEVC.cpp | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/hevcdec/SoftHEVC.cpp b/media/libstagefright/codecs/hevcdec/SoftHEVC.cpp index a70755c..1dac868 100644 --- a/media/libstagefright/codecs/hevcdec/SoftHEVC.cpp +++ b/media/libstagefright/codecs/hevcdec/SoftHEVC.cpp @@ -444,6 +444,9 @@ void SoftHEVC::onQueueFilled(OMX_U32 portIndex) { if (NULL == mCodecCtx) { if (OK != initDecoder()) { + ALOGE("Failed to initialize decoder"); + notify(OMX_EventError, OMX_ErrorUnsupportedSetting, 0, NULL); + mSignalledError = true; return; } } @@ -540,6 +543,25 @@ void SoftHEVC::onQueueFilled(OMX_U32 portIndex) { IV_API_CALL_STATUS_T status; status = ivdec_api_function(mCodecCtx, (void *)&s_dec_ip, (void *)&s_dec_op); + bool unsupportedResolution = + (IVD_STREAM_WIDTH_HEIGHT_NOT_SUPPORTED == (s_dec_op.u4_error_code & 0xFF)); + + /* Check for unsupported dimensions */ + if (unsupportedResolution) { + ALOGE("Unsupported resolution : %dx%d", mWidth, mHeight); + notify(OMX_EventError, OMX_ErrorUnsupportedSetting, 0, NULL); + mSignalledError = true; + return; + } + + bool allocationFailed = (IVD_MEM_ALLOC_FAILED == (s_dec_op.u4_error_code & 0xFF)); + if (allocationFailed) { + ALOGE("Allocation failure in decoder"); + notify(OMX_EventError, OMX_ErrorUnsupportedSetting, 0, NULL); + mSignalledError = true; + return; + } + bool resChanged = (IVD_RES_CHANGED == (s_dec_op.u4_error_code & 0xFF)); GETTIME(&mTimeEnd, NULL); -- cgit v1.1 From b351eabb428c7ca85a34513c64601f437923d576 Mon Sep 17 00:00:00 2001 From: Wonsik Kim Date: Wed, 25 May 2016 16:54:08 +0900 Subject: DO NOT MERGE omx: check buffer port before using Bug: 28816827 Change-Id: I3d5bad4a1ef96dec544b05bb31cc6f7109aae0a5 --- media/libstagefright/include/OMXNodeInstance.h | 2 +- media/libstagefright/omx/OMXNodeInstance.cpp | 73 +++++++++++++++++++------- 2 files changed, 55 insertions(+), 20 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/include/OMXNodeInstance.h b/media/libstagefright/include/OMXNodeInstance.h index e5fb45b..babf5b7 100644 --- a/media/libstagefright/include/OMXNodeInstance.h +++ b/media/libstagefright/include/OMXNodeInstance.h @@ -187,7 +187,7 @@ private: // For buffer id management OMX::buffer_id makeBufferID(OMX_BUFFERHEADERTYPE *bufferHeader); - OMX_BUFFERHEADERTYPE *findBufferHeader(OMX::buffer_id buffer); + OMX_BUFFERHEADERTYPE *findBufferHeader(OMX::buffer_id buffer, OMX_U32 portIndex); OMX::buffer_id findBufferID(OMX_BUFFERHEADERTYPE *bufferHeader); void invalidateBufferID(OMX::buffer_id buffer); diff --git a/media/libstagefright/omx/OMXNodeInstance.cpp b/media/libstagefright/omx/OMXNodeInstance.cpp index 8735eff..7f534b5 100644 --- a/media/libstagefright/omx/OMXNodeInstance.cpp +++ b/media/libstagefright/omx/OMXNodeInstance.cpp @@ -101,19 +101,22 @@ static void InitOMXParams(T *params) { namespace android { struct BufferMeta { - BufferMeta(const sp &mem, bool is_backup = false) + BufferMeta(const sp &mem, OMX_U32 portIndex, bool is_backup = false) : mMem(mem), - mIsBackup(is_backup) { + mIsBackup(is_backup), + mPortIndex(portIndex) { } - BufferMeta(size_t size) + BufferMeta(size_t size, OMX_U32 portIndex) : mSize(size), - mIsBackup(false) { + mIsBackup(false), + mPortIndex(portIndex) { } - BufferMeta(const sp &graphicBuffer) + BufferMeta(const sp &graphicBuffer, OMX_U32 portIndex) : mGraphicBuffer(graphicBuffer), - mIsBackup(false) { + mIsBackup(false), + mPortIndex(portIndex) { } void CopyFromOMX(const OMX_BUFFERHEADERTYPE *header) { @@ -160,11 +163,16 @@ struct BufferMeta { mGraphicBuffer = graphicBuffer; } + OMX_U32 getPortIndex() { + return mPortIndex; + } + private: sp mGraphicBuffer; sp mMem; size_t mSize; bool mIsBackup; + OMX_U32 mPortIndex; BufferMeta(const BufferMeta &); BufferMeta &operator=(const BufferMeta &); @@ -661,7 +669,7 @@ status_t OMXNodeInstance::useBuffer( return BAD_VALUE; } - BufferMeta *buffer_meta = new BufferMeta(params); + BufferMeta *buffer_meta = new BufferMeta(params, portIndex); OMX_BUFFERHEADERTYPE *header; @@ -713,7 +721,7 @@ status_t OMXNodeInstance::useGraphicBuffer2_l( return UNKNOWN_ERROR; } - BufferMeta *bufferMeta = new BufferMeta(graphicBuffer); + BufferMeta *bufferMeta = new BufferMeta(graphicBuffer, portIndex); OMX_BUFFERHEADERTYPE *header = NULL; OMX_U8* bufferHandle = const_cast( @@ -771,7 +779,7 @@ status_t OMXNodeInstance::useGraphicBuffer( return StatusFromOMXError(err); } - BufferMeta *bufferMeta = new BufferMeta(graphicBuffer); + BufferMeta *bufferMeta = new BufferMeta(graphicBuffer, portIndex); OMX_BUFFERHEADERTYPE *header; @@ -812,6 +820,9 @@ status_t OMXNodeInstance::useGraphicBuffer( status_t OMXNodeInstance::updateGraphicBufferInMeta_l( OMX_U32 portIndex, const sp& graphicBuffer, OMX::buffer_id buffer, OMX_BUFFERHEADERTYPE *header) { + if (header == NULL) { + return BAD_VALUE; + } if (portIndex != kPortIndexInput && portIndex != kPortIndexOutput) { return BAD_VALUE; } @@ -845,7 +856,7 @@ status_t OMXNodeInstance::updateGraphicBufferInMeta( OMX_U32 portIndex, const sp& graphicBuffer, OMX::buffer_id buffer) { Mutex::Autolock autoLock(mLock); - OMX_BUFFERHEADERTYPE *header = findBufferHeader(buffer); + OMX_BUFFERHEADERTYPE *header = findBufferHeader(buffer, portIndex); return updateGraphicBufferInMeta_l(portIndex, graphicBuffer, buffer, header); } @@ -974,7 +985,7 @@ status_t OMXNodeInstance::allocateBuffer( void **buffer_data) { Mutex::Autolock autoLock(mLock); - BufferMeta *buffer_meta = new BufferMeta(size); + BufferMeta *buffer_meta = new BufferMeta(size, portIndex); OMX_BUFFERHEADERTYPE *header; @@ -1015,7 +1026,7 @@ status_t OMXNodeInstance::allocateBufferWithBackup( return BAD_VALUE; } - BufferMeta *buffer_meta = new BufferMeta(params, true); + BufferMeta *buffer_meta = new BufferMeta(params, portIndex, true); OMX_BUFFERHEADERTYPE *header; @@ -1056,7 +1067,10 @@ status_t OMXNodeInstance::freeBuffer( removeActiveBuffer(portIndex, buffer); - OMX_BUFFERHEADERTYPE *header = findBufferHeader(buffer); + OMX_BUFFERHEADERTYPE *header = findBufferHeader(buffer, portIndex); + if (header == NULL) { + return BAD_VALUE; + } BufferMeta *buffer_meta = static_cast(header->pAppPrivate); OMX_ERRORTYPE err = OMX_FreeBuffer(mHandle, portIndex, header); @@ -1072,7 +1086,10 @@ status_t OMXNodeInstance::freeBuffer( status_t OMXNodeInstance::fillBuffer(OMX::buffer_id buffer, int fenceFd) { Mutex::Autolock autoLock(mLock); - OMX_BUFFERHEADERTYPE *header = findBufferHeader(buffer); + OMX_BUFFERHEADERTYPE *header = findBufferHeader(buffer, kPortIndexOutput); + if (header == NULL) { + return BAD_VALUE; + } header->nFilledLen = 0; header->nOffset = 0; header->nFlags = 0; @@ -1105,7 +1122,10 @@ status_t OMXNodeInstance::emptyBuffer( OMX_U32 flags, OMX_TICKS timestamp, int fenceFd) { Mutex::Autolock autoLock(mLock); - OMX_BUFFERHEADERTYPE *header = findBufferHeader(buffer); + OMX_BUFFERHEADERTYPE *header = findBufferHeader(buffer, kPortIndexInput); + if (header == NULL) { + return BAD_VALUE; + } BufferMeta *buffer_meta = static_cast(header->pAppPrivate); sp backup = buffer_meta->getBuffer(header, true /* backup */, false /* limit */); @@ -1385,7 +1405,10 @@ bool OMXNodeInstance::handleMessage(omx_message &msg) { if (msg.type == omx_message::FILL_BUFFER_DONE) { OMX_BUFFERHEADERTYPE *buffer = - findBufferHeader(msg.u.extended_buffer_data.buffer); + findBufferHeader(msg.u.extended_buffer_data.buffer, kPortIndexOutput); + if (buffer == NULL) { + return false; + } { Mutex::Autolock _l(mDebugLock); @@ -1416,7 +1439,10 @@ bool OMXNodeInstance::handleMessage(omx_message &msg) { } } else if (msg.type == omx_message::EMPTY_BUFFER_DONE) { OMX_BUFFERHEADERTYPE *buffer = - findBufferHeader(msg.u.buffer_data.buffer); + findBufferHeader(msg.u.buffer_data.buffer, kPortIndexInput); + if (buffer == NULL) { + return false; + } { Mutex::Autolock _l(mDebugLock); @@ -1613,7 +1639,8 @@ OMX::buffer_id OMXNodeInstance::makeBufferID(OMX_BUFFERHEADERTYPE *bufferHeader) return buffer; } -OMX_BUFFERHEADERTYPE *OMXNodeInstance::findBufferHeader(OMX::buffer_id buffer) { +OMX_BUFFERHEADERTYPE *OMXNodeInstance::findBufferHeader( + OMX::buffer_id buffer, OMX_U32 portIndex) { if (buffer == 0) { return NULL; } @@ -1623,7 +1650,15 @@ OMX_BUFFERHEADERTYPE *OMXNodeInstance::findBufferHeader(OMX::buffer_id buffer) { CLOGW("findBufferHeader: buffer %u not found", buffer); return NULL; } - return mBufferIDToBufferHeader.valueAt(index); + OMX_BUFFERHEADERTYPE *header = mBufferIDToBufferHeader.valueAt(index); + BufferMeta *buffer_meta = + static_cast(header->pAppPrivate); + if (buffer_meta->getPortIndex() != portIndex) { + CLOGW("findBufferHeader: buffer %u found but with incorrect port index.", buffer); + android_errorWriteLog(0x534e4554, "28816827"); + return NULL; + } + return header; } OMX::buffer_id OMXNodeInstance::findBufferID(OMX_BUFFERHEADERTYPE *bufferHeader) { -- cgit v1.1 From 1f24c730ab6ca5aff1e3137b340b8aeaeda4bdbc Mon Sep 17 00:00:00 2001 From: Eino-Ville Talvala Date: Mon, 20 Jun 2016 17:00:14 -0700 Subject: DO NOT MERGE: Camera: Adjust pointers to ANW buffers to avoid infoleak Subtract address of a random static object from pointers being routed through app process. Bug: 28466701 Change-Id: Idcbfe81e9507433769672f3dc6d67db5eeed4e04 --- media/libstagefright/CameraSource.cpp | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/CameraSource.cpp b/media/libstagefright/CameraSource.cpp index 66280da..fa30644 100644 --- a/media/libstagefright/CameraSource.cpp +++ b/media/libstagefright/CameraSource.cpp @@ -27,8 +27,10 @@ #include #include #include +#include #include #include +#include #include #include #include @@ -792,6 +794,8 @@ void CameraSource::releaseQueuedFrames() { List >::iterator it; while (!mFramesReceived.empty()) { it = mFramesReceived.begin(); + // b/28466701 + adjustOutgoingANWBuffer(it->get()); releaseRecordingFrame(*it); mFramesReceived.erase(it); ++mNumFramesDropped; @@ -812,6 +816,9 @@ void CameraSource::signalBufferReturned(MediaBuffer *buffer) { for (List >::iterator it = mFramesBeingEncoded.begin(); it != mFramesBeingEncoded.end(); ++it) { if ((*it)->pointer() == buffer->data()) { + // b/28466701 + adjustOutgoingANWBuffer(it->get()); + releaseOneRecordingFrame((*it)); mFramesBeingEncoded.erase(it); ++mNumFramesEncoded; @@ -917,6 +924,10 @@ void CameraSource::dataCallbackTimestamp(int64_t timestampUs, ++mNumFramesReceived; CHECK(data != NULL && data->size() > 0); + + // b/28466701 + adjustIncomingANWBuffer(data.get()); + mFramesReceived.push_back(data); int64_t timeUs = mStartTimeUs + (timestampUs - mFirstFrameTimeUs); mFrameTimes.push_back(timeUs); @@ -930,6 +941,24 @@ bool CameraSource::isMetaDataStoredInVideoBuffers() const { return mIsMetaDataStoredInVideoBuffers; } +void CameraSource::adjustIncomingANWBuffer(IMemory* data) { + VideoNativeMetadata *payload = + reinterpret_cast(data->pointer()); + if (payload->eType == kMetadataBufferTypeANWBuffer) { + payload->pBuffer = (ANativeWindowBuffer*)(((uint8_t*)payload->pBuffer) + + ICameraRecordingProxy::getCommonBaseAddress()); + } +} + +void CameraSource::adjustOutgoingANWBuffer(IMemory* data) { + VideoNativeMetadata *payload = + reinterpret_cast(data->pointer()); + if (payload->eType == kMetadataBufferTypeANWBuffer) { + payload->pBuffer = (ANativeWindowBuffer*)(((uint8_t*)payload->pBuffer) - + ICameraRecordingProxy::getCommonBaseAddress()); + } +} + CameraSource::ProxyListener::ProxyListener(const sp& source) { mSource = source; } -- cgit v1.1 From 030001de8b26291b139a8c1d594f05130dafac1b Mon Sep 17 00:00:00 2001 From: Pawin Vongmasa Date: Tue, 21 Jun 2016 19:10:21 -0700 Subject: Impose a size bound for dynamically allocated tables in stbl. Impose a restriction of 200MiB for tables in stsc, stts, ctts and stss boxes. Also change mTimeToSample from Vector to array. Bug: 29367429 Change-Id: I953bea9fe0590268cf27376740f582dc88563d42 Merge conflict resolution of ag/1170200 to mnc-mr2-release --- media/libstagefright/SampleTable.cpp | 150 ++++++++++++++++++++++++----- media/libstagefright/include/SampleTable.h | 9 +- 2 files changed, 133 insertions(+), 26 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp index 8df9cb8..bc01a2d 100644 --- a/media/libstagefright/SampleTable.cpp +++ b/media/libstagefright/SampleTable.cpp @@ -123,7 +123,7 @@ SampleTable::SampleTable(const sp &source) mNumSampleSizes(0), mHasTimeToSample(false), mTimeToSampleCount(0), - mTimeToSample(), + mTimeToSample(NULL), mSampleTimeEntries(NULL), mCompositionTimeDeltaEntries(NULL), mNumCompositionTimeDeltaEntries(0), @@ -132,7 +132,8 @@ SampleTable::SampleTable(const sp &source) mNumSyncSamples(0), mSyncSamples(NULL), mLastSyncSampleIndex(0), - mSampleToChunkEntries(NULL) { + mSampleToChunkEntries(NULL), + mTotalSize(0) { mSampleIterator = new SampleIterator(this); } @@ -143,6 +144,9 @@ SampleTable::~SampleTable() { delete[] mSyncSamples; mSyncSamples = NULL; + delete[] mTimeToSample; + mTimeToSample = NULL; + delete mCompositionDeltaLookup; mCompositionDeltaLookup = NULL; @@ -233,13 +237,43 @@ status_t SampleTable::setSampleToChunkParams( return ERROR_MALFORMED; } - if (SIZE_MAX / sizeof(SampleToChunkEntry) <= (size_t)mNumSampleToChunkOffsets) + if ((uint64_t)SIZE_MAX / sizeof(SampleToChunkEntry) <= + (uint64_t)mNumSampleToChunkOffsets) { + ALOGE("Sample-to-chunk table size too large."); return ERROR_OUT_OF_RANGE; + } + + mTotalSize += (uint64_t)mNumSampleToChunkOffsets * + sizeof(SampleToChunkEntry); + if (mTotalSize > kMaxTotalSize) { + ALOGE("Sample-to-chunk table size would make sample table too large.\n" + " Requested sample-to-chunk table size = %llu\n" + " Eventual sample table size >= %llu\n" + " Allowed sample table size = %llu\n", + (unsigned long long)mNumSampleToChunkOffsets * + sizeof(SampleToChunkEntry), + (unsigned long long)mTotalSize, + (unsigned long long)kMaxTotalSize); + return ERROR_OUT_OF_RANGE; + } mSampleToChunkEntries = new (std::nothrow) SampleToChunkEntry[mNumSampleToChunkOffsets]; - if (!mSampleToChunkEntries) + if (!mSampleToChunkEntries) { + ALOGE("Cannot allocate sample-to-chunk table with %llu entries.", + (unsigned long long)mNumSampleToChunkOffsets); return ERROR_OUT_OF_RANGE; + } + + if (mNumSampleToChunkOffsets == 0) { + return OK; + } + + if ((off64_t)(SIZE_MAX - 8 - + ((mNumSampleToChunkOffsets - 1) * sizeof(SampleToChunkEntry))) + < mSampleToChunkOffset) { + return ERROR_MALFORMED; + } for (uint32_t i = 0; i < mNumSampleToChunkOffsets; ++i) { uint8_t buffer[12]; @@ -248,8 +282,11 @@ status_t SampleTable::setSampleToChunkParams( != (ssize_t)sizeof(buffer)) { return ERROR_IO; } - - CHECK(U32_AT(buffer) >= 1); // chunk index is 1 based in the spec. + // chunk index is 1 based in the spec. + if (U32_AT(buffer) < 1) { + ALOGE("b/23534160"); + return ERROR_OUT_OF_RANGE; + } // We want the chunk index to be 0-based. mSampleToChunkEntries[i].startChunk = U32_AT(buffer) - 1; @@ -349,21 +386,41 @@ status_t SampleTable::setTimeToSampleParams( // 2) mTimeToSampleCount is the number of entries of the time-to-sample // table. // 3) We hope that the table size does not exceed UINT32_MAX. - ALOGE(" Error: Time-to-sample table size too large."); - + ALOGE("Time-to-sample table size too large."); return ERROR_OUT_OF_RANGE; } // Note: At this point, we know that mTimeToSampleCount * 2 will not // overflow because of the above condition. - if (!mDataSource->getVector(data_offset + 8, &mTimeToSample, - mTimeToSampleCount * 2)) { - ALOGE(" Error: Incomplete data read for time-to-sample table."); + + uint64_t allocSize = (uint64_t)mTimeToSampleCount * 2 * sizeof(uint32_t); + mTotalSize += allocSize; + if (mTotalSize > kMaxTotalSize) { + ALOGE("Time-to-sample table size would make sample table too large.\n" + " Requested time-to-sample table size = %llu\n" + " Eventual sample table size >= %llu\n" + " Allowed sample table size = %llu\n", + (unsigned long long)allocSize, + (unsigned long long)mTotalSize, + (unsigned long long)kMaxTotalSize); + return ERROR_OUT_OF_RANGE; + } + + mTimeToSample = new (std::nothrow) uint32_t[mTimeToSampleCount * 2]; + if (!mTimeToSample) { + ALOGE("Cannot allocate time-to-sample table with %llu entries.", + (unsigned long long)mTimeToSampleCount); + return ERROR_OUT_OF_RANGE; + } + + if (mDataSource->readAt(data_offset + 8, mTimeToSample, + (size_t)allocSize) < (ssize_t)allocSize) { + ALOGE("Incomplete data read for time-to-sample table."); return ERROR_IO; } - for (size_t i = 0; i < mTimeToSample.size(); ++i) { - mTimeToSample.editItemAt(i) = ntohl(mTimeToSample[i]); + for (size_t i = 0; i < mTimeToSampleCount * 2; ++i) { + mTimeToSample[i] = ntohl(mTimeToSample[i]); } mHasTimeToSample = true; @@ -398,17 +455,32 @@ status_t SampleTable::setCompositionTimeToSampleParams( mNumCompositionTimeDeltaEntries = numEntries; uint64_t allocSize = (uint64_t)numEntries * 2 * sizeof(uint32_t); - if (allocSize > UINT32_MAX) { + if (allocSize > SIZE_MAX) { + ALOGE("Composition-time-to-sample table size too large."); + return ERROR_OUT_OF_RANGE; + } + + mTotalSize += allocSize; + if (mTotalSize > kMaxTotalSize) { + ALOGE("Composition-time-to-sample table would make sample table too large.\n" + " Requested composition-time-to-sample table size = %llu\n" + " Eventual sample table size >= %llu\n" + " Allowed sample table size = %llu\n", + (unsigned long long)allocSize, + (unsigned long long)mTotalSize, + (unsigned long long)kMaxTotalSize); return ERROR_OUT_OF_RANGE; } mCompositionTimeDeltaEntries = new (std::nothrow) uint32_t[2 * numEntries]; - if (!mCompositionTimeDeltaEntries) + if (!mCompositionTimeDeltaEntries) { + ALOGE("Cannot allocate composition-time-to-sample table with %llu " + "entries.", (unsigned long long)numEntries); return ERROR_OUT_OF_RANGE; + } - if (mDataSource->readAt( - data_offset + 8, mCompositionTimeDeltaEntries, numEntries * 8) - < (ssize_t)numEntries * 8) { + if (mDataSource->readAt(data_offset + 8, mCompositionTimeDeltaEntries, + (size_t)allocSize) < (ssize_t)allocSize) { delete[] mCompositionTimeDeltaEntries; mCompositionTimeDeltaEntries = NULL; @@ -449,18 +521,33 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size) ALOGV("Table of sync samples is empty or has only a single entry!"); } - uint64_t allocSize = mNumSyncSamples * (uint64_t)sizeof(uint32_t); + uint64_t allocSize = (uint64_t)mNumSyncSamples * sizeof(uint32_t); if (allocSize > SIZE_MAX) { + ALOGE("Sync sample table size too large."); + return ERROR_OUT_OF_RANGE; + } + + mTotalSize += allocSize; + if (mTotalSize > kMaxTotalSize) { + ALOGE("Sync sample table size would make sample table too large.\n" + " Requested sync sample table size = %llu\n" + " Eventual sample table size >= %llu\n" + " Allowed sample table size = %llu\n", + (unsigned long long)allocSize, + (unsigned long long)mTotalSize, + (unsigned long long)kMaxTotalSize); return ERROR_OUT_OF_RANGE; } mSyncSamples = new (std::nothrow) uint32_t[mNumSyncSamples]; - if (!mSyncSamples) + if (!mSyncSamples) { + ALOGE("Cannot allocate sync sample table with %llu entries.", + (unsigned long long)mNumSyncSamples); return ERROR_OUT_OF_RANGE; + } - size_t size = mNumSyncSamples * sizeof(uint32_t); - if (mDataSource->readAt(mSyncSampleOffset + 8, mSyncSamples, size) - != (ssize_t)size) { + if (mDataSource->readAt(mSyncSampleOffset + 8, mSyncSamples, + (size_t)allocSize) != (ssize_t)allocSize) { return ERROR_IO; } @@ -525,9 +612,24 @@ void SampleTable::buildSampleEntriesTable() { return; } + mTotalSize += (uint64_t)mNumSampleSizes * sizeof(SampleTimeEntry); + if (mTotalSize > kMaxTotalSize) { + ALOGE("Sample entry table size would make sample table too large.\n" + " Requested sample entry table size = %llu\n" + " Eventual sample table size >= %llu\n" + " Allowed sample table size = %llu\n", + (unsigned long long)mNumSampleSizes * sizeof(SampleTimeEntry), + (unsigned long long)mTotalSize, + (unsigned long long)kMaxTotalSize); + return; + } + mSampleTimeEntries = new (std::nothrow) SampleTimeEntry[mNumSampleSizes]; - if (!mSampleTimeEntries) + if (!mSampleTimeEntries) { + ALOGE("Cannot allocate sample entry table with %llu entries.", + (unsigned long long)mNumSampleSizes); return; + } uint32_t sampleIndex = 0; uint32_t sampleTime = 0; diff --git a/media/libstagefright/include/SampleTable.h b/media/libstagefright/include/SampleTable.h index 465f37c..552eef7 100644 --- a/media/libstagefright/include/SampleTable.h +++ b/media/libstagefright/include/SampleTable.h @@ -24,7 +24,6 @@ #include #include #include -#include namespace android { @@ -96,6 +95,9 @@ private: static const uint32_t kSampleSizeType32; static const uint32_t kSampleSizeTypeCompact; + // Limit the total size of all internal tables to 200MiB. + static const size_t kMaxTotalSize = 200 * (1 << 20); + sp mDataSource; Mutex mLock; @@ -113,7 +115,7 @@ private: bool mHasTimeToSample; uint32_t mTimeToSampleCount; - Vector mTimeToSample; + uint32_t* mTimeToSample; struct SampleTimeEntry { uint32_t mSampleIndex; @@ -139,6 +141,9 @@ private: }; SampleToChunkEntry *mSampleToChunkEntries; + // Approximate size of all tables combined. + uint64_t mTotalSize; + friend struct SampleIterator; // normally we don't round -- cgit v1.1 From 9871fae25b351268e359682e6c149acbf47620c1 Mon Sep 17 00:00:00 2001 From: Robert Shih Date: Mon, 27 Jun 2016 13:55:14 -0700 Subject: SoftMP3: memset safely Bug: 29422022 Change-Id: I70c9e33269d16bf8c163815706ac24e18e34fe97 --- media/libstagefright/codecs/mp3dec/SoftMP3.cpp | 22 ++++++++++++++++++---- media/libstagefright/codecs/mp3dec/SoftMP3.h | 1 + 2 files changed, 19 insertions(+), 4 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp index aa946e6..daef471 100644 --- a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp +++ b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp @@ -120,6 +120,17 @@ void SoftMP3::initDecoder() { mIsFirst = true; } +void *SoftMP3::memsetSafe(OMX_BUFFERHEADERTYPE *outHeader, int c, size_t len) { + if (len > outHeader->nAllocLen) { + ALOGE("memset buffer too small: got %lu, expected %zu", outHeader->nAllocLen, len); + android_errorWriteLog(0x534e4554, "29422022"); + notify(OMX_EventError, OMX_ErrorUndefined, OUTPUT_BUFFER_TOO_SMALL, NULL); + mSignalledError = true; + return NULL; + } + return memset(outHeader->pBuffer, c, len); +} + OMX_ERRORTYPE SoftMP3::internalGetParameter( OMX_INDEXTYPE index, OMX_PTR params) { switch (index) { @@ -300,7 +311,10 @@ void SoftMP3::onQueueFilled(OMX_U32 /* portIndex */) { outHeader->nOffset = 0; outHeader->nFilledLen = kPVMP3DecoderDelay * mNumChannels * sizeof(int16_t); - memset(outHeader->pBuffer, 0, outHeader->nFilledLen); + if (!memsetSafe(outHeader, 0, outHeader->nFilledLen)) { + return; + } + } outHeader->nFlags = OMX_BUFFERFLAG_EOS; mSignalledOutputEos = true; @@ -312,9 +326,9 @@ void SoftMP3::onQueueFilled(OMX_U32 /* portIndex */) { // if mIsFirst is true as we may not have a valid // mConfig->samplingRate and mConfig->num_channels? ALOGV_IF(mIsFirst, "insufficient data for first frame, sending silence"); - memset(outHeader->pBuffer, - 0, - mConfig->outputFrameSize * sizeof(int16_t)); + if (!memsetSafe(outHeader, 0, mConfig->outputFrameSize * sizeof(int16_t))) { + return; + } if (inHeader) { mConfig->inputBufferUsedLength = inHeader->nFilledLen; diff --git a/media/libstagefright/codecs/mp3dec/SoftMP3.h b/media/libstagefright/codecs/mp3dec/SoftMP3.h index f9e7b53..3bfa6c7 100644 --- a/media/libstagefright/codecs/mp3dec/SoftMP3.h +++ b/media/libstagefright/codecs/mp3dec/SoftMP3.h @@ -72,6 +72,7 @@ private: void initPorts(); void initDecoder(); + void *memsetSafe(OMX_BUFFERHEADERTYPE *outHeader, int c, size_t len); DISALLOW_EVIL_CONSTRUCTORS(SoftMP3); }; -- cgit v1.1 From 49a847e0f6558849adef32d64d2a1093fc527c96 Mon Sep 17 00:00:00 2001 From: Wonsik Kim Date: Fri, 17 Jun 2016 01:24:30 +0900 Subject: DO NOT MERGE stagefright: fix possible stack overflow in AVCC reassemble Additionally, remove use of variable length array which is non-standard in C++. Bug: 29161888 Change-Id: Ifdc3e7435f2225214c053b13f3bfe71c7d0ff506 --- media/libstagefright/Utils.cpp | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/Utils.cpp b/media/libstagefright/Utils.cpp index 17f0201..0d9dc3a 100644 --- a/media/libstagefright/Utils.cpp +++ b/media/libstagefright/Utils.cpp @@ -671,20 +671,30 @@ void convertMessageToMetaData(const sp &msg, sp &meta) { // reassemble the csd data into its original form sp csd0; if (msg->findBuffer("csd-0", &csd0)) { + int csd0size = csd0->size(); if (mime == MEDIA_MIMETYPE_VIDEO_AVC) { sp csd1; if (msg->findBuffer("csd-1", &csd1)) { - char avcc[1024]; // that oughta be enough, right? - size_t outsize = reassembleAVCC(csd0, csd1, avcc); - meta->setData(kKeyAVCC, kKeyAVCC, avcc, outsize); + Vector avcc; + int avccSize = csd0size + csd1->size() + 1024; + if (avcc.resize(avccSize) < 0) { + ALOGE("error allocating avcc (size %d); abort setting avcc.", avccSize); + } else { + size_t outsize = reassembleAVCC(csd0, csd1, avcc.editArray()); + meta->setData(kKeyAVCC, kKeyAVCC, avcc.array(), outsize); + } } } else if (mime == MEDIA_MIMETYPE_AUDIO_AAC || mime == MEDIA_MIMETYPE_VIDEO_MPEG4) { - int csd0size = csd0->size(); - char esds[csd0size + 31]; - // The written ESDS is actually for an audio stream, but it's enough - // for transporting the CSD to muxers. - reassembleESDS(csd0, esds); - meta->setData(kKeyESDS, kKeyESDS, esds, sizeof(esds)); + Vector esds; + int esdsSize = csd0size + 31; + if (esds.resize(esdsSize) < 0) { + ALOGE("error allocating esds (size %d); abort setting esds.", esdsSize); + } else { + // The written ESDS is actually for an audio stream, but it's enough + // for transporting the CSD to muxers. + reassembleESDS(csd0, esds.editArray()); + meta->setData(kKeyESDS, kKeyESDS, esds.array(), esds.size()); + } } } -- cgit v1.1 From f9391b39b1f0c98191ad3fff1a54b5f26e954421 Mon Sep 17 00:00:00 2001 From: Ray Essick Date: Wed, 6 Jul 2016 10:13:25 -0700 Subject: Fix corruption via buffer overflow in mediaserver change unbound sprintf() to snprintf() so network-provided values can't overflow the buffers. Applicable to all K/L/M/N branches. Bug: 25747670 Change-Id: Id6a5120c2d08a6fbbd47deffb680ecf82015f4f6 --- media/libstagefright/rtsp/ASessionDescription.cpp | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/rtsp/ASessionDescription.cpp b/media/libstagefright/rtsp/ASessionDescription.cpp index 98498e9..47573c3 100644 --- a/media/libstagefright/rtsp/ASessionDescription.cpp +++ b/media/libstagefright/rtsp/ASessionDescription.cpp @@ -17,6 +17,7 @@ //#define LOG_NDEBUG 0 #define LOG_TAG "ASessionDescription" #include +#include #include "ASessionDescription.h" @@ -211,12 +212,12 @@ void ASessionDescription::getFormatType( *PT = x; - char key[20]; - sprintf(key, "a=rtpmap:%lu", x); + char key[32]; + snprintf(key, sizeof(key), "a=rtpmap:%lu", x); CHECK(findAttribute(index, key, desc)); - sprintf(key, "a=fmtp:%lu", x); + snprintf(key, sizeof(key), "a=fmtp:%lu", x); if (!findAttribute(index, key, params)) { params->clear(); } @@ -228,8 +229,11 @@ bool ASessionDescription::getDimensions( *width = 0; *height = 0; - char key[20]; - sprintf(key, "a=framesize:%lu", PT); + char key[33]; + snprintf(key, sizeof(key), "a=framesize:%lu", PT); + if (PT > 9999999) { + android_errorWriteLog(0x534e4554, "25747670"); + } AString value; if (!findAttribute(index, key, &value)) { return false; -- cgit v1.1 From 97837bb6cbac21ea679843a0037779d3834bed64 Mon Sep 17 00:00:00 2001 From: Robert Shih Date: Tue, 12 Jul 2016 18:00:53 -0700 Subject: OMXCodec: check IMemory::pointer() before using allocation Bug: 29421811 Change-Id: I0a73ba12bae4122f1d89fc92e5ea4f6a96cd1ed1 --- media/libstagefright/OMXCodec.cpp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/OMXCodec.cpp b/media/libstagefright/OMXCodec.cpp index 4618e21..7e15e18 100644 --- a/media/libstagefright/OMXCodec.cpp +++ b/media/libstagefright/OMXCodec.cpp @@ -1622,7 +1622,9 @@ status_t OMXCodec::allocateBuffersOnPort(OMX_U32 portIndex) { for (OMX_U32 i = 0; i < def.nBufferCountActual; ++i) { sp mem = mDealer[portIndex]->allocate(def.nBufferSize); - CHECK(mem.get() != NULL); + if (mem == NULL || mem->pointer() == NULL) { + return NO_MEMORY; + } BufferInfo info; info.mData = NULL; -- cgit v1.1 From ee44d7cdbdea9a8a67e967b3bc05f0cd409ae2b1 Mon Sep 17 00:00:00 2001 From: Robert Shih Date: Fri, 24 Jun 2016 12:37:45 -0700 Subject: SoftVPX: fix nFilledLen overflow Bug: 29421675 Change-Id: I25d4cf54a5df22c2130c37e95c7c7f75063111f3 --- media/libstagefright/codecs/on2/dec/SoftVPX.cpp | 22 +++++++++++++++++++--- media/libstagefright/codecs/on2/dec/SoftVPX.h | 1 + 2 files changed, 20 insertions(+), 3 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/on2/dec/SoftVPX.cpp b/media/libstagefright/codecs/on2/dec/SoftVPX.cpp index 02e85a1..58a2660 100644 --- a/media/libstagefright/codecs/on2/dec/SoftVPX.cpp +++ b/media/libstagefright/codecs/on2/dec/SoftVPX.cpp @@ -149,7 +149,7 @@ bool SoftVPX::outputBuffers(bool flushDecoder, bool display, bool eos, bool *por outHeader->nFlags = 0; outHeader->nFilledLen = (outputBufferWidth() * outputBufferHeight() * 3) / 2; outHeader->nTimeStamp = *(OMX_TICKS *)mImg->user_priv; - if (outHeader->nAllocLen >= outHeader->nFilledLen) { + if (outputBufferSafe(outHeader)) { uint8_t *dst = outHeader->pBuffer; const uint8_t *srcY = (const uint8_t *)mImg->planes[VPX_PLANE_Y]; const uint8_t *srcU = (const uint8_t *)mImg->planes[VPX_PLANE_U]; @@ -159,8 +159,6 @@ bool SoftVPX::outputBuffers(bool flushDecoder, bool display, bool eos, bool *por size_t srcVStride = mImg->stride[VPX_PLANE_V]; copyYV12FrameToOutputBuffer(dst, srcY, srcU, srcV, srcYStride, srcUStride, srcVStride); } else { - ALOGE("b/27597103, buffer too small"); - android_errorWriteLog(0x534e4554, "27597103"); outHeader->nFilledLen = 0; } @@ -190,6 +188,24 @@ bool SoftVPX::outputBuffers(bool flushDecoder, bool display, bool eos, bool *por return true; } +bool SoftVPX::outputBufferSafe(OMX_BUFFERHEADERTYPE *outHeader) { + uint32_t width = outputBufferWidth(); + uint32_t height = outputBufferHeight(); + uint64_t nFilledLen = width; + nFilledLen *= height; + if (nFilledLen > UINT32_MAX / 3) { + ALOGE("b/29421675, nFilledLen overflow %llu w %u h %u", nFilledLen, width, height); + android_errorWriteLog(0x534e4554, "29421675"); + return false; + } else if (outHeader->nAllocLen < outHeader->nFilledLen) { + ALOGE("b/27597103, buffer too small"); + android_errorWriteLog(0x534e4554, "27597103"); + return false; + } + + return true; +} + void SoftVPX::onQueueFilled(OMX_U32 /* portIndex */) { if (mOutputPortSettingsChange != NONE || mEOSStatus == OUTPUT_FRAMES_FLUSHED) { return; diff --git a/media/libstagefright/codecs/on2/dec/SoftVPX.h b/media/libstagefright/codecs/on2/dec/SoftVPX.h index 8ccbae2..84cf79c 100644 --- a/media/libstagefright/codecs/on2/dec/SoftVPX.h +++ b/media/libstagefright/codecs/on2/dec/SoftVPX.h @@ -66,6 +66,7 @@ private: status_t initDecoder(); status_t destroyDecoder(); bool outputBuffers(bool flushDecoder, bool display, bool eos, bool *portWillReset); + bool outputBufferSafe(OMX_BUFFERHEADERTYPE *outHeader); DISALLOW_EVIL_CONSTRUCTORS(SoftVPX); }; -- cgit v1.1 From 50643aadeb8dfe53da7848a5d5e995d5486678e1 Mon Sep 17 00:00:00 2001 From: Lajos Molnar Date: Wed, 13 Jul 2016 20:27:32 -0700 Subject: fix build Change-Id: I9bb8c659d3fc97a8e748451d82d0f3448faa242b --- media/libstagefright/codecs/on2/dec/SoftVPX.cpp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/on2/dec/SoftVPX.cpp b/media/libstagefright/codecs/on2/dec/SoftVPX.cpp index 58a2660..912fac2 100644 --- a/media/libstagefright/codecs/on2/dec/SoftVPX.cpp +++ b/media/libstagefright/codecs/on2/dec/SoftVPX.cpp @@ -194,7 +194,8 @@ bool SoftVPX::outputBufferSafe(OMX_BUFFERHEADERTYPE *outHeader) { uint64_t nFilledLen = width; nFilledLen *= height; if (nFilledLen > UINT32_MAX / 3) { - ALOGE("b/29421675, nFilledLen overflow %llu w %u h %u", nFilledLen, width, height); + ALOGE("b/29421675, nFilledLen overflow %llu w %u h %u", + (unsigned long long)nFilledLen, width, height); android_errorWriteLog(0x534e4554, "29421675"); return false; } else if (outHeader->nAllocLen < outHeader->nFilledLen) { -- cgit v1.1 From ae1810fab90cd6ec19d4f0386b80aa0391882fba Mon Sep 17 00:00:00 2001 From: Robert Shih Date: Thu, 14 Jul 2016 12:37:52 -0700 Subject: Fix build Change-Id: I96a9c437eec53a285ac96794cc1ad0c8954b27e0 --- media/libstagefright/codecs/mp3dec/SoftMP3.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp index daef471..54fe622 100644 --- a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp +++ b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp @@ -122,7 +122,7 @@ void SoftMP3::initDecoder() { void *SoftMP3::memsetSafe(OMX_BUFFERHEADERTYPE *outHeader, int c, size_t len) { if (len > outHeader->nAllocLen) { - ALOGE("memset buffer too small: got %lu, expected %zu", outHeader->nAllocLen, len); + ALOGE("memset buffer too small: got %lu, expected %zu", (unsigned long)outHeader->nAllocLen, len); android_errorWriteLog(0x534e4554, "29422022"); notify(OMX_EventError, OMX_ErrorUndefined, OUTPUT_BUFFER_TOO_SMALL, NULL); mSignalledError = true; -- cgit v1.1 From d67bab69a322990aa386dad608ad2a823ef21578 Mon Sep 17 00:00:00 2001 From: Robert Shih Date: Thu, 14 Jul 2016 13:50:32 -0700 Subject: Fix build Change-Id: I48ba34b3df9c9a896d4b18c3f48e41744b7dab54 --- media/libstagefright/codecs/mp3dec/SoftMP3.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp index 54fe622..9f7dd59 100644 --- a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp +++ b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp @@ -122,7 +122,7 @@ void SoftMP3::initDecoder() { void *SoftMP3::memsetSafe(OMX_BUFFERHEADERTYPE *outHeader, int c, size_t len) { if (len > outHeader->nAllocLen) { - ALOGE("memset buffer too small: got %lu, expected %zu", (unsigned long)outHeader->nAllocLen, len); + ALOGE("memset buffer too small: got %u, expected %zu", outHeader->nAllocLen, len); android_errorWriteLog(0x534e4554, "29422022"); notify(OMX_EventError, OMX_ErrorUndefined, OUTPUT_BUFFER_TOO_SMALL, NULL); mSignalledError = true; -- cgit v1.1 From c174665ec2f19904550daeb65d08f4959654d9a4 Mon Sep 17 00:00:00 2001 From: Wonsik Kim Date: Thu, 7 Jul 2016 12:57:02 +0900 Subject: omx: prevent input port enable/disable for software codecs Bug: 29421804 Change-Id: Iba1011e9af942a6dff7f659af769a51e3f5ba66f --- media/libstagefright/omx/SimpleSoftOMXComponent.cpp | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/omx/SimpleSoftOMXComponent.cpp b/media/libstagefright/omx/SimpleSoftOMXComponent.cpp index 60c1e2e..13afd45 100644 --- a/media/libstagefright/omx/SimpleSoftOMXComponent.cpp +++ b/media/libstagefright/omx/SimpleSoftOMXComponent.cpp @@ -469,6 +469,13 @@ void SimpleSoftOMXComponent::onPortEnable(OMX_U32 portIndex, bool enable) { CHECK_EQ((int)port->mTransition, (int)PortInfo::NONE); CHECK(port->mDef.bEnabled == !enable); + if (port->mDef.eDir != OMX_DirOutput) { + ALOGE("Port enable/disable allowed only on output ports."); + notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); + android_errorWriteLog(0x534e4554, "29421804"); + return; + } + if (!enable) { port->mDef.bEnabled = OMX_FALSE; port->mTransition = PortInfo::DISABLING; -- cgit v1.1 From 6679b5088f36693f5708dcaedd0c9ab7c66df27c Mon Sep 17 00:00:00 2001 From: Wonsik Kim Date: Thu, 21 Jul 2016 14:43:38 +0900 Subject: DO NOT MERGE - stagefright: fix integer overflow error Bug: 30103394 Change-Id: If449d3e30a0bf2ebea5317f41813bfed094f7408 (cherry picked from commit 2c74a3cd5d1d66b9a35424b9c4443dafa6db5bef) --- media/libstagefright/SampleTable.cpp | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp index bc01a2d..72e30f1 100644 --- a/media/libstagefright/SampleTable.cpp +++ b/media/libstagefright/SampleTable.cpp @@ -18,6 +18,8 @@ //#define LOG_NDEBUG 0 #include +#include + #include "include/SampleTable.h" #include "include/SampleIterator.h" @@ -27,11 +29,6 @@ #include #include -/* TODO: remove after being merged into other branches */ -#ifndef UINT32_MAX -#define UINT32_MAX (4294967295U) -#endif - namespace android { // static @@ -45,6 +42,8 @@ const uint32_t SampleTable::kSampleSizeTypeCompact = FOURCC('s', 't', 'z', '2'); //////////////////////////////////////////////////////////////////////////////// +const off64_t kMaxOffset = std::numeric_limits::max(); + struct SampleTable::CompositionDeltaLookup { CompositionDeltaLookup(); @@ -233,11 +232,11 @@ status_t SampleTable::setSampleToChunkParams( mNumSampleToChunkOffsets = U32_AT(&header[4]); - if (data_size < 8 + mNumSampleToChunkOffsets * 12) { + if ((data_size - 8) / sizeof(SampleToChunkEntry) < mNumSampleToChunkOffsets) { return ERROR_MALFORMED; } - if ((uint64_t)SIZE_MAX / sizeof(SampleToChunkEntry) <= + if ((uint64_t)kMaxTotalSize / sizeof(SampleToChunkEntry) <= (uint64_t)mNumSampleToChunkOffsets) { ALOGE("Sample-to-chunk table size too large."); return ERROR_OUT_OF_RANGE; @@ -269,16 +268,19 @@ status_t SampleTable::setSampleToChunkParams( return OK; } - if ((off64_t)(SIZE_MAX - 8 - + if ((off64_t)(kMaxOffset - 8 - ((mNumSampleToChunkOffsets - 1) * sizeof(SampleToChunkEntry))) < mSampleToChunkOffset) { return ERROR_MALFORMED; } for (uint32_t i = 0; i < mNumSampleToChunkOffsets; ++i) { - uint8_t buffer[12]; + uint8_t buffer[sizeof(SampleToChunkEntry)]; + if (mDataSource->readAt( - mSampleToChunkOffset + 8 + i * 12, buffer, sizeof(buffer)) + mSampleToChunkOffset + 8 + i * sizeof(SampleToChunkEntry), + buffer, + sizeof(buffer)) != (ssize_t)sizeof(buffer)) { return ERROR_IO; } @@ -378,8 +380,7 @@ status_t SampleTable::setTimeToSampleParams( } mTimeToSampleCount = U32_AT(&header[4]); - if ((uint64_t)mTimeToSampleCount > - (uint64_t)UINT32_MAX / (2 * sizeof(uint32_t))) { + if (mTimeToSampleCount > UINT32_MAX / (2 * sizeof(uint32_t))) { // Choose this bound because // 1) 2 * sizeof(uint32_t) is the amount of memory needed for one // time-to-sample entry in the time-to-sample table. @@ -455,7 +456,7 @@ status_t SampleTable::setCompositionTimeToSampleParams( mNumCompositionTimeDeltaEntries = numEntries; uint64_t allocSize = (uint64_t)numEntries * 2 * sizeof(uint32_t); - if (allocSize > SIZE_MAX) { + if (allocSize > kMaxTotalSize) { ALOGE("Composition-time-to-sample table size too large."); return ERROR_OUT_OF_RANGE; } @@ -522,7 +523,7 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size) } uint64_t allocSize = (uint64_t)mNumSyncSamples * sizeof(uint32_t); - if (allocSize > SIZE_MAX) { + if (allocSize > kMaxTotalSize) { ALOGE("Sync sample table size too large."); return ERROR_OUT_OF_RANGE; } -- cgit v1.1 From 2071f20583103d1ccf6102f84b2eedd6bb1214ba Mon Sep 17 00:00:00 2001 From: Ricardo Cerqueira Date: Wed, 10 Aug 2016 13:55:18 +0100 Subject: stagefright: Remove the HAL3 limitation from the video reference clock selection Usage of boot-time as the timestamp reference isn't necessarily limited to HAL3. A single property check for media.camera.ts.monotonic is enough to cover all cases. Change-Id: Ic56dbcc6ba32c25bccde6dd0bbf07d4c918af43e --- media/libstagefright/CameraSource.cpp | 3 +-- media/libstagefright/MediaCodecSource.cpp | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/CameraSource.cpp b/media/libstagefright/CameraSource.cpp index 4caee78..f6b4741 100644 --- a/media/libstagefright/CameraSource.cpp +++ b/media/libstagefright/CameraSource.cpp @@ -705,8 +705,7 @@ status_t CameraSource::start(MetaData *meta) { int64_t startTimeUs; auto key = kKeyTime; - if (property_get_bool("persist.camera.HAL3.enabled", true) && - !property_get_bool("media.camera.ts.monotonic", true)) { + if (!property_get_bool("media.camera.ts.monotonic", true)) { key = kKeyTimeBoot; } diff --git a/media/libstagefright/MediaCodecSource.cpp b/media/libstagefright/MediaCodecSource.cpp index 94427ef..14a3c0d 100644 --- a/media/libstagefright/MediaCodecSource.cpp +++ b/media/libstagefright/MediaCodecSource.cpp @@ -665,8 +665,7 @@ status_t MediaCodecSource::onStart(MetaData *params) { if (mFlags & FLAG_USE_SURFACE_INPUT) { auto key = kKeyTime; - if (property_get_bool("persist.camera.HAL3.enabled", true) && - !property_get_bool("media.camera.ts.monotonic", true)) { + if (!property_get_bool("media.camera.ts.monotonic", true)) { key = kKeyTimeBoot; } -- cgit v1.1 From 8d41a10e57903142b9daba6a31a47f101757130c Mon Sep 17 00:00:00 2001 From: Danny Baumann Date: Tue, 9 Aug 2016 09:51:51 +0200 Subject: mediascanner: Accept .opus file extension. Apparently there are a number of people and/or tools that name their opus coded audio in ogg containers *.opus. Reflect that fact. Change-Id: I0617a6d93fe793cdef06ffd4e334001e5f9b054e --- media/libstagefright/StagefrightMediaScanner.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/StagefrightMediaScanner.cpp b/media/libstagefright/StagefrightMediaScanner.cpp index 8d3392e..d5ef1a6 100644 --- a/media/libstagefright/StagefrightMediaScanner.cpp +++ b/media/libstagefright/StagefrightMediaScanner.cpp @@ -46,7 +46,7 @@ static bool FileHasAcceptableExtension(const char *extension) { ".mov", ".ra", ".rm", ".rmvb", ".ac3", ".ape", ".dts", ".mp1", ".mp2", ".f4v", "hlv", "nrg", "m2v", ".swf", ".avi", ".mpg", ".mpeg", ".awb", ".vc1", ".vob", ".divx", - ".mpga", ".mov", ".qcp", ".ec3" + ".mpga", ".mov", ".qcp", ".ec3", ".opus" }; static const size_t kNumValidExtensions = sizeof(kValidExtensions) / sizeof(kValidExtensions[0]); -- cgit v1.1 From 10db5e094e4d7501ec277622dc29e714927dc588 Mon Sep 17 00:00:00 2001 From: Robert Shih Date: Mon, 27 Jun 2016 13:55:14 -0700 Subject: SoftMP3: memset safely Bug: 29422022 Change-Id: I70c9e33269d16bf8c163815706ac24e18e34fe97 --- media/libstagefright/codecs/mp3dec/SoftMP3.cpp | 22 ++++++++++++++++++---- media/libstagefright/codecs/mp3dec/SoftMP3.h | 1 + 2 files changed, 19 insertions(+), 4 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp index aa946e6..daef471 100644 --- a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp +++ b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp @@ -120,6 +120,17 @@ void SoftMP3::initDecoder() { mIsFirst = true; } +void *SoftMP3::memsetSafe(OMX_BUFFERHEADERTYPE *outHeader, int c, size_t len) { + if (len > outHeader->nAllocLen) { + ALOGE("memset buffer too small: got %lu, expected %zu", outHeader->nAllocLen, len); + android_errorWriteLog(0x534e4554, "29422022"); + notify(OMX_EventError, OMX_ErrorUndefined, OUTPUT_BUFFER_TOO_SMALL, NULL); + mSignalledError = true; + return NULL; + } + return memset(outHeader->pBuffer, c, len); +} + OMX_ERRORTYPE SoftMP3::internalGetParameter( OMX_INDEXTYPE index, OMX_PTR params) { switch (index) { @@ -300,7 +311,10 @@ void SoftMP3::onQueueFilled(OMX_U32 /* portIndex */) { outHeader->nOffset = 0; outHeader->nFilledLen = kPVMP3DecoderDelay * mNumChannels * sizeof(int16_t); - memset(outHeader->pBuffer, 0, outHeader->nFilledLen); + if (!memsetSafe(outHeader, 0, outHeader->nFilledLen)) { + return; + } + } outHeader->nFlags = OMX_BUFFERFLAG_EOS; mSignalledOutputEos = true; @@ -312,9 +326,9 @@ void SoftMP3::onQueueFilled(OMX_U32 /* portIndex */) { // if mIsFirst is true as we may not have a valid // mConfig->samplingRate and mConfig->num_channels? ALOGV_IF(mIsFirst, "insufficient data for first frame, sending silence"); - memset(outHeader->pBuffer, - 0, - mConfig->outputFrameSize * sizeof(int16_t)); + if (!memsetSafe(outHeader, 0, mConfig->outputFrameSize * sizeof(int16_t))) { + return; + } if (inHeader) { mConfig->inputBufferUsedLength = inHeader->nFilledLen; diff --git a/media/libstagefright/codecs/mp3dec/SoftMP3.h b/media/libstagefright/codecs/mp3dec/SoftMP3.h index f9e7b53..3bfa6c7 100644 --- a/media/libstagefright/codecs/mp3dec/SoftMP3.h +++ b/media/libstagefright/codecs/mp3dec/SoftMP3.h @@ -72,6 +72,7 @@ private: void initPorts(); void initDecoder(); + void *memsetSafe(OMX_BUFFERHEADERTYPE *outHeader, int c, size_t len); DISALLOW_EVIL_CONSTRUCTORS(SoftMP3); }; -- cgit v1.1 From e441275efea14a98d5a059328e660d9a08b13932 Mon Sep 17 00:00:00 2001 From: Wonsik Kim Date: Fri, 17 Jun 2016 01:24:30 +0900 Subject: DO NOT MERGE stagefright: fix possible stack overflow in AVCC reassemble Additionally, remove use of variable length array which is non-standard in C++. Bug: 29161888 Change-Id: Ifdc3e7435f2225214c053b13f3bfe71c7d0ff506 --- media/libstagefright/Utils.cpp | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/Utils.cpp b/media/libstagefright/Utils.cpp index 17f0201..0d9dc3a 100644 --- a/media/libstagefright/Utils.cpp +++ b/media/libstagefright/Utils.cpp @@ -671,20 +671,30 @@ void convertMessageToMetaData(const sp &msg, sp &meta) { // reassemble the csd data into its original form sp csd0; if (msg->findBuffer("csd-0", &csd0)) { + int csd0size = csd0->size(); if (mime == MEDIA_MIMETYPE_VIDEO_AVC) { sp csd1; if (msg->findBuffer("csd-1", &csd1)) { - char avcc[1024]; // that oughta be enough, right? - size_t outsize = reassembleAVCC(csd0, csd1, avcc); - meta->setData(kKeyAVCC, kKeyAVCC, avcc, outsize); + Vector avcc; + int avccSize = csd0size + csd1->size() + 1024; + if (avcc.resize(avccSize) < 0) { + ALOGE("error allocating avcc (size %d); abort setting avcc.", avccSize); + } else { + size_t outsize = reassembleAVCC(csd0, csd1, avcc.editArray()); + meta->setData(kKeyAVCC, kKeyAVCC, avcc.array(), outsize); + } } } else if (mime == MEDIA_MIMETYPE_AUDIO_AAC || mime == MEDIA_MIMETYPE_VIDEO_MPEG4) { - int csd0size = csd0->size(); - char esds[csd0size + 31]; - // The written ESDS is actually for an audio stream, but it's enough - // for transporting the CSD to muxers. - reassembleESDS(csd0, esds); - meta->setData(kKeyESDS, kKeyESDS, esds, sizeof(esds)); + Vector esds; + int esdsSize = csd0size + 31; + if (esds.resize(esdsSize) < 0) { + ALOGE("error allocating esds (size %d); abort setting esds.", esdsSize); + } else { + // The written ESDS is actually for an audio stream, but it's enough + // for transporting the CSD to muxers. + reassembleESDS(csd0, esds.editArray()); + meta->setData(kKeyESDS, kKeyESDS, esds.array(), esds.size()); + } } } -- cgit v1.1 From e9ef8505a1a33667ef97b752f77190c24b468015 Mon Sep 17 00:00:00 2001 From: Ray Essick Date: Wed, 6 Jul 2016 10:13:25 -0700 Subject: Fix corruption via buffer overflow in mediaserver change unbound sprintf() to snprintf() so network-provided values can't overflow the buffers. Applicable to all K/L/M/N branches. Bug: 25747670 Change-Id: Id6a5120c2d08a6fbbd47deffb680ecf82015f4f6 --- media/libstagefright/rtsp/ASessionDescription.cpp | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/rtsp/ASessionDescription.cpp b/media/libstagefright/rtsp/ASessionDescription.cpp index 98498e9..47573c3 100644 --- a/media/libstagefright/rtsp/ASessionDescription.cpp +++ b/media/libstagefright/rtsp/ASessionDescription.cpp @@ -17,6 +17,7 @@ //#define LOG_NDEBUG 0 #define LOG_TAG "ASessionDescription" #include +#include #include "ASessionDescription.h" @@ -211,12 +212,12 @@ void ASessionDescription::getFormatType( *PT = x; - char key[20]; - sprintf(key, "a=rtpmap:%lu", x); + char key[32]; + snprintf(key, sizeof(key), "a=rtpmap:%lu", x); CHECK(findAttribute(index, key, desc)); - sprintf(key, "a=fmtp:%lu", x); + snprintf(key, sizeof(key), "a=fmtp:%lu", x); if (!findAttribute(index, key, params)) { params->clear(); } @@ -228,8 +229,11 @@ bool ASessionDescription::getDimensions( *width = 0; *height = 0; - char key[20]; - sprintf(key, "a=framesize:%lu", PT); + char key[33]; + snprintf(key, sizeof(key), "a=framesize:%lu", PT); + if (PT > 9999999) { + android_errorWriteLog(0x534e4554, "25747670"); + } AString value; if (!findAttribute(index, key, &value)) { return false; -- cgit v1.1 From ed4f365e8b158934937ad0a2e14ede566923bc33 Mon Sep 17 00:00:00 2001 From: Robert Shih Date: Tue, 12 Jul 2016 18:00:53 -0700 Subject: OMXCodec: check IMemory::pointer() before using allocation Bug: 29421811 Change-Id: I0a73ba12bae4122f1d89fc92e5ea4f6a96cd1ed1 --- media/libstagefright/OMXCodec.cpp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/OMXCodec.cpp b/media/libstagefright/OMXCodec.cpp index 4618e21..7e15e18 100644 --- a/media/libstagefright/OMXCodec.cpp +++ b/media/libstagefright/OMXCodec.cpp @@ -1622,7 +1622,9 @@ status_t OMXCodec::allocateBuffersOnPort(OMX_U32 portIndex) { for (OMX_U32 i = 0; i < def.nBufferCountActual; ++i) { sp mem = mDealer[portIndex]->allocate(def.nBufferSize); - CHECK(mem.get() != NULL); + if (mem == NULL || mem->pointer() == NULL) { + return NO_MEMORY; + } BufferInfo info; info.mData = NULL; -- cgit v1.1 From 356f1ded898c5708ea95fe22ece052c3a094950d Mon Sep 17 00:00:00 2001 From: Robert Shih Date: Fri, 24 Jun 2016 12:37:45 -0700 Subject: SoftVPX: fix nFilledLen overflow Bug: 29421675 Change-Id: I25d4cf54a5df22c2130c37e95c7c7f75063111f3 --- media/libstagefright/codecs/on2/dec/SoftVPX.cpp | 22 +++++++++++++++++++--- media/libstagefright/codecs/on2/dec/SoftVPX.h | 1 + 2 files changed, 20 insertions(+), 3 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/on2/dec/SoftVPX.cpp b/media/libstagefright/codecs/on2/dec/SoftVPX.cpp index 02e85a1..58a2660 100644 --- a/media/libstagefright/codecs/on2/dec/SoftVPX.cpp +++ b/media/libstagefright/codecs/on2/dec/SoftVPX.cpp @@ -149,7 +149,7 @@ bool SoftVPX::outputBuffers(bool flushDecoder, bool display, bool eos, bool *por outHeader->nFlags = 0; outHeader->nFilledLen = (outputBufferWidth() * outputBufferHeight() * 3) / 2; outHeader->nTimeStamp = *(OMX_TICKS *)mImg->user_priv; - if (outHeader->nAllocLen >= outHeader->nFilledLen) { + if (outputBufferSafe(outHeader)) { uint8_t *dst = outHeader->pBuffer; const uint8_t *srcY = (const uint8_t *)mImg->planes[VPX_PLANE_Y]; const uint8_t *srcU = (const uint8_t *)mImg->planes[VPX_PLANE_U]; @@ -159,8 +159,6 @@ bool SoftVPX::outputBuffers(bool flushDecoder, bool display, bool eos, bool *por size_t srcVStride = mImg->stride[VPX_PLANE_V]; copyYV12FrameToOutputBuffer(dst, srcY, srcU, srcV, srcYStride, srcUStride, srcVStride); } else { - ALOGE("b/27597103, buffer too small"); - android_errorWriteLog(0x534e4554, "27597103"); outHeader->nFilledLen = 0; } @@ -190,6 +188,24 @@ bool SoftVPX::outputBuffers(bool flushDecoder, bool display, bool eos, bool *por return true; } +bool SoftVPX::outputBufferSafe(OMX_BUFFERHEADERTYPE *outHeader) { + uint32_t width = outputBufferWidth(); + uint32_t height = outputBufferHeight(); + uint64_t nFilledLen = width; + nFilledLen *= height; + if (nFilledLen > UINT32_MAX / 3) { + ALOGE("b/29421675, nFilledLen overflow %llu w %u h %u", nFilledLen, width, height); + android_errorWriteLog(0x534e4554, "29421675"); + return false; + } else if (outHeader->nAllocLen < outHeader->nFilledLen) { + ALOGE("b/27597103, buffer too small"); + android_errorWriteLog(0x534e4554, "27597103"); + return false; + } + + return true; +} + void SoftVPX::onQueueFilled(OMX_U32 /* portIndex */) { if (mOutputPortSettingsChange != NONE || mEOSStatus == OUTPUT_FRAMES_FLUSHED) { return; diff --git a/media/libstagefright/codecs/on2/dec/SoftVPX.h b/media/libstagefright/codecs/on2/dec/SoftVPX.h index 8ccbae2..84cf79c 100644 --- a/media/libstagefright/codecs/on2/dec/SoftVPX.h +++ b/media/libstagefright/codecs/on2/dec/SoftVPX.h @@ -66,6 +66,7 @@ private: status_t initDecoder(); status_t destroyDecoder(); bool outputBuffers(bool flushDecoder, bool display, bool eos, bool *portWillReset); + bool outputBufferSafe(OMX_BUFFERHEADERTYPE *outHeader); DISALLOW_EVIL_CONSTRUCTORS(SoftVPX); }; -- cgit v1.1 From 2a1a0fd88e84fc845cd6bce3a161672d80c1df39 Mon Sep 17 00:00:00 2001 From: Lajos Molnar Date: Wed, 13 Jul 2016 20:27:32 -0700 Subject: fix build Change-Id: I9bb8c659d3fc97a8e748451d82d0f3448faa242b --- media/libstagefright/codecs/on2/dec/SoftVPX.cpp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/on2/dec/SoftVPX.cpp b/media/libstagefright/codecs/on2/dec/SoftVPX.cpp index 58a2660..912fac2 100644 --- a/media/libstagefright/codecs/on2/dec/SoftVPX.cpp +++ b/media/libstagefright/codecs/on2/dec/SoftVPX.cpp @@ -194,7 +194,8 @@ bool SoftVPX::outputBufferSafe(OMX_BUFFERHEADERTYPE *outHeader) { uint64_t nFilledLen = width; nFilledLen *= height; if (nFilledLen > UINT32_MAX / 3) { - ALOGE("b/29421675, nFilledLen overflow %llu w %u h %u", nFilledLen, width, height); + ALOGE("b/29421675, nFilledLen overflow %llu w %u h %u", + (unsigned long long)nFilledLen, width, height); android_errorWriteLog(0x534e4554, "29421675"); return false; } else if (outHeader->nAllocLen < outHeader->nFilledLen) { -- cgit v1.1 From 361db9e07657a6de075b5f23b5cfcecfd5a73fd3 Mon Sep 17 00:00:00 2001 From: Robert Shih Date: Thu, 14 Jul 2016 12:37:52 -0700 Subject: Fix build Change-Id: I96a9c437eec53a285ac96794cc1ad0c8954b27e0 --- media/libstagefright/codecs/mp3dec/SoftMP3.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp index daef471..54fe622 100644 --- a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp +++ b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp @@ -122,7 +122,7 @@ void SoftMP3::initDecoder() { void *SoftMP3::memsetSafe(OMX_BUFFERHEADERTYPE *outHeader, int c, size_t len) { if (len > outHeader->nAllocLen) { - ALOGE("memset buffer too small: got %lu, expected %zu", outHeader->nAllocLen, len); + ALOGE("memset buffer too small: got %lu, expected %zu", (unsigned long)outHeader->nAllocLen, len); android_errorWriteLog(0x534e4554, "29422022"); notify(OMX_EventError, OMX_ErrorUndefined, OUTPUT_BUFFER_TOO_SMALL, NULL); mSignalledError = true; -- cgit v1.1 From 05713f1d239566bff957177f1a7aaba380fbc978 Mon Sep 17 00:00:00 2001 From: Robert Shih Date: Thu, 14 Jul 2016 13:50:32 -0700 Subject: Fix build Change-Id: I48ba34b3df9c9a896d4b18c3f48e41744b7dab54 --- media/libstagefright/codecs/mp3dec/SoftMP3.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp index 54fe622..9f7dd59 100644 --- a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp +++ b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp @@ -122,7 +122,7 @@ void SoftMP3::initDecoder() { void *SoftMP3::memsetSafe(OMX_BUFFERHEADERTYPE *outHeader, int c, size_t len) { if (len > outHeader->nAllocLen) { - ALOGE("memset buffer too small: got %lu, expected %zu", (unsigned long)outHeader->nAllocLen, len); + ALOGE("memset buffer too small: got %u, expected %zu", outHeader->nAllocLen, len); android_errorWriteLog(0x534e4554, "29422022"); notify(OMX_EventError, OMX_ErrorUndefined, OUTPUT_BUFFER_TOO_SMALL, NULL); mSignalledError = true; -- cgit v1.1 From 9d32255b7302922bac4141bf557277d87bc81388 Mon Sep 17 00:00:00 2001 From: Wonsik Kim Date: Thu, 7 Jul 2016 12:57:02 +0900 Subject: omx: prevent input port enable/disable for software codecs Bug: 29421804 Change-Id: Iba1011e9af942a6dff7f659af769a51e3f5ba66f --- media/libstagefright/omx/SimpleSoftOMXComponent.cpp | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/omx/SimpleSoftOMXComponent.cpp b/media/libstagefright/omx/SimpleSoftOMXComponent.cpp index 60c1e2e..13afd45 100644 --- a/media/libstagefright/omx/SimpleSoftOMXComponent.cpp +++ b/media/libstagefright/omx/SimpleSoftOMXComponent.cpp @@ -469,6 +469,13 @@ void SimpleSoftOMXComponent::onPortEnable(OMX_U32 portIndex, bool enable) { CHECK_EQ((int)port->mTransition, (int)PortInfo::NONE); CHECK(port->mDef.bEnabled == !enable); + if (port->mDef.eDir != OMX_DirOutput) { + ALOGE("Port enable/disable allowed only on output ports."); + notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); + android_errorWriteLog(0x534e4554, "29421804"); + return; + } + if (!enable) { port->mDef.bEnabled = OMX_FALSE; port->mTransition = PortInfo::DISABLING; -- cgit v1.1 From 2bef075f91e203e96130c88320b7d13eddc17d89 Mon Sep 17 00:00:00 2001 From: Pawin Vongmasa Date: Tue, 21 Jun 2016 19:10:21 -0700 Subject: Impose a size bound for dynamically allocated tables in stbl. Impose a restriction of 200MiB for tables in stsc, stts, ctts and stss boxes. Also change mTimeToSample from Vector to array. Bug: 29367429 Change-Id: I953bea9fe0590268cf27376740f582dc88563d42 Merge conflict resolution of ag/1170200 to mnc-mr2-release --- media/libstagefright/SampleTable.cpp | 150 ++++++++++++++++++++++++----- media/libstagefright/include/SampleTable.h | 9 +- 2 files changed, 133 insertions(+), 26 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp index 8df9cb8..bc01a2d 100644 --- a/media/libstagefright/SampleTable.cpp +++ b/media/libstagefright/SampleTable.cpp @@ -123,7 +123,7 @@ SampleTable::SampleTable(const sp &source) mNumSampleSizes(0), mHasTimeToSample(false), mTimeToSampleCount(0), - mTimeToSample(), + mTimeToSample(NULL), mSampleTimeEntries(NULL), mCompositionTimeDeltaEntries(NULL), mNumCompositionTimeDeltaEntries(0), @@ -132,7 +132,8 @@ SampleTable::SampleTable(const sp &source) mNumSyncSamples(0), mSyncSamples(NULL), mLastSyncSampleIndex(0), - mSampleToChunkEntries(NULL) { + mSampleToChunkEntries(NULL), + mTotalSize(0) { mSampleIterator = new SampleIterator(this); } @@ -143,6 +144,9 @@ SampleTable::~SampleTable() { delete[] mSyncSamples; mSyncSamples = NULL; + delete[] mTimeToSample; + mTimeToSample = NULL; + delete mCompositionDeltaLookup; mCompositionDeltaLookup = NULL; @@ -233,13 +237,43 @@ status_t SampleTable::setSampleToChunkParams( return ERROR_MALFORMED; } - if (SIZE_MAX / sizeof(SampleToChunkEntry) <= (size_t)mNumSampleToChunkOffsets) + if ((uint64_t)SIZE_MAX / sizeof(SampleToChunkEntry) <= + (uint64_t)mNumSampleToChunkOffsets) { + ALOGE("Sample-to-chunk table size too large."); return ERROR_OUT_OF_RANGE; + } + + mTotalSize += (uint64_t)mNumSampleToChunkOffsets * + sizeof(SampleToChunkEntry); + if (mTotalSize > kMaxTotalSize) { + ALOGE("Sample-to-chunk table size would make sample table too large.\n" + " Requested sample-to-chunk table size = %llu\n" + " Eventual sample table size >= %llu\n" + " Allowed sample table size = %llu\n", + (unsigned long long)mNumSampleToChunkOffsets * + sizeof(SampleToChunkEntry), + (unsigned long long)mTotalSize, + (unsigned long long)kMaxTotalSize); + return ERROR_OUT_OF_RANGE; + } mSampleToChunkEntries = new (std::nothrow) SampleToChunkEntry[mNumSampleToChunkOffsets]; - if (!mSampleToChunkEntries) + if (!mSampleToChunkEntries) { + ALOGE("Cannot allocate sample-to-chunk table with %llu entries.", + (unsigned long long)mNumSampleToChunkOffsets); return ERROR_OUT_OF_RANGE; + } + + if (mNumSampleToChunkOffsets == 0) { + return OK; + } + + if ((off64_t)(SIZE_MAX - 8 - + ((mNumSampleToChunkOffsets - 1) * sizeof(SampleToChunkEntry))) + < mSampleToChunkOffset) { + return ERROR_MALFORMED; + } for (uint32_t i = 0; i < mNumSampleToChunkOffsets; ++i) { uint8_t buffer[12]; @@ -248,8 +282,11 @@ status_t SampleTable::setSampleToChunkParams( != (ssize_t)sizeof(buffer)) { return ERROR_IO; } - - CHECK(U32_AT(buffer) >= 1); // chunk index is 1 based in the spec. + // chunk index is 1 based in the spec. + if (U32_AT(buffer) < 1) { + ALOGE("b/23534160"); + return ERROR_OUT_OF_RANGE; + } // We want the chunk index to be 0-based. mSampleToChunkEntries[i].startChunk = U32_AT(buffer) - 1; @@ -349,21 +386,41 @@ status_t SampleTable::setTimeToSampleParams( // 2) mTimeToSampleCount is the number of entries of the time-to-sample // table. // 3) We hope that the table size does not exceed UINT32_MAX. - ALOGE(" Error: Time-to-sample table size too large."); - + ALOGE("Time-to-sample table size too large."); return ERROR_OUT_OF_RANGE; } // Note: At this point, we know that mTimeToSampleCount * 2 will not // overflow because of the above condition. - if (!mDataSource->getVector(data_offset + 8, &mTimeToSample, - mTimeToSampleCount * 2)) { - ALOGE(" Error: Incomplete data read for time-to-sample table."); + + uint64_t allocSize = (uint64_t)mTimeToSampleCount * 2 * sizeof(uint32_t); + mTotalSize += allocSize; + if (mTotalSize > kMaxTotalSize) { + ALOGE("Time-to-sample table size would make sample table too large.\n" + " Requested time-to-sample table size = %llu\n" + " Eventual sample table size >= %llu\n" + " Allowed sample table size = %llu\n", + (unsigned long long)allocSize, + (unsigned long long)mTotalSize, + (unsigned long long)kMaxTotalSize); + return ERROR_OUT_OF_RANGE; + } + + mTimeToSample = new (std::nothrow) uint32_t[mTimeToSampleCount * 2]; + if (!mTimeToSample) { + ALOGE("Cannot allocate time-to-sample table with %llu entries.", + (unsigned long long)mTimeToSampleCount); + return ERROR_OUT_OF_RANGE; + } + + if (mDataSource->readAt(data_offset + 8, mTimeToSample, + (size_t)allocSize) < (ssize_t)allocSize) { + ALOGE("Incomplete data read for time-to-sample table."); return ERROR_IO; } - for (size_t i = 0; i < mTimeToSample.size(); ++i) { - mTimeToSample.editItemAt(i) = ntohl(mTimeToSample[i]); + for (size_t i = 0; i < mTimeToSampleCount * 2; ++i) { + mTimeToSample[i] = ntohl(mTimeToSample[i]); } mHasTimeToSample = true; @@ -398,17 +455,32 @@ status_t SampleTable::setCompositionTimeToSampleParams( mNumCompositionTimeDeltaEntries = numEntries; uint64_t allocSize = (uint64_t)numEntries * 2 * sizeof(uint32_t); - if (allocSize > UINT32_MAX) { + if (allocSize > SIZE_MAX) { + ALOGE("Composition-time-to-sample table size too large."); + return ERROR_OUT_OF_RANGE; + } + + mTotalSize += allocSize; + if (mTotalSize > kMaxTotalSize) { + ALOGE("Composition-time-to-sample table would make sample table too large.\n" + " Requested composition-time-to-sample table size = %llu\n" + " Eventual sample table size >= %llu\n" + " Allowed sample table size = %llu\n", + (unsigned long long)allocSize, + (unsigned long long)mTotalSize, + (unsigned long long)kMaxTotalSize); return ERROR_OUT_OF_RANGE; } mCompositionTimeDeltaEntries = new (std::nothrow) uint32_t[2 * numEntries]; - if (!mCompositionTimeDeltaEntries) + if (!mCompositionTimeDeltaEntries) { + ALOGE("Cannot allocate composition-time-to-sample table with %llu " + "entries.", (unsigned long long)numEntries); return ERROR_OUT_OF_RANGE; + } - if (mDataSource->readAt( - data_offset + 8, mCompositionTimeDeltaEntries, numEntries * 8) - < (ssize_t)numEntries * 8) { + if (mDataSource->readAt(data_offset + 8, mCompositionTimeDeltaEntries, + (size_t)allocSize) < (ssize_t)allocSize) { delete[] mCompositionTimeDeltaEntries; mCompositionTimeDeltaEntries = NULL; @@ -449,18 +521,33 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size) ALOGV("Table of sync samples is empty or has only a single entry!"); } - uint64_t allocSize = mNumSyncSamples * (uint64_t)sizeof(uint32_t); + uint64_t allocSize = (uint64_t)mNumSyncSamples * sizeof(uint32_t); if (allocSize > SIZE_MAX) { + ALOGE("Sync sample table size too large."); + return ERROR_OUT_OF_RANGE; + } + + mTotalSize += allocSize; + if (mTotalSize > kMaxTotalSize) { + ALOGE("Sync sample table size would make sample table too large.\n" + " Requested sync sample table size = %llu\n" + " Eventual sample table size >= %llu\n" + " Allowed sample table size = %llu\n", + (unsigned long long)allocSize, + (unsigned long long)mTotalSize, + (unsigned long long)kMaxTotalSize); return ERROR_OUT_OF_RANGE; } mSyncSamples = new (std::nothrow) uint32_t[mNumSyncSamples]; - if (!mSyncSamples) + if (!mSyncSamples) { + ALOGE("Cannot allocate sync sample table with %llu entries.", + (unsigned long long)mNumSyncSamples); return ERROR_OUT_OF_RANGE; + } - size_t size = mNumSyncSamples * sizeof(uint32_t); - if (mDataSource->readAt(mSyncSampleOffset + 8, mSyncSamples, size) - != (ssize_t)size) { + if (mDataSource->readAt(mSyncSampleOffset + 8, mSyncSamples, + (size_t)allocSize) != (ssize_t)allocSize) { return ERROR_IO; } @@ -525,9 +612,24 @@ void SampleTable::buildSampleEntriesTable() { return; } + mTotalSize += (uint64_t)mNumSampleSizes * sizeof(SampleTimeEntry); + if (mTotalSize > kMaxTotalSize) { + ALOGE("Sample entry table size would make sample table too large.\n" + " Requested sample entry table size = %llu\n" + " Eventual sample table size >= %llu\n" + " Allowed sample table size = %llu\n", + (unsigned long long)mNumSampleSizes * sizeof(SampleTimeEntry), + (unsigned long long)mTotalSize, + (unsigned long long)kMaxTotalSize); + return; + } + mSampleTimeEntries = new (std::nothrow) SampleTimeEntry[mNumSampleSizes]; - if (!mSampleTimeEntries) + if (!mSampleTimeEntries) { + ALOGE("Cannot allocate sample entry table with %llu entries.", + (unsigned long long)mNumSampleSizes); return; + } uint32_t sampleIndex = 0; uint32_t sampleTime = 0; diff --git a/media/libstagefright/include/SampleTable.h b/media/libstagefright/include/SampleTable.h index 465f37c..552eef7 100644 --- a/media/libstagefright/include/SampleTable.h +++ b/media/libstagefright/include/SampleTable.h @@ -24,7 +24,6 @@ #include #include #include -#include namespace android { @@ -96,6 +95,9 @@ private: static const uint32_t kSampleSizeType32; static const uint32_t kSampleSizeTypeCompact; + // Limit the total size of all internal tables to 200MiB. + static const size_t kMaxTotalSize = 200 * (1 << 20); + sp mDataSource; Mutex mLock; @@ -113,7 +115,7 @@ private: bool mHasTimeToSample; uint32_t mTimeToSampleCount; - Vector mTimeToSample; + uint32_t* mTimeToSample; struct SampleTimeEntry { uint32_t mSampleIndex; @@ -139,6 +141,9 @@ private: }; SampleToChunkEntry *mSampleToChunkEntries; + // Approximate size of all tables combined. + uint64_t mTotalSize; + friend struct SampleIterator; // normally we don't round -- cgit v1.1 From eb11f3a9e6638805c4473c3bf448584893bae519 Mon Sep 17 00:00:00 2001 From: Wonsik Kim Date: Thu, 21 Jul 2016 14:43:38 +0900 Subject: DO NOT MERGE - stagefright: fix integer overflow error Bug: 30103394 Change-Id: If449d3e30a0bf2ebea5317f41813bfed094f7408 (cherry picked from commit 2c74a3cd5d1d66b9a35424b9c4443dafa6db5bef) --- media/libstagefright/SampleTable.cpp | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp index bc01a2d..72e30f1 100644 --- a/media/libstagefright/SampleTable.cpp +++ b/media/libstagefright/SampleTable.cpp @@ -18,6 +18,8 @@ //#define LOG_NDEBUG 0 #include +#include + #include "include/SampleTable.h" #include "include/SampleIterator.h" @@ -27,11 +29,6 @@ #include #include -/* TODO: remove after being merged into other branches */ -#ifndef UINT32_MAX -#define UINT32_MAX (4294967295U) -#endif - namespace android { // static @@ -45,6 +42,8 @@ const uint32_t SampleTable::kSampleSizeTypeCompact = FOURCC('s', 't', 'z', '2'); //////////////////////////////////////////////////////////////////////////////// +const off64_t kMaxOffset = std::numeric_limits::max(); + struct SampleTable::CompositionDeltaLookup { CompositionDeltaLookup(); @@ -233,11 +232,11 @@ status_t SampleTable::setSampleToChunkParams( mNumSampleToChunkOffsets = U32_AT(&header[4]); - if (data_size < 8 + mNumSampleToChunkOffsets * 12) { + if ((data_size - 8) / sizeof(SampleToChunkEntry) < mNumSampleToChunkOffsets) { return ERROR_MALFORMED; } - if ((uint64_t)SIZE_MAX / sizeof(SampleToChunkEntry) <= + if ((uint64_t)kMaxTotalSize / sizeof(SampleToChunkEntry) <= (uint64_t)mNumSampleToChunkOffsets) { ALOGE("Sample-to-chunk table size too large."); return ERROR_OUT_OF_RANGE; @@ -269,16 +268,19 @@ status_t SampleTable::setSampleToChunkParams( return OK; } - if ((off64_t)(SIZE_MAX - 8 - + if ((off64_t)(kMaxOffset - 8 - ((mNumSampleToChunkOffsets - 1) * sizeof(SampleToChunkEntry))) < mSampleToChunkOffset) { return ERROR_MALFORMED; } for (uint32_t i = 0; i < mNumSampleToChunkOffsets; ++i) { - uint8_t buffer[12]; + uint8_t buffer[sizeof(SampleToChunkEntry)]; + if (mDataSource->readAt( - mSampleToChunkOffset + 8 + i * 12, buffer, sizeof(buffer)) + mSampleToChunkOffset + 8 + i * sizeof(SampleToChunkEntry), + buffer, + sizeof(buffer)) != (ssize_t)sizeof(buffer)) { return ERROR_IO; } @@ -378,8 +380,7 @@ status_t SampleTable::setTimeToSampleParams( } mTimeToSampleCount = U32_AT(&header[4]); - if ((uint64_t)mTimeToSampleCount > - (uint64_t)UINT32_MAX / (2 * sizeof(uint32_t))) { + if (mTimeToSampleCount > UINT32_MAX / (2 * sizeof(uint32_t))) { // Choose this bound because // 1) 2 * sizeof(uint32_t) is the amount of memory needed for one // time-to-sample entry in the time-to-sample table. @@ -455,7 +456,7 @@ status_t SampleTable::setCompositionTimeToSampleParams( mNumCompositionTimeDeltaEntries = numEntries; uint64_t allocSize = (uint64_t)numEntries * 2 * sizeof(uint32_t); - if (allocSize > SIZE_MAX) { + if (allocSize > kMaxTotalSize) { ALOGE("Composition-time-to-sample table size too large."); return ERROR_OUT_OF_RANGE; } @@ -522,7 +523,7 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size) } uint64_t allocSize = (uint64_t)mNumSyncSamples * sizeof(uint32_t); - if (allocSize > SIZE_MAX) { + if (allocSize > kMaxTotalSize) { ALOGE("Sync sample table size too large."); return ERROR_OUT_OF_RANGE; } -- cgit v1.1 From 16d14e178003b193db1422c11c95bc0b1d44b690 Mon Sep 17 00:00:00 2001 From: Steve Kondik Date: Fri, 19 Aug 2016 17:41:21 -0700 Subject: stagefright: Disable thumbnail mode for 8996-class devices * The hardware is freezing when used for certain media types. Disable it until the issue is understood. Change-Id: Iaec2420b4f8d3ceacf2c6f72ab14db424092c96b --- media/libstagefright/FFMPEGSoftCodec.cpp | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/FFMPEGSoftCodec.cpp b/media/libstagefright/FFMPEGSoftCodec.cpp index 7233162..0d5802b 100644 --- a/media/libstagefright/FFMPEGSoftCodec.cpp +++ b/media/libstagefright/FFMPEGSoftCodec.cpp @@ -35,6 +35,8 @@ #include #include +#include + #include #include #include @@ -394,9 +396,13 @@ status_t FFMPEGSoftCodec::setVideoFormat( } // Enable Sync-frame decode mode for thumbnails + char board[PROPERTY_VALUE_MAX]; + property_get("ro.board.platform", board, NULL); int32_t thumbnailMode = 0; if (msg->findInt32("thumbnail-mode", &thumbnailMode) && - thumbnailMode > 0) { + thumbnailMode > 0 && + !(!strcmp(board, "msm8996") || !strcmp(board, "msm8937") || + !strcmp(board, "msm8953") || !strcmp(board, "msm8976"))) { ALOGV("Enabling thumbnail mode."); QOMX_ENABLETYPE enableType; OMX_INDEXTYPE indexType; -- cgit v1.1 From b52c75787d068a92c961d29f973e975b7651abe5 Mon Sep 17 00:00:00 2001 From: Pawin Vongmasa Date: Mon, 18 Jul 2016 20:12:02 -0700 Subject: SoftMPEG4: Check the buffer size before writing the reference frame. Also prevent overflow in SoftMPEG4 and division by zero in SoftMPEG4Encoder. Bug: 30033990 Change-Id: I7701f5fc54c2670587d122330e5dc851f64ed3c2 (cherry picked from commit 695123195034402ca76169b195069c28c30342d3) --- .../codecs/m4v_h263/dec/SoftMPEG4.cpp | 22 ++++++++++++++++++++-- .../codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp | 4 ++++ 2 files changed, 24 insertions(+), 2 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp index bb59ae4..e1cfc06 100644 --- a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp +++ b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp @@ -210,8 +210,17 @@ void SoftMPEG4::onQueueFilled(OMX_U32 /* portIndex */) { PortInfo *port = editPortInfo(1); OMX_BUFFERHEADERTYPE *outHeader = port->mBuffers.editItemAt(1).mHeader; + OMX_U32 yFrameSize = sizeof(uint8) * mHandle->size; + if ((outHeader->nAllocLen < yFrameSize) || + (outHeader->nAllocLen - yFrameSize < yFrameSize / 2)) { + ALOGE("Too small output buffer for reference frame: %zu bytes", + outHeader->nAllocLen); + android_errorWriteLog(0x534e4554, "30033990"); + notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); + mSignalledError = true; + return; + } PVSetReferenceYUV(mHandle, outHeader->pBuffer); - mFramesConfigured = true; } @@ -229,7 +238,16 @@ void SoftMPEG4::onQueueFilled(OMX_U32 /* portIndex */) { int32_t bufferSize = inHeader->nFilledLen; int32_t tmp = bufferSize; - OMX_U32 frameSize = (mWidth * mHeight * 3) / 2; + OMX_U32 frameSize; + OMX_U64 yFrameSize = (OMX_U64)mWidth * (OMX_U64)mHeight; + if (yFrameSize > ((OMX_U64)UINT32_MAX / 3) * 2) { + ALOGE("Frame size too large"); + notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); + mSignalledError = true; + return; + } + frameSize = (OMX_U32)(yFrameSize + (yFrameSize / 2)); + if (outHeader->nAllocLen < frameSize) { android_errorWriteLog(0x534e4554, "27833616"); ALOGE("Insufficient output buffer size"); diff --git a/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp b/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp index 7638bb7..2eb51c9 100644 --- a/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp +++ b/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp @@ -116,6 +116,10 @@ OMX_ERRORTYPE SoftMPEG4Encoder::initEncParams() { ALOGE("Failed to get default encoding parameters"); return OMX_ErrorUndefined; } + if (mFramerate == 0) { + ALOGE("Framerate should not be 0"); + return OMX_ErrorUndefined; + } mEncParams->encMode = mEncodeMode; mEncParams->encWidth[0] = mWidth; mEncParams->encHeight[0] = mHeight; -- cgit v1.1 From 173e6eb58c8df2b934a5602732fe0b0aac1cd03f Mon Sep 17 00:00:00 2001 From: Ray Essick Date: Tue, 16 Aug 2016 14:24:43 -0700 Subject: better validation lengths of strings in ID3 tags Validate lengths on strings in ID3 tags, particularly around 0. Also added code to handle cases when we can't get memory for copies of strings we want to extract from these tags. Affects L/M/N/master, same patch for all of them. Bug: 30744884 Change-Id: I2675a817a39f0927ec1f7e9f9c09f2e61020311e Test: play mp3 file which caused a <0 length. (cherry picked from commit d23c01546c4f82840a01a380def76ab6cae5d43f) --- media/libstagefright/id3/ID3.cpp | 57 +++++++++++++++++++++++++++++----------- 1 file changed, 42 insertions(+), 15 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp index 4410579..6e14197 100644 --- a/media/libstagefright/id3/ID3.cpp +++ b/media/libstagefright/id3/ID3.cpp @@ -77,7 +77,10 @@ ID3::ID3(const uint8_t *data, size_t size, bool ignoreV1) mFirstFrameOffset(0), mVersion(ID3_UNKNOWN), mRawSize(0) { - sp source = new MemorySource(data, size); + sp source = new (std::nothrow) MemorySource(data, size); + + if (source == NULL) + return; mIsValid = parseV2(source, 0); @@ -542,6 +545,10 @@ void ID3::Iterator::getstring(String8 *id, bool otherdata) const { n -= skipped; } + if (n <= 0) { + return; + } + if (encoding == 0x00) { // supposedly ISO 8859-1 id->setTo((const char*)frameData + 1, n); @@ -555,11 +562,16 @@ void ID3::Iterator::getstring(String8 *id, bool otherdata) const { const char16_t *framedata = (const char16_t *) (frameData + 1); char16_t *framedatacopy = NULL; #if BYTE_ORDER == LITTLE_ENDIAN - framedatacopy = new char16_t[len]; - for (int i = 0; i < len; i++) { - framedatacopy[i] = bswap_16(framedata[i]); + if (len > 0) { + framedatacopy = new (std::nothrow) char16_t[len]; + if (framedatacopy == NULL) { + return; + } + for (int i = 0; i < len; i++) { + framedatacopy[i] = bswap_16(framedata[i]); + } + framedata = framedatacopy; } - framedata = framedatacopy; #endif id->setTo(framedata, len); if (framedatacopy != NULL) { @@ -572,15 +584,26 @@ void ID3::Iterator::getstring(String8 *id, bool otherdata) const { const char16_t *framedata = (const char16_t *) (frameData + 1); char16_t *framedatacopy = NULL; if (*framedata == 0xfffe) { - // endianness marker doesn't match host endianness, convert - framedatacopy = new char16_t[len]; + // endianness marker != host endianness, convert & skip + if (len <= 1) { + return; // nothing after the marker + } + framedatacopy = new (std::nothrow) char16_t[len]; + if (framedatacopy == NULL) { + return; + } for (int i = 0; i < len; i++) { framedatacopy[i] = bswap_16(framedata[i]); } framedata = framedatacopy; - } - // If the string starts with an endianness marker, skip it - if (*framedata == 0xfeff) { + // and skip over the marker + framedata++; + len--; + } else if (*framedata == 0xfeff) { + // endianness marker == host endianness, skip it + if (len <= 1) { + return; // nothing after the marker + } framedata++; len--; } @@ -595,12 +618,16 @@ void ID3::Iterator::getstring(String8 *id, bool otherdata) const { } if (eightBit) { // collapse to 8 bit, then let the media scanner client figure out the real encoding - char *frame8 = new char[len]; - for (int i = 0; i < len; i++) { - frame8[i] = framedata[i]; + char *frame8 = new (std::nothrow) char[len]; + if (frame8 != NULL) { + for (int i = 0; i < len; i++) { + frame8[i] = framedata[i]; + } + id->setTo(frame8, len); + delete [] frame8; + } else { + id->setTo(framedata, len); } - id->setTo(frame8, len); - delete [] frame8; } else { id->setTo(framedata, len); } -- cgit v1.1 From 45f500ac36958b36afa649c8d68490cd38442252 Mon Sep 17 00:00:00 2001 From: Pawin Vongmasa Date: Fri, 19 Aug 2016 02:07:33 -0700 Subject: Fix build breakage caused by commit 940829f69b52d6038db66a9c727534636ecc456d. Change-Id: I4776db4a26fb3c31bb994d48788373fe569c812a (cherry picked from commit baa9146401e28c5acf54dea21ddd197f0d3a8fcd) --- media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp index e1cfc06..1dd631a 100644 --- a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp +++ b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp @@ -213,8 +213,8 @@ void SoftMPEG4::onQueueFilled(OMX_U32 /* portIndex */) { OMX_U32 yFrameSize = sizeof(uint8) * mHandle->size; if ((outHeader->nAllocLen < yFrameSize) || (outHeader->nAllocLen - yFrameSize < yFrameSize / 2)) { - ALOGE("Too small output buffer for reference frame: %zu bytes", - outHeader->nAllocLen); + ALOGE("Too small output buffer for reference frame: %lu bytes", + (unsigned long)outHeader->nAllocLen); android_errorWriteLog(0x534e4554, "30033990"); notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); mSignalledError = true; -- cgit v1.1 From b569311fe413fef4f35114f00485340cc6e322ee Mon Sep 17 00:00:00 2001 From: Pawin Vongmasa Date: Mon, 18 Jul 2016 20:12:02 -0700 Subject: SoftMPEG4: Check the buffer size before writing the reference frame. Also prevent overflow in SoftMPEG4 and division by zero in SoftMPEG4Encoder. Bug: 30033990 Change-Id: I7701f5fc54c2670587d122330e5dc851f64ed3c2 (cherry picked from commit 695123195034402ca76169b195069c28c30342d3) --- .../codecs/m4v_h263/dec/SoftMPEG4.cpp | 22 ++++++++++++++++++++-- .../codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp | 4 ++++ 2 files changed, 24 insertions(+), 2 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp index bb59ae4..e1cfc06 100644 --- a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp +++ b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp @@ -210,8 +210,17 @@ void SoftMPEG4::onQueueFilled(OMX_U32 /* portIndex */) { PortInfo *port = editPortInfo(1); OMX_BUFFERHEADERTYPE *outHeader = port->mBuffers.editItemAt(1).mHeader; + OMX_U32 yFrameSize = sizeof(uint8) * mHandle->size; + if ((outHeader->nAllocLen < yFrameSize) || + (outHeader->nAllocLen - yFrameSize < yFrameSize / 2)) { + ALOGE("Too small output buffer for reference frame: %zu bytes", + outHeader->nAllocLen); + android_errorWriteLog(0x534e4554, "30033990"); + notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); + mSignalledError = true; + return; + } PVSetReferenceYUV(mHandle, outHeader->pBuffer); - mFramesConfigured = true; } @@ -229,7 +238,16 @@ void SoftMPEG4::onQueueFilled(OMX_U32 /* portIndex */) { int32_t bufferSize = inHeader->nFilledLen; int32_t tmp = bufferSize; - OMX_U32 frameSize = (mWidth * mHeight * 3) / 2; + OMX_U32 frameSize; + OMX_U64 yFrameSize = (OMX_U64)mWidth * (OMX_U64)mHeight; + if (yFrameSize > ((OMX_U64)UINT32_MAX / 3) * 2) { + ALOGE("Frame size too large"); + notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); + mSignalledError = true; + return; + } + frameSize = (OMX_U32)(yFrameSize + (yFrameSize / 2)); + if (outHeader->nAllocLen < frameSize) { android_errorWriteLog(0x534e4554, "27833616"); ALOGE("Insufficient output buffer size"); diff --git a/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp b/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp index 7638bb7..2eb51c9 100644 --- a/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp +++ b/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp @@ -116,6 +116,10 @@ OMX_ERRORTYPE SoftMPEG4Encoder::initEncParams() { ALOGE("Failed to get default encoding parameters"); return OMX_ErrorUndefined; } + if (mFramerate == 0) { + ALOGE("Framerate should not be 0"); + return OMX_ErrorUndefined; + } mEncParams->encMode = mEncodeMode; mEncParams->encWidth[0] = mWidth; mEncParams->encHeight[0] = mHeight; -- cgit v1.1 From dda9d703d7dd2129ff6242fae84ca156caa38632 Mon Sep 17 00:00:00 2001 From: Ray Essick Date: Tue, 16 Aug 2016 14:24:43 -0700 Subject: better validation lengths of strings in ID3 tags Validate lengths on strings in ID3 tags, particularly around 0. Also added code to handle cases when we can't get memory for copies of strings we want to extract from these tags. Affects L/M/N/master, same patch for all of them. Bug: 30744884 Change-Id: I2675a817a39f0927ec1f7e9f9c09f2e61020311e Test: play mp3 file which caused a <0 length. (cherry picked from commit d23c01546c4f82840a01a380def76ab6cae5d43f) --- media/libstagefright/id3/ID3.cpp | 57 +++++++++++++++++++++++++++++----------- 1 file changed, 42 insertions(+), 15 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp index 4410579..6e14197 100644 --- a/media/libstagefright/id3/ID3.cpp +++ b/media/libstagefright/id3/ID3.cpp @@ -77,7 +77,10 @@ ID3::ID3(const uint8_t *data, size_t size, bool ignoreV1) mFirstFrameOffset(0), mVersion(ID3_UNKNOWN), mRawSize(0) { - sp source = new MemorySource(data, size); + sp source = new (std::nothrow) MemorySource(data, size); + + if (source == NULL) + return; mIsValid = parseV2(source, 0); @@ -542,6 +545,10 @@ void ID3::Iterator::getstring(String8 *id, bool otherdata) const { n -= skipped; } + if (n <= 0) { + return; + } + if (encoding == 0x00) { // supposedly ISO 8859-1 id->setTo((const char*)frameData + 1, n); @@ -555,11 +562,16 @@ void ID3::Iterator::getstring(String8 *id, bool otherdata) const { const char16_t *framedata = (const char16_t *) (frameData + 1); char16_t *framedatacopy = NULL; #if BYTE_ORDER == LITTLE_ENDIAN - framedatacopy = new char16_t[len]; - for (int i = 0; i < len; i++) { - framedatacopy[i] = bswap_16(framedata[i]); + if (len > 0) { + framedatacopy = new (std::nothrow) char16_t[len]; + if (framedatacopy == NULL) { + return; + } + for (int i = 0; i < len; i++) { + framedatacopy[i] = bswap_16(framedata[i]); + } + framedata = framedatacopy; } - framedata = framedatacopy; #endif id->setTo(framedata, len); if (framedatacopy != NULL) { @@ -572,15 +584,26 @@ void ID3::Iterator::getstring(String8 *id, bool otherdata) const { const char16_t *framedata = (const char16_t *) (frameData + 1); char16_t *framedatacopy = NULL; if (*framedata == 0xfffe) { - // endianness marker doesn't match host endianness, convert - framedatacopy = new char16_t[len]; + // endianness marker != host endianness, convert & skip + if (len <= 1) { + return; // nothing after the marker + } + framedatacopy = new (std::nothrow) char16_t[len]; + if (framedatacopy == NULL) { + return; + } for (int i = 0; i < len; i++) { framedatacopy[i] = bswap_16(framedata[i]); } framedata = framedatacopy; - } - // If the string starts with an endianness marker, skip it - if (*framedata == 0xfeff) { + // and skip over the marker + framedata++; + len--; + } else if (*framedata == 0xfeff) { + // endianness marker == host endianness, skip it + if (len <= 1) { + return; // nothing after the marker + } framedata++; len--; } @@ -595,12 +618,16 @@ void ID3::Iterator::getstring(String8 *id, bool otherdata) const { } if (eightBit) { // collapse to 8 bit, then let the media scanner client figure out the real encoding - char *frame8 = new char[len]; - for (int i = 0; i < len; i++) { - frame8[i] = framedata[i]; + char *frame8 = new (std::nothrow) char[len]; + if (frame8 != NULL) { + for (int i = 0; i < len; i++) { + frame8[i] = framedata[i]; + } + id->setTo(frame8, len); + delete [] frame8; + } else { + id->setTo(framedata, len); } - id->setTo(frame8, len); - delete [] frame8; } else { id->setTo(framedata, len); } -- cgit v1.1 From 089104004f5aeb2634764c56b948ef83318a9f95 Mon Sep 17 00:00:00 2001 From: Pawin Vongmasa Date: Fri, 19 Aug 2016 02:07:33 -0700 Subject: Fix build breakage caused by commit 940829f69b52d6038db66a9c727534636ecc456d. Change-Id: I4776db4a26fb3c31bb994d48788373fe569c812a (cherry picked from commit baa9146401e28c5acf54dea21ddd197f0d3a8fcd) --- media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp index e1cfc06..1dd631a 100644 --- a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp +++ b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp @@ -213,8 +213,8 @@ void SoftMPEG4::onQueueFilled(OMX_U32 /* portIndex */) { OMX_U32 yFrameSize = sizeof(uint8) * mHandle->size; if ((outHeader->nAllocLen < yFrameSize) || (outHeader->nAllocLen - yFrameSize < yFrameSize / 2)) { - ALOGE("Too small output buffer for reference frame: %zu bytes", - outHeader->nAllocLen); + ALOGE("Too small output buffer for reference frame: %lu bytes", + (unsigned long)outHeader->nAllocLen); android_errorWriteLog(0x534e4554, "30033990"); notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL); mSignalledError = true; -- cgit v1.1 From bdb54da9baf8349a1f030064c3af4ff7318f4771 Mon Sep 17 00:00:00 2001 From: Diogo Ferreira Date: Tue, 30 Aug 2016 11:41:42 +0100 Subject: libstagefright: mtk: Use vendor extensions to check if we should fixup cropping For mediatek video codecs, validate that the current cropped rectangle is valid and use the full frame size otherwise. This fixes a bug where format changes in the same native window would preserve the previous cropping and cause most of the image to be off-screen. Change-Id: If56ca11453f5d2e04a4138b2efe28203f30ba569 Ticket: PORRIDGE-440 --- media/libstagefright/ACodec.cpp | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/ACodec.cpp b/media/libstagefright/ACodec.cpp index 427728f..e00e673 100644 --- a/media/libstagefright/ACodec.cpp +++ b/media/libstagefright/ACodec.cpp @@ -4209,6 +4209,16 @@ status_t ACodec::getPortFormat(OMX_U32 portIndex, sp ¬ify) { rect.nWidth = videoDef->nFrameWidth; rect.nHeight = videoDef->nFrameHeight; } +#ifdef MTK_HARDWARE + if (!strncmp(mComponentName.c_str(), "OMX.MTK.", 8) && mOMX->getConfig( + mNode, (OMX_INDEXTYPE) 0x7f00001c /* OMX_IndexVendorMtkOmxVdecGetCropInfo */, + &rect, sizeof(rect)) != OK) { + rect.nLeft = 0; + rect.nTop = 0; + rect.nWidth = videoDef->nFrameWidth; + rect.nHeight = videoDef->nFrameHeight; + } +#endif if (rect.nLeft < 0 || rect.nTop < 0 || -- cgit v1.1 From bc8a45f506a8be33250c523d71fab637a5fdaf81 Mon Sep 17 00:00:00 2001 From: Lajos Molnar Date: Tue, 2 Aug 2016 07:07:05 -0700 Subject: IOMX: work against metadata buffer spoofing - Prohibit direct set/getParam/Settings for extensions meant for OMXNodeInstance alone. This disallows enabling metadata mode without the knowledge of OMXNodeInstance. - Do not share metadata mode buffers cross process. - Disallow setting up metadata mode/tunneling/input surface after first sendCommand. - Disallow store-meta for input cross process. - Disallow emptyBuffer for surface input (via IOMX). - Fix checking for input surface. Bug: 29422020 Change-Id: I801c77b80e703903f62e42d76fd2e76a34e4bc8e (cherry picked from commit f8a4cb410115045278f534e54b41ac78d6bf6c07) --- media/libstagefright/OMXClient.cpp | 13 +- media/libstagefright/include/OMX.h | 4 +- media/libstagefright/include/OMXNodeInstance.h | 10 +- media/libstagefright/omx/OMX.cpp | 8 +- media/libstagefright/omx/OMXNodeInstance.cpp | 184 ++++++++++++++++++++++--- 5 files changed, 185 insertions(+), 34 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/OMXClient.cpp b/media/libstagefright/OMXClient.cpp index e69890d..d252cb6 100644 --- a/media/libstagefright/OMXClient.cpp +++ b/media/libstagefright/OMXClient.cpp @@ -90,7 +90,7 @@ struct MuxOMX : public IOMX { virtual status_t useBuffer( node_id node, OMX_U32 port_index, const sp ¶ms, - buffer_id *buffer, OMX_U32 allottedSize); + buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess); virtual status_t useGraphicBuffer( node_id node, OMX_U32 port_index, @@ -120,7 +120,7 @@ struct MuxOMX : public IOMX { virtual status_t allocateBufferWithBackup( node_id node, OMX_U32 port_index, const sp ¶ms, - buffer_id *buffer, OMX_U32 allottedSize); + buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess); virtual status_t freeBuffer( node_id node, OMX_U32 port_index, buffer_id buffer); @@ -322,8 +322,9 @@ status_t MuxOMX::getGraphicBufferUsage( status_t MuxOMX::useBuffer( node_id node, OMX_U32 port_index, const sp ¶ms, - buffer_id *buffer, OMX_U32 allottedSize) { - return getOMX(node)->useBuffer(node, port_index, params, buffer, allottedSize); + buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL /* crossProcess */) { + return getOMX(node)->useBuffer( + node, port_index, params, buffer, allottedSize, OMX_FALSE /* crossProcess */); } status_t MuxOMX::useGraphicBuffer( @@ -375,9 +376,9 @@ status_t MuxOMX::allocateBuffer( status_t MuxOMX::allocateBufferWithBackup( node_id node, OMX_U32 port_index, const sp ¶ms, - buffer_id *buffer, OMX_U32 allottedSize) { + buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL /* crossProcess */) { return getOMX(node)->allocateBufferWithBackup( - node, port_index, params, buffer, allottedSize); + node, port_index, params, buffer, allottedSize, OMX_FALSE /* crossProcess */); } status_t MuxOMX::freeBuffer( diff --git a/media/libstagefright/include/OMX.h b/media/libstagefright/include/OMX.h index e7c4f6d..b20b2ea 100644 --- a/media/libstagefright/include/OMX.h +++ b/media/libstagefright/include/OMX.h @@ -81,7 +81,7 @@ public: virtual status_t useBuffer( node_id node, OMX_U32 port_index, const sp ¶ms, - buffer_id *buffer, OMX_U32 allottedSize); + buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess); virtual status_t useGraphicBuffer( node_id node, OMX_U32 port_index, @@ -113,7 +113,7 @@ public: virtual status_t allocateBufferWithBackup( node_id node, OMX_U32 port_index, const sp ¶ms, - buffer_id *buffer, OMX_U32 allottedSize); + buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess); virtual status_t freeBuffer( node_id node, OMX_U32 port_index, buffer_id buffer); diff --git a/media/libstagefright/include/OMXNodeInstance.h b/media/libstagefright/include/OMXNodeInstance.h index babf5b7..bd33ab7 100644 --- a/media/libstagefright/include/OMXNodeInstance.h +++ b/media/libstagefright/include/OMXNodeInstance.h @@ -21,6 +21,7 @@ #include "OMX.h" #include +#include #include namespace android { @@ -71,7 +72,7 @@ struct OMXNodeInstance { status_t useBuffer( OMX_U32 portIndex, const sp ¶ms, - OMX::buffer_id *buffer, OMX_U32 allottedSize); + OMX::buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess); status_t useGraphicBuffer( OMX_U32 portIndex, const sp &graphicBuffer, @@ -101,7 +102,7 @@ struct OMXNodeInstance { status_t allocateBufferWithBackup( OMX_U32 portIndex, const sp ¶ms, - OMX::buffer_id *buffer, OMX_U32 allottedSize); + OMX::buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess); status_t freeBuffer(OMX_U32 portIndex, OMX::buffer_id buffer); @@ -146,6 +147,9 @@ private: OMX_HANDLETYPE mHandle; sp mObserver; bool mDying; + bool mSailed; // configuration is set (no more meta-mode changes) + bool mQueriedProhibitedExtensions; + SortedVector mProhibitedExtensions; bool mIsSecure; // Lock only covers mGraphicBufferSource. We can't always use mLock @@ -191,6 +195,8 @@ private: OMX::buffer_id findBufferID(OMX_BUFFERHEADERTYPE *bufferHeader); void invalidateBufferID(OMX::buffer_id buffer); + bool isProhibitedIndex_l(OMX_INDEXTYPE index); + status_t useGraphicBuffer2_l( OMX_U32 portIndex, const sp &graphicBuffer, OMX::buffer_id *buffer); diff --git a/media/libstagefright/omx/OMX.cpp b/media/libstagefright/omx/OMX.cpp index 56b6055..5898b4e 100644 --- a/media/libstagefright/omx/OMX.cpp +++ b/media/libstagefright/omx/OMX.cpp @@ -368,9 +368,9 @@ status_t OMX::configureVideoTunnelMode( status_t OMX::useBuffer( node_id node, OMX_U32 port_index, const sp ¶ms, - buffer_id *buffer, OMX_U32 allottedSize) { + buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess) { return findInstance(node)->useBuffer( - port_index, params, buffer, allottedSize); + port_index, params, buffer, allottedSize, crossProcess); } status_t OMX::useGraphicBuffer( @@ -421,9 +421,9 @@ status_t OMX::allocateBuffer( status_t OMX::allocateBufferWithBackup( node_id node, OMX_U32 port_index, const sp ¶ms, - buffer_id *buffer, OMX_U32 allottedSize) { + buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess) { return findInstance(node)->allocateBufferWithBackup( - port_index, params, buffer, allottedSize); + port_index, params, buffer, allottedSize, crossProcess); } status_t OMX::freeBuffer(node_id node, OMX_U32 port_index, buffer_id buffer) { diff --git a/media/libstagefright/omx/OMXNodeInstance.cpp b/media/libstagefright/omx/OMXNodeInstance.cpp index 7f534b5..a0dc2ec 100644 --- a/media/libstagefright/omx/OMXNodeInstance.cpp +++ b/media/libstagefright/omx/OMXNodeInstance.cpp @@ -101,26 +101,34 @@ static void InitOMXParams(T *params) { namespace android { struct BufferMeta { - BufferMeta(const sp &mem, OMX_U32 portIndex, bool is_backup = false) + BufferMeta( + const sp &mem, OMX_U32 portIndex, bool copyToOmx, + bool copyFromOmx, OMX_U8 *backup) : mMem(mem), - mIsBackup(is_backup), - mPortIndex(portIndex) { + mCopyFromOmx(copyFromOmx), + mCopyToOmx(copyToOmx), + mPortIndex(portIndex), + mBackup(backup) { } BufferMeta(size_t size, OMX_U32 portIndex) : mSize(size), - mIsBackup(false), - mPortIndex(portIndex) { + mCopyFromOmx(false), + mCopyToOmx(false), + mPortIndex(portIndex), + mBackup(NULL) { } BufferMeta(const sp &graphicBuffer, OMX_U32 portIndex) : mGraphicBuffer(graphicBuffer), - mIsBackup(false), - mPortIndex(portIndex) { + mCopyFromOmx(false), + mCopyToOmx(false), + mPortIndex(portIndex), + mBackup(NULL) { } void CopyFromOMX(const OMX_BUFFERHEADERTYPE *header) { - if (!mIsBackup) { + if (!mCopyFromOmx) { return; } @@ -131,7 +139,7 @@ struct BufferMeta { } void CopyToOMX(const OMX_BUFFERHEADERTYPE *header) { - if (!mIsBackup) { + if (!mCopyToOmx) { return; } @@ -167,12 +175,18 @@ struct BufferMeta { return mPortIndex; } + ~BufferMeta() { + delete[] mBackup; + } + private: sp mGraphicBuffer; sp mMem; size_t mSize; - bool mIsBackup; + bool mCopyFromOmx; + bool mCopyToOmx; OMX_U32 mPortIndex; + OMX_U8 *mBackup; BufferMeta(const BufferMeta &); BufferMeta &operator=(const BufferMeta &); @@ -199,6 +213,8 @@ OMXNodeInstance::OMXNodeInstance( mHandle(NULL), mObserver(observer), mDying(false), + mSailed(false), + mQueriedProhibitedExtensions(false), mBufferIDCount(0) { mName = ADebug::GetDebugName(name); @@ -370,7 +386,12 @@ status_t OMXNodeInstance::freeNode(OMXMaster *master) { status_t OMXNodeInstance::sendCommand( OMX_COMMANDTYPE cmd, OMX_S32 param) { - const sp& bufferSource(getGraphicBufferSource()); + if (cmd == OMX_CommandStateSet) { + // We do not support returning from unloaded state, so there are no configurations past + // first StateSet command. + mSailed = true; + } + const sp bufferSource(getGraphicBufferSource()); if (bufferSource != NULL && cmd == OMX_CommandStateSet) { if (param == OMX_StateIdle) { // Initiating transition from Executing -> Idle @@ -403,10 +424,57 @@ status_t OMXNodeInstance::sendCommand( return StatusFromOMXError(err); } +bool OMXNodeInstance::isProhibitedIndex_l(OMX_INDEXTYPE index) { + // these extensions can only be used from OMXNodeInstance, not by clients directly. + static const char *restricted_extensions[] = { + "OMX.google.android.index.storeMetaDataInBuffers", + "OMX.google.android.index.storeANWBufferInMetadata", + "OMX.google.android.index.prepareForAdaptivePlayback", + "OMX.google.android.index.configureVideoTunnelMode", + "OMX.google.android.index.useAndroidNativeBuffer2", + "OMX.google.android.index.useAndroidNativeBuffer", + "OMX.google.android.index.enableAndroidNativeBuffers", + "OMX.google.android.index.allocateNativeHandle", + "OMX.google.android.index.getAndroidNativeBufferUsage", + }; + + if ((index > OMX_IndexComponentStartUnused && index <= OMX_IndexParamStandardComponentRole) + || (index > OMX_IndexPortStartUnused && index <= OMX_IndexParamCompBufferSupplier) + || (index > OMX_IndexAudioStartUnused && index <= OMX_IndexConfigAudioChannelVolume) + || (index > OMX_IndexVideoStartUnused && index <= OMX_IndexConfigVideoNalSize) + || (index > OMX_IndexCommonStartUnused + && index <= OMX_IndexConfigCommonTransitionEffect) + || (index > (OMX_INDEXTYPE)OMX_IndexExtAudioStartUnused + && index <= (OMX_INDEXTYPE)OMX_IndexParamAudioAndroidEac3) + || (index > (OMX_INDEXTYPE)OMX_IndexExtVideoStartUnused + && index <= (OMX_INDEXTYPE)OMX_IndexParamSliceSegments) + || (index > (OMX_INDEXTYPE)OMX_IndexExtOtherStartUnused + && index <= (OMX_INDEXTYPE)OMX_IndexParamConsumerUsageBits)) { + return false; + } + + if (!mQueriedProhibitedExtensions) { + for (size_t i = 0; i < NELEM(restricted_extensions); ++i) { + OMX_INDEXTYPE ext; + if (OMX_GetExtensionIndex(mHandle, (OMX_STRING)restricted_extensions[i], &ext) == OMX_ErrorNone) { + mProhibitedExtensions.add(ext); + } + } + mQueriedProhibitedExtensions = true; + } + + return mProhibitedExtensions.indexOf(index) >= 0; +} + status_t OMXNodeInstance::getParameter( OMX_INDEXTYPE index, void *params, size_t /* size */) { Mutex::Autolock autoLock(mLock); + if (isProhibitedIndex_l(index)) { + android_errorWriteLog(0x534e4554, "29422020"); + return BAD_INDEX; + } + OMX_ERRORTYPE err = OMX_GetParameter(mHandle, index, params); OMX_INDEXEXTTYPE extIndex = (OMX_INDEXEXTTYPE)index; // some errors are expected for getParameter @@ -422,6 +490,11 @@ status_t OMXNodeInstance::setParameter( OMX_INDEXEXTTYPE extIndex = (OMX_INDEXEXTTYPE)index; CLOG_CONFIG(setParameter, "%s(%#x), %zu@%p)", asString(extIndex), index, size, params); + if (isProhibitedIndex_l(index)) { + android_errorWriteLog(0x534e4554, "29422020"); + return BAD_INDEX; + } + OMX_ERRORTYPE err = OMX_SetParameter( mHandle, index, const_cast(params)); CLOG_IF_ERROR(setParameter, err, "%s(%#x)", asString(extIndex), index); @@ -432,6 +505,11 @@ status_t OMXNodeInstance::getConfig( OMX_INDEXTYPE index, void *params, size_t /* size */) { Mutex::Autolock autoLock(mLock); + if (isProhibitedIndex_l(index)) { + android_errorWriteLog(0x534e4554, "29422020"); + return BAD_INDEX; + } + OMX_ERRORTYPE err = OMX_GetConfig(mHandle, index, params); OMX_INDEXEXTTYPE extIndex = (OMX_INDEXEXTTYPE)index; // some errors are expected for getConfig @@ -447,6 +525,11 @@ status_t OMXNodeInstance::setConfig( OMX_INDEXEXTTYPE extIndex = (OMX_INDEXEXTTYPE)index; CLOG_CONFIG(setConfig, "%s(%#x), %zu@%p)", asString(extIndex), index, size, params); + if (isProhibitedIndex_l(index)) { + android_errorWriteLog(0x534e4554, "29422020"); + return BAD_INDEX; + } + OMX_ERRORTYPE err = OMX_SetConfig( mHandle, index, const_cast(params)); CLOG_IF_ERROR(setConfig, err, "%s(%#x)", asString(extIndex), index); @@ -526,6 +609,10 @@ status_t OMXNodeInstance::storeMetaDataInBuffers( status_t OMXNodeInstance::storeMetaDataInBuffers_l( OMX_U32 portIndex, OMX_BOOL enable, MetadataBufferType *type) { + if (mSailed) { + android_errorWriteLog(0x534e4554, "29422020"); + return INVALID_OPERATION; + } if (portIndex != kPortIndexInput && portIndex != kPortIndexOutput) { android_errorWriteLog(0x534e4554, "26324358"); return BAD_VALUE; @@ -593,6 +680,10 @@ status_t OMXNodeInstance::prepareForAdaptivePlayback( OMX_U32 portIndex, OMX_BOOL enable, OMX_U32 maxFrameWidth, OMX_U32 maxFrameHeight) { Mutex::Autolock autolock(mLock); + if (mSailed) { + android_errorWriteLog(0x534e4554, "29422020"); + return INVALID_OPERATION; + } CLOG_CONFIG(prepareForAdaptivePlayback, "%s:%u en=%d max=%ux%u", portString(portIndex), portIndex, enable, maxFrameWidth, maxFrameHeight); @@ -623,6 +714,10 @@ status_t OMXNodeInstance::configureVideoTunnelMode( OMX_U32 portIndex, OMX_BOOL tunneled, OMX_U32 audioHwSync, native_handle_t **sidebandHandle) { Mutex::Autolock autolock(mLock); + if (mSailed) { + android_errorWriteLog(0x534e4554, "29422020"); + return INVALID_OPERATION; + } CLOG_CONFIG(configureVideoTunnelMode, "%s:%u tun=%d sync=%u", portString(portIndex), portIndex, tunneled, audioHwSync); @@ -663,23 +758,48 @@ status_t OMXNodeInstance::configureVideoTunnelMode( status_t OMXNodeInstance::useBuffer( OMX_U32 portIndex, const sp ¶ms, - OMX::buffer_id *buffer, OMX_U32 allottedSize) { + OMX::buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess) { Mutex::Autolock autoLock(mLock); - if (allottedSize > params->size()) { + if (allottedSize > params->size() || portIndex >= NELEM(mNumPortBuffers)) { return BAD_VALUE; } - BufferMeta *buffer_meta = new BufferMeta(params, portIndex); + // metadata buffers are not connected cross process + BufferMeta *buffer_meta; + bool isMeta = mMetadataType[portIndex] != kMetadataBufferTypeInvalid; + bool useBackup = crossProcess && isMeta; // use a backup buffer instead of the actual buffer + OMX_U8 *data = static_cast(params->pointer()); + // allocate backup buffer + if (useBackup) { + data = new (std::nothrow) OMX_U8[allottedSize]; + if (data == NULL) { + return NO_MEMORY; + } + memset(data, 0, allottedSize); + + // if we are not connecting the buffers, the sizes must match + if (allottedSize != params->size()) { + CLOG_ERROR(useBuffer, BAD_VALUE, SIMPLE_BUFFER(portIndex, (size_t)allottedSize, data)); + delete[] data; + return BAD_VALUE; + } + + buffer_meta = new BufferMeta( + params, portIndex, false /* copyToOmx */, false /* copyFromOmx */, data); + } else { + buffer_meta = new BufferMeta( + params, portIndex, false /* copyFromOmx */, false /* copyToOmx */, NULL); + } OMX_BUFFERHEADERTYPE *header; OMX_ERRORTYPE err = OMX_UseBuffer( mHandle, &header, portIndex, buffer_meta, - allottedSize, static_cast(params->pointer())); + allottedSize, data); if (err != OMX_ErrorNone) { CLOG_ERROR(useBuffer, err, SIMPLE_BUFFER( - portIndex, (size_t)allottedSize, params->pointer())); + portIndex, (size_t)allottedSize, data)); delete buffer_meta; buffer_meta = NULL; @@ -864,7 +984,16 @@ status_t OMXNodeInstance::createGraphicBufferSource( OMX_U32 portIndex, sp bufferConsumer, MetadataBufferType *type) { status_t err; - const sp& surfaceCheck = getGraphicBufferSource(); + // only allow graphic source on input port, when there are no allocated buffers yet + if (portIndex != kPortIndexInput) { + android_errorWriteLog(0x534e4554, "29422020"); + return BAD_VALUE; + } else if (mNumPortBuffers[portIndex] > 0) { + android_errorWriteLog(0x534e4554, "29422020"); + return INVALID_OPERATION; + } + + const sp surfaceCheck = getGraphicBufferSource(); if (surfaceCheck != NULL) { if (portIndex < NELEM(mMetadataType) && type != NULL) { *type = mMetadataType[portIndex]; @@ -1020,13 +1149,21 @@ status_t OMXNodeInstance::allocateBuffer( status_t OMXNodeInstance::allocateBufferWithBackup( OMX_U32 portIndex, const sp ¶ms, - OMX::buffer_id *buffer, OMX_U32 allottedSize) { + OMX::buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess) { Mutex::Autolock autoLock(mLock); - if (allottedSize > params->size()) { + if (allottedSize > params->size() || portIndex >= NELEM(mNumPortBuffers)) { return BAD_VALUE; } - BufferMeta *buffer_meta = new BufferMeta(params, portIndex, true); + // metadata buffers are not connected cross process + bool isMeta = mMetadataType[portIndex] != kMetadataBufferTypeInvalid; + bool copy = !(crossProcess && isMeta); + + BufferMeta *buffer_meta = new BufferMeta( + params, portIndex, + (portIndex == kPortIndexInput) && copy /* copyToOmx */, + (portIndex == kPortIndexOutput) && copy /* copyFromOmx */, + NULL /* data */); OMX_BUFFERHEADERTYPE *header; @@ -1044,6 +1181,7 @@ status_t OMXNodeInstance::allocateBufferWithBackup( } CHECK_EQ(header->pAppPrivate, buffer_meta); + memset(header->pBuffer, 0, header->nAllocLen); *buffer = makeBufferID(header); @@ -1122,6 +1260,12 @@ status_t OMXNodeInstance::emptyBuffer( OMX_U32 flags, OMX_TICKS timestamp, int fenceFd) { Mutex::Autolock autoLock(mLock); + // no emptybuffer if using input surface + if (getGraphicBufferSource() != NULL) { + android_errorWriteLog(0x534e4554, "29422020"); + return INVALID_OPERATION; + } + OMX_BUFFERHEADERTYPE *header = findBufferHeader(buffer, kPortIndexInput); if (header == NULL) { return BAD_VALUE; -- cgit v1.1 From 2af81c25f462ba958507bfe6ba43200e3c2e2a0e Mon Sep 17 00:00:00 2001 From: Robert Shih Date: Tue, 20 Sep 2016 17:37:55 -0700 Subject: SampleIterator: clear members on seekTo error Bug: 31091777 Change-Id: Iddf99d0011961d0fd3d755e57db4365b6a6a1193 (cherry picked from commit 03237ce0f9584c98ccda76c2474a4ae84c763f5b) --- media/libstagefright/SampleIterator.cpp | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/SampleIterator.cpp b/media/libstagefright/SampleIterator.cpp index c5f359e..335bd5d 100644 --- a/media/libstagefright/SampleIterator.cpp +++ b/media/libstagefright/SampleIterator.cpp @@ -94,8 +94,6 @@ status_t SampleIterator::seekTo(uint32_t sampleIndex) { + mFirstChunk; if (!mInitialized || chunk != mCurrentChunkIndex) { - mCurrentChunkIndex = chunk; - status_t err; if ((err = getChunkOffset(chunk, &mCurrentChunkOffset)) != OK) { ALOGE("getChunkOffset return error"); @@ -106,18 +104,21 @@ status_t SampleIterator::seekTo(uint32_t sampleIndex) { uint32_t firstChunkSampleIndex = mFirstChunkSampleIndex - + mSamplesPerChunk * (mCurrentChunkIndex - mFirstChunk); + + mSamplesPerChunk * (chunk - mFirstChunk); for (uint32_t i = 0; i < mSamplesPerChunk; ++i) { size_t sampleSize; if ((err = getSampleSizeDirect( firstChunkSampleIndex + i, &sampleSize)) != OK) { ALOGE("getSampleSizeDirect return error"); + mCurrentChunkSampleSizes.clear(); return err; } mCurrentChunkSampleSizes.push(sampleSize); } + + mCurrentChunkIndex = chunk; } uint32_t chunkRelativeSampleIndex = -- cgit v1.1 From b5203aba00dc60bee526d78e5851f0a34c4b5bd7 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Mon, 19 Sep 2016 16:22:56 -0700 Subject: Limit mp4 atom size to something reasonable Bug: 28615448 Change-Id: I5916f6839b4a9bbee4388a106e7373bcd4154f5a (cherry picked from commit cb898dca47ac03738db91ddc371207435d2a1526) --- media/libstagefright/MPEG4Extractor.cpp | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp index 4c10cc9..9e7f298 100755 --- a/media/libstagefright/MPEG4Extractor.cpp +++ b/media/libstagefright/MPEG4Extractor.cpp @@ -50,6 +50,12 @@ namespace android { +enum { + // maximum size of an atom. Some atoms can be bigger according to the spec, + // but we only allow up to this size. + kMaxAtomSize = 64 * 1024 * 1024, +}; + class MPEG4Source : public MediaSource { public: // Caller retains ownership of both "dataSource" and "sampleTable". @@ -836,6 +842,13 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { PathAdder autoAdder(&mPath, chunk_type); off64_t chunk_data_size = *offset + chunk_size - data_offset; + if (chunk_type != FOURCC('m', 'd', 'a', 't') && chunk_data_size > kMaxAtomSize) { + char errMsg[100]; + sprintf(errMsg, "%s atom has size %" PRId64, chunk, chunk_data_size); + ALOGE("%s (b/28615448)", errMsg); + android_errorWriteWithInfoLog(0x534e4554, "28615448", -1, errMsg, strlen(errMsg)); + return ERROR_MALFORMED; + } if (chunk_type != FOURCC('c', 'p', 'r', 't') && chunk_type != FOURCC('c', 'o', 'v', 'r') -- cgit v1.1 From b1463a7e50d22414c62cb9872ef9078f5a962923 Mon Sep 17 00:00:00 2001 From: Lajos Molnar Date: Mon, 12 Sep 2016 14:40:47 -0700 Subject: IOMX: restrict conversion of ANWB to gralloc source in emptyBuffer This is only allowed in-process (if backup and codec buffers are connected.) Bug: 29422020 Bug: 31412859 Change-Id: If48e3e0b6f1af99a459fdc3f6f03744bbf0dc375 (cherry picked from commit 087ff38490016f4a0b6a1e717ae8af781d9b750c) --- media/libstagefright/omx/OMXNodeInstance.cpp | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/omx/OMXNodeInstance.cpp b/media/libstagefright/omx/OMXNodeInstance.cpp index a0dc2ec..13b7cbb 100644 --- a/media/libstagefright/omx/OMXNodeInstance.cpp +++ b/media/libstagefright/omx/OMXNodeInstance.cpp @@ -167,6 +167,10 @@ struct BufferMeta { return buf; } + bool copyToOmx() const { + return mCopyToOmx; + } + void setGraphicBuffer(const sp &graphicBuffer) { mGraphicBuffer = graphicBuffer; } @@ -788,7 +792,7 @@ status_t OMXNodeInstance::useBuffer( params, portIndex, false /* copyToOmx */, false /* copyFromOmx */, data); } else { buffer_meta = new BufferMeta( - params, portIndex, false /* copyFromOmx */, false /* copyToOmx */, NULL); + params, portIndex, false /* copyToOmx */, false /* copyFromOmx */, NULL); } OMX_BUFFERHEADERTYPE *header; @@ -1277,7 +1281,8 @@ status_t OMXNodeInstance::emptyBuffer( // convert incoming ANW meta buffers if component is configured for gralloc metadata mode // ignore rangeOffset in this case - if (mMetadataType[kPortIndexInput] == kMetadataBufferTypeGrallocSource + if (buffer_meta->copyToOmx() + && mMetadataType[kPortIndexInput] == kMetadataBufferTypeGrallocSource && backup->capacity() >= sizeof(VideoNativeMetadata) && codec->capacity() >= sizeof(VideoGrallocMetadata) && ((VideoNativeMetadata *)backup->base())->eType -- cgit v1.1 From 8cbd1c5cb14e771982965a530b34282effc39b8c Mon Sep 17 00:00:00 2001 From: Lajos Molnar Date: Wed, 14 Sep 2016 10:01:37 -0700 Subject: IOMX: allow configuration after going to loaded state This was disallowed recently but we still use it as MediaCodcec.stop only goes to loaded state, and does not free component. Bug: 31450460 Change-Id: I72e092e4e55c9f23b1baee3e950d76e84a5ef28d (cherry picked from commit e03b22839d78c841ce0a1a0a1ee1960932188b0b) --- media/libstagefright/omx/OMXNodeInstance.cpp | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/omx/OMXNodeInstance.cpp b/media/libstagefright/omx/OMXNodeInstance.cpp index 13b7cbb..b86611f 100644 --- a/media/libstagefright/omx/OMXNodeInstance.cpp +++ b/media/libstagefright/omx/OMXNodeInstance.cpp @@ -391,8 +391,7 @@ status_t OMXNodeInstance::freeNode(OMXMaster *master) { status_t OMXNodeInstance::sendCommand( OMX_COMMANDTYPE cmd, OMX_S32 param) { if (cmd == OMX_CommandStateSet) { - // We do not support returning from unloaded state, so there are no configurations past - // first StateSet command. + // There are no configurations past first StateSet command. mSailed = true; } const sp bufferSource(getGraphicBufferSource()); @@ -1689,6 +1688,13 @@ void OMXNodeInstance::onEvent( && arg2 == OMX_StateExecuting) { bufferSource->omxExecuting(); } + + // allow configuration if we return to the loaded state + if (event == OMX_EventCmdComplete + && arg1 == OMX_CommandStateSet + && arg2 == OMX_StateLoaded) { + mSailed = false; + } } // static -- cgit v1.1 From c2a27ba1c949d1409f75bfef5cc052b7d88e4610 Mon Sep 17 00:00:00 2001 From: Chong Zhang Date: Mon, 19 Sep 2016 15:29:04 -0700 Subject: IOMX: do not clear buffer if it's allocated by component The component might depends on their buffers to be initialized in certain ways to work. Don't clear unless we're allocating it. bug: 31586647 Change-Id: Ia0a125797e414998ef0cd8ce03672f5b1e0bbf7a (cherry picked from commit ea76573aa276f51950007217a97903c4fe64f685) --- media/libstagefright/omx/OMXNodeInstance.cpp | 1 - 1 file changed, 1 deletion(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/omx/OMXNodeInstance.cpp b/media/libstagefright/omx/OMXNodeInstance.cpp index b86611f..1e76e01 100644 --- a/media/libstagefright/omx/OMXNodeInstance.cpp +++ b/media/libstagefright/omx/OMXNodeInstance.cpp @@ -1184,7 +1184,6 @@ status_t OMXNodeInstance::allocateBufferWithBackup( } CHECK_EQ(header->pAppPrivate, buffer_meta); - memset(header->pBuffer, 0, header->nAllocLen); *buffer = makeBufferID(header); -- cgit v1.1 From c13a507aa0badeb5f8482c25e2845780ba021ce7 Mon Sep 17 00:00:00 2001 From: Lajos Molnar Date: Tue, 11 Oct 2016 08:41:51 -0700 Subject: stagefright: don't fail MediaCodec.configure if clients use store-meta key Even though storing metadata is not supported in MediaCodec.configure and is only meant to be used by Stagefright recorder, don't fail configure. Bug: 31986922 Change-Id: Id9f083be6e857e7a0d8d4a74159be5b8894e28be (cherry picked from commit ae52fd383a43ac239f459078fd003ce8ac2efb55) --- media/libstagefright/ACodec.cpp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/ACodec.cpp b/media/libstagefright/ACodec.cpp index 6399b79..cd2408b 100644 --- a/media/libstagefright/ACodec.cpp +++ b/media/libstagefright/ACodec.cpp @@ -1655,7 +1655,10 @@ status_t ACodec::configureCodec( ALOGE("[%s] storeMetaDataInBuffers (input) failed w/ err %d", mComponentName.c_str(), err); - return err; + if (mOMX->livesLocally(mNode, getpid())) { + return err; + } + ALOGI("ignoring failure to use internal MediaCodec key."); } // For this specific case we could be using camera source even if storeMetaDataInBuffers // returns Gralloc source. Pretend that we are; this will force us to use nBufferSize. -- cgit v1.1 From 2e39b85cae7025786fade45ba90583c1729ffe42 Mon Sep 17 00:00:00 2001 From: Ziyan Date: Tue, 21 Apr 2015 15:07:13 +0200 Subject: libstagefright: wfd: don't use intra macroblock refresh mode on omap4 Most, if not all OMAP4 Ducatis doesn't support intra macroblock refresh mode, causing the encoder to fail initializing. This patch disables intra macroblock refresh mode for wifi display on omap4. Note: Ideally, the decoder shouldn't fail if intra macroblock refresh mode can't be configured. However, that would trick higher layers into thinking that it's on, because they set that parameter. As of now, this mode seems to only ever be used for wifi display. Change-Id: I9696af8f22db82cc436a351e4d93bf7323588f43 --- media/libstagefright/wifi-display/Android.mk | 4 ++++ media/libstagefright/wifi-display/source/Converter.cpp | 2 ++ 2 files changed, 6 insertions(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/wifi-display/Android.mk b/media/libstagefright/wifi-display/Android.mk index fb28624..6f17747 100644 --- a/media/libstagefright/wifi-display/Android.mk +++ b/media/libstagefright/wifi-display/Android.mk @@ -33,6 +33,10 @@ LOCAL_SHARED_LIBRARIES:= \ LOCAL_CFLAGS += -Wno-multichar -Werror -Wall LOCAL_CLANG := true +ifeq ($(BOARD_NO_INTRA_MACROBLOCK_MODE_SUPPORT),true) +LOCAL_CFLAGS += -DBOARD_NO_INTRA_MACROBLOCK_MODE_SUPPORT +endif + LOCAL_MODULE:= libstagefright_wfd LOCAL_MODULE_TAGS:= optional diff --git a/media/libstagefright/wifi-display/source/Converter.cpp b/media/libstagefright/wifi-display/source/Converter.cpp index 471152e..9a2d08a 100644 --- a/media/libstagefright/wifi-display/source/Converter.cpp +++ b/media/libstagefright/wifi-display/source/Converter.cpp @@ -173,8 +173,10 @@ status_t Converter::initEncoder() { mOutputFormat->setInt32("frame-rate", 30); mOutputFormat->setInt32("i-frame-interval", 15); // Iframes every 15 secs +#ifndef BOARD_NO_INTRA_MACROBLOCK_MODE_SUPPORT // Configure encoder to use intra macroblock refresh mode mOutputFormat->setInt32("intra-refresh-mode", OMX_VIDEO_IntraRefreshCyclic); +#endif int width, height, mbs; if (!mOutputFormat->findInt32("width", &width) -- cgit v1.1 From 1c6e16c0b4082c0edaca4fcc0838f33bf14ffac8 Mon Sep 17 00:00:00 2001 From: Andreas Blaesius Date: Tue, 8 Nov 2016 03:24:23 -0700 Subject: Allow to use baseline profile for AVC recording - some encoder seem to crash using higher h264 profiles Change-Id: I2beb881e76519f872e3e99957f8b981eeaa53b56 --- media/libstagefright/ACodec.cpp | 2 +- media/libstagefright/Android.mk | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/ACodec.cpp b/media/libstagefright/ACodec.cpp index e00e673..d2389f6 100644 --- a/media/libstagefright/ACodec.cpp +++ b/media/libstagefright/ACodec.cpp @@ -3568,7 +3568,7 @@ status_t ACodec::setupAVCEncoderParameters(const sp &msg) { // XXX // Allow higher profiles to be set since the encoder seems to support -#if 0 +#ifdef USE_AVC_BASELINE_PROFILE if (h264type.eProfile != OMX_VIDEO_AVCProfileBaseline) { ALOGW("Use baseline profile instead of %d for AVC recording", h264type.eProfile); diff --git a/media/libstagefright/Android.mk b/media/libstagefright/Android.mk index 29fb418..792c139 100644 --- a/media/libstagefright/Android.mk +++ b/media/libstagefright/Android.mk @@ -173,6 +173,10 @@ ifeq ($(TARGET_BOARD_PLATFORM),omap4) LOCAL_CFLAGS += -DBOARD_CANT_REALLOCATE_OMX_BUFFERS endif +ifeq ($(TARGET_USE_AVC_BASELINE_PROFILE), true) +LOCAL_CFLAGS += -DUSE_AVC_BASELINE_PROFILE +endif + ifeq ($(call is-vendor-board-platform,QCOM),true) LOCAL_C_INCLUDES += $(TARGET_OUT_HEADERS)/mm-audio ifeq ($(strip $(AUDIO_FEATURE_ENABLED_EXTN_FLAC_DECODER)),true) -- cgit v1.1