diff options
| author | Danny Baumann <dannybaumann@web.de> | 2011-11-07 09:08:51 +0100 |
|---|---|---|
| committer | Steve Kondik <shade@chemlab.org> | 2011-11-13 20:04:23 -0800 |
| commit | 818068f74feeb8e7dfb966b6f983fbf754232777 (patch) | |
| tree | 0e56de8692d1cf19799168789da1b0f447b438d9 /include | |
| parent | d3935fb90d5787664921dc3940bed1a63a209359 (diff) | |
| download | frameworks_base-818068f74feeb8e7dfb966b6f983fbf754232777.zip frameworks_base-818068f74feeb8e7dfb966b6f983fbf754232777.tar.gz frameworks_base-818068f74feeb8e7dfb966b6f983fbf754232777.tar.bz2 | |
Fix a couple of nasty heap corruption bugs.
- When replacing the buffer pointer with another one, the allocated
length wasn't updated. As the TI encoder relies of those being matched
up (it e.g. does a memset(pBuffer, 0, nAllocLen) at certain places), this
could lead to random memory being overwritten (or to a segfault when
reaching the end of the mapping)
- When replacing the buffer, the old buffer wasn't saved and restored
before calling freeBuffer. This led to a different address passed to
free() than was returned by malloc(), could lead to all kinds of weird,
undefined behaviour.
Change-Id: I5e37c66d9c9405e209e5d8df3ea52d378cf44490
Diffstat (limited to 'include')
| -rw-r--r-- | include/media/stagefright/OMXCodec.h | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/include/media/stagefright/OMXCodec.h b/include/media/stagefright/OMXCodec.h index 3213275..d82792b 100644 --- a/include/media/stagefright/OMXCodec.h +++ b/include/media/stagefright/OMXCodec.h @@ -159,6 +159,8 @@ private: size_t mSize; void *mData; MediaBuffer *mMediaBuffer; + OMX_U8 *mAllocatedBuffer; + size_t mAllocatedSize; }; struct CodecSpecificData { @@ -268,6 +270,8 @@ private: status_t allocateBuffers(); status_t allocateBuffersOnPort(OMX_U32 portIndex); + status_t freeBuffer( + OMX_U32 portIndex, BufferInfo *info); status_t freeBuffersOnPort( OMX_U32 portIndex, bool onlyThoseWeOwn = false); |