diff options
| author | Danny Baumann <dannybaumann@web.de> | 2011-11-07 09:08:51 +0100 |
|---|---|---|
| committer | Danny Baumann <dannybaumann@web.de> | 2012-05-04 13:06:51 +0200 |
| commit | 8ee9162536da5711e383dd1d89dca4fa1da107be (patch) | |
| tree | 47cd875c55c87b657fc912d5a0c4ab51623dc2fa /include | |
| parent | 75b2e6d76e1354c7f0279f8b3927d849f28ba80a (diff) | |
| download | frameworks_base-8ee9162536da5711e383dd1d89dca4fa1da107be.zip frameworks_base-8ee9162536da5711e383dd1d89dca4fa1da107be.tar.gz frameworks_base-8ee9162536da5711e383dd1d89dca4fa1da107be.tar.bz2 | |
Fix a couple of nasty heap corruption bugs.
- When replacing the buffer pointer with another one, the allocated
length wasn't updated. As the TI encoder relies of those being matched
up (it e.g. does a memset(pBuffer, 0, nAllocLen) at certain places), this
could lead to random memory being overwritten (or to a segfault when
reaching the end of the mapping)
- When replacing the buffer, the old buffer wasn't saved and restored
before calling freeBuffer. This led to a different address passed to
free() than was returned by malloc(), could lead to all kinds of weird,
undefined behaviour.
Diffstat (limited to 'include')
| -rwxr-xr-x | include/media/stagefright/OMXCodec.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/include/media/stagefright/OMXCodec.h b/include/media/stagefright/OMXCodec.h index 32a3d19..69240f6 100755 --- a/include/media/stagefright/OMXCodec.h +++ b/include/media/stagefright/OMXCodec.h @@ -172,6 +172,8 @@ private: size_t mSize; void *mData; MediaBuffer *mMediaBuffer; + OMX_U8 *mAllocatedBuffer; + size_t mAllocatedSize; }; struct CodecSpecificData { |