authorLajos Molnar <lajos@google.com>2014-03-24 15:57:51 -0700
committerLajos Molnar <lajos@google.com>2014-03-25 07:26:09 -0700
commit7ac4f560dfe754eb4fe0d279fa03c1d9b3a7a5af (patch)
tree75d45283646c32b31f43fa05a61168abda4c44b6 /media/jni
parent9bec0f5cc13c2f41cf09e409e134bab537a67e87 (diff)
MediaCodec: avoid silent array overflow in queueSecureInputBuffer()
Bug: 13006907 Change-Id: I7e1a1e37a677f8b2cf500e1cc52f4c2ff40fa470
Diffstat (limited to 'media/jni')
-rw-r--r--media/jni/android_media_MediaCodec.cpp6
1 files changed, 6 insertions, 0 deletions
diff --git a/media/jni/android_media_MediaCodec.cpp b/media/jni/android_media_MediaCodec.cpp
index b2fb2df..d04b1f8 100644
--- a/media/jni/android_media_MediaCodec.cpp
+++ b/media/jni/android_media_MediaCodec.cpp
@@ -27,6 +27,8 @@
#include "jni.h"
#include "JNIHelp.h"
+#include <cutils/compiler.h>
+
#include <gui/Surface.h>
#include <media/ICrypto.h>
@@ -738,6 +740,10 @@ static void android_media_MediaCodec_queueSecureInputBuffer(
} else if (numBytesOfClearDataObj != NULL
&& env->GetArrayLength(numBytesOfClearDataObj) < numSubSamples) {
err = -ERANGE;
+ // subSamples array may silently overflow if number of samples are too large. Use
+ // INT32_MAX as maximum allocation size may be less than SIZE_MAX on some platforms
+ } else if ( CC_UNLIKELY(numSubSamples >= INT32_MAX / sizeof(*subSamples)) ) {
+ err = -EINVAL;
} else {
jboolean isCopy;
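Review bot: The new guard `numSubSamples >= INT32_MAX / sizeof(*subSamples)` compares what looks like a signed JNI count against a `size_t` quotient, so it depends on implicit signed-to-unsigned conversion. The declaration of `numSubSamples` and any earlier sign check are outside this hunk; if it is a `jint`, a negative value is rejected here only because it wraps to a large unsigned number. Making the conversion explicit would show that this is intended: `} else if (CC_UNLIKELY((size_t)numSubSamples >= INT32_MAX / sizeof(*subSamples))) {`. The two-line comment also sits inside the preceding `-ERANGE` branch, after its assignment, so it reads as a remark on that branch; placing it inside the new branch above `err = -EINVAL;` and wording it as `// Reject counts whose subSamples allocation size would overflow; cap at INT32_MAX since the maximum allocation may be below SIZE_MAX on some platforms.` would tie it to the check it explains. The allocation this guards is not visible in the hunk, as the function body continues past it.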