DO NOT MERGE - IOMX: Add buffer range check to emptyBuffer Bug: 20634516 Change-Id: If351dbd573bb4aeb6968bfa33f6d407225bc752c

commit: 0e27e080c255b23b4b0e19cb3bc9519cc162b73f [log] [tgz]
author: Andy Hung <hunga@google.com> Tue May 26 11:14:36 2015 -0700
committer: Bart Sears <bsears@google.com> Wed May 27 01:22:14 2015 +0000
tree: e86188451668c87dae7866f45b076f4beba7d643
parent: dbe6c320b414d8139c46aaf880d5f154ef4f9af8 [diff]
diff --git a/media/libstagefright/omx/OMXNodeInstance.cpp b/media/libstagefright/omx/OMXNodeInstance.cpp
index 6c5c857..4fe41c9 100644
--- a/media/libstagefright/omx/OMXNodeInstance.cpp
+++ b/media/libstagefright/omx/OMXNodeInstance.cpp

@@ -797,6 +797,12 @@
     Mutex::Autolock autoLock(mLock);
 
     OMX_BUFFERHEADERTYPE *header = (OMX_BUFFERHEADERTYPE *)buffer;
+    // rangeLength and rangeOffset must be a subset of the allocated data in the buffer.
+    // corner case: we permit rangeOffset == end-of-buffer with rangeLength == 0.
+    if (rangeOffset > header->nAllocLen
+            || rangeLength > header->nAllocLen - rangeOffset) {
+        return BAD_VALUE;
+    }
     header->nFilledLen = rangeLength;
     header->nOffset = rangeOffset;
     header->nFlags = flags;
commit	0e27e080c255b23b4b0e19cb3bc9519cc162b73f	[log] [tgz]
author	Andy Hung <hunga@google.com>	Tue May 26 11:14:36 2015 -0700
committer	Bart Sears <bsears@google.com>	Wed May 27 01:22:14 2015 +0000
tree	e86188451668c87dae7866f45b076f4beba7d643
parent	dbe6c320b414d8139c46aaf880d5f154ef4f9af8 [diff]