Merge "Change include path and names to compile with new webrtc."
diff --git a/include/media/stagefright/SkipCutBuffer.h b/include/media/stagefright/SkipCutBuffer.h
index 098aa69..61f9949 100644
--- a/include/media/stagefright/SkipCutBuffer.h
+++ b/include/media/stagefright/SkipCutBuffer.h
@@ -29,9 +29,10 @@
*/
class SkipCutBuffer: public RefBase {
public:
- // 'skip' is the number of bytes to skip from the beginning
- // 'cut' is the number of bytes to cut from the end
- SkipCutBuffer(int32_t skip, int32_t cut);
+ // 'skip' is the number of frames to skip from the beginning
+ // 'cut' is the number of frames to cut from the end
+ // 'num16BitChannels' is the number of channels, which are assumed to be 16 bit wide each
+ SkipCutBuffer(size_t skip, size_t cut, size_t num16Channels);
// Submit one MediaBuffer for skipping and cutting. This may consume all or
// some of the data in the buffer, or it may add data to it.
diff --git a/media/libmedia/Android.mk b/media/libmedia/Android.mk
index a3c3d3c..be88aa0 100644
--- a/media/libmedia/Android.mk
+++ b/media/libmedia/Android.mk
@@ -89,6 +89,7 @@
LOCAL_CFLAGS += -Werror -Wno-error=deprecated-declarations -Wall
LOCAL_CLANG := true
+LOCAL_SANITIZE := unsigned-integer-overflow signed-integer-overflow
include $(BUILD_SHARED_LIBRARY)
diff --git a/media/libmedia/AudioTrackShared.cpp b/media/libmedia/AudioTrackShared.cpp
index a5b516c..5e45c85 100644
--- a/media/libmedia/AudioTrackShared.cpp
+++ b/media/libmedia/AudioTrackShared.cpp
@@ -38,7 +38,7 @@
// In general, this means (new_self) returned is max(self, other) + 1.
static uint32_t incrementSequence(uint32_t self, uint32_t other) {
- int32_t diff = (int32_t) self - other;
+ int32_t diff = (int32_t) self - (int32_t) other;
if (diff >= 0 && diff < INT32_MAX) {
return self + 1; // we're already ahead of other.
}
@@ -894,7 +894,7 @@
if (mObserver.poll(state)) {
StaticAudioTrackState trystate = mState;
bool result;
- const int32_t diffSeq = state.mLoopSequence - state.mPositionSequence;
+ const int32_t diffSeq = (int32_t) state.mLoopSequence - (int32_t) state.mPositionSequence;
if (diffSeq < 0) {
result = updateStateWithLoop(&trystate, state) == OK &&
diff --git a/media/libstagefright/ACodec.cpp b/media/libstagefright/ACodec.cpp
index 166600b..0b81b80 100644
--- a/media/libstagefright/ACodec.cpp
+++ b/media/libstagefright/ACodec.cpp
@@ -4438,16 +4438,13 @@
(mEncoderDelay || mEncoderPadding)) {
int32_t channelCount;
CHECK(notify->findInt32("channel-count", &channelCount));
- size_t frameSize = channelCount * sizeof(int16_t);
if (mSkipCutBuffer != NULL) {
size_t prevbufsize = mSkipCutBuffer->size();
if (prevbufsize != 0) {
ALOGW("Replacing SkipCutBuffer holding %zu bytes", prevbufsize);
}
}
- mSkipCutBuffer = new SkipCutBuffer(
- mEncoderDelay * frameSize,
- mEncoderPadding * frameSize);
+ mSkipCutBuffer = new SkipCutBuffer(mEncoderDelay, mEncoderPadding, channelCount);
}
notify->post();
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index a76334f..c0f4e6c 100755
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -1776,13 +1776,13 @@
if (!isParsingMetaKeys) {
uint8_t buffer[4];
if (chunk_data_size < (off64_t)sizeof(buffer)) {
- *offset += chunk_size;
+ *offset = stop_offset;
return ERROR_MALFORMED;
}
if (mDataSource->readAt(
data_offset, buffer, 4) < 4) {
- *offset += chunk_size;
+ *offset = stop_offset;
return ERROR_IO;
}
@@ -1793,7 +1793,7 @@
// apparently malformed chunks that don't have flags
// and completely different semantics than what's
// in the MPEG4 specs and skip it.
- *offset += chunk_size;
+ *offset = stop_offset;
return OK;
}
*offset += sizeof(buffer);
diff --git a/media/libstagefright/OMXCodec.cpp b/media/libstagefright/OMXCodec.cpp
index 7ae24dd..4c39194 100644
--- a/media/libstagefright/OMXCodec.cpp
+++ b/media/libstagefright/OMXCodec.cpp
@@ -1751,14 +1751,13 @@
int32_t numchannels = 0;
if (delay + padding) {
if (mOutputFormat->findInt32(kKeyChannelCount, &numchannels)) {
- size_t frameSize = numchannels * sizeof(int16_t);
if (mSkipCutBuffer != NULL) {
size_t prevbuffersize = mSkipCutBuffer->size();
if (prevbuffersize != 0) {
ALOGW("Replacing SkipCutBuffer holding %zu bytes", prevbuffersize);
}
}
- mSkipCutBuffer = new SkipCutBuffer(delay * frameSize, padding * frameSize);
+ mSkipCutBuffer = new SkipCutBuffer(delay, padding, numchannels);
}
}
}
diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp
index 97dff43..02b20c4 100644
--- a/media/libstagefright/SampleTable.cpp
+++ b/media/libstagefright/SampleTable.cpp
@@ -194,11 +194,11 @@
mNumChunkOffsets = U32_AT(&header[4]);
if (mChunkOffsetType == kChunkOffsetType32) {
- if (data_size < 8 + mNumChunkOffsets * 4) {
+ if ((data_size - 8) / 4 < mNumChunkOffsets) {
return ERROR_MALFORMED;
}
} else {
- if (data_size < 8 + mNumChunkOffsets * 8) {
+ if ((data_size - 8) / 8 < mNumChunkOffsets) {
return ERROR_MALFORMED;
}
}
@@ -231,7 +231,7 @@
mNumSampleToChunkOffsets = U32_AT(&header[4]);
- if (data_size < 8 + mNumSampleToChunkOffsets * 12) {
+ if ((data_size - 8) / 12 < mNumSampleToChunkOffsets) {
return ERROR_MALFORMED;
}
@@ -245,6 +245,11 @@
for (uint32_t i = 0; i < mNumSampleToChunkOffsets; ++i) {
uint8_t buffer[12];
+
+ if ((off64_t)((SIZE_MAX / 12) - 8 - i) < mSampleToChunkOffset) {
+ return ERROR_MALFORMED;
+ }
+
if (mDataSource->readAt(
mSampleToChunkOffset + 8 + i * 12, buffer, sizeof(buffer))
!= (ssize_t)sizeof(buffer)) {
@@ -386,7 +391,7 @@
size_t numEntries = U32_AT(&header[4]);
- if (data_size != (numEntries + 1) * 8) {
+ if (((SIZE_MAX / 8) - 1 < numEntries) || (data_size != (numEntries + 1) * 8)) {
return ERROR_MALFORMED;
}
diff --git a/media/libstagefright/SkipCutBuffer.cpp b/media/libstagefright/SkipCutBuffer.cpp
index 1da1e5e..d30be88 100644
--- a/media/libstagefright/SkipCutBuffer.cpp
+++ b/media/libstagefright/SkipCutBuffer.cpp
@@ -24,21 +24,32 @@
namespace android {
-SkipCutBuffer::SkipCutBuffer(int32_t skip, int32_t cut) {
+SkipCutBuffer::SkipCutBuffer(size_t skip, size_t cut, size_t num16BitChannels) {
- if (skip < 0 || cut < 0 || cut > 64 * 1024) {
- ALOGW("out of range skip/cut: %d/%d, using passthrough instead", skip, cut);
- skip = 0;
- cut = 0;
+ mWriteHead = 0;
+ mReadHead = 0;
+ mCapacity = 0;
+ mCutBuffer = NULL;
+
+ if (num16BitChannels == 0 || num16BitChannels > INT32_MAX / 2) {
+ ALOGW("# channels out of range: %zu, using passthrough instead", num16BitChannels);
+ return;
}
+ size_t frameSize = num16BitChannels * 2;
+ if (skip > INT32_MAX / frameSize || cut > INT32_MAX / frameSize
+ || cut * frameSize > INT32_MAX - 4096) {
+ ALOGW("out of range skip/cut: %zu/%zu, using passthrough instead",
+ skip, cut);
+ return;
+ }
+ skip *= frameSize;
+ cut *= frameSize;
mFrontPadding = mSkip = skip;
mBackPadding = cut;
- mWriteHead = 0;
- mReadHead = 0;
mCapacity = cut + 4096;
- mCutBuffer = new char[mCapacity];
- ALOGV("skipcutbuffer %d %d %d", skip, cut, mCapacity);
+ mCutBuffer = new (std::nothrow) char[mCapacity];
+ ALOGV("skipcutbuffer %zu %zu %d", skip, cut, mCapacity);
}
SkipCutBuffer::~SkipCutBuffer() {
@@ -46,6 +57,11 @@
}
void SkipCutBuffer::submit(MediaBuffer *buffer) {
+ if (mCutBuffer == NULL) {
+ // passthrough mode
+ return;
+ }
+
int32_t offset = buffer->range_offset();
int32_t buflen = buffer->range_length();
@@ -73,6 +89,11 @@
}
void SkipCutBuffer::submit(const sp<ABuffer>& buffer) {
+ if (mCutBuffer == NULL) {
+ // passthrough mode
+ return;
+ }
+
int32_t offset = buffer->offset();
int32_t buflen = buffer->size();
diff --git a/media/libstagefright/codecs/amrwbenc/src/c2t64fx.c b/media/libstagefright/codecs/amrwbenc/src/c2t64fx.c
index 18698e2..768abd4 100644
--- a/media/libstagefright/codecs/amrwbenc/src/c2t64fx.c
+++ b/media/libstagefright/codecs/amrwbenc/src/c2t64fx.c
@@ -44,6 +44,10 @@
* Each pulse can have 32 possible positions. *
**************************************************************************/
+// There are many integer overflows in this function, as none of them appear to
+// lead to memory accesses, and performing the appropriate checks will lead
+// to considerably larger code, mark this as ignore.
+__attribute__((no_sanitize("integer")))
void ACELP_2t64_fx(
Word16 dn[], /* (i) <12b : correlation between target x[] and H[] */
Word16 cn[], /* (i) <12b : residual after long term prediction */
diff --git a/media/libstagefright/httplive/PlaylistFetcher.cpp b/media/libstagefright/httplive/PlaylistFetcher.cpp
index fb11109..37847e3 100644
--- a/media/libstagefright/httplive/PlaylistFetcher.cpp
+++ b/media/libstagefright/httplive/PlaylistFetcher.cpp
@@ -1628,7 +1628,8 @@
if (mSegmentFirstPTS < 0ll) {
// get the smallest first PTS from all streams present in this parser
- for (size_t i = mPacketSources.size(); i-- > 0;) {
+ for (size_t i = mPacketSources.size(); i > 0;) {
+ i--;
const LiveSession::StreamType stream = mPacketSources.keyAt(i);
if (stream == LiveSession::STREAMTYPE_SUBTITLES) {
ALOGE("MPEG2 Transport streams do not contain subtitles.");
diff --git a/services/camera/libcameraservice/CameraFlashlight.cpp b/services/camera/libcameraservice/CameraFlashlight.cpp
index 280bb9d..e42c596 100644
--- a/services/camera/libcameraservice/CameraFlashlight.cpp
+++ b/services/camera/libcameraservice/CameraFlashlight.cpp
@@ -878,6 +878,7 @@
}
mDevice->setPreviewWindow(NULL);
mDevice->release();
+ mDevice = NULL;
return OK;
}
diff --git a/services/camera/libcameraservice/CameraService.cpp b/services/camera/libcameraservice/CameraService.cpp
index 43a8ec4..5736b9e 100644
--- a/services/camera/libcameraservice/CameraService.cpp
+++ b/services/camera/libcameraservice/CameraService.cpp
@@ -308,8 +308,10 @@
clientToDisconnect = removeClientLocked(id);
// Notify the client of disconnection
- clientToDisconnect->notifyError(ICameraDeviceCallbacks::ERROR_CAMERA_DISCONNECTED,
- CaptureResultExtras{});
+ if (clientToDisconnect != nullptr) {
+ clientToDisconnect->notifyError(ICameraDeviceCallbacks::ERROR_CAMERA_DISCONNECTED,
+ CaptureResultExtras{});
+ }
}
ALOGI("%s: Client for camera ID %s evicted due to device status change from HAL",
diff --git a/services/camera/libcameraservice/api1/client2/Parameters.cpp b/services/camera/libcameraservice/api1/client2/Parameters.cpp
index 442eb75..ea75679 100644
--- a/services/camera/libcameraservice/api1/client2/Parameters.cpp
+++ b/services/camera/libcameraservice/api1/client2/Parameters.cpp
@@ -1040,7 +1040,7 @@
ALOGE("%s: Camera %d: Scene mode override list is an "
"unexpected size: %zu (expected %zu)", __FUNCTION__,
cameraId, sceneModeOverrides.count,
- availableSceneModes.count);
+ availableSceneModes.count * kModesPerSceneMode);
return NO_INIT;
}
for (size_t i = 0; i < availableSceneModes.count; i++) {