Merge "Do not seek when switching to background playback" am: 3db1bb97a7
am: 48e2144d15
Change-Id: Ic48fc888b7733bc597f318ac375bd63e122d9feb
diff --git a/media/libstagefright/AMRExtractor.cpp b/media/libstagefright/AMRExtractor.cpp
index 0e98db8..2892520 100644
--- a/media/libstagefright/AMRExtractor.cpp
+++ b/media/libstagefright/AMRExtractor.cpp
@@ -259,7 +259,7 @@
int64_t seekTimeUs;
ReadOptions::SeekMode mode;
- if (options && options->getSeekTo(&seekTimeUs, &mode)) {
+ if (mOffsetTableLength > 0 && options && options->getSeekTo(&seekTimeUs, &mode)) {
size_t size;
int64_t seekFrame = seekTimeUs / 20000ll; // 20ms per frame.
mCurrentTimeUs = seekFrame * 20000ll;
diff --git a/media/libstagefright/HevcUtils.cpp b/media/libstagefright/HevcUtils.cpp
index 718710a..7d463a9 100644
--- a/media/libstagefright/HevcUtils.cpp
+++ b/media/libstagefright/HevcUtils.cpp
@@ -45,16 +45,32 @@
}
status_t HevcParameterSets::addNalUnit(const uint8_t* data, size_t size) {
+ if (size < 1) {
+ ALOGE("empty NAL b/35467107");
+ return ERROR_MALFORMED;
+ }
uint8_t nalUnitType = (data[0] >> 1) & 0x3f;
status_t err = OK;
switch (nalUnitType) {
case 32: // VPS
+ if (size < 2) {
+ ALOGE("invalid NAL/VPS size b/35467107");
+ return ERROR_MALFORMED;
+ }
err = parseVps(data + 2, size - 2);
break;
case 33: // SPS
+ if (size < 2) {
+ ALOGE("invalid NAL/SPS size b/35467107");
+ return ERROR_MALFORMED;
+ }
err = parseSps(data + 2, size - 2);
break;
case 34: // PPS
+ if (size < 2) {
+ ALOGE("invalid NAL/PPS size b/35467107");
+ return ERROR_MALFORMED;
+ }
err = parsePps(data + 2, size - 2);
break;
case 39: // Prefix SEI
diff --git a/media/libstagefright/NuMediaExtractor.cpp b/media/libstagefright/NuMediaExtractor.cpp
index 276d731..4558b3c 100644
--- a/media/libstagefright/NuMediaExtractor.cpp
+++ b/media/libstagefright/NuMediaExtractor.cpp
@@ -618,7 +618,7 @@
}
off64_t size;
- if (mDurationUs >= 0 && mDataSource->getSize(&size) == OK) {
+ if (mDurationUs > 0 && mDataSource->getSize(&size) == OK) {
*bitrate = size * 8000000ll / mDurationUs; // in bits/sec
return true;
}
diff --git a/media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp b/media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp
index 5f516cb..44415e2 100644
--- a/media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp
+++ b/media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp
@@ -16,6 +16,7 @@
//#define LOG_NDEBUG 0
#define LOG_TAG "SoftAACEncoder2"
+#include <log/log.h>
#include <utils/Log.h>
#include "SoftAACEncoder2.h"
@@ -61,6 +62,7 @@
mSentCodecSpecificData(false),
mInputSize(0),
mInputFrame(NULL),
+ mAllocatedFrameSize(0),
mInputTimeUs(-1ll),
mSawInputEOS(false),
mSignalledError(false) {
@@ -510,6 +512,15 @@
BufferInfo *outInfo = *outQueue.begin();
OMX_BUFFERHEADERTYPE *outHeader = outInfo->mHeader;
+
+ if (outHeader->nOffset + encInfo.confSize > outHeader->nAllocLen) {
+ ALOGE("b/34617444");
+ android_errorWriteLog(0x534e4554,"34617444");
+ notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL);
+ mSignalledError = true;
+ return;
+ }
+
outHeader->nFilledLen = encInfo.confSize;
outHeader->nFlags = OMX_BUFFERFLAG_CODECCONFIG;
@@ -556,6 +567,15 @@
if (mInputFrame == NULL) {
mInputFrame = new int16_t[numBytesPerInputFrame / sizeof(int16_t)];
+ mAllocatedFrameSize = numBytesPerInputFrame;
+ } else if (mAllocatedFrameSize != numBytesPerInputFrame) {
+ ALOGE("b/34621073: changed size from %d to %d",
+ (int)mAllocatedFrameSize, (int)numBytesPerInputFrame);
+ android_errorWriteLog(0x534e4554,"34621073");
+ delete mInputFrame;
+ mInputFrame = new int16_t[numBytesPerInputFrame / sizeof(int16_t)];
+ mAllocatedFrameSize = numBytesPerInputFrame;
+
}
if (mInputSize == 0) {
@@ -706,6 +726,7 @@
delete[] mInputFrame;
mInputFrame = NULL;
mInputSize = 0;
+ mAllocatedFrameSize = 0;
mSentCodecSpecificData = false;
mInputTimeUs = -1ll;
diff --git a/media/libstagefright/codecs/aacenc/SoftAACEncoder2.h b/media/libstagefright/codecs/aacenc/SoftAACEncoder2.h
index f1b81e1..123fd25 100644
--- a/media/libstagefright/codecs/aacenc/SoftAACEncoder2.h
+++ b/media/libstagefright/codecs/aacenc/SoftAACEncoder2.h
@@ -62,6 +62,7 @@
bool mSentCodecSpecificData;
size_t mInputSize;
int16_t *mInputFrame;
+ size_t mAllocatedFrameSize;
int64_t mInputTimeUs;
bool mSawInputEOS;
diff --git a/media/libstagefright/codecs/m4v_h263/dec/src/mb_motion_comp.cpp b/media/libstagefright/codecs/m4v_h263/dec/src/mb_motion_comp.cpp
index fbc7be1..877723d 100644
--- a/media/libstagefright/codecs/m4v_h263/dec/src/mb_motion_comp.cpp
+++ b/media/libstagefright/codecs/m4v_h263/dec/src/mb_motion_comp.cpp
@@ -15,6 +15,10 @@
* and limitations under the License.
* -------------------------------------------------------------------
*/
+
+#define LOG_TAG "m4v_h263"
+#include <log/log.h>
+
/*
------------------------------------------------------------------------------
INPUT AND OUTPUT DEFINITIONS
@@ -236,6 +240,11 @@
/* Pointer to previous luminance frame */
c_prev = prev->yChan;
+ if (!c_prev) {
+ ALOGE("b/35269635");
+ android_errorWriteLog(0x534e4554, "35269635");
+ return;
+ }
pred_block = video->mblock->pred_block;
@@ -574,7 +583,14 @@
/* zero motion compensation for previous frame */
/*mby*width + mbx;*/
- c_prev = prev->yChan + offset;
+ c_prev = prev->yChan;
+ if (!c_prev) {
+ ALOGE("b/35269635");
+ android_errorWriteLog(0x534e4554, "35269635");
+ return;
+ }
+ c_prev += offset;
+
/*by*width_uv + bx;*/
cu_prev = prev->uChan + (offset >> 2) + (xpos >> 2);
/*by*width_uv + bx;*/
diff --git a/media/libstagefright/codecs/m4v_h263/dec/src/pvdec_api.cpp b/media/libstagefright/codecs/m4v_h263/dec/src/pvdec_api.cpp
index c1720c6..8d5d071 100644
--- a/media/libstagefright/codecs/m4v_h263/dec/src/pvdec_api.cpp
+++ b/media/libstagefright/codecs/m4v_h263/dec/src/pvdec_api.cpp
@@ -15,6 +15,8 @@
* and limitations under the License.
* -------------------------------------------------------------------
*/
+#define LOG_TAG "pvdec_api"
+#include <log/log.h>
#include "mp4dec_lib.h"
#include "vlc_decode.h"
#include "bitstream.h"
@@ -1335,6 +1337,11 @@
}
}
+ if (!video->prevVop->yChan) {
+ ALOGE("b/35269635");
+ android_errorWriteLog(0x534e4554, "35269635");
+ return PV_FALSE;
+ }
oscl_memcpy(currVop->yChan, video->prevVop->yChan, (decCtrl->size*3) / 2);
video->prevVop = prevVop;
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index a0eb630..40d2e2b 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -379,7 +379,7 @@
flags &= ~1;
}
- if (flags & 2) {
+ if ((flags & 2) && (dataSize >= 2)) {
// This file has "unsynchronization", so we have to replace occurrences
// of 0xff 0x00 with just 0xff in order to get the real data.
@@ -395,11 +395,15 @@
mData[writeOffset++] = mData[readOffset++];
}
// move the remaining data following this frame
- memmove(&mData[writeOffset], &mData[readOffset], oldSize - readOffset);
+ if (readOffset <= oldSize) {
+ memmove(&mData[writeOffset], &mData[readOffset], oldSize - readOffset);
+ } else {
+ ALOGE("b/34618607 (%zu %zu %zu %zu)", readOffset, writeOffset, oldSize, mSize);
+ android_errorWriteLog(0x534e4554, "34618607");
+ }
- flags &= ~2;
}
-
+ flags &= ~2;
if (flags != prevFlags || iTunesHack) {
WriteSyncsafeInteger(&mData[offset + 4], dataSize);
mData[offset + 8] = flags >> 8;
diff --git a/services/audioflinger/Tracks.cpp b/services/audioflinger/Tracks.cpp
index ba6e6e5..f18b88d 100644
--- a/services/audioflinger/Tracks.cpp
+++ b/services/audioflinger/Tracks.cpp
@@ -110,9 +110,24 @@
mUid = clientUid;
// ALOGD("Creating track with %d buffers @ %d bytes", bufferCount, bufferSize);
+
+ size_t bufferSize = buffer == NULL ? roundup(frameCount) : frameCount;
+ // check overflow when computing bufferSize due to multiplication by mFrameSize.
+ if (bufferSize < frameCount // roundup rounds down for values above UINT_MAX / 2
+ || mFrameSize == 0 // format needs to be correct
+ || bufferSize > SIZE_MAX / mFrameSize) {
+ android_errorWriteLog(0x534e4554, "34749571");
+ return;
+ }
+ bufferSize *= mFrameSize;
+
size_t size = sizeof(audio_track_cblk_t);
- size_t bufferSize = (buffer == NULL ? roundup(frameCount) : frameCount) * mFrameSize;
if (buffer == NULL && alloc == ALLOC_CBLK) {
+ // check overflow when computing allocation size for streaming tracks.
+ if (size > SIZE_MAX - bufferSize) {
+ android_errorWriteLog(0x534e4554, "34749571");
+ return;
+ }
size += bufferSize;
}