Gitiles
Code Review Sign In
gerrit.omnirom.org / android_frameworks_av / 6dc5a7bce1fdb89aae91967fc984da521e6ca2b2^1..6dc5a7bce1fdb89aae91967fc984da521e6ca2b2 / .
commit6dc5a7bce1fdb89aae91967fc984da521e6ca2b2[log] [tgz]
authorMarco Nelissen <marcone@google.com>Wed Sep 16 20:52:38 2015 +0000
committerAndroid (Google) Code Review <android-gerrit@google.com>Wed Sep 16 20:52:38 2015 +0000
treee769f7f5967a6689122e99004a0b27a2f2c29ab7
parent00652d2aa67a3eae054113d9c0d5b78953aecbe6 [diff]
parent34e63e9ffe6496d9180c825dc119c1fd1020ef8b [diff]
Merge "Validate resolution and stride"
diff --git a/media/libstagefright/ACodec.cpp b/media/libstagefright/ACodec.cpp
index 166600b..19c4aa1 100644
--- a/media/libstagefright/ACodec.cpp
+++ b/media/libstagefright/ACodec.cpp

@@ -808,6 +808,10 @@
                     def.nBufferCountActual, bufSize, allottedSize, def.nBufferSize, asString(type),
                     portIndex == kPortIndexInput ? "input" : "output");
 
+            if (bufSize == 0 || def.nBufferCountActual > SIZE_MAX / bufSize) {
+                ALOGE("b/22885421");
+                return NO_MEMORY;
+            }
             size_t totalSize = def.nBufferCountActual * bufSize;
             mDealer[portIndex] = new MemoryDealer(totalSize, "ACodec");
 
@@ -3852,8 +3856,11 @@
         params.nSliceHeight = params.nFrameHeight;
     }
 
-    // we need stride and slice-height to be non-zero
-    if (params.nStride == 0 || params.nSliceHeight == 0) {
+    // we need stride and slice-height to be non-zero and sensible. These values were chosen to
+    // prevent integer overflows further down the line, and do not indicate support for
+    // 32kx32k video.
+    if (params.nStride == 0 || params.nSliceHeight == 0
+            || params.nStride > 32768 || params.nSliceHeight > 32768) {
         ALOGW("cannot describe color format 0x%x = %d with stride=%u and sliceHeight=%u",
                 fmt, fmt, params.nStride, params.nSliceHeight);
         return false;

diff --git a/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp b/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp
index 4ce165b..e1f4125 100644
--- a/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp
+++ b/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp

@@ -388,6 +388,14 @@
             uint32_t oldHeight = def->format.video.nFrameHeight;
             uint32_t newWidth = video_def->nFrameWidth;
             uint32_t newHeight = video_def->nFrameHeight;
+            // We need width, height, stride and slice-height to be non-zero and sensible.
+            // These values were chosen to prevent integer overflows further down the line, and do
+            // not indicate support for 32kx32k video.
+            if (newWidth > 32768 || newHeight > 32768
+                    || video_def->nStride > 32768 || video_def->nSliceHeight > 32768) {
+                ALOGE("b/22885421");
+                return OMX_ErrorBadParameter;
+            }
             if (newWidth != oldWidth || newHeight != oldHeight) {
                 bool outputPort = (newParams->nPortIndex == kOutputPortIndex);
                 if (outputPort) {