DO NOT MERGE: IOMX: work against metadata buffer spoofing
- Prohibit direct set/getParam/Settings for extensions meant for
OMXNodeInstance alone. This disallows enabling metadata mode
without the knowledge of OMXNodeInstance.
- Do not share metadata mode buffers cross process.
- Disallow setting up metadata mode/input surface
after first sendCommand (except to Idle for OMXCodec quirk).
- Disallow store-meta for input cross process.
- Disallow emptyBuffer for surface input (via IOMX).
- Fix checking for input surface.
[backported from L]
Bug: 29422020
Change-Id: I801c77b80e703903f62e42d76fd2e76a34e4bc8e
diff --git a/include/media/IOMX.h b/include/media/IOMX.h
index d7be06f..86a44a9 100644
--- a/include/media/IOMX.h
+++ b/include/media/IOMX.h
@@ -95,7 +95,7 @@
virtual status_t useBuffer(
node_id node, OMX_U32 port_index, const sp<IMemory> ¶ms,
- buffer_id *buffer) = 0;
+ buffer_id *buffer, OMX_BOOL crossProcess = OMX_FALSE) = 0;
virtual status_t useGraphicBuffer(
node_id node, OMX_U32 port_index,
@@ -121,7 +121,7 @@
virtual status_t allocateBufferWithBackup(
node_id node, OMX_U32 port_index, const sp<IMemory> ¶ms,
- buffer_id *buffer) = 0;
+ buffer_id *buffer, OMX_BOOL crossProcess = OMX_FALSE) = 0;
virtual status_t freeBuffer(
node_id node, OMX_U32 port_index, buffer_id buffer) = 0;
diff --git a/media/libmedia/IOMX.cpp b/media/libmedia/IOMX.cpp
index 1b7381d..8d8fe6a 100644
--- a/media/libmedia/IOMX.cpp
+++ b/media/libmedia/IOMX.cpp
@@ -244,7 +244,7 @@
virtual status_t useBuffer(
node_id node, OMX_U32 port_index, const sp<IMemory> ¶ms,
- buffer_id *buffer) {
+ buffer_id *buffer, OMX_BOOL /* crossProcess */) {
Parcel data, reply;
data.writeInterfaceToken(IOMX::getInterfaceDescriptor());
data.writeIntPtr((intptr_t)node);
@@ -395,7 +395,7 @@
virtual status_t allocateBufferWithBackup(
node_id node, OMX_U32 port_index, const sp<IMemory> ¶ms,
- buffer_id *buffer) {
+ buffer_id *buffer, OMX_BOOL /* crossProcess */) {
Parcel data, reply;
data.writeInterfaceToken(IOMX::getInterfaceDescriptor());
data.writeIntPtr((intptr_t)node);
@@ -737,7 +737,8 @@
interface_cast<IMemory>(data.readStrongBinder());
buffer_id buffer;
- status_t err = useBuffer(node, port_index, params, &buffer);
+ status_t err = useBuffer(
+ node, port_index, params, &buffer, OMX_TRUE /* crossProcess */);
reply->writeInt32(err);
if (err == OK) {
@@ -825,7 +826,10 @@
OMX_U32 port_index = data.readInt32();
OMX_BOOL enable = (OMX_BOOL)data.readInt32();
- status_t err = storeMetaDataInBuffers(node, port_index, enable);
+ status_t err =
+ // only control output metadata via Binder
+ port_index != 1 /* kOutputPortIndex */ ? BAD_VALUE :
+ storeMetaDataInBuffers(node, port_index, enable);
reply->writeInt32(err);
return NO_ERROR;
@@ -887,7 +891,7 @@
buffer_id buffer;
status_t err = allocateBufferWithBackup(
- node, port_index, params, &buffer);
+ node, port_index, params, &buffer, OMX_TRUE /* crossProcess */);
reply->writeInt32(err);
diff --git a/media/libstagefright/ACodec.cpp b/media/libstagefright/ACodec.cpp
index 718e6c7..7a64c20 100644
--- a/media/libstagefright/ACodec.cpp
+++ b/media/libstagefright/ACodec.cpp
@@ -866,7 +866,8 @@
VideoDecoderOutputMetaData *metaData =
reinterpret_cast<VideoDecoderOutputMetaData *>(
oldest->mData->base());
- CHECK_EQ(metaData->eType, kMetadataBufferTypeGrallocSource);
+ // metaData is only readable if codec is in the same process
+ //CHECK_EQ(metaData->eType, kMetadataBufferTypeGrallocSource);
ALOGV("replaced oldest buffer #%u with age %u (%p/%p stored in %p)",
oldest - &mBuffers[kPortIndexOutput][0],
diff --git a/media/libstagefright/OMXClient.cpp b/media/libstagefright/OMXClient.cpp
index 9f9352d..4eb8654 100644
--- a/media/libstagefright/OMXClient.cpp
+++ b/media/libstagefright/OMXClient.cpp
@@ -81,7 +81,7 @@
virtual status_t useBuffer(
node_id node, OMX_U32 port_index, const sp<IMemory> ¶ms,
- buffer_id *buffer);
+ buffer_id *buffer, OMX_BOOL crossProcess);
virtual status_t useGraphicBuffer(
node_id node, OMX_U32 port_index,
@@ -103,7 +103,7 @@
virtual status_t allocateBufferWithBackup(
node_id node, OMX_U32 port_index, const sp<IMemory> ¶ms,
- buffer_id *buffer);
+ buffer_id *buffer, OMX_BOOL crossProcess);
virtual status_t freeBuffer(
node_id node, OMX_U32 port_index, buffer_id buffer);
@@ -291,8 +291,9 @@
status_t MuxOMX::useBuffer(
node_id node, OMX_U32 port_index, const sp<IMemory> ¶ms,
- buffer_id *buffer) {
- return getOMX(node)->useBuffer(node, port_index, params, buffer);
+ buffer_id *buffer, OMX_BOOL /* crossProcess */) {
+ return getOMX(node)->useBuffer(
+ node, port_index, params, buffer, OMX_FALSE /* crossProcess */);
}
status_t MuxOMX::useGraphicBuffer(
@@ -330,9 +331,9 @@
status_t MuxOMX::allocateBufferWithBackup(
node_id node, OMX_U32 port_index, const sp<IMemory> ¶ms,
- buffer_id *buffer) {
+ buffer_id *buffer, OMX_BOOL /* crossProcess */) {
return getOMX(node)->allocateBufferWithBackup(
- node, port_index, params, buffer);
+ node, port_index, params, buffer, OMX_FALSE /* crossProcess */);
}
status_t MuxOMX::freeBuffer(
diff --git a/media/libstagefright/include/OMX.h b/media/libstagefright/include/OMX.h
index 2bc3759..748d184 100644
--- a/media/libstagefright/include/OMX.h
+++ b/media/libstagefright/include/OMX.h
@@ -77,7 +77,7 @@
virtual status_t useBuffer(
node_id node, OMX_U32 port_index, const sp<IMemory> ¶ms,
- buffer_id *buffer);
+ buffer_id *buffer, OMX_BOOL crossProcess);
virtual status_t useGraphicBuffer(
node_id node, OMX_U32 port_index,
@@ -99,7 +99,7 @@
virtual status_t allocateBufferWithBackup(
node_id node, OMX_U32 port_index, const sp<IMemory> ¶ms,
- buffer_id *buffer);
+ buffer_id *buffer, OMX_BOOL crossProcess);
virtual status_t freeBuffer(
node_id node, OMX_U32 port_index, buffer_id buffer);
diff --git a/media/libstagefright/include/OMXNodeInstance.h b/media/libstagefright/include/OMXNodeInstance.h
index 30d9584..1625f07 100644
--- a/media/libstagefright/include/OMXNodeInstance.h
+++ b/media/libstagefright/include/OMXNodeInstance.h
@@ -21,6 +21,7 @@
#include "OMX.h"
#include <utils/RefBase.h>
+#include <utils/SortedVector.h>
#include <utils/threads.h>
namespace android {
@@ -64,7 +65,7 @@
status_t useBuffer(
OMX_U32 portIndex, const sp<IMemory> ¶ms,
- OMX::buffer_id *buffer);
+ OMX::buffer_id *buffer, OMX_BOOL crossProcess);
status_t useGraphicBuffer(
OMX_U32 portIndex, const sp<GraphicBuffer> &graphicBuffer,
@@ -85,7 +86,7 @@
status_t allocateBufferWithBackup(
OMX_U32 portIndex, const sp<IMemory> ¶ms,
- OMX::buffer_id *buffer);
+ OMX::buffer_id *buffer, OMX_BOOL crossProcess);
status_t freeBuffer(OMX_U32 portIndex, OMX::buffer_id buffer);
@@ -129,6 +130,9 @@
OMX_HANDLETYPE mHandle;
sp<IOMXObserver> mObserver;
bool mDying;
+ bool mSailed; // configuration is set (no more meta-mode changes)
+ bool mQueriedProhibitedExtensions;
+ SortedVector<OMX_INDEXTYPE> mProhibitedExtensions;
bool mIsSecure;
// Lock only covers mGraphicBufferSource. We can't always use mLock
@@ -144,11 +148,17 @@
};
Vector<ActiveBuffer> mActiveBuffers;
+ // metadata mode tracking
+ bool mUsingMetadata[2];
+
~OMXNodeInstance();
void addActiveBuffer(OMX_U32 portIndex, OMX::buffer_id id);
void removeActiveBuffer(OMX_U32 portIndex, OMX::buffer_id id);
void freeActiveBuffers();
+
+ bool isProhibitedIndex_l(OMX_INDEXTYPE index);
+
status_t useGraphicBuffer2_l(
OMX_U32 portIndex, const sp<GraphicBuffer> &graphicBuffer,
OMX::buffer_id *buffer);
diff --git a/media/libstagefright/omx/OMX.cpp b/media/libstagefright/omx/OMX.cpp
index 1ddf356..c52d184 100644
--- a/media/libstagefright/omx/OMX.cpp
+++ b/media/libstagefright/omx/OMX.cpp
@@ -350,9 +350,9 @@
status_t OMX::useBuffer(
node_id node, OMX_U32 port_index, const sp<IMemory> ¶ms,
- buffer_id *buffer) {
+ buffer_id *buffer, OMX_BOOL crossProcess) {
return findInstance(node)->useBuffer(
- port_index, params, buffer);
+ port_index, params, buffer, crossProcess);
}
status_t OMX::useGraphicBuffer(
@@ -389,9 +389,9 @@
status_t OMX::allocateBufferWithBackup(
node_id node, OMX_U32 port_index, const sp<IMemory> ¶ms,
- buffer_id *buffer) {
+ buffer_id *buffer, OMX_BOOL crossProcess) {
return findInstance(node)->allocateBufferWithBackup(
- port_index, params, buffer);
+ port_index, params, buffer, crossProcess);
}
status_t OMX::freeBuffer(node_id node, OMX_U32 port_index, buffer_id buffer) {
diff --git a/media/libstagefright/omx/OMXNodeInstance.cpp b/media/libstagefright/omx/OMXNodeInstance.cpp
index 9fc2b6e..457b03b 100644
--- a/media/libstagefright/omx/OMXNodeInstance.cpp
+++ b/media/libstagefright/omx/OMXNodeInstance.cpp
@@ -23,9 +23,11 @@
#include "GraphicBufferSource.h"
#include <OMX_Component.h>
+#include <OMX_IndexExt.h>
#include <binder/IMemory.h>
#include <gui/BufferQueue.h>
+#include <utils/misc.h>
#include <HardwareAPI.h>
#include <media/stagefright/foundation/ADebug.h>
#include <media/stagefright/MediaErrors.h>
@@ -36,26 +38,34 @@
namespace android {
struct BufferMeta {
- BufferMeta(const sp<IMemory> &mem, OMX_U32 portIndex, bool is_backup = false)
+ BufferMeta(
+ const sp<IMemory> &mem, OMX_U32 portIndex, bool copyToOmx,
+ bool copyFromOmx, OMX_U8 *backup)
: mMem(mem),
- mIsBackup(is_backup),
- mPortIndex(portIndex) {
+ mCopyFromOmx(copyFromOmx),
+ mCopyToOmx(copyToOmx),
+ mPortIndex(portIndex),
+ mBackup(backup) {
}
BufferMeta(size_t size, OMX_U32 portIndex)
: mSize(size),
- mIsBackup(false),
- mPortIndex(portIndex) {
+ mCopyFromOmx(false),
+ mCopyToOmx(false),
+ mPortIndex(portIndex),
+ mBackup(NULL) {
}
BufferMeta(const sp<GraphicBuffer> &graphicBuffer, OMX_U32 portIndex)
: mGraphicBuffer(graphicBuffer),
- mIsBackup(false),
- mPortIndex(portIndex) {
+ mCopyFromOmx(false),
+ mCopyToOmx(false),
+ mPortIndex(portIndex),
+ mBackup(NULL) {
}
void CopyFromOMX(const OMX_BUFFERHEADERTYPE *header) {
- if (!mIsBackup) {
+ if (!mCopyFromOmx) {
return;
}
@@ -65,7 +75,7 @@
}
void CopyToOMX(const OMX_BUFFERHEADERTYPE *header) {
- if (!mIsBackup) {
+ if (!mCopyToOmx) {
return;
}
@@ -82,12 +92,18 @@
return mPortIndex;
}
+ ~BufferMeta() {
+ delete[] mBackup;
+ }
+
private:
sp<GraphicBuffer> mGraphicBuffer;
sp<IMemory> mMem;
size_t mSize;
- bool mIsBackup;
+ bool mCopyFromOmx;
+ bool mCopyToOmx;
OMX_U32 mPortIndex;
+ OMX_U8 *mBackup;
BufferMeta(const BufferMeta &);
BufferMeta &operator=(const BufferMeta &);
@@ -104,7 +120,11 @@
mNodeID(NULL),
mHandle(NULL),
mObserver(observer),
- mDying(false) {
+ mDying(false),
+ mSailed(false),
+ mQueriedProhibitedExtensions(false) {
+ mUsingMetadata[0] = false;
+ mUsingMetadata[1] = false;
mIsSecure = AString(name).endsWith(".secure");
}
@@ -252,7 +272,12 @@
status_t OMXNodeInstance::sendCommand(
OMX_COMMANDTYPE cmd, OMX_S32 param) {
- const sp<GraphicBufferSource>& bufferSource(getGraphicBufferSource());
+ if (cmd == OMX_CommandStateSet && param != OMX_StateIdle) {
+ // We do not support returning from unloaded state, so there are no configurations past
+ // first StateSet command. However, OMXCodec supports meta configuration past Stateset:Idle.
+ mSailed = true;
+ }
+ const sp<GraphicBufferSource> bufferSource(getGraphicBufferSource());
if (bufferSource != NULL && cmd == OMX_CommandStateSet) {
if (param == OMX_StateIdle) {
// Initiating transition from Executing -> Idle
@@ -275,10 +300,50 @@
return StatusFromOMXError(err);
}
+bool OMXNodeInstance::isProhibitedIndex_l(OMX_INDEXTYPE index) {
+ // these extensions can only be used from OMXNodeInstance, not by clients directly.
+ static const char *restricted_extensions[] = {
+ "OMX.google.android.index.storeMetaDataInBuffers",
+ "OMX.google.android.index.prepareForAdaptivePlayback",
+ "OMX.google.android.index.useAndroidNativeBuffer2",
+ "OMX.google.android.index.useAndroidNativeBuffer",
+ "OMX.google.android.index.enableAndroidNativeBuffers",
+ "OMX.google.android.index.getAndroidNativeBufferUsage",
+ };
+
+ if ((index > OMX_IndexComponentStartUnused && index <= OMX_IndexParamStandardComponentRole)
+ || (index > OMX_IndexPortStartUnused && index <= OMX_IndexParamCompBufferSupplier)
+ || (index > OMX_IndexAudioStartUnused && index <= OMX_IndexConfigAudioChannelVolume)
+ || (index > OMX_IndexVideoStartUnused && index <= OMX_IndexConfigVideoNalSize)
+ || (index > OMX_IndexCommonStartUnused
+ && index <= OMX_IndexConfigCommonTransitionEffect)
+ || (index > (OMX_INDEXTYPE)OMX_IndexExtVideoStartUnused
+ && index <= (OMX_INDEXTYPE)OMX_IndexConfigVideoVp8ReferenceFrameType)) {
+ return false;
+ }
+
+ if (!mQueriedProhibitedExtensions) {
+ for (size_t i = 0; i < NELEM(restricted_extensions); ++i) {
+ OMX_INDEXTYPE ext;
+ if (OMX_GetExtensionIndex(mHandle, (OMX_STRING)restricted_extensions[i], &ext) == OMX_ErrorNone) {
+ mProhibitedExtensions.add(ext);
+ }
+ }
+ mQueriedProhibitedExtensions = true;
+ }
+
+ return mProhibitedExtensions.indexOf(index) >= 0;
+}
+
status_t OMXNodeInstance::getParameter(
OMX_INDEXTYPE index, void *params, size_t size) {
Mutex::Autolock autoLock(mLock);
+ if (isProhibitedIndex_l(index)) {
+ android_errorWriteLog(0x534e4554, "29422020");
+ return BAD_INDEX;
+ }
+
OMX_ERRORTYPE err = OMX_GetParameter(mHandle, index, params);
return StatusFromOMXError(err);
@@ -288,6 +353,11 @@
OMX_INDEXTYPE index, const void *params, size_t size) {
Mutex::Autolock autoLock(mLock);
+ if (isProhibitedIndex_l(index)) {
+ android_errorWriteLog(0x534e4554, "29422020");
+ return BAD_INDEX;
+ }
+
OMX_ERRORTYPE err = OMX_SetParameter(
mHandle, index, const_cast<void *>(params));
@@ -298,6 +368,11 @@
OMX_INDEXTYPE index, void *params, size_t size) {
Mutex::Autolock autoLock(mLock);
+ if (isProhibitedIndex_l(index)) {
+ android_errorWriteLog(0x534e4554, "29422020");
+ return BAD_INDEX;
+ }
+
OMX_ERRORTYPE err = OMX_GetConfig(mHandle, index, params);
return StatusFromOMXError(err);
}
@@ -306,6 +381,11 @@
OMX_INDEXTYPE index, const void *params, size_t size) {
Mutex::Autolock autoLock(mLock);
+ if (isProhibitedIndex_l(index)) {
+ android_errorWriteLog(0x534e4554, "29422020");
+ return BAD_INDEX;
+ }
+
OMX_ERRORTYPE err = OMX_SetConfig(
mHandle, index, const_cast<void *>(params));
@@ -405,6 +485,15 @@
status_t OMXNodeInstance::storeMetaDataInBuffers_l(
OMX_U32 portIndex,
OMX_BOOL enable) {
+ if (mSailed) {
+ android_errorWriteLog(0x534e4554, "29422020");
+ return INVALID_OPERATION;
+ }
+ if (portIndex != kPortIndexInput && portIndex != kPortIndexOutput) {
+ android_errorWriteLog(0x534e4554, "26324358");
+ return BAD_VALUE;
+ }
+
OMX_INDEXTYPE index;
OMX_STRING name = const_cast<OMX_STRING>(
"OMX.google.android.index.storeMetaDataInBuffers");
@@ -427,7 +516,12 @@
params.bStoreMetaData = enable;
if ((err = OMX_SetParameter(mHandle, index, ¶ms)) != OMX_ErrorNone) {
ALOGE("OMX_SetParameter() failed for StoreMetaDataInBuffers: 0x%08x", err);
+ if (enable) {
+ mUsingMetadata[portIndex] = false;
+ }
return UNKNOWN_ERROR;
+ } else {
+ mUsingMetadata[portIndex] = enable;
}
return err;
}
@@ -436,6 +530,10 @@
OMX_U32 portIndex, OMX_BOOL enable, OMX_U32 maxFrameWidth,
OMX_U32 maxFrameHeight) {
Mutex::Autolock autolock(mLock);
+ if (mSailed) {
+ android_errorWriteLog(0x534e4554, "29422020");
+ return INVALID_OPERATION;
+ }
OMX_INDEXTYPE index;
OMX_STRING name = const_cast<OMX_STRING>(
@@ -468,16 +566,39 @@
status_t OMXNodeInstance::useBuffer(
OMX_U32 portIndex, const sp<IMemory> ¶ms,
- OMX::buffer_id *buffer) {
+ OMX::buffer_id *buffer, OMX_BOOL crossProcess) {
Mutex::Autolock autoLock(mLock);
+ if (portIndex >= NELEM(mUsingMetadata)) {
+ return BAD_VALUE;
+ }
+ // We do not support metadata mode changes past buffer allocation
+ mSailed = true;
- BufferMeta *buffer_meta = new BufferMeta(params, portIndex);
+ // metadata buffers are not connected cross process
+ BufferMeta *buffer_meta;
+ bool isMeta = mUsingMetadata[portIndex];
+ bool useBackup = crossProcess && isMeta; // use a backup buffer instead of the actual buffer
+ OMX_U8 *data = static_cast<OMX_U8 *>(params->pointer());
+ // allocate backup buffer
+ if (useBackup) {
+ data = new (std::nothrow) OMX_U8[params->size()];
+ if (data == NULL) {
+ return NO_MEMORY;
+ }
+ memset(data, 0, params->size());
+
+ buffer_meta = new BufferMeta(
+ params, portIndex, false /* copyToOmx */, false /* copyFromOmx */, data);
+ } else {
+ buffer_meta = new BufferMeta(
+ params, portIndex, false /* copyFromOmx */, false /* copyToOmx */, NULL);
+ }
OMX_BUFFERHEADERTYPE *header;
OMX_ERRORTYPE err = OMX_UseBuffer(
mHandle, &header, portIndex, buffer_meta,
- params->size(), static_cast<OMX_U8 *>(params->pointer()));
+ params->size(), data);
if (err != OMX_ErrorNone) {
ALOGE("OMX_UseBuffer failed with error %d (0x%08x)", err, err);
@@ -645,7 +766,16 @@
Mutex::Autolock autolock(mLock);
status_t err;
- const sp<GraphicBufferSource>& surfaceCheck = getGraphicBufferSource();
+ // only allow graphic source on input port, when there are no allocated buffers yet
+ if (portIndex != kPortIndexInput) {
+ android_errorWriteLog(0x534e4554, "29422020");
+ return BAD_VALUE;
+ } else if (mActiveBuffers.size() > 0) {
+ android_errorWriteLog(0x534e4554, "29422020");
+ return INVALID_OPERATION;
+ }
+
+ const sp<GraphicBufferSource> surfaceCheck = getGraphicBufferSource();
if (surfaceCheck != NULL) {
return ALREADY_EXISTS;
}
@@ -704,6 +834,8 @@
OMX_U32 portIndex, size_t size, OMX::buffer_id *buffer,
void **buffer_data) {
Mutex::Autolock autoLock(mLock);
+ // We do not support metadata mode changes past buffer allocation
+ mSailed = true;
BufferMeta *buffer_meta = new BufferMeta(size, portIndex);
@@ -740,10 +872,23 @@
status_t OMXNodeInstance::allocateBufferWithBackup(
OMX_U32 portIndex, const sp<IMemory> ¶ms,
- OMX::buffer_id *buffer) {
+ OMX::buffer_id *buffer, OMX_BOOL crossProcess) {
Mutex::Autolock autoLock(mLock);
+ if (portIndex >= NELEM(mUsingMetadata)) {
+ return BAD_VALUE;
+ }
+ // We do not support metadata mode changes past buffer allocation
+ mSailed = true;
- BufferMeta *buffer_meta = new BufferMeta(params, portIndex, true);
+ // metadata buffers are not connected cross process
+ bool isMeta = mUsingMetadata[portIndex];
+ bool copy = !(crossProcess && isMeta);
+
+ BufferMeta *buffer_meta = new BufferMeta(
+ params, portIndex,
+ (portIndex == kPortIndexInput) && copy /* copyToOmx */,
+ (portIndex == kPortIndexOutput) && copy /* copyFromOmx */,
+ NULL /* data */);
OMX_BUFFERHEADERTYPE *header;
@@ -762,6 +907,7 @@
}
CHECK_EQ(header->pAppPrivate, buffer_meta);
+ memset(header->pBuffer, 0, header->nAllocLen);
*buffer = header;
@@ -824,9 +970,17 @@
Mutex::Autolock autoLock(mLock);
OMX_BUFFERHEADERTYPE *header = (OMX_BUFFERHEADERTYPE *)buffer;
+
+ // no emptybuffer if using input surface
+ if (getGraphicBufferSource() != NULL) {
+ android_errorWriteLog(0x534e4554, "29422020");
+ return INVALID_OPERATION;
+ }
+
// rangeLength and rangeOffset must be a subset of the allocated data in the buffer.
// corner case: we permit rangeOffset == end-of-buffer with rangeLength == 0.
- if (rangeOffset > header->nAllocLen
+ if (header == NULL
+ || rangeOffset > header->nAllocLen
|| rangeLength > header->nAllocLen - rangeOffset) {
return BAD_VALUE;
}