Merge "codecs: check OMX buffer size before use in (avc|hevc|mpeg2)dec" into mnc-dr-dev
diff --git a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp
index 0c1a149..bb59ae4 100644
--- a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp
+++ b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp
@@ -229,6 +229,14 @@
int32_t bufferSize = inHeader->nFilledLen;
int32_t tmp = bufferSize;
+ OMX_U32 frameSize = (mWidth * mHeight * 3) / 2;
+ if (outHeader->nAllocLen < frameSize) {
+ android_errorWriteLog(0x534e4554, "27833616");
+ ALOGE("Insufficient output buffer size");
+ notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL);
+ mSignalledError = true;
+ return;
+ }
// The PV decoder is lying to us, sometimes it'll claim to only have
// consumed a subset of the buffer when it clearly consumed all of it.
// ignore whatever it says...
@@ -272,7 +280,7 @@
++mInputBufferCount;
outHeader->nOffset = 0;
- outHeader->nFilledLen = (mWidth * mHeight * 3) / 2;
+ outHeader->nFilledLen = frameSize;
List<BufferInfo *>::iterator it = outQueue.begin();
while ((*it)->mHeader != outHeader) {
diff --git a/media/libstagefright/codecs/on2/h264dec/SoftAVC.cpp b/media/libstagefright/codecs/on2/h264dec/SoftAVC.cpp
index 6b8b395..2f61d12 100644
--- a/media/libstagefright/codecs/on2/h264dec/SoftAVC.cpp
+++ b/media/libstagefright/codecs/on2/h264dec/SoftAVC.cpp
@@ -202,7 +202,12 @@
}
if (mFirstPicture && !outQueue.empty()) {
- drainOneOutputBuffer(mFirstPictureId, mFirstPicture);
+ if (!drainOneOutputBuffer(mFirstPictureId, mFirstPicture)) {
+ ALOGE("Drain failed");
+ notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL);
+ mSignalledError = true;
+ return;
+ }
delete[] mFirstPicture;
mFirstPicture = NULL;
mFirstPictureId = -1;
@@ -242,15 +247,20 @@
memcpy(mFirstPicture, data, pictureSize);
}
-void SoftAVC::drainOneOutputBuffer(int32_t picId, uint8_t* data) {
+bool SoftAVC::drainOneOutputBuffer(int32_t picId, uint8_t* data) {
List<BufferInfo *> &outQueue = getPortQueue(kOutputPortIndex);
BufferInfo *outInfo = *outQueue.begin();
- outQueue.erase(outQueue.begin());
OMX_BUFFERHEADERTYPE *outHeader = outInfo->mHeader;
+ OMX_U32 frameSize = mWidth * mHeight * 3 / 2;
+ if (outHeader->nAllocLen - outHeader->nOffset < frameSize) {
+ android_errorWriteLog(0x534e4554, "27833616");
+ return false;
+ }
+ outQueue.erase(outQueue.begin());
OMX_BUFFERHEADERTYPE *header = mPicToHeaderMap.valueFor(picId);
outHeader->nTimeStamp = header->nTimeStamp;
outHeader->nFlags = header->nFlags;
- outHeader->nFilledLen = mWidth * mHeight * 3 / 2;
+ outHeader->nFilledLen = frameSize;
uint8_t *dst = outHeader->pBuffer + outHeader->nOffset;
const uint8_t *srcY = data;
@@ -265,6 +275,7 @@
delete header;
outInfo->mOwnedByUs = false;
notifyFillBufferDone(outHeader);
+ return true;
}
void SoftAVC::drainAllOutputBuffers(bool eos) {
@@ -277,7 +288,12 @@
mHandle, &decodedPicture, eos /* flush */)) {
int32_t picId = decodedPicture.picId;
uint8_t *data = (uint8_t *) decodedPicture.pOutputPicture;
- drainOneOutputBuffer(picId, data);
+ if (!drainOneOutputBuffer(picId, data)) {
+ ALOGE("Drain failed");
+ notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL);
+ mSignalledError = true;
+ return;
+ }
}
}
diff --git a/media/libstagefright/codecs/on2/h264dec/SoftAVC.h b/media/libstagefright/codecs/on2/h264dec/SoftAVC.h
index 069107d..b8c1807 100644
--- a/media/libstagefright/codecs/on2/h264dec/SoftAVC.h
+++ b/media/libstagefright/codecs/on2/h264dec/SoftAVC.h
@@ -71,7 +71,7 @@
status_t initDecoder();
void drainAllOutputBuffers(bool eos);
- void drainOneOutputBuffer(int32_t picId, uint8_t *data);
+ bool drainOneOutputBuffer(int32_t picId, uint8_t *data);
void saveFirstOutputBuffer(int32_t pidId, uint8_t *data);
CropSettingsMode handleCropParams(const H264SwDecInfo& decInfo);
diff --git a/media/libstagefright/codecs/opus/dec/SoftOpus.cpp b/media/libstagefright/codecs/opus/dec/SoftOpus.cpp
index 2afa0ed..2e44ed7 100644
--- a/media/libstagefright/codecs/opus/dec/SoftOpus.cpp
+++ b/media/libstagefright/codecs/opus/dec/SoftOpus.cpp
@@ -458,12 +458,17 @@
const uint8_t *data = inHeader->pBuffer + inHeader->nOffset;
const uint32_t size = inHeader->nFilledLen;
+ size_t frameSize = kMaxOpusOutputPacketSizeSamples;
+ if (frameSize > outHeader->nAllocLen / sizeof(int16_t) / mHeader->channels) {
+ frameSize = outHeader->nAllocLen / sizeof(int16_t) / mHeader->channels;
+ android_errorWriteLog(0x534e4554, "27833616");
+ }
int numFrames = opus_multistream_decode(mDecoder,
data,
size,
(int16_t *)outHeader->pBuffer,
- kMaxOpusOutputPacketSizeSamples,
+ frameSize,
0);
if (numFrames < 0) {
ALOGE("opus_multistream_decode returned %d", numFrames);
diff --git a/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp b/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp
index 4e1e6a5..5f4e346 100644
--- a/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp
+++ b/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp
@@ -273,6 +273,12 @@
const uint8_t *data = header->pBuffer + header->nOffset;
size_t size = header->nFilledLen;
+ if (size < 7) {
+ ALOGE("Too small input buffer: %zu bytes", size);
+ android_errorWriteLog(0x534e4554, "27833616");
+ notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL);
+ return;
+ }
ogg_buffer buf;
ogg_reference ref;
@@ -378,9 +384,14 @@
ALOGW("vorbis_dsp_synthesis returned %d", err);
#endif
} else {
+ size_t numSamplesPerBuffer = kMaxNumSamplesPerBuffer;
+ if (numSamplesPerBuffer > outHeader->nAllocLen / sizeof(int16_t)) {
+ numSamplesPerBuffer = outHeader->nAllocLen / sizeof(int16_t);
+ android_errorWriteLog(0x534e4554, "27833616");
+ }
numFrames = vorbis_dsp_pcmout(
mState, (int16_t *)outHeader->pBuffer,
- (kMaxNumSamplesPerBuffer / mVi->channels));
+ (numSamplesPerBuffer / mVi->channels));
if (numFrames < 0) {
ALOGE("vorbis_dsp_pcmout returned %d", numFrames);