Merge "RESTRICT AUTOMERGE Check the buffer index from acquireBuffer" into nyc-mr1-dev am: c422235e9b
am: f13d78e7e8
Change-Id: I400e3759e5066b67f57e5b75801391890548239e
diff --git a/media/libstagefright/omx/GraphicBufferSource.cpp b/media/libstagefright/omx/GraphicBufferSource.cpp
index 3bcc599..e1bcd28 100644
--- a/media/libstagefright/omx/GraphicBufferSource.cpp
+++ b/media/libstagefright/omx/GraphicBufferSource.cpp
@@ -398,7 +398,7 @@
int id = codecBuffer.mSlot;
sp<Fence> fence = new Fence(fenceFd);
if (mBufferSlot[id] != NULL &&
- mBufferSlot[id]->handle == codecBuffer.mGraphicBuffer->handle) {
+ mBufferSlot[id]->handle == codecBuffer.mGraphicBuffer->handle) {
mBufferUseCount[id]--;
ALOGV("codecBufferEmptied: slot=%d, cbi=%d, useCount=%d, handle=%p",
@@ -488,6 +488,12 @@
} else if (err != OK) {
ALOGW("suspend: acquireBuffer returned err=%d", err);
break;
+ } else if (item.mSlot < 0 ||
+ item.mSlot >= BufferQueue::NUM_BUFFER_SLOTS) {
+ // Invalid buffer index
+ ALOGW("suspend: corrupted buffer index (%d)",
+ item.mSlot);
+ break;
}
++mNumBufferAcquired;
@@ -609,6 +615,10 @@
// now what? fake end-of-stream?
ALOGW("fillCodecBuffer_l: acquireBuffer returned err=%d", err);
return false;
+ } else if (item.mSlot < 0 || item.mSlot >= BufferQueue::NUM_BUFFER_SLOTS) {
+ // Invalid buffer index
+ ALOGW("fillCodecBuffer_l: corrupted buffer index (%d)", item.mSlot);
+ return false;
}
mNumBufferAcquired++;
@@ -983,8 +993,14 @@
BufferItem item;
status_t err = mConsumer->acquireBuffer(&item, 0);
if (err == OK) {
+ if (item.mSlot < 0 ||
+ item.mSlot >= BufferQueue::NUM_BUFFER_SLOTS) {
+ // Invalid buffer index
+ ALOGW("onFrameAvailable: corrupted buffer index (%d)",
+ item.mSlot);
+ return;
+ }
mNumBufferAcquired++;
-
// If this is the first time we're seeing this buffer, add it to our
// slot table.
if (item.mGraphicBuffer != NULL) {