Merge "[BUG] audiopolicy: engineconfigurable: prevent illegal map access" am: e355671896 am: e9ea3ceb7b
Original change: https://android-review.googlesource.com/c/platform/frameworks/av/+/1409790
Change-Id: I1cbb4eabf86af03e58d0a9c2c8a58695f30cae91
diff --git a/media/libmediametrics/include/media/MediaMetricsItem.h b/media/libmediametrics/include/media/MediaMetricsItem.h
index 428992c..cbf89c6 100644
--- a/media/libmediametrics/include/media/MediaMetricsItem.h
+++ b/media/libmediametrics/include/media/MediaMetricsItem.h
@@ -27,6 +27,7 @@
#include <variant>
#include <binder/Parcel.h>
+#include <log/log.h>
#include <utils/Errors.h>
#include <utils/Timers.h> // nsecs_t
@@ -469,16 +470,16 @@
template <> // static
status_t extract(std::string *val, const char **bufferpptr, const char *bufferptrmax) {
const char *ptr = *bufferpptr;
- while (*ptr != 0) {
+ do {
if (ptr >= bufferptrmax) {
ALOGE("%s: buffer exceeded", __func__);
+ android_errorWriteLog(0x534e4554, "204445255");
return BAD_VALUE;
}
- ++ptr;
- }
- const size_t size = (ptr - *bufferpptr) + 1;
+ } while (*ptr++ != 0);
+ // ptr is terminator+1, == bufferptrmax if we finished entire buffer
*val = *bufferpptr;
- *bufferpptr += size;
+ *bufferpptr = ptr;
return NO_ERROR;
}
template <> // static
diff --git a/media/libstagefright/SimpleDecodingSource.cpp b/media/libstagefright/SimpleDecodingSource.cpp
index 771dfea..55aa86b 100644
--- a/media/libstagefright/SimpleDecodingSource.cpp
+++ b/media/libstagefright/SimpleDecodingSource.cpp
@@ -318,18 +318,23 @@
}
size_t cpLen = min(in_buf->range_length(), in_buffer->capacity());
memcpy(in_buffer->base(), (uint8_t *)in_buf->data() + in_buf->range_offset(),
- cpLen );
+ cpLen);
if (mIsVorbis) {
int32_t numPageSamples;
if (!in_buf->meta_data().findInt32(kKeyValidSamples, &numPageSamples)) {
numPageSamples = -1;
}
- memcpy(in_buffer->base() + cpLen, &numPageSamples, sizeof(numPageSamples));
+ if (cpLen + sizeof(numPageSamples) <= in_buffer->capacity()) {
+ memcpy(in_buffer->base() + cpLen, &numPageSamples, sizeof(numPageSamples));
+ cpLen += sizeof(numPageSamples);
+ } else {
+ ALOGW("Didn't have enough space to copy kKeyValidSamples");
+ }
}
res = mCodec->queueInputBuffer(
- in_ix, 0 /* offset */, in_buf->range_length() + (mIsVorbis ? 4 : 0),
+ in_ix, 0 /* offset */, cpLen,
timestampUs, 0 /* flags */);
if (res != OK) {
ALOGI("[%s] failed to queue input buffer #%zu", mComponentName.c_str(), in_ix);
diff --git a/media/libstagefright/rtsp/AAVCAssembler.cpp b/media/libstagefright/rtsp/AAVCAssembler.cpp
index 3f4d662..30cdbc9 100644
--- a/media/libstagefright/rtsp/AAVCAssembler.cpp
+++ b/media/libstagefright/rtsp/AAVCAssembler.cpp
@@ -295,6 +295,10 @@
}
void AAVCAssembler::checkSpsUpdated(const sp<ABuffer> &buffer) {
+ if (buffer->size() == 0) {
+ android_errorWriteLog(0x534e4554, "204077881");
+ return;
+ }
const uint8_t *data = buffer->data();
unsigned nalType = data[0] & 0x1f;
if (nalType == 0x7) {