Merge "Checking BadOffset while queuing buffers" into main am: 978ed252ea am: 04464a07e0
Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/3042241
Change-Id: I9da7c70e6dd141f438871df72ec7d4d397d9faa9
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/media/jni/android_media_MediaCodec.cpp b/media/jni/android_media_MediaCodec.cpp
index 4f9917b..8a13c03 100644
--- a/media/jni/android_media_MediaCodec.cpp
+++ b/media/jni/android_media_MediaCodec.cpp
@@ -2099,9 +2099,14 @@
}
if (i == 0) {
*initialOffset = offset;
+ if (CC_UNLIKELY(*initialOffset < 0)) {
+ if (errorDetailMsg) {
+ *errorDetailMsg = "Error: offset/size in BufferInfo";
+ }
+ return BAD_VALUE;
+ }
}
- if (CC_UNLIKELY((offset > UINT32_MAX)
- || ((long)(offset + size) > UINT32_MAX)
+ if (CC_UNLIKELY(((ssize_t)(UINT32_MAX - offset) < (ssize_t)size)
|| ((offset - *initialOffset) != *totalSize))) {
if (errorDetailMsg) {
*errorDetailMsg = "Error: offset/size in BufferInfo";