Merge "omxvts:vid:dec: modify resource files for avc dec and mpeg4 dec" into oc-mr1-dev
diff --git a/cas/1.0/default/DescramblerImpl.cpp b/cas/1.0/default/DescramblerImpl.cpp
index 3d90809..36699ba 100644
--- a/cas/1.0/default/DescramblerImpl.cpp
+++ b/cas/1.0/default/DescramblerImpl.cpp
@@ -18,8 +18,9 @@
#define LOG_TAG "android.hardware.cas@1.0-DescramblerImpl"
#include <hidlmemory/mapping.h>
-#include <media/hardware/CryptoAPI.h>
#include <media/cas/DescramblerAPI.h>
+#include <media/hardware/CryptoAPI.h>
+#include <media/stagefright/foundation/AUtils.h>
#include <utils/Log.h>
#include "DescramblerImpl.h"
@@ -70,6 +71,11 @@
return mPlugin->requiresSecureDecoderComponent(String8(mime.c_str()));
}
+static inline bool validateRangeForSize(
+ uint64_t offset, uint64_t length, uint64_t size) {
+ return isInRange<uint64_t, uint64_t>(0, size, offset, length);
+}
+
Return<void> DescramblerImpl::descramble(
ScramblingControl scramblingControl,
const hidl_vec<SubSample>& subSamples,
@@ -81,12 +87,57 @@
ALOGV("%s", __FUNCTION__);
sp<IMemory> srcMem = mapMemory(srcBuffer.heapBase);
+
+ // Validate if the offset and size in the SharedBuffer is consistent with the
+ // mapped ashmem, since the offset and size is controlled by client.
+ if (srcMem == NULL) {
+ ALOGE("Failed to map src buffer.");
+ _hidl_cb(toStatus(BAD_VALUE), 0, NULL);
+ return Void();
+ }
+ if (!validateRangeForSize(
+ srcBuffer.offset, srcBuffer.size, (uint64_t)srcMem->getSize())) {
+ ALOGE("Invalid src buffer range: offset %llu, size %llu, srcMem size %llu",
+ srcBuffer.offset, srcBuffer.size, (uint64_t)srcMem->getSize());
+ android_errorWriteLog(0x534e4554, "67962232");
+ _hidl_cb(toStatus(BAD_VALUE), 0, NULL);
+ return Void();
+ }
+
+ // use 64-bit here to catch bad subsample size that might be overflowing.
+ uint64_t totalBytesInSubSamples = 0;
+ for (size_t i = 0; i < subSamples.size(); i++) {
+ totalBytesInSubSamples += (uint64_t)subSamples[i].numBytesOfClearData +
+ subSamples[i].numBytesOfEncryptedData;
+ }
+ // Further validate if the specified srcOffset and requested total subsample size
+ // is consistent with the source shared buffer size.
+ if (!validateRangeForSize(srcOffset, totalBytesInSubSamples, srcBuffer.size)) {
+ ALOGE("Invalid srcOffset and subsample size: "
+ "srcOffset %llu, totalBytesInSubSamples %llu, srcBuffer size %llu",
+ srcOffset, totalBytesInSubSamples, srcBuffer.size);
+ android_errorWriteLog(0x534e4554, "67962232");
+ _hidl_cb(toStatus(BAD_VALUE), 0, NULL);
+ return Void();
+ }
+
void *srcPtr = (uint8_t *)(void *)srcMem->getPointer() + srcBuffer.offset;
void *dstPtr = NULL;
if (dstBuffer.type == BufferType::SHARED_MEMORY) {
// When using shared memory, src buffer is also used as dst,
// we don't map it again here.
dstPtr = srcPtr;
+
+ // In this case the dst and src would be the same buffer, need to validate
+ // dstOffset against the buffer size too.
+ if (!validateRangeForSize(dstOffset, totalBytesInSubSamples, srcBuffer.size)) {
+ ALOGE("Invalid dstOffset and subsample size: "
+ "dstOffset %llu, totalBytesInSubSamples %llu, srcBuffer size %llu",
+ dstOffset, totalBytesInSubSamples, srcBuffer.size);
+ android_errorWriteLog(0x534e4554, "67962232");
+ _hidl_cb(toStatus(BAD_VALUE), 0, NULL);
+ return Void();
+ }
} else {
native_handle_t *handle = const_cast<native_handle_t *>(
dstBuffer.secureMemory.getNativeHandle());
diff --git a/wifi/1.0/vts/functional/wifi_chip_hidl_test.cpp b/wifi/1.0/vts/functional/wifi_chip_hidl_test.cpp
index 3c23135..0c5bd45 100644
--- a/wifi/1.0/vts/functional/wifi_chip_hidl_test.cpp
+++ b/wifi/1.0/vts/functional/wifi_chip_hidl_test.cpp
@@ -441,8 +441,8 @@
* succeeds. The 2nd iface creation should be rejected.
*/
TEST_F(WifiChipHidlTest, CreateNanIface) {
- configureChipForIfaceType(IfaceType::NAN, gEnv->isNanOn);
if (!gEnv->isNanOn) return;
+ configureChipForIfaceType(IfaceType::NAN, gEnv->isNanOn);
sp<IWifiNanIface> iface;
ASSERT_EQ(WifiStatusCode::SUCCESS, createNanIface(&iface));
@@ -458,8 +458,8 @@
* iface name is returned via the list.
*/
TEST_F(WifiChipHidlTest, GetNanIfaceNames) {
- configureChipForIfaceType(IfaceType::NAN, gEnv->isNanOn);
if (!gEnv->isNanOn) return;
+ configureChipForIfaceType(IfaceType::NAN, gEnv->isNanOn);
const auto& status_and_iface_names1 =
HIDL_INVOKE(wifi_chip_, getNanIfaceNames);
@@ -491,8 +491,8 @@
* doesn't retrieve an iface object.
*/
TEST_F(WifiChipHidlTest, GetNanIface) {
- configureChipForIfaceType(IfaceType::NAN, gEnv->isNanOn);
if (!gEnv->isNanOn) return;
+ configureChipForIfaceType(IfaceType::NAN, gEnv->isNanOn);
sp<IWifiNanIface> nan_iface;
EXPECT_EQ(WifiStatusCode::SUCCESS, createNanIface(&nan_iface));
@@ -518,8 +518,8 @@
* doesn't remove the iface.
*/
TEST_F(WifiChipHidlTest, RemoveNanIface) {
- configureChipForIfaceType(IfaceType::NAN, gEnv->isNanOn);
if (!gEnv->isNanOn) return;
+ configureChipForIfaceType(IfaceType::NAN, gEnv->isNanOn);
sp<IWifiNanIface> nan_iface;
EXPECT_EQ(WifiStatusCode::SUCCESS, createNanIface(&nan_iface));