Google Git
Sign in
fuchsia / third_party / android / platform / frameworks / av / refs/tags/android-6.0.1_r33^! / .
commit40c15101c2130163aac2beb7c8fac1afb19af2ba[log] [tgz]
authorWonsik Kim <wonsik@google.com>Wed Mar 30 17:13:00 2016 +0900
committerThe Android Automerger <android-build@google.com>Mon Apr 25 13:01:33 2016 -0700
treec6c807fb8540d0f720e973f8895a6e97ddbf1e10
parent06305e5912418e3d8e108bb4c7e32b1db27cf52f [diff]
DO NOT MERGE codecs: check OMX buffer size before use in (vorbis|opus)dec

Bug: 27833616
Change-Id: I1ccdd16a00741da072527a6d13e87fd7c7fe8c54
(cherry picked from commit 67e58393b4b3be841a65173f274114b3869382da)

diff --git a/media/libstagefright/codecs/opus/dec/SoftOpus.cpp b/media/libstagefright/codecs/opus/dec/SoftOpus.cpp
index 2afa0ed..2e44ed7 100644
--- a/media/libstagefright/codecs/opus/dec/SoftOpus.cpp
+++ b/media/libstagefright/codecs/opus/dec/SoftOpus.cpp

@@ -458,12 +458,17 @@
 
         const uint8_t *data = inHeader->pBuffer + inHeader->nOffset;
         const uint32_t size = inHeader->nFilledLen;
+        size_t frameSize = kMaxOpusOutputPacketSizeSamples;
+        if (frameSize > outHeader->nAllocLen / sizeof(int16_t) / mHeader->channels) {
+            frameSize = outHeader->nAllocLen / sizeof(int16_t) / mHeader->channels;
+            android_errorWriteLog(0x534e4554, "27833616");
+        }
 
         int numFrames = opus_multistream_decode(mDecoder,
                                                 data,
                                                 size,
                                                 (int16_t *)outHeader->pBuffer,
-                                                kMaxOpusOutputPacketSizeSamples,
+                                                frameSize,
                                                 0);
         if (numFrames < 0) {
             ALOGE("opus_multistream_decode returned %d", numFrames);

diff --git a/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp b/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp
index 4e1e6a5..5f4e346 100644
--- a/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp
+++ b/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp

@@ -273,6 +273,12 @@
 
         const uint8_t *data = header->pBuffer + header->nOffset;
         size_t size = header->nFilledLen;
+        if (size < 7) {
+            ALOGE("Too small input buffer: %zu bytes", size);
+            android_errorWriteLog(0x534e4554, "27833616");
+            notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL);
+            return;
+        }
 
         ogg_buffer buf;
         ogg_reference ref;
@@ -378,9 +384,14 @@
             ALOGW("vorbis_dsp_synthesis returned %d", err);
 #endif
         } else {
+            size_t numSamplesPerBuffer = kMaxNumSamplesPerBuffer;
+            if (numSamplesPerBuffer > outHeader->nAllocLen / sizeof(int16_t)) {
+                numSamplesPerBuffer = outHeader->nAllocLen / sizeof(int16_t);
+                android_errorWriteLog(0x534e4554, "27833616");
+            }
             numFrames = vorbis_dsp_pcmout(
                     mState, (int16_t *)outHeader->pBuffer,
-                    (kMaxNumSamplesPerBuffer / mVi->channels));
+                    (numSamplesPerBuffer / mVi->channels));
 
             if (numFrames < 0) {
                 ALOGE("vorbis_dsp_pcmout returned %d", numFrames);