Merge cherrypicks of [2435782, 2435615, 2435577, 2435653, 2435616, 2435708, 2435617, 2435558, 2435784, 2435709, 2435631, 2435559, 2435560, 2435618, 2435801, 2435674, 2435710, 2435746, 2435579, 2435747, 2435711, 2435785, 2435786, 2435787, 2435713, 2435804, 2435822, 2435842, 2435753, 2435965, 2436024, 2435885] into nyc-mr1-security-e-release
Change-Id: Iae6482309778021eabb5e8ec4234e02d6cb2a788
diff --git a/drm/mediadrm/plugins/clearkey/InitDataParser.cpp b/drm/mediadrm/plugins/clearkey/InitDataParser.cpp
index 0216b8d..6a4f8d5 100644
--- a/drm/mediadrm/plugins/clearkey/InitDataParser.cpp
+++ b/drm/mediadrm/plugins/clearkey/InitDataParser.cpp
@@ -114,7 +114,7 @@
memcpy(&keyIdCount, &initData[readPosition], sizeof(keyIdCount));
keyIdCount = ntohl(keyIdCount);
readPosition += sizeof(keyIdCount);
- if (readPosition + (keyIdCount * kKeyIdSize) !=
+ if (readPosition + ((uint64_t)keyIdCount * kKeyIdSize) !=
initData.size() - sizeof(uint32_t)) {
return android::ERROR_DRM_CANNOT_HANDLE;
}
diff --git a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
index 592ec13..dcf3fa0 100644
--- a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
+++ b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
@@ -148,7 +148,10 @@
void *pParam,
uint32_t *pValueSize,
void *pValue);
-int Equalizer_setParameter (EffectContext *pContext, void *pParam, void *pValue);
+int Equalizer_setParameter (EffectContext *pContext,
+ void *pParam,
+ uint32_t valueSize,
+ void *pValue);
int Equalizer_getParameter (EffectContext *pContext,
void *pParam,
uint32_t *pValueSize,
@@ -2473,12 +2476,17 @@
// Inputs:
// pEqualizer - handle to instance data
// pParam - pointer to parameter
+// valueSize - value size
// pValue - pointer to value
+
//
// Outputs:
//
//----------------------------------------------------------------------------
-int Equalizer_setParameter (EffectContext *pContext, void *pParam, void *pValue){
+int Equalizer_setParameter (EffectContext *pContext,
+ void *pParam,
+ uint32_t valueSize,
+ void *pValue) {
int status = 0;
int32_t preset;
int32_t band;
@@ -2490,6 +2498,10 @@
//ALOGV("\tEqualizer_setParameter start");
switch (param) {
case EQ_PARAM_CUR_PRESET:
+ if (valueSize < sizeof(int16_t)) {
+ status = -EINVAL;
+ break;
+ }
preset = (int32_t)(*(uint16_t *)pValue);
//ALOGV("\tEqualizer_setParameter() EQ_PARAM_CUR_PRESET %d", preset);
@@ -2500,6 +2512,10 @@
EqualizerSetPreset(pContext, preset);
break;
case EQ_PARAM_BAND_LEVEL:
+ if (valueSize < sizeof(int16_t)) {
+ status = -EINVAL;
+ break;
+ }
band = *pParamTemp;
level = (int32_t)(*(int16_t *)pValue);
//ALOGV("\tEqualizer_setParameter() EQ_PARAM_BAND_LEVEL band %d, level %d", band, level);
@@ -2515,6 +2531,10 @@
break;
case EQ_PARAM_PROPERTIES: {
//ALOGV("\tEqualizer_setParameter() EQ_PARAM_PROPERTIES");
+ if (valueSize < sizeof(int16_t)) {
+ status = -EINVAL;
+ break;
+ }
int16_t *p = (int16_t *)pValue;
if ((int)p[0] >= EqualizerGetNumPresets()) {
status = -EINVAL;
@@ -2523,6 +2543,13 @@
if (p[0] >= 0) {
EqualizerSetPreset(pContext, (int)p[0]);
} else {
+ if (valueSize < (2 + FIVEBAND_NUMBANDS) * sizeof(int16_t)) {
+ android_errorWriteLog(0x534e4554, "37563371");
+ ALOGE("\tERROR Equalizer_setParameter() EQ_PARAM_PROPERTIES valueSize %d < %d",
+ (int)valueSize, (int)((2 + FIVEBAND_NUMBANDS) * sizeof(int16_t)));
+ status = -EINVAL;
+ break;
+ }
if ((int)p[1] != FIVEBAND_NUMBANDS) {
status = -EINVAL;
break;
@@ -3301,7 +3328,8 @@
*(int *)pReplyData = android::Equalizer_setParameter(pContext,
(void *)p->data,
- p->data + p->psize);
+ p->vsize,
+ p->data + p->psize);
}
if(pContext->EffectType == LVM_VOLUME){
//ALOGV("\tVolume_command cmdCode Case: EFFECT_CMD_SET_PARAM start");
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 2d6e776..5441714 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -2826,8 +2826,10 @@
int32_t delay, padding;
if (sscanf(mLastCommentData,
" %*x %x %x %*x", &delay, &padding) == 2) {
- if (mLastTrack == NULL)
+ if (mLastTrack == NULL) {
+ delete[] buffer;
return ERROR_MALFORMED;
+ }
mLastTrack->meta->setInt32(kKeyEncoderDelay, delay);
mLastTrack->meta->setInt32(kKeyEncoderPadding, padding);
diff --git a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp
index 1dd631a..411a251 100644
--- a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp
+++ b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp
@@ -255,13 +255,28 @@
mSignalledError = true;
return;
}
+
+ // Need to check if header contains new info, e.g., width/height, etc.
+ VopHeaderInfo header_info;
+ uint8_t *bitstreamTmp = bitstream;
+ if (PVDecodeVopHeader(
+ mHandle, &bitstreamTmp, ×tamp, &tmp,
+ &header_info, &useExtTimestamp,
+ outHeader->pBuffer) != PV_TRUE) {
+ ALOGE("failed to decode vop header.");
+
+ notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL);
+ mSignalledError = true;
+ return;
+ }
+ if (handlePortSettingsChange()) {
+ return;
+ }
+
// The PV decoder is lying to us, sometimes it'll claim to only have
// consumed a subset of the buffer when it clearly consumed all of it.
// ignore whatever it says...
- if (PVDecodeVideoFrame(
- mHandle, &bitstream, ×tamp, &tmp,
- &useExtTimestamp,
- outHeader->pBuffer) != PV_TRUE) {
+ if (PVDecodeVopBody(mHandle, &tmp) != PV_TRUE) {
ALOGE("failed to decode video frame.");
notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL);
diff --git a/media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp b/media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp
index 60c79a6..f18f789 100644
--- a/media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp
+++ b/media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp
@@ -15,6 +15,8 @@
* and limitations under the License.
* -------------------------------------------------------------------
*/
+#include "log/log.h"
+
#include "mp4dec_lib.h"
#include "bitstream.h"
#include "vlc_decode.h"
@@ -1336,8 +1338,7 @@
}
tmpvar = BitstreamReadBits16(stream, 9);
- video->displayWidth = (tmpvar + 1) << 2;
- video->width = (video->displayWidth + 15) & -16;
+ int tmpDisplayWidth = (tmpvar + 1) << 2;
/* marker bit */
if (!BitstreamRead1Bits(stream))
{
@@ -1350,14 +1351,21 @@
status = PV_FAIL;
goto return_point;
}
- video->displayHeight = tmpvar << 2;
- video->height = (video->displayHeight + 15) & -16;
+ int tmpDisplayHeight = tmpvar << 2;
+ int tmpHeight = (tmpDisplayHeight + 15) & -16;
+ int tmpWidth = (tmpDisplayWidth + 15) & -16;
- if (video->height * video->width > video->size)
+ if (tmpHeight * tmpWidth > video->size)
{
+ // This is just possibly "b/37079296".
+ ALOGE("b/37079296");
status = PV_FAIL;
goto return_point;
}
+ video->displayWidth = tmpDisplayWidth;
+ video->width = tmpWidth;
+ video->displayHeight = tmpDisplayHeight;
+ video->height = tmpHeight;
video->nTotalMB = video->width / MB_SIZE * video->height / MB_SIZE;
diff --git a/media/libstagefright/codecs/m4v_h263/enc/src/mp4enc_api.cpp b/media/libstagefright/codecs/m4v_h263/enc/src/mp4enc_api.cpp
index c2b7c8d..7ab8f45 100644
--- a/media/libstagefright/codecs/m4v_h263/enc/src/mp4enc_api.cpp
+++ b/media/libstagefright/codecs/m4v_h263/enc/src/mp4enc_api.cpp
@@ -773,7 +773,7 @@
|| (size_t)(size + (size >> 1)) > SIZE_MAX / sizeof(PIXEL)) {
goto CLEAN_UP;
}
- video->currVop->yChan = (PIXEL *)M4VENC_MALLOC(sizeof(PIXEL) * (size + (size >> 1))); /* Memory for currVop Y */
+ video->currVop->allChan = video->currVop->yChan = (PIXEL *)M4VENC_MALLOC(sizeof(PIXEL) * (size + (size >> 1))); /* Memory for currVop Y */
if (video->currVop->yChan == NULL) goto CLEAN_UP;
video->currVop->uChan = video->currVop->yChan + size;/* Memory for currVop U */
video->currVop->vChan = video->currVop->uChan + (size >> 2);/* Memory for currVop V */
@@ -791,7 +791,7 @@
video->prevBaseVop = (Vop *) M4VENC_MALLOC(sizeof(Vop)); /* Memory for Previous Base Vop */
if (video->prevBaseVop == NULL) goto CLEAN_UP;
- video->prevBaseVop->yChan = (PIXEL *) M4VENC_MALLOC(sizeof(PIXEL) * (size + (size >> 1))); /* Memory for prevBaseVop Y */
+ video->prevBaseVop->allChan = video->prevBaseVop->yChan = (PIXEL *) M4VENC_MALLOC(sizeof(PIXEL) * (size + (size >> 1))); /* Memory for prevBaseVop Y */
if (video->prevBaseVop->yChan == NULL) goto CLEAN_UP;
video->prevBaseVop->uChan = video->prevBaseVop->yChan + size; /* Memory for prevBaseVop U */
video->prevBaseVop->vChan = video->prevBaseVop->uChan + (size >> 2); /* Memory for prevBaseVop V */
@@ -808,7 +808,7 @@
{
video->nextBaseVop = (Vop *) M4VENC_MALLOC(sizeof(Vop)); /* Memory for Next Base Vop */
if (video->nextBaseVop == NULL) goto CLEAN_UP;
- video->nextBaseVop->yChan = (PIXEL *) M4VENC_MALLOC(sizeof(PIXEL) * (size + (size >> 1))); /* Memory for nextBaseVop Y */
+ video->nextBaseVop->allChan = video->nextBaseVop->yChan = (PIXEL *) M4VENC_MALLOC(sizeof(PIXEL) * (size + (size >> 1))); /* Memory for nextBaseVop Y */
if (video->nextBaseVop->yChan == NULL) goto CLEAN_UP;
video->nextBaseVop->uChan = video->nextBaseVop->yChan + size; /* Memory for nextBaseVop U */
video->nextBaseVop->vChan = video->nextBaseVop->uChan + (size >> 2); /* Memory for nextBaseVop V */
@@ -825,7 +825,7 @@
{
video->prevEnhanceVop = (Vop *) M4VENC_MALLOC(sizeof(Vop)); /* Memory for Previous Enhancement Vop */
if (video->prevEnhanceVop == NULL) goto CLEAN_UP;
- video->prevEnhanceVop->yChan = (PIXEL *) M4VENC_MALLOC(sizeof(PIXEL) * (size + (size >> 1))); /* Memory for Previous Ehancement Y */
+ video->prevEnhanceVop->allChan = video->prevEnhanceVop->yChan = (PIXEL *) M4VENC_MALLOC(sizeof(PIXEL) * (size + (size >> 1))); /* Memory for Previous Ehancement Y */
if (video->prevEnhanceVop->yChan == NULL) goto CLEAN_UP;
video->prevEnhanceVop->uChan = video->prevEnhanceVop->yChan + size; /* Memory for Previous Enhancement U */
video->prevEnhanceVop->vChan = video->prevEnhanceVop->uChan + (size >> 2); /* Memory for Previous Enhancement V */
@@ -1196,39 +1196,35 @@
if (video->currVop)
{
- if (video->currVop->yChan)
+ if (video->currVop->allChan)
{
- video->currVop->yChan -= offset;
- M4VENC_FREE(video->currVop->yChan);
+ M4VENC_FREE(video->currVop->allChan);
}
M4VENC_FREE(video->currVop);
}
if (video->nextBaseVop)
{
- if (video->nextBaseVop->yChan)
+ if (video->nextBaseVop->allChan)
{
- video->nextBaseVop->yChan -= offset;
- M4VENC_FREE(video->nextBaseVop->yChan);
+ M4VENC_FREE(video->nextBaseVop->allChan);
}
M4VENC_FREE(video->nextBaseVop);
}
if (video->prevBaseVop)
{
- if (video->prevBaseVop->yChan)
+ if (video->prevBaseVop->allChan)
{
- video->prevBaseVop->yChan -= offset;
- M4VENC_FREE(video->prevBaseVop->yChan);
+ M4VENC_FREE(video->prevBaseVop->allChan);
}
M4VENC_FREE(video->prevBaseVop);
}
if (video->prevEnhanceVop)
{
- if (video->prevEnhanceVop->yChan)
+ if (video->prevEnhanceVop->allChan)
{
- video->prevEnhanceVop->yChan -= offset;
- M4VENC_FREE(video->prevEnhanceVop->yChan);
+ M4VENC_FREE(video->prevEnhanceVop->allChan);
}
M4VENC_FREE(video->prevEnhanceVop);
}
diff --git a/media/libstagefright/codecs/m4v_h263/enc/src/mp4lib_int.h b/media/libstagefright/codecs/m4v_h263/enc/src/mp4lib_int.h
index 3bc9421..b05099c 100644
--- a/media/libstagefright/codecs/m4v_h263/enc/src/mp4lib_int.h
+++ b/media/libstagefright/codecs/m4v_h263/enc/src/mp4lib_int.h
@@ -39,6 +39,7 @@
typedef struct tagVOP
{
+ PIXEL *allChan; /* [yuv]Chan point into this buffer */
PIXEL *yChan; /* The Y component */
PIXEL *uChan; /* The U component */
PIXEL *vChan; /* The V component */
diff --git a/media/libstagefright/omx/GraphicBufferSource.cpp b/media/libstagefright/omx/GraphicBufferSource.cpp
index 93d6584..8b6c591 100644
--- a/media/libstagefright/omx/GraphicBufferSource.cpp
+++ b/media/libstagefright/omx/GraphicBufferSource.cpp
@@ -177,9 +177,12 @@
mIsPersistent = true;
}
mConsumer->setDefaultBufferSize(bufferWidth, bufferHeight);
- // Note that we can't create an sp<...>(this) in a ctor that will not keep a
- // reference once the ctor ends, as that would cause the refcount of 'this'
- // dropping to 0 at the end of the ctor. Since all we need is a wp<...>
+}
+
+status_t GraphicBufferSource::init() {
+ // Note that we can't create an sp<...>(this) in a method that will not keep a
+ // reference once the method ends, as that may cause the refcount of 'this'
+ // dropping to 0 at the end of the method. Since all we need is a wp<...>
// that's what we create.
wp<BufferQueue::ConsumerListener> listener = static_cast<BufferQueue::ConsumerListener*>(this);
sp<IConsumerListener> proxy;
@@ -190,15 +193,14 @@
}
mInitCheck = mConsumer->consumerConnect(proxy, false);
- if (mInitCheck != NO_ERROR) {
+ if (mInitCheck == NO_ERROR) {
+ memset(&mColorAspects, 0, sizeof(mColorAspects));
+ } else {
ALOGE("Error connecting to BufferQueue: %s (%d)",
strerror(-mInitCheck), mInitCheck);
- return;
}
- memset(&mColorAspects, 0, sizeof(mColorAspects));
-
- CHECK(mInitCheck == NO_ERROR);
+ return mInitCheck;
}
GraphicBufferSource::~GraphicBufferSource() {
@@ -396,7 +398,7 @@
int id = codecBuffer.mSlot;
sp<Fence> fence = new Fence(fenceFd);
if (mBufferSlot[id] != NULL &&
- mBufferSlot[id]->handle == codecBuffer.mGraphicBuffer->handle) {
+ mBufferSlot[id]->handle == codecBuffer.mGraphicBuffer->handle) {
mBufferUseCount[id]--;
ALOGV("codecBufferEmptied: slot=%d, cbi=%d, useCount=%d, handle=%p",
@@ -486,6 +488,12 @@
} else if (err != OK) {
ALOGW("suspend: acquireBuffer returned err=%d", err);
break;
+ } else if (item.mSlot < 0 ||
+ item.mSlot >= BufferQueue::NUM_BUFFER_SLOTS) {
+ // Invalid buffer index
+ ALOGW("suspend: corrupted buffer index (%d)",
+ item.mSlot);
+ break;
}
++mNumBufferAcquired;
@@ -607,6 +615,10 @@
// now what? fake end-of-stream?
ALOGW("fillCodecBuffer_l: acquireBuffer returned err=%d", err);
return false;
+ } else if (item.mSlot < 0 || item.mSlot >= BufferQueue::NUM_BUFFER_SLOTS) {
+ // Invalid buffer index
+ ALOGW("fillCodecBuffer_l: corrupted buffer index (%d)", item.mSlot);
+ return false;
}
mNumBufferAcquired++;
@@ -980,8 +992,14 @@
BufferItem item;
status_t err = mConsumer->acquireBuffer(&item, 0);
if (err == OK) {
+ if (item.mSlot < 0 ||
+ item.mSlot >= BufferQueue::NUM_BUFFER_SLOTS) {
+ // Invalid buffer index
+ ALOGW("onFrameAvailable: corrupted buffer index (%d)",
+ item.mSlot);
+ return;
+ }
mNumBufferAcquired++;
-
// If this is the first time we're seeing this buffer, add it to our
// slot table.
if (item.mGraphicBuffer != NULL) {
diff --git a/media/libstagefright/omx/GraphicBufferSource.h b/media/libstagefright/omx/GraphicBufferSource.h
index aa4ceb3..b3fcd1b 100644
--- a/media/libstagefright/omx/GraphicBufferSource.h
+++ b/media/libstagefright/omx/GraphicBufferSource.h
@@ -62,11 +62,7 @@
virtual ~GraphicBufferSource();
- // We can't throw an exception if the constructor fails, so we just set
- // this and require that the caller test the value.
- status_t initCheck() const {
- return mInitCheck;
- }
+ status_t init();
// Returns the handle to the producer side of the BufferQueue. Buffers
// queued on this will be received by GraphicBufferSource.
diff --git a/media/libstagefright/omx/OMXNodeInstance.cpp b/media/libstagefright/omx/OMXNodeInstance.cpp
index c3514b3..e7aaead 100644
--- a/media/libstagefright/omx/OMXNodeInstance.cpp
+++ b/media/libstagefright/omx/OMXNodeInstance.cpp
@@ -1130,7 +1130,7 @@
usageBits,
bufferConsumer);
- if ((err = bufferSource->initCheck()) != OK) {
+ if ((err = bufferSource->init()) != OK) {
return err;
}
setGraphicBufferSource(bufferSource);
