diff options
author | Dongwon Kang <dwkang@google.com> | 2017-07-24 13:59:51 -0700 |
---|---|---|
committer | MSe <mse1969@posteo.de> | 2017-10-04 23:29:49 +0200 |
commit | cbaa061b6e0bd958d3685ec9ef8b4a34921c700d (patch) | |
tree | 59772364e251b6db196aa04c09138dc49294a2ee | |
parent | 135afc5f73eea239b6b8f0d2767cf64882b84913 (diff) | |
download | frameworks_av-cbaa061b6e0bd958d3685ec9ef8b4a34921c700d.tar.gz frameworks_av-cbaa061b6e0bd958d3685ec9ef8b4a34921c700d.tar.bz2 frameworks_av-cbaa061b6e0bd958d3685ec9ef8b4a34921c700d.zip |
Check buffer size in useBuffer in software components
Test: No more crash from oob read/write with running poc.
Bug: 63522430
Change-Id: I232d256eacdfaa9347902fe9b42650999f0d2d85
(cherry picked from commit 4e79910fdb303fd28a37a9401bed1b7fbccb1373)
CVE-2017-0817
-rw-r--r-- | media/libstagefright/omx/SimpleSoftOMXComponent.cpp | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/media/libstagefright/omx/SimpleSoftOMXComponent.cpp b/media/libstagefright/omx/SimpleSoftOMXComponent.cpp index 2ae807ee94..06556b7dc8 100644 --- a/media/libstagefright/omx/SimpleSoftOMXComponent.cpp +++ b/media/libstagefright/omx/SimpleSoftOMXComponent.cpp @@ -199,6 +199,13 @@ OMX_ERRORTYPE SimpleSoftOMXComponent::useBuffer( Mutex::Autolock autoLock(mLock); CHECK_LT(portIndex, mPorts.size()); + PortInfo *port = &mPorts.editItemAt(portIndex); + if (size < port->mDef.nBufferSize) { + ALOGE("b/63522430, Buffer size is too small."); + android_errorWriteLog(0x534e4554, "63522430"); + return OMX_ErrorBadParameter; + } + *header = new OMX_BUFFERHEADERTYPE; (*header)->nSize = sizeof(OMX_BUFFERHEADERTYPE); (*header)->nVersion.s.nVersionMajor = 1; @@ -221,8 +228,6 @@ OMX_ERRORTYPE SimpleSoftOMXComponent::useBuffer( (*header)->nOutputPortIndex = portIndex; (*header)->nInputPortIndex = portIndex; - PortInfo *port = &mPorts.editItemAt(portIndex); - CHECK(mState == OMX_StateLoaded || port->mDef.bEnabled == OMX_FALSE); CHECK_LT(port->mBuffers.size(), port->mDef.nBufferCountActual); |