author | android-build-team Robot <android-build-team-robot@google.com> | 2020-03-26 23:46:22 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2020-03-26 23:46:22 +0000 |
commit | f39f936e00ace75c14995980ec9269c035557f2d (patch) | |
tree | 97274f018e171a91a1787b2de77c7299fb3fc5de | |
parent | 530703f600da1243190f5c6abdc44339935661e8 (diff) | |
parent | ae2c605380345aa2b08b9f78f16161a5cb9d6f7c (diff) | |
Snap for 6337011 from ae2c605380345aa2b08b9f78f16161a5cb9d6f7c to qt-qpr3-release
Change-Id: I10fdf783b0d265b61ddada020b0716a3a25be0f3
-rw-r--r-- | media/codec2/sfplugin/CCodecBuffers.cpp | 7 | ||||
-rwxr-xr-x | media/extractors/mp4/MPEG4Extractor.cpp | 40 | ||||
-rw-r--r-- | media/extractors/mp4/SampleTable.cpp | 17 | ||||
-rw-r--r-- | media/libaudioclient/AudioRecord.cpp | 10 | ||||
-rw-r--r-- | media/libaudioclient/AudioTrack.cpp | 10 | ||||
-rw-r--r-- | media/libaudioclient/include/media/AudioRecord.h | 8 | ||||
-rw-r--r-- | media/libaudioclient/include/media/AudioTrack.h | 8 |
7 files changed, 80 insertions, 20 deletions
diff --git a/media/codec2/sfplugin/CCodecBuffers.cpp b/media/codec2/sfplugin/CCodecBuffers.cpp index 26c702ddc0..ed8b832478 100644 --- a/media/codec2/sfplugin/CCodecBuffers.cpp +++ b/media/codec2/sfplugin/CCodecBuffers.cpp @@ -878,9 +878,10 @@ void OutputBuffersArray::realloc(const std::shared_ptr<C2Buffer> &c2buffer) { switch (c2buffer->data().type()) { case C2BufferData::LINEAR: { uint32_t size = kLinearBufferSize; - const C2ConstLinearBlock &block = c2buffer->data().linearBlocks().front(); - if (block.size() < kMaxLinearBufferSize / 2) { - size = block.size() * 2; + const std::vector<C2ConstLinearBlock> &linear_blocks = c2buffer->data().linearBlocks(); + const uint32_t block_size = linear_blocks.front().size(); + if (block_size < kMaxLinearBufferSize / 2) { + size = block_size * 2; } else { size = kMaxLinearBufferSize; } diff --git a/media/extractors/mp4/MPEG4Extractor.cpp b/media/extractors/mp4/MPEG4Extractor.cpp index 14fe0dc444..fa562f3026 100755 --- a/media/extractors/mp4/MPEG4Extractor.cpp +++ b/media/extractors/mp4/MPEG4Extractor.cpp @@ -4993,8 +4993,11 @@ status_t MPEG4Source::parseChunk(off64_t *offset) { } status_t MPEG4Source::parseSampleAuxiliaryInformationSizes( - off64_t offset, off64_t /* size */) { + off64_t offset, off64_t size) { ALOGV("parseSampleAuxiliaryInformationSizes"); + if (size < 9) { + return -EINVAL; + } // 14496-12 8.7.12 uint8_t version; if (mDataSource->readAt( 
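Review bot: `linear_blocks.front()` in the LINEAR case is called with no check that the vector is non-empty, and `front()` on an empty `std::vector` is undefined behaviour. Nothing visible here guarantees that a LINEAR buffer carries at least one block, so I would wrap the size computation in `if (!linear_blocks.empty()) { ... }` and let the existing `size = kLinearBufferSize` initial value act as the fallback. A short comment on the new reference would also help, e.g. `// keep the block list alive in a named reference while front() is used`, if the reason for the change is that linearBlocks() returns a temporary (not shown in the hunk). The body of OutputBuffersArray::realloc continues past the end of the hunk.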
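Review bot: The new minimum `size < 9` at the top of parseSampleAuxiliaryInformationSizes is an unexplained constant, as are `size < 13` in the next hunk and `size < 8` in parseSampleAuxiliaryInformationOffsets. Judging by the reads in this and the following hunk, 9 is version (1) + flags (3) + default sample info size (1) + sample count (4), and 13 adds the two optional 4-byte aux-info fields to what remains after version and flags. A comment such as `// version(1) + flags(3) + default_sample_info_size(1) + sample_count(4)` beside each check would let a reader verify the arithmetic. These paths also return `-EINVAL` where the surrounding code uses `ERROR_IO` / `ERROR_MALFORMED`; `ERROR_MALFORMED` would keep the status vocabulary consistent, provided no caller depends on the errno value. The function body runs beyond this hunk.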
@@ -5007,25 +5010,32 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationSizes( return ERROR_UNSUPPORTED; } offset++; + size--; uint32_t flags; if (!mDataSource->getUInt24(offset, &flags)) { return ERROR_IO; } offset += 3; + size -= 3; if (flags & 1) { + if (size < 13) { + return -EINVAL; + } uint32_t tmp; if (!mDataSource->getUInt32(offset, &tmp)) { return ERROR_MALFORMED; } mCurrentAuxInfoType = tmp; offset += 4; + size -= 4; if (!mDataSource->getUInt32(offset, &tmp)) { return ERROR_MALFORMED; } mCurrentAuxInfoTypeParameter = tmp; offset += 4; + size -= 4; } uint8_t defsize; @@ -5034,6 +5044,7 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationSizes( } mCurrentDefaultSampleInfoSize = defsize; offset++; + size--; uint32_t smplcnt; if (!mDataSource->getUInt32(offset, &smplcnt)) { @@ -5041,11 +5052,16 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationSizes( } mCurrentSampleInfoCount = smplcnt; offset += 4; - + size -= 4; if (mCurrentDefaultSampleInfoSize != 0) { ALOGV("@@@@ using default sample info size of %d", mCurrentDefaultSampleInfoSize); return OK; } + if(smplcnt > size) { + ALOGW("b/124525515 - smplcnt(%u) > size(%ld)", (unsigned int)smplcnt, (unsigned long)size); + android_errorWriteLog(0x534e4554, "124525515"); + return -EINVAL; + } if (smplcnt > mCurrentSampleInfoAllocSize) { uint8_t * newPtr = (uint8_t*) realloc(mCurrentSampleInfoSizes, smplcnt); if (newPtr == NULL) { 
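Review bot: `mCurrentSampleInfoCount = smplcnt;` is assigned before the new `smplcnt > size` check, so when that check returns `-EINVAL` the member keeps a count that was just rejected while `mCurrentSampleInfoSizes` and its allocation size stay as they were. Whether any later reader trusts the count after a failed parse is not visible in this hunk, but validating first is the safer order: move the assignment below the check, or add `mCurrentSampleInfoCount = 0;` before `return -EINVAL;`. Separately, the ALOGW pairs `%ld` with an `(unsigned long)` cast of an `off64_t`; `%lld` with `(long long)size` matches the type on 32-bit builds as well. The function starts and ends outside this hunk.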
@@ -5061,26 +5077,32 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationSizes( } status_t MPEG4Source::parseSampleAuxiliaryInformationOffsets( - off64_t offset, off64_t /* size */) { + off64_t offset, off64_t size) { ALOGV("parseSampleAuxiliaryInformationOffsets"); + if (size < 8) { + return -EINVAL; + } // 14496-12 8.7.13 uint8_t version; if (mDataSource->readAt(offset, &version, sizeof(version)) != 1) { return ERROR_IO; } offset++; + size--; uint32_t flags; if (!mDataSource->getUInt24(offset, &flags)) { return ERROR_IO; } offset += 3; + size -= 3; uint32_t entrycount; if (!mDataSource->getUInt32(offset, &entrycount)) { return ERROR_IO; } offset += 4; + size -= 4; if (entrycount == 0) { return OK; } @@ -5106,19 +5128,31 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationOffsets( for (size_t i = 0; i < entrycount; i++) { if (version == 0) { + if (size < 4) { + ALOGW("b/124526959"); + android_errorWriteLog(0x534e4554, "124526959"); + return -EINVAL; + } uint32_t tmp; if (!mDataSource->getUInt32(offset, &tmp)) { return ERROR_IO; } mCurrentSampleInfoOffsets[i] = tmp; offset += 4; + size -= 4; } else { + if (size < 8) { + ALOGW("b/124526959"); + android_errorWriteLog(0x534e4554, "124526959"); + return -EINVAL; + } uint64_t tmp; if (!mDataSource->getUInt64(offset, &tmp)) { return ERROR_IO; } mCurrentSampleInfoOffsets[i] = tmp; offset += 8; + size -= 8; } } diff --git a/media/extractors/mp4/SampleTable.cpp b/media/extractors/mp4/SampleTable.cpp index bf29bf1eac..e7e8901bf1 100644 --- a/media/extractors/mp4/SampleTable.cpp +++ b/media/extractors/mp4/SampleTable.cpp 
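Review bot: The per-entry `size < 4` / `size < 8` checks inside the loop reject an oversized `entrycount` only after the code between the two parseSampleAuxiliaryInformationOffsets hunks has run. That code is not shown, so this is an inference, but if it sizes `mCurrentSampleInfoOffsets` from `entrycount`, a malformed box can still drive a large allocation before it is rejected. A single bound right after the `entrycount == 0` early return would fail sooner, e.g. `if (entrycount > size / (version == 0 ? 4 : 8)) { /* same b/124526959 logging */ return -EINVAL; }`. That would also remove the duplicated ALOGW / android_errorWriteLog block in the two loop branches, or leave them as a second line of defence.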
@@ -391,20 +391,11 @@ status_t SampleTable::setTimeToSampleParams( } mTimeToSampleCount = U32_AT(&header[4]); - if (mTimeToSampleCount > UINT32_MAX / (2 * sizeof(uint32_t))) { - // Choose this bound because - // 1) 2 * sizeof(uint32_t) is the amount of memory needed for one - // time-to-sample entry in the time-to-sample table. - // 2) mTimeToSampleCount is the number of entries of the time-to-sample - // table. - // 3) We hope that the table size does not exceed UINT32_MAX. + if (mTimeToSampleCount > (data_size - 8) / (2 * sizeof(uint32_t))) { ALOGE("Time-to-sample table size too large."); return ERROR_OUT_OF_RANGE; } - // Note: At this point, we know that mTimeToSampleCount * 2 will not - // overflow because of the above condition. - uint64_t allocSize = (uint64_t)mTimeToSampleCount * 2 * sizeof(uint32_t); mTotalSize += allocSize; if (mTotalSize > kMaxTotalSize) { @@ -540,6 +531,12 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size) } uint64_t allocSize = (uint64_t)numSyncSamples * sizeof(uint32_t); + if (allocSize > data_size - 8) { + ALOGW("b/124771364 - allocSize(%lu) > size(%lu)", + (unsigned long)allocSize, (unsigned long)(data_size - 8)); + android_errorWriteLog(0x534e4554, "124771364"); + return ERROR_MALFORMED; + } if (allocSize > kMaxTotalSize) { ALOGE("Sync sample table size too large."); return ERROR_OUT_OF_RANGE; diff --git a/media/libaudioclient/AudioRecord.cpp b/media/libaudioclient/AudioRecord.cpp index a1b04caa92..271e18655e 100644 --- a/media/libaudioclient/AudioRecord.cpp +++ b/media/libaudioclient/AudioRecord.cpp @@ -884,7 +884,6 @@ status_t AudioRecord::obtainBuffer(Buffer* audioBuffer, const struct timespec *r { // previous and new IAudioRecord sequence numbers are used to detect track re-creation uint32_t oldSequence = 0; - uint32_t newSequence; Proxy::Buffer buffer; status_t status = NO_ERROR; 
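Review bot: `(data_size - 8)` in the new time-to-sample bound is unsigned arithmetic if `data_size` is a `size_t` (as it is in the setSyncSampleParams signature shown in the next hunk), so it wraps to a very large value whenever `data_size` is below 8 and the check then passes for any count. The same expression appears in the `allocSize > data_size - 8` test added to setSyncSampleParams. Both rely on an earlier `data_size >= 8` rejection that is not visible in either hunk; please confirm it is there and record it in place of the rationale comment this hunk deletes, e.g. `// data_size >= 8 was verified above; the payload after the 8-byte header bounds the entry count`. The two checks also report the same condition differently, `ERROR_OUT_OF_RANGE` here and `ERROR_MALFORMED` with an error-log entry in setSyncSampleParams, which is worth aligning.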
@@ -902,7 +901,7 @@ status_t AudioRecord::obtainBuffer(Buffer* audioBuffer, const struct timespec *r // start of lock scope AutoMutex lock(mLock); - newSequence = mSequence; + uint32_t newSequence = mSequence; // did previous obtainBuffer() fail due to media server death or voluntary invalidation? if (status == DEAD_OBJECT) { // re-create track, unless someone else has already done so @@ -939,6 +938,7 @@ status_t AudioRecord::obtainBuffer(Buffer* audioBuffer, const struct timespec *r audioBuffer->frameCount = buffer.mFrameCount; audioBuffer->size = buffer.mFrameCount * mFrameSize; audioBuffer->raw = buffer.mRaw; + audioBuffer->sequence = oldSequence; if (nonContig != NULL) { *nonContig = buffer.mNonContig; } @@ -959,6 +959,12 @@ void AudioRecord::releaseBuffer(const Buffer* audioBuffer) buffer.mRaw = audioBuffer->raw; AutoMutex lock(mLock); + if (audioBuffer->sequence != mSequence) { + // This Buffer came from a different IAudioRecord instance, so ignore the releaseBuffer + ALOGD("%s is no-op due to IAudioRecord sequence mismatch %u != %u", + __func__, audioBuffer->sequence, mSequence); + return; + } mInOverrun = false; mProxy->releaseBuffer(&buffer); diff --git a/media/libaudioclient/AudioTrack.cpp b/media/libaudioclient/AudioTrack.cpp index 4a80cd3baa..9a66d48a90 100644 --- a/media/libaudioclient/AudioTrack.cpp +++ b/media/libaudioclient/AudioTrack.cpp @@ -1665,7 +1665,6 @@ status_t AudioTrack::obtainBuffer(Buffer* audioBuffer, const struct timespec *re { // previous and new IAudioTrack sequence numbers are used to detect track re-creation uint32_t oldSequence = 0; - uint32_t newSequence; Proxy::Buffer buffer; status_t status = NO_ERROR; 
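Review bot: `audioBuffer->sequence = oldSequence;` in AudioRecord::obtainBuffer stamps the buffer with a value that comes from `newSequence`, which the preceding hunk samples from `mSequence` before the DEAD_OBJECT re-creation branch. The assignment to `oldSequence` lies outside these hunks, but if it is `oldSequence = newSequence` and the re-creation advances `mSequence`, a buffer obtained right after a successful re-creation would carry the previous number and the new check in releaseBuffer() would discard it. Please confirm; re-reading the member after the branch (`oldSequence = mSequence;`) would keep the stamp in step with the instance that actually produced the buffer. The same pattern appears in the AudioTrack::obtainBuffer and AudioTrack::releaseBuffer hunks.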
@@ -1682,7 +1681,7 @@ status_t AudioTrack::obtainBuffer(Buffer* audioBuffer, const struct timespec *re { // start of lock scope AutoMutex lock(mLock); - newSequence = mSequence; + uint32_t newSequence = mSequence; // did previous obtainBuffer() fail due to media server death or voluntary invalidation? if (status == DEAD_OBJECT) { // re-create track, unless someone else has already done so @@ -1729,6 +1728,7 @@ status_t AudioTrack::obtainBuffer(Buffer* audioBuffer, const struct timespec *re audioBuffer->frameCount = buffer.mFrameCount; audioBuffer->size = buffer.mFrameCount * mFrameSize; audioBuffer->raw = buffer.mRaw; + audioBuffer->sequence = oldSequence; if (nonContig != NULL) { *nonContig = buffer.mNonContig; } @@ -1752,6 +1752,12 @@ void AudioTrack::releaseBuffer(const Buffer* audioBuffer) buffer.mRaw = audioBuffer->raw; AutoMutex lock(mLock); + if (audioBuffer->sequence != mSequence) { + // This Buffer came from a different IAudioTrack instance, so ignore the releaseBuffer + ALOGD("%s is no-op due to IAudioTrack sequence mismatch %u != %u", + __func__, audioBuffer->sequence, mSequence); + return; + } mReleased += stepCount; mInUnderrun = false; mProxy->releaseBuffer(&buffer); diff --git a/media/libaudioclient/include/media/AudioRecord.h b/media/libaudioclient/include/media/AudioRecord.h index a3c0fe4ac5..574302b869 100644 --- a/media/libaudioclient/include/media/AudioRecord.h +++ b/media/libaudioclient/include/media/AudioRecord.h @@ -92,6 +92,11 @@ public: int8_t* i8; // unsigned 8-bit, offset by 0x80 // input to obtainBuffer(): unused, output: pointer to buffer }; + + uint32_t sequence; // IAudioRecord instance sequence number, as of obtainBuffer(). + // It is set by obtainBuffer() and confirmed by releaseBuffer(). + // Not "user-serviceable". + // TODO Consider sp<IMemory> instead, or in addition to this. }; /* As a convenience, if a callback is supplied, a handler thread 
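Review bot: `uint32_t sequence;` in AudioRecord::Buffer has no initializer, yet releaseBuffer() now reads it, so a Buffer that reaches releaseBuffer() without a preceding successful obtainBuffer() is compared against `mSequence` with an indeterminate value. If nothing depends on Buffer being left uninitialized, `uint32_t sequence = 0;` would at least make that comparison deterministic. The comment `Not "user-serviceable"` could state the contract directly, e.g. `// Callers must not modify this field and must pass the same Buffer back to releaseBuffer().`, and the releaseBuffer() documentation (outside this hunk) should mention that a mismatch turns the call into a no-op. The same applies to the identical field added to AudioTrack::Buffer in AudioTrack.h.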
@@ -420,14 +425,17 @@ public: * frameCount number of frames requested * size ignored * raw ignored + * sequence ignored * After error return: * frameCount 0 * size 0 * raw undefined + * sequence undefined * After successful return: * frameCount actual number of frames available, <= number requested * size actual number of bytes available * raw pointer to the buffer + * sequence IAudioRecord instance sequence number, as of obtainBuffer() */ status_t obtainBuffer(Buffer* audioBuffer, int32_t waitCount, diff --git a/media/libaudioclient/include/media/AudioTrack.h b/media/libaudioclient/include/media/AudioTrack.h index df5eabc5cc..c607918b96 100644 --- a/media/libaudioclient/include/media/AudioTrack.h +++ b/media/libaudioclient/include/media/AudioTrack.h @@ -107,6 +107,11 @@ public: int16_t* i16; // signed 16-bit int8_t* i8; // unsigned 8-bit, offset by 0x80 }; // input to obtainBuffer(): unused, output: pointer to buffer + + uint32_t sequence; // IAudioTrack instance sequence number, as of obtainBuffer(). + // It is set by obtainBuffer() and confirmed by releaseBuffer(). + // Not "user-serviceable". + // TODO Consider sp<IMemory> instead, or in addition to this. }; /* As a convenience, if a callback is supplied, a handler thread @@ -692,14 +697,17 @@ public: * frameCount number of [empty slots for] frames requested * size ignored * raw ignored + * sequence ignored * After error return: * frameCount 0 * size 0 * raw undefined + * sequence undefined * After successful return: * frameCount actual number of [empty slots for] frames available, <= number requested * size actual number of bytes available * raw pointer to the buffer + * sequence IAudioTrack instance sequence number, as of obtainBuffer() */ status_t obtainBuffer(Buffer* audioBuffer, int32_t waitCount, size_t *nonContig = NULL); |