authorAndy Hung <hunga@google.com>2015-05-26 11:14:36 -0700
committerAbhisek Devkota <ciwrl@cyanogenmod.com>2015-08-12 13:29:20 -0700
commit17a8aa18fccceea616a3030c13cbcea5e7b9f54d (patch)
tree912197d9ceee8fc096dc2453af8bc199f37ede14
parent0de41b453b7069772f8ed8e2d5fd4ed65dade97c (diff)
DO NOT MERGE - IOMX: Add buffer range check to emptyBuffer
CYNGNOS-446 Bug: 20634516 Change-Id: If351dbd573bb4aeb6968bfa33f6d407225bc752c (cherry picked from commit 49fa7b75b65c3047f55efb4cd2b25261f4289799)
-rw-r--r--media/libstagefright/omx/OMXNodeInstance.cpp6
1 files changed, 6 insertions, 0 deletions
diff --git a/media/libstagefright/omx/OMXNodeInstance.cpp b/media/libstagefright/omx/OMXNodeInstance.cpp
index 38667d14bc..7f7b9756d1 100644
--- a/media/libstagefright/omx/OMXNodeInstance.cpp
+++ b/media/libstagefright/omx/OMXNodeInstance.cpp
@@ -850,6 +850,12 @@ status_t OMXNodeInstance::emptyBuffer(
Mutex::Autolock autoLock(mLock);
OMX_BUFFERHEADERTYPE *header = (OMX_BUFFERHEADERTYPE *)buffer;
+ // rangeLength and rangeOffset must be a subset of the allocated data in the buffer.
+ // corner case: we permit rangeOffset == end-of-buffer with rangeLength == 0.
+ if (rangeOffset > header->nAllocLen
+ || rangeLength > header->nAllocLen - rangeOffset) {
+ return BAD_VALUE;
+ }
header->nFilledLen = rangeLength;
header->nOffset = rangeOffset;
header->nFlags = flags;
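Review bot: The added bound is read from `header->nAllocLen`, but `header` is produced by casting the caller-supplied `buffer` id straight to `OMX_BUFFERHEADERTYPE *` on the context line just above the check, so the range test is only as trustworthy as that pointer. Nothing in the visible lines confirms that `buffer` names a header this node owns; unless that is validated elsewhere, the id should be matched against the node's own record of allocated buffers and rejected with `BAD_VALUE` before `nAllocLen` is dereferenced. The comparison itself is sound: `rangeOffset <= nAllocLen` is established first, so `nAllocLen - rangeOffset` cannot wrap. For detection it would also help to log the rejected values before returning, e.g. `ALOGE("emptyBuffer: range %u+%u exceeds nAllocLen %u", rangeOffset, rangeLength, header->nAllocLen);`. emptyBuffer's signature begins above the hunk and its body continues past the last context line.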