diff options
author | Andy Hung <hunga@google.com> | 2015-05-26 11:14:36 -0700 |
---|---|---|
committer | Abhisek Devkota <ciwrl@cyanogenmod.com> | 2015-08-12 13:29:20 -0700 |
commit | 17a8aa18fccceea616a3030c13cbcea5e7b9f54d (patch) | |
tree | 912197d9ceee8fc096dc2453af8bc199f37ede14 | |
parent | 0de41b453b7069772f8ed8e2d5fd4ed65dade97c (diff) | |
download | frameworks_av-17a8aa18fccceea616a3030c13cbcea5e7b9f54d.tar.gz frameworks_av-17a8aa18fccceea616a3030c13cbcea5e7b9f54d.tar.bz2 frameworks_av-17a8aa18fccceea616a3030c13cbcea5e7b9f54d.zip |
DO NOT MERGE - IOMX: Add buffer range check to emptyBuffer
CYNGNOS-446
Bug: 20634516
Change-Id: If351dbd573bb4aeb6968bfa33f6d407225bc752c
(cherry picked from commit 49fa7b75b65c3047f55efb4cd2b25261f4289799)
-rw-r--r-- | media/libstagefright/omx/OMXNodeInstance.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/media/libstagefright/omx/OMXNodeInstance.cpp b/media/libstagefright/omx/OMXNodeInstance.cpp index 38667d14bc..7f7b9756d1 100644 --- a/media/libstagefright/omx/OMXNodeInstance.cpp +++ b/media/libstagefright/omx/OMXNodeInstance.cpp @@ -850,6 +850,12 @@ status_t OMXNodeInstance::emptyBuffer( Mutex::Autolock autoLock(mLock); OMX_BUFFERHEADERTYPE *header = (OMX_BUFFERHEADERTYPE *)buffer; + // rangeLength and rangeOffset must be a subset of the allocated data in the buffer. + // corner case: we permit rangeOffset == end-of-buffer with rangeLength == 0. + if (rangeOffset > header->nAllocLen + || rangeLength > header->nAllocLen - rangeOffset) { + return BAD_VALUE; + } header->nFilledLen = rangeLength; header->nOffset = rangeOffset; header->nFlags = flags; |