author | Dan Pasanen <dan.pasanen@gmail.com> | 2017-05-01 18:26:09 -0500 |
---|---|---|
committer | Dan Pasanen <dan.pasanen@gmail.com> | 2017-05-01 18:26:09 -0500 |
commit | 16dcaaaca5c9b82db3c4722d2c5ce0acb3d759be (patch) | |
tree | 8eccdc5cbb9491e6bd3e24efba26be8c72576a62 | |
parent | 4a9859015f3f8c9a875fd3ecabc870f93f518799 (diff) | |
parent | 594bf934384920618d2b6ce0bcda1f60144cb3eb (diff) | |
Merge tag 'android-7.1.2_r8' into cm-14.1 staging/cm-14.1_android-7.1.2_r8
Android 7.1.2 release 8
# gpg: Signature made Mon 01 May 2017 10:38:47 AM CDT
# gpg: using DSA key E8AD3F819AB10E78
# gpg: Can't check signature: No public key
-rw-r--r-- | media/libstagefright/AMRExtractor.cpp | 2 | ||||
-rw-r--r-- | media/libstagefright/HevcUtils.cpp | 16 | ||||
-rw-r--r-- | media/libstagefright/NuMediaExtractor.cpp | 2 | ||||
-rw-r--r-- | media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp | 9 | ||||
-rw-r--r-- | media/libstagefright/codecs/m4v_h263/dec/src/mb_motion_comp.cpp | 18 | ||||
-rw-r--r-- | media/libstagefright/codecs/m4v_h263/dec/src/pvdec_api.cpp | 7 | ||||
-rw-r--r-- | media/libstagefright/id3/ID3.cpp | 12 | ||||
-rw-r--r-- | services/audioflinger/Tracks.cpp | 17 |
8 files changed, 75 insertions, 8 deletions
diff --git a/media/libstagefright/AMRExtractor.cpp b/media/libstagefright/AMRExtractor.cpp
index 0e98db828c..2892520c07 100644
--- a/media/libstagefright/AMRExtractor.cpp
+++ b/media/libstagefright/AMRExtractor.cpp
@@ -259,7 +259,7 @@ status_t AMRSource::read(
 int64_t seekTimeUs;
 ReadOptions::SeekMode mode;
- if (options && options->getSeekTo(&seekTimeUs, &mode)) {
+ if (mOffsetTableLength > 0 && options && options->getSeekTo(&seekTimeUs, &mode)) {
 size_t size;
 int64_t seekFrame = seekTimeUs / 20000ll; // 20ms per frame.
 mCurrentTimeUs = seekFrame * 20000ll;
diff --git a/media/libstagefright/HevcUtils.cpp b/media/libstagefright/HevcUtils.cpp
index 718710a01a..7d463a91c8 100644
--- a/media/libstagefright/HevcUtils.cpp
+++ b/media/libstagefright/HevcUtils.cpp
@@ -45,16 +45,32 @@ HevcParameterSets::HevcParameterSets()
 }
 status_t HevcParameterSets::addNalUnit(const uint8_t* data, size_t size) {
+ if (size < 1) {
+ ALOGE("empty NAL b/35467107");
+ return ERROR_MALFORMED;
+ }
 uint8_t nalUnitType = (data[0] >> 1) & 0x3f;
 status_t err = OK;
 switch (nalUnitType) {
 case 32: // VPS
+ if (size < 2) {
+ ALOGE("invalid NAL/VPS size b/35467107");
+ return ERROR_MALFORMED;
+ }
 err = parseVps(data + 2, size - 2);
 break;
 case 33: // SPS
+ if (size < 2) {
+ ALOGE("invalid NAL/SPS size b/35467107");
+ return ERROR_MALFORMED;
+ }
 err = parseSps(data + 2, size - 2);
 break;
 case 34: // PPS
+ if (size < 2) {
+ ALOGE("invalid NAL/PPS size b/35467107");
+ return ERROR_MALFORMED;
+ }
 err = parsePps(data + 2, size - 2);
 break;
 case 39: // Prefix SEI
diff --git a/media/libstagefright/NuMediaExtractor.cpp b/media/libstagefright/NuMediaExtractor.cpp
index 276d73136f..4558b3c1cf 100644
--- a/media/libstagefright/NuMediaExtractor.cpp
+++ b/media/libstagefright/NuMediaExtractor.cpp
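Review bot: The new `mOffsetTableLength > 0` term in AMRSource::read makes a seek request on a stream with an empty offset table fall through silently, and nothing in the hunk records why the seek is skipped. A comment above the condition would help the next reader, for example `// No offset table was built for this stream: skip the seek instead of indexing an empty table.`; the table indexing itself is outside the hunk, so confirm that this is the access being protected. Because the read then continues from the current position, callers that need to tell an ignored seek from a performed one have no signal for it.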
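Review bot: The four new length checks in HevcParameterSets::addNalUnit only call ALOGE, whereas the other bounds fixes in this merge (SoftAACEncoder2, the m4v_h263 decoder, ID3, Tracks) also call `android_errorWriteLog(0x534e4554, ...)` with the bug number, so a malformed NAL unit rejected here leaves no event-log record for detection. If that omission is not deliberate, add `android_errorWriteLog(0x534e4554, "35467107");` next to each ALOGE. The `size < 2` test still lets a two-byte unit through, so parseVps, parseSps and parsePps are called with a length of 0; those parsers are outside the hunk and should be confirmed to reject an empty payload. The three identical VPS/SPS/PPS checks could also share one helper, and the switch continues past the end of the hunk.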
@@ -618,7 +618,7 @@ bool NuMediaExtractor::getTotalBitrate(int64_t *bitrate) const {
 }
 off64_t size;
- if (mDurationUs >= 0 && mDataSource->getSize(&size) == OK) {
+ if (mDurationUs > 0 && mDataSource->getSize(&size) == OK) {
 *bitrate = size * 8000000ll / mDurationUs; // in bits/sec
 return true;
 }
diff --git a/media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp b/media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp
index 5f516cbc5c..f00a5d1b0c 100644
--- a/media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp
+++ b/media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp
@@ -510,6 +510,15 @@ void SoftAACEncoder2::onQueueFilled(OMX_U32 /* portIndex */) {
 BufferInfo *outInfo = *outQueue.begin();
 OMX_BUFFERHEADERTYPE *outHeader = outInfo->mHeader;
+
+ if (outHeader->nOffset + encInfo.confSize > outHeader->nAllocLen) {
+ ALOGE("b/34617444");
+ android_errorWriteLog(0x534e4554,"34617444");
+ notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL);
+ mSignalledError = true;
+ return;
+ }
+
 outHeader->nFilledLen = encInfo.confSize;
 outHeader->nFlags = OMX_BUFFERFLAG_CODECCONFIG;
diff --git a/media/libstagefright/codecs/m4v_h263/dec/src/mb_motion_comp.cpp b/media/libstagefright/codecs/m4v_h263/dec/src/mb_motion_comp.cpp
index fbc7be1aa1..877723d758 100644
--- a/media/libstagefright/codecs/m4v_h263/dec/src/mb_motion_comp.cpp
+++ b/media/libstagefright/codecs/m4v_h263/dec/src/mb_motion_comp.cpp
@@ -15,6 +15,10 @@
 * and limitations under the License.
 * -------------------------------------------------------------------
 */
+
+#define LOG_TAG "m4v_h263"
+#include <log/log.h>
+
 /*
 ------------------------------------------------------------------------------
 INPUT AND OUTPUT DEFINITIONS
@@ -236,6 +240,11 @@ void MBMotionComp(
 /* Pointer to previous luminance frame */
 c_prev = prev->yChan;
+ if (!c_prev) {
+ ALOGE("b/35269635");
+ android_errorWriteLog(0x534e4554, "35269635");
+ return;
+ }
 pred_block = video->mblock->pred_block;
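Review bot: Tightening the guard to `mDurationUs > 0` in NuMediaExtractor::getTotalBitrate removes the division by zero, but `size * 8000000ll` on the next line is still an unchecked signed 64-bit multiplication of a value reported by the data source. A size above `INT64_MAX / 8000000ll` (about 1.15e12 bytes) overflows, which is undefined behaviour, and a negative size would yield a negative bitrate. Extending the condition with `&& size >= 0 && size <= INT64_MAX / 8000000ll` keeps the arithmetic defined. The function starts before the hunk, so its earlier return paths were not reviewed.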
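Review bot: The bound `outHeader->nOffset + encInfo.confSize > outHeader->nAllocLen` in SoftAACEncoder2::onQueueFilled is itself an unsigned addition that can wrap if both operands are 32 bits wide (nOffset is an OMX_U32; the type of confSize is not visible here), in which case an oversized offset passes the check. Comparing without the addition avoids that: `if (encInfo.confSize > outHeader->nAllocLen || outHeader->nOffset > outHeader->nAllocLen - encInfo.confSize) {`. The ALOGE text carries only the bug number, so logging nOffset, confSize and nAllocLen would make the event usable in triage. The copy this check protects is outside the hunk.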
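Review bot: The null check on `c_prev` in MBMotionComp returns from a void function, so the caller cannot tell that the prediction for this macroblock was never written and decoding carries on; the same pattern is added to SkippedMBMotionComp in the later hunk of this file. Only `prev->yChan` is tested, while that later hunk shows `prev->uChan` being offset and used right after the check, so the fix relies on the chroma planes being valid whenever the luma plane is, which is not visible here. At minimum a comment such as `/* No reference frame to predict from: this MB is left unwritten. */` above each return would document the resulting state. Both functions begin and end outside their hunks.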
@@ -574,7 +583,14 @@ void SkippedMBMotionComp(
 /* zero motion compensation for previous frame */
 /*mby*width + mbx;*/
- c_prev = prev->yChan + offset;
+ c_prev = prev->yChan;
+ if (!c_prev) {
+ ALOGE("b/35269635");
+ android_errorWriteLog(0x534e4554, "35269635");
+ return;
+ }
+ c_prev += offset;
+
 /*by*width_uv + bx;*/
 cu_prev = prev->uChan + (offset >> 2) + (xpos >> 2);
 /*by*width_uv + bx;*/
diff --git a/media/libstagefright/codecs/m4v_h263/dec/src/pvdec_api.cpp b/media/libstagefright/codecs/m4v_h263/dec/src/pvdec_api.cpp
index c1720c6390..8d5d0712b3 100644
--- a/media/libstagefright/codecs/m4v_h263/dec/src/pvdec_api.cpp
+++ b/media/libstagefright/codecs/m4v_h263/dec/src/pvdec_api.cpp
@@ -15,6 +15,8 @@
 * and limitations under the License.
 * -------------------------------------------------------------------
 */
+#define LOG_TAG "pvdec_api"
+#include <log/log.h>
 #include "mp4dec_lib.h"
 #include "vlc_decode.h"
 #include "bitstream.h"
@@ -1335,6 +1337,11 @@ Bool PVDecodeVopBody(VideoDecControls *decCtrl, int32 buffer_size[])
 }
 }
+ if (!video->prevVop->yChan) {
+ ALOGE("b/35269635");
+ android_errorWriteLog(0x534e4554, "35269635");
+ return PV_FALSE;
+ }
 oscl_memcpy(currVop->yChan, video->prevVop->yChan, (decCtrl->size*3) / 2);
 video->prevVop = prevVop;
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index ba8ce2a4cd..2bbe319a61 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -379,7 +379,7 @@ bool ID3::removeUnsynchronizationV2_4(bool iTunesHack) {
 flags &= ~1;
 }
- if (flags & 2) {
+ if ((flags & 2) && (dataSize >= 2)) {
 // This file has "unsynchronization", so we have to replace occurrences
 // of 0xff 0x00 with just 0xff in order to get the real data.
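Review bot: The new early `return PV_FALSE;` in PVDecodeVopBody sits before `video->prevVop = prevVop;`, so that assignment is skipped on the error path; if it restores a pointer that was swapped earlier in the function (the swap, if any, is outside the hunk), the decoder state stays pointed at the substituted VOP for the next call. Consider restoring before returning, `video->prevVop = prevVop; return PV_FALSE;`, after checking how `prevVop` is set above. The copy length `(decCtrl->size*3) / 2` and the destination `currVop->yChan` are still used without a check of their own.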
@@ -395,11 +395,15 @@ bool ID3::removeUnsynchronizationV2_4(bool iTunesHack) {
 mData[writeOffset++] = mData[readOffset++];
 }
 // move the remaining data following this frame
- memmove(&mData[writeOffset], &mData[readOffset], oldSize - readOffset);
+ if (readOffset <= oldSize) {
+ memmove(&mData[writeOffset], &mData[readOffset], oldSize - readOffset);
+ } else {
+ ALOGE("b/34618607 (%zu %zu %zu %zu)", readOffset, writeOffset, oldSize, mSize);
+ android_errorWriteLog(0x534e4554, "34618607");
+ }
- flags &= ~2;
 }
-
+ flags &= ~2;
 if (flags != prevFlags || iTunesHack) {
 WriteSyncsafeInteger(&mData[offset + 4], dataSize);
 mData[offset + 8] = flags >> 8;
diff --git a/services/audioflinger/Tracks.cpp b/services/audioflinger/Tracks.cpp
index 95805251d3..0683f4f8d4 100644
--- a/services/audioflinger/Tracks.cpp
+++ b/services/audioflinger/Tracks.cpp
@@ -133,9 +133,24 @@ AudioFlinger::ThreadBase::TrackBase::TrackBase(
 mUid = clientUid;
 // ALOGD("Creating track with %d buffers @ %d bytes", bufferCount, bufferSize);
+
+ size_t bufferSize = buffer == NULL ? roundup(frameCount) : frameCount;
+ // check overflow when computing bufferSize due to multiplication by mFrameSize.
+ if (bufferSize < frameCount // roundup rounds down for values above UINT_MAX / 2
+ || mFrameSize == 0 // format needs to be correct
+ || bufferSize > SIZE_MAX / mFrameSize) {
+ android_errorWriteLog(0x534e4554, "34749571");
+ return;
+ }
+ bufferSize *= mFrameSize;
+
 size_t size = sizeof(audio_track_cblk_t);
- size_t bufferSize = (buffer == NULL ? roundup(frameCount) : frameCount) * mFrameSize;
 if (buffer == NULL && alloc == ALLOC_CBLK) {
+ // check overflow when computing allocation size for streaming tracks.
+ if (size > SIZE_MAX - bufferSize) {
+ android_errorWriteLog(0x534e4554, "34749571");
+ return;
+ }
 size += bufferSize;
 } |
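Review bot: When `readOffset > oldSize`, the new else branch in ID3::removeUnsynchronizationV2_4 only logs and then keeps processing the tag, although the copy loop above (only partly visible in the hunk) may by then have moved the offsets past the end of the data. Since the function returns bool, failing closed with `return false;` after the `android_errorWriteLog` call would stop a tag already found inconsistent from being parsed further; check that callers treat false as a rejected tag. `flags &= ~2;` now also runs when the frame was not rewritten (the `dataSize >= 2` case added in the previous hunk), which deserves a one-line comment so the move is not mistaken for an indentation slip.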
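Review bot: Both new overflow checks in the TrackBase constructor bail out with a bare `return;`, which leaves a constructed object whose remaining initialisation (everything after these points, outside the hunk) never ran, and they write the event log without an ALOGE saying which limit was hit. Nothing in the hunk shows how callers detect that state, so it should be confirmed that every creator of a track checks for failed construction before touching the buffer. A comment at each return, e.g. `// Construction is abandoned here; callers must treat the track as failed.`, plus a log line with `frameCount`, `mFrameSize` and `bufferSize`, would make the intent and the trigger explicit.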