Merge tag 'android-7.1.2_r8' into cm-14.1staging/cm-14.1_android-7.1.2_r8

Android 7.1.2 release 8 # gpg: Signature made Mon 01 May 2017 10:38:47 AM CDT # gpg: using DSA key E8AD3F819AB10E78 # gpg: Can't check signature: No public key
author: Dan Pasanen <dan.pasanen@gmail.com> 2017-05-01 18:26:09 -0500
committer: Dan Pasanen <dan.pasanen@gmail.com> 2017-05-01 18:26:09 -0500
commit: 16dcaaaca5c9b82db3c4722d2c5ce0acb3d759be (patch)
tree: 8eccdc5cbb9491e6bd3e24efba26be8c72576a62
parent: 4a9859015f3f8c9a875fd3ecabc870f93f518799 (diff)
parent: 594bf934384920618d2b6ce0bcda1f60144cb3eb (diff)
download: frameworks_av-staging/cm-14.1_android-7.1.2_r8.tar.gz
frameworks_av-staging/cm-14.1_android-7.1.2_r8.tar.bz2
frameworks_av-staging/cm-14.1_android-7.1.2_r8.zip
8 files changed, 75 insertions, 8 deletions
diff --git a/media/libstagefright/AMRExtractor.cpp b/media/libstagefright/AMRExtractor.cpp
index 0e98db828c..2892520c07 100644
--- a/media/libstagefright/AMRExtractor.cpp
+++ b/media/libstagefright/AMRExtractor.cpp
@@ -259,7 +259,7 @@ status_t AMRSource::read(
 
     int64_t seekTimeUs;
     ReadOptions::SeekMode mode;
-    if (options && options->getSeekTo(&seekTimeUs, &mode)) {
+    if (mOffsetTableLength > 0 && options && options->getSeekTo(&seekTimeUs, &mode)) {
         size_t size;
         int64_t seekFrame = seekTimeUs / 20000ll;  // 20ms per frame.
         mCurrentTimeUs = seekFrame * 20000ll;
diff --git a/media/libstagefright/HevcUtils.cpp b/media/libstagefright/HevcUtils.cpp
index 718710a01a..7d463a91c8 100644
--- a/media/libstagefright/HevcUtils.cpp
+++ b/media/libstagefright/HevcUtils.cpp
@@ -45,16 +45,32 @@ HevcParameterSets::HevcParameterSets()
 }
 
 status_t HevcParameterSets::addNalUnit(const uint8_t* data, size_t size) {
+    if (size < 1) {
+        ALOGE("empty NAL b/35467107");
+        return ERROR_MALFORMED;
+    }
     uint8_t nalUnitType = (data[0] >> 1) & 0x3f;
     status_t err = OK;
     switch (nalUnitType) {
         case 32:  // VPS
+            if (size < 2) {
+                ALOGE("invalid NAL/VPS size b/35467107");
+                return ERROR_MALFORMED;
+            }
             err = parseVps(data + 2, size - 2);
             break;
         case 33:  // SPS
+            if (size < 2) {
+                ALOGE("invalid NAL/SPS size b/35467107");
+                return ERROR_MALFORMED;
+            }
             err = parseSps(data + 2, size - 2);
             break;
         case 34:  // PPS
+            if (size < 2) {
+                ALOGE("invalid NAL/PPS size b/35467107");
+                return ERROR_MALFORMED;
+            }
             err = parsePps(data + 2, size - 2);
             break;
         case 39:  // Prefix SEI
diff --git a/media/libstagefright/NuMediaExtractor.cpp b/media/libstagefright/NuMediaExtractor.cpp
index 276d73136f..4558b3c1cf 100644
--- a/media/libstagefright/NuMediaExtractor.cpp
+++ b/media/libstagefright/NuMediaExtractor.cpp
@@ -618,7 +618,7 @@ bool NuMediaExtractor::getTotalBitrate(int64_t *bitrate) const {
     }
 
     off64_t size;
-    if (mDurationUs >= 0 && mDataSource->getSize(&size) == OK) {
+    if (mDurationUs > 0 && mDataSource->getSize(&size) == OK) {
         *bitrate = size * 8000000ll / mDurationUs;  // in bits/sec
         return true;
     }
diff --git a/media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp b/media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp
index 5f516cbc5c..f00a5d1b0c 100644
--- a/media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp
+++ b/media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp
@@ -510,6 +510,15 @@ void SoftAACEncoder2::onQueueFilled(OMX_U32 /* portIndex */) {
 
         BufferInfo *outInfo = *outQueue.begin();
         OMX_BUFFERHEADERTYPE *outHeader = outInfo->mHeader;
+
+        if (outHeader->nOffset + encInfo.confSize > outHeader->nAllocLen) {
+            ALOGE("b/34617444");
+            android_errorWriteLog(0x534e4554,"34617444");
+            notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL);
+            mSignalledError = true;
+            return;
+        }
+
         outHeader->nFilledLen = encInfo.confSize;
         outHeader->nFlags = OMX_BUFFERFLAG_CODECCONFIG;
 
diff --git a/media/libstagefright/codecs/m4v_h263/dec/src/mb_motion_comp.cpp b/media/libstagefright/codecs/m4v_h263/dec/src/mb_motion_comp.cpp
index fbc7be1aa1..877723d758 100644
--- a/media/libstagefright/codecs/m4v_h263/dec/src/mb_motion_comp.cpp
+++ b/media/libstagefright/codecs/m4v_h263/dec/src/mb_motion_comp.cpp
@@ -15,6 +15,10 @@
  * and limitations under the License.
  * -------------------------------------------------------------------
  */
+
+#define LOG_TAG "m4v_h263"
+#include <log/log.h>
+
 /*
 ------------------------------------------------------------------------------
  INPUT AND OUTPUT DEFINITIONS
@@ -236,6 +240,11 @@ void  MBMotionComp(
 
     /* Pointer to previous luminance frame */
     c_prev  = prev->yChan;
+    if (!c_prev) {
+        ALOGE("b/35269635");
+        android_errorWriteLog(0x534e4554, "35269635");
+        return;
+    }
 
     pred_block = video->mblock->pred_block;
 
@@ -574,7 +583,14 @@ void  SkippedMBMotionComp(
 
     /* zero motion compensation for previous frame */
     /*mby*width + mbx;*/
-    c_prev  = prev->yChan + offset;
+    c_prev  = prev->yChan;
+    if (!c_prev) {
+        ALOGE("b/35269635");
+        android_errorWriteLog(0x534e4554, "35269635");
+        return;
+    }
+    c_prev += offset;
+
     /*by*width_uv + bx;*/
     cu_prev = prev->uChan + (offset >> 2) + (xpos >> 2);
     /*by*width_uv + bx;*/
diff --git a/media/libstagefright/codecs/m4v_h263/dec/src/pvdec_api.cpp b/media/libstagefright/codecs/m4v_h263/dec/src/pvdec_api.cpp
index c1720c6390..8d5d0712b3 100644
--- a/media/libstagefright/codecs/m4v_h263/dec/src/pvdec_api.cpp
+++ b/media/libstagefright/codecs/m4v_h263/dec/src/pvdec_api.cpp
@@ -15,6 +15,8 @@
  * and limitations under the License.
  * -------------------------------------------------------------------
  */
+#define LOG_TAG "pvdec_api"
+#include <log/log.h>
 #include "mp4dec_lib.h"
 #include "vlc_decode.h"
 #include "bitstream.h"
@@ -1335,6 +1337,11 @@ Bool PVDecodeVopBody(VideoDecControls *decCtrl, int32 buffer_size[])
             }
         }
 
+        if (!video->prevVop->yChan) {
+            ALOGE("b/35269635");
+            android_errorWriteLog(0x534e4554, "35269635");
+            return PV_FALSE;
+        }
         oscl_memcpy(currVop->yChan, video->prevVop->yChan, (decCtrl->size*3) / 2);
 
         video->prevVop = prevVop;
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index ba8ce2a4cd..2bbe319a61 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -379,7 +379,7 @@ bool ID3::removeUnsynchronizationV2_4(bool iTunesHack) {
             flags &= ~1;
         }
 
-        if (flags & 2) {
+        if ((flags & 2) && (dataSize >= 2)) {
             // This file has "unsynchronization", so we have to replace occurrences
             // of 0xff 0x00 with just 0xff in order to get the real data.
 
@@ -395,11 +395,15 @@ bool ID3::removeUnsynchronizationV2_4(bool iTunesHack) {
                 mData[writeOffset++] = mData[readOffset++];
             }
             // move the remaining data following this frame
-            memmove(&mData[writeOffset], &mData[readOffset], oldSize - readOffset);
+            if (readOffset <= oldSize) {
+                memmove(&mData[writeOffset], &mData[readOffset], oldSize - readOffset);
+            } else {
+                ALOGE("b/34618607 (%zu %zu %zu %zu)", readOffset, writeOffset, oldSize, mSize);
+                android_errorWriteLog(0x534e4554, "34618607");
+            }
 
-            flags &= ~2;
         }
-
+        flags &= ~2;
         if (flags != prevFlags || iTunesHack) {
             WriteSyncsafeInteger(&mData[offset + 4], dataSize);
             mData[offset + 8] = flags >> 8;
diff --git a/services/audioflinger/Tracks.cpp b/services/audioflinger/Tracks.cpp
index 95805251d3..0683f4f8d4 100644
--- a/services/audioflinger/Tracks.cpp
+++ b/services/audioflinger/Tracks.cpp
@@ -133,9 +133,24 @@ AudioFlinger::ThreadBase::TrackBase::TrackBase(
     mUid = clientUid;
 
     // ALOGD("Creating track with %d buffers @ %d bytes", bufferCount, bufferSize);
+
+    size_t bufferSize = buffer == NULL ? roundup(frameCount) : frameCount;
+    // check overflow when computing bufferSize due to multiplication by mFrameSize.
+    if (bufferSize < frameCount  // roundup rounds down for values above UINT_MAX / 2
+            || mFrameSize == 0   // format needs to be correct
+            || bufferSize > SIZE_MAX / mFrameSize) {
+        android_errorWriteLog(0x534e4554, "34749571");
+        return;
+    }
+    bufferSize *= mFrameSize;
+
     size_t size = sizeof(audio_track_cblk_t);
-    size_t bufferSize = (buffer == NULL ? roundup(frameCount) : frameCount) * mFrameSize;
     if (buffer == NULL && alloc == ALLOC_CBLK) {
+        // check overflow when computing allocation size for streaming tracks.
+        if (size > SIZE_MAX - bufferSize) {
+            android_errorWriteLog(0x534e4554, "34749571");
+            return;
+        }
         size += bufferSize;
     }
author	Dan Pasanen <dan.pasanen@gmail.com>	2017-05-01 18:26:09 -0500
committer	Dan Pasanen <dan.pasanen@gmail.com>	2017-05-01 18:26:09 -0500
commit	16dcaaaca5c9b82db3c4722d2c5ce0acb3d759be (patch)
tree	8eccdc5cbb9491e6bd3e24efba26be8c72576a62
parent	4a9859015f3f8c9a875fd3ecabc870f93f518799 (diff)
parent	594bf934384920618d2b6ce0bcda1f60144cb3eb (diff)
download	frameworks_av-staging/cm-14.1_android-7.1.2_r8.tar.gz frameworks_av-staging/cm-14.1_android-7.1.2_r8.tar.bz2 frameworks_av-staging/cm-14.1_android-7.1.2_r8.zip