From 17a8aa18fccceea616a3030c13cbcea5e7b9f54d Mon Sep 17 00:00:00 2001
From: Andy Hung
Date: Tue, 26 May 2015 11:14:36 -0700
Subject: DO NOT MERGE - IOMX: Add buffer range check to emptyBuffer CYNGNOS-446
Bug: 20634516
Change-Id: If351dbd573bb4aeb6968bfa33f6d407225bc752c
(cherry picked from commit 49fa7b75b65c3047f55efb4cd2b25261f4289799)
---
 media/libstagefright/omx/OMXNodeInstance.cpp | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/media/libstagefright/omx/OMXNodeInstance.cpp b/media/libstagefright/omx/OMXNodeInstance.cpp
index 38667d14bc..7f7b9756d1 100644
--- a/media/libstagefright/omx/OMXNodeInstance.cpp
+++ b/media/libstagefright/omx/OMXNodeInstance.cpp
@@ -850,6 +850,12 @@ status_t OMXNodeInstance::emptyBuffer(
 Mutex::Autolock autoLock(mLock);
 OMX_BUFFERHEADERTYPE *header = (OMX_BUFFERHEADERTYPE *)buffer;
+ // rangeLength and rangeOffset must be a subset of the allocated data in the buffer.
+ // corner case: we permit rangeOffset == end-of-buffer with rangeLength == 0.
+ if (rangeOffset > header->nAllocLen
+ || rangeLength > header->nAllocLen - rangeOffset) {
+ return BAD_VALUE;
+ }
 header->nFilledLen = rangeLength;
 header->nOffset = rangeOffset;
 header->nFlags = flags;
--
cgit v1.2.3
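Review bot: The new range check bounds rangeOffset and rangeLength against `header->nAllocLen`, but `header` is produced on the preceding context line by casting the caller-supplied `buffer` id straight to an `OMX_BUFFERHEADERTYPE *`, so the limit being enforced is read from whatever address that id names; if `buffer` arrives over the IOMX binder interface from a less-trusted process, this remains a pointer-trust problem that the added check does not address, and the id should be resolved against the node's own table of issued headers before anything is dereferenced. The subtraction `header->nAllocLen - rangeOffset` is free of unsigned underflow only because the first clause has already rejected `rangeOffset > nAllocLen`, and that ordering deserves a comment such as `// first clause guarantees nAllocLen - rangeOffset cannot underflow` so a later reordering does not silently reintroduce the overflow. A rejected range is also returned as a bare `BAD_VALUE` with no diagnostic; logging the offending offset, length and nAllocLen before returning would make a misbehaving or hostile client visible in exactly the bug reports this change targets, using whichever logging macro the file already employs since none is visible in the hunk. emptyBuffer's signature and the rest of its body lie outside the hunk.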