aenc-aac: bounds checking

Add bounds checking for buffers CRs-Fixed: 2013236 Change-Id: I0e1f75ea307088b92e87b99f8b614afbcd0f1c82
author: Aalique Grahame <agrahame@codeaurora.org> 2017-03-22 15:12:59 -0700
committer: Gerrit - the friendly Code Review server <code-review@localhost> 2017-05-22 01:51:06 -0700
commit: bcd773fc4095589b7ae7e20b65a3b407534ca11a (patch)
tree: ea880347cadba517c62b2d3eff9dba66cfc2be1c
parent: 4ad46f59d1a9648a635262c6315150ae713945fe (diff)
download: hardware_qcom_audio-bcd773fc4095589b7ae7e20b65a3b407534ca11a.tar.gz
hardware_qcom_audio-bcd773fc4095589b7ae7e20b65a3b407534ca11a.tar.bz2
hardware_qcom_audio-bcd773fc4095589b7ae7e20b65a3b407534ca11a.zip
1 files changed, 16 insertions, 5 deletions
diff --git a/mm-audio/aenc-aac/qdsp6/src/omx_aac_aenc.cpp b/mm-audio/aenc-aac/qdsp6/src/omx_aac_aenc.cpp
index d2dd1d0e..9c9fbf50 100644
--- a/mm-audio/aenc-aac/qdsp6/src/omx_aac_aenc.cpp
+++ b/mm-audio/aenc-aac/qdsp6/src/omx_aac_aenc.cpp
@@ -1,5 +1,5 @@
 /*--------------------------------------------------------------------------
-Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
+Copyright (c) 2010-2017, The Linux Foundation. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are met:
@@ -4178,14 +4178,25 @@ OMX_ERRORTYPE  omx_aac_aenc::fill_this_buffer_proxy
             DEBUG_DETAIL("FTBP->Al_len[%lu]buf[%p]size[%d]numOutBuf[%d]\n",\
                          buffer->nAllocLen,m_tmp_out_meta_buf,
                          nReadbytes,nNumOutputBuf);
-            if(*m_tmp_out_meta_buf <= 0)
+            if(m_tmp_out_meta_buf == NULL)
+                return OMX_ErrorUndefined;
+
+            if(*m_tmp_out_meta_buf <= 0 || *m_tmp_out_meta_buf > CHAR_MAX)
                 return OMX_ErrorBadParameter;
-            szadifhr = AUDAAC_MAX_ADIF_HEADER_LENGTH; 
+            szadifhr = AUDAAC_MAX_ADIF_HEADER_LENGTH;
             numframes =  *m_tmp_out_meta_buf;
             metainfo  = (int)((sizeof(ENC_META_OUT) * numframes)+
-			sizeof(unsigned char));
+                sizeof(unsigned char));
+            /*
+            * add bounds checking
+            */
+            if ((metainfo > INT_MAX - szadifhr) ||
+                (buffer->nAllocLen < (nReadbytes + szadifhr)) ||
+                (metainfo > nReadbytes)) {
+                return OMX_ErrorBadParameter;
+            }
             audaac_rec_install_adif_header_variable(0,sample_idx,
-				(OMX_U8)m_aac_param.nChannels);
+                (OMX_U8)m_aac_param.nChannels);
             memcpy(buffer->pBuffer,m_tmp_out_meta_buf,metainfo);
             memcpy(buffer->pBuffer + metainfo,&audaac_header_adif[0],szadifhr);
             memcpy(buffer->pBuffer + metainfo + szadifhr,
author	Aalique Grahame <agrahame@codeaurora.org>	2017-03-22 15:12:59 -0700
committer	Gerrit - the friendly Code Review server <code-review@localhost>	2017-05-22 01:51:06 -0700
commit	bcd773fc4095589b7ae7e20b65a3b407534ca11a (patch)
tree	ea880347cadba517c62b2d3eff9dba66cfc2be1c
parent	4ad46f59d1a9648a635262c6315150ae713945fe (diff)
download	hardware_qcom_audio-bcd773fc4095589b7ae7e20b65a3b407534ca11a.tar.gz hardware_qcom_audio-bcd773fc4095589b7ae7e20b65a3b407534ca11a.tar.bz2 hardware_qcom_audio-bcd773fc4095589b7ae7e20b65a3b407534ca11a.zip