DO NOT MERGE - IOMX: Add buffer range check to emptyBuffer

author Andy Hung <hunga@google.com>

Tue, 26 May 2015 18:14:36 +0000 (11:14 -0700)

committer Bart Sears <bsears@google.com>

Wed, 27 May 2015 01:22:14 +0000 (01:22 +0000)
author Andy Hung <hunga@google.com>
Tue, 26 May 2015 18:14:36 +0000 (11:14 -0700)
committer Bart Sears <bsears@google.com>
Wed, 27 May 2015 01:22:14 +0000 (01:22 +0000)
diff --git a/media/libstagefright/omx/OMXNodeInstance.cpp b/media/libstagefright/omx/OMXNodeInstance.cpp

index 6c5c857..4fe41c9 100644 (file)
--- a/media/libstagefright/omx/OMXNodeInstance.cpp
+++ b/media/libstagefright/omx/OMXNodeInstance.cpp
@@ -797,6 +797,12 @@ status_t OMXNodeInstance::emptyBuffer(
      Mutex::Autolock autoLock(mLock);
  
      OMX_BUFFERHEADERTYPE *header = (OMX_BUFFERHEADERTYPE *)buffer;
+    // rangeLength and rangeOffset must be a subset of the allocated data in the buffer.
+    // corner case: we permit rangeOffset == end-of-buffer with rangeLength == 0.
+    if (rangeOffset > header->nAllocLen
+            || rangeLength > header->nAllocLen - rangeOffset) {
+        return BAD_VALUE;
+    }
      header->nFilledLen = rangeLength;
      header->nOffset = rangeOffset;
      header->nFlags = flags;
author	Andy Hung <hunga@google.com>
	Tue, 26 May 2015 18:14:36 +0000 (11:14 -0700)
committer	Bart Sears <bsears@google.com>
	Wed, 27 May 2015 01:22:14 +0000 (01:22 +0000)