DO NOT MERGE - SoftMPEG4: Check the buffer size before writing the reference frame.

author Pawin Vongmasa <pawin@google.com>

Tue, 19 Jul 2016 03:12:02 +0000 (20:12 -0700)

committer Pawin Vongmasa <pawin@google.com>

Wed, 17 Aug 2016 12:44:12 +0000 (12:44 +0000)
author Pawin Vongmasa <pawin@google.com>
Tue, 19 Jul 2016 03:12:02 +0000 (20:12 -0700)
committer Pawin Vongmasa <pawin@google.com>
Wed, 17 Aug 2016 12:44:12 +0000 (12:44 +0000)
diff --git a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp

index 78cfaa5..72f7e0c 100644 (file)
--- a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp
+++ b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp
@@ -202,8 +202,17 @@ void SoftMPEG4::onQueueFilled(OMX_U32 /* portIndex */) {
              PortInfo *port = editPortInfo(1);
              OMX_BUFFERHEADERTYPE *outHeader = port->mBuffers.editItemAt(1).mHeader;
  
+            OMX_U32 yFrameSize = sizeof(uint8) * mHandle->size;
+            if ((outHeader->nAllocLen < yFrameSize) ||
+                    (outHeader->nAllocLen - yFrameSize < yFrameSize / 2)) {
+                ALOGE("Too small output buffer for reference frame: %zu bytes",
+                        outHeader->nAllocLen);
+                android_errorWriteLog(0x534e4554, "30033990");
+                notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL);
+                mSignalledError = true;
+                return;
+            }
              PVSetReferenceYUV(mHandle, outHeader->pBuffer);
-
              mFramesConfigured = true;
          }
  
@@ -221,7 +230,16 @@ void SoftMPEG4::onQueueFilled(OMX_U32 /* portIndex */) {
          int32_t bufferSize = inHeader->nFilledLen;
          int32_t tmp = bufferSize;
  
-        OMX_U32 frameSize = (mWidth * mHeight * 3) / 2;
+        OMX_U32 frameSize;
+        OMX_U64 yFrameSize = (OMX_U64)mWidth * (OMX_U64)mHeight;
+        if (yFrameSize > ((OMX_U64)UINT32_MAX / 3) * 2) {
+            ALOGE("Frame size too large");
+            notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL);
+            mSignalledError = true;
+            return;
+        }
+        frameSize = (OMX_U32)(yFrameSize + (yFrameSize / 2));
+
          if (outHeader->nAllocLen < frameSize) {
              android_errorWriteLog(0x534e4554, "27833616");
              ALOGE("Insufficient output buffer size");
diff --git a/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp b/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp

index d16097f..596b329 100644 (file)
--- a/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp
+++ b/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp
@@ -101,6 +101,10 @@ OMX_ERRORTYPE SoftMPEG4Encoder::initEncParams() {
          ALOGE("Failed to get default encoding parameters");
          return OMX_ErrorUndefined;
      }
+    if (mVideoFrameRate == 0) {
+        ALOGE("Framerate should not be 0");
+        return OMX_ErrorUndefined;
+    }
      mEncParams->encMode = mEncodeMode;
      mEncParams->encWidth[0] = mVideoWidth;
      mEncParams->encHeight[0] = mVideoHeight;
author	Pawin Vongmasa <pawin@google.com>
	Tue, 19 Jul 2016 03:12:02 +0000 (20:12 -0700)
committer	Pawin Vongmasa <pawin@google.com>
	Wed, 17 Aug 2016 12:44:12 +0000 (12:44 +0000)
media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp		patch \| blob \| history
media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp		patch \| blob \| history