SoftMPEG4: Check the buffer size before writing the reference frame.

author Pawin Vongmasa <pawin@google.com>

Tue, 19 Jul 2016 03:12:02 +0000 (20:12 -0700)

committer Pawin Vongmasa <pawin@google.com>

Mon, 8 Aug 2016 03:22:05 +0000 (20:22 -0700)
author Pawin Vongmasa <pawin@google.com>
Tue, 19 Jul 2016 03:12:02 +0000 (20:12 -0700)
committer Pawin Vongmasa <pawin@google.com>
Mon, 8 Aug 2016 03:22:05 +0000 (20:22 -0700)
diff --git a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp

index c10c8f1..451f627 100644 (file)
--- a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp
+++ b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp
@@ -203,8 +203,17 @@ void SoftMPEG4::onQueueFilled(OMX_U32 /* portIndex */) {
              PortInfo *port = editPortInfo(1);
              OMX_BUFFERHEADERTYPE *outHeader = port->mBuffers.editItemAt(1).mHeader;
  
+            OMX_U32 yFrameSize = sizeof(uint8) * mHandle->size;
+            if ((outHeader->nAllocLen < yFrameSize) ||
+                    (outHeader->nAllocLen - yFrameSize < yFrameSize / 2)) {
+                ALOGE("Too small output buffer for reference frame: %zu bytes",
+                        outHeader->nAllocLen);
+                android_errorWriteLog(0x534e4554, "30033990");
+                notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL);
+                mSignalledError = true;
+                return;
+            }
              PVSetReferenceYUV(mHandle, outHeader->pBuffer);
-
              mFramesConfigured = true;
          }
  
@@ -222,7 +231,16 @@ void SoftMPEG4::onQueueFilled(OMX_U32 /* portIndex */) {
          int32_t bufferSize = inHeader->nFilledLen;
          int32_t tmp = bufferSize;
  
-        OMX_U32 frameSize = (mWidth * mHeight * 3) / 2;
+        OMX_U32 frameSize;
+        OMX_U64 yFrameSize = (OMX_U64)mWidth * (OMX_U64)mHeight;
+        if (yFrameSize > ((OMX_U64)UINT32_MAX / 3) * 2) {
+            ALOGE("Frame size too large");
+            notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL);
+            mSignalledError = true;
+            return;
+        }
+        frameSize = (OMX_U32)(yFrameSize + (yFrameSize / 2));
+
          if (outHeader->nAllocLen < frameSize) {
              android_errorWriteLog(0x534e4554, "27833616");
              ALOGE("Insufficient output buffer size");
diff --git a/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp b/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp

index 3bd2e1a..971dad0 100644 (file)
--- a/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp
+++ b/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp
@@ -116,6 +116,10 @@ OMX_ERRORTYPE SoftMPEG4Encoder::initEncParams() {
          ALOGE("Failed to get default encoding parameters");
          return OMX_ErrorUndefined;
      }
+    if (mFramerate == 0) {
+        ALOGE("Framerate should not be 0");
+        return OMX_ErrorUndefined;
+    }
      mEncParams->encMode = mEncodeMode;
      mEncParams->encWidth[0] = mWidth;
      mEncParams->encHeight[0] = mHeight;
author	Pawin Vongmasa <pawin@google.com>
	Tue, 19 Jul 2016 03:12:02 +0000 (20:12 -0700)
committer	Pawin Vongmasa <pawin@google.com>
	Mon, 8 Aug 2016 03:22:05 +0000 (20:22 -0700)
media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp		patch \| blob \| history
media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp		patch \| blob \| history