From dc5e47f013bfbb74c5c35ad976aa98d480cb351b Mon Sep 17 00:00:00 2001
From: Wei Jia
Date: Mon, 8 Jun 2015 14:01:42 -0700
Subject: [PATCH] DO NOT MERGE - SoftwareRenderer: sanity check buffer size before copying data.

Bug: 21443020
Change-Id: I63cf86217b8201fb41809c23e4b752b845a93ee2
(cherry picked from commit 760f92f8b6da9c9cf128cb18fe3c09402fdde6cd)
---
 media/libstagefright/colorconversion/SoftwareRenderer.cpp | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/media/libstagefright/colorconversion/SoftwareRenderer.cpp b/media/libstagefright/colorconversion/SoftwareRenderer.cpp
index 1899b40405..f906757205 100644
--- a/media/libstagefright/colorconversion/SoftwareRenderer.cpp
+++ b/media/libstagefright/colorconversion/SoftwareRenderer.cpp
@@ -180,7 +180,7 @@ void SoftwareRenderer::resetFormatIfChanged(const sp &format) {
 }
 void SoftwareRenderer::render(
- const void *data, size_t /*size*/, int64_t timestampNs,
+ const void *data, size_t size, int64_t timestampNs,
 void* /*platformPrivate*/, const sp& format) {
 resetFormatIfChanged(format);
@@ -209,6 +209,9 @@ void SoftwareRenderer::render(
 buf->stride, buf->height, 0, 0, mCropWidth - 1, mCropHeight - 1);
 } else if (mColorFormat == OMX_COLOR_FormatYUV420Planar) {
+ if ((size_t)mWidth * mHeight * 3 / 2 > size) {
+ goto skip_copying;
+ }
 const uint8_t *src_y = (const uint8_t *)data;
 const uint8_t *src_u = (const uint8_t *)data + mWidth * mHeight;
 const uint8_t *src_v = src_u + (mWidth / 2 * mHeight / 2);
@@ -238,6 +241,9 @@ void SoftwareRenderer::render(
 }
 } else {
 CHECK_EQ(mColorFormat, OMX_TI_COLOR_FormatYUV420PackedSemiPlanar);
+ if ((size_t)mWidth * mHeight * 3 / 2 > size) {
+ goto skip_copying;
+ }
 const uint8_t *src_y = (const uint8_t *)data;
@@ -273,6 +279,7 @@ void SoftwareRenderer::render(
 }
 }
+skip_copying:
 CHECK_EQ(0, mapper.unlock(buf->handle));
 if ((err = native_window_set_buffers_timestamp(mNativeWindow.get(),
--
2.11.0
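Review bot: The new bound `(size_t)mWidth * mHeight * 3 / 2 > size` in the YUV420Planar branch can itself wrap where size_t is 32 bits, so a large enough width/height pair produces a small product and passes the very check meant to reject it; the identical test added in the PackedSemiPlanar branch (hunk at -238) has the same weakness. Doing the arithmetic in 64 bits closes that gap: `if ((uint64_t)mWidth * mHeight * 3 / 2 > size) {`, assuming mWidth and mHeight are 32-bit members, which their declarations outside this patch would confirm. Separately, the converter branch that ends just above (`... mCropWidth - 1, mCropHeight - 1);`) still appears to consume `data` with no length check at all, as far as the visible lines show. The body of render() starts and continues outside this hunk.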
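Review bot: The jump to `skip_copying` is silent, and execution carries on into the unlock and timestamp calls, so an undersized input leaves no trace in the log and the dequeued buffer's pixels are never written before whatever follows outside this hunk (presumably queueing it to the window). A log line at each `goto` site, for example `ALOGE("input size %zu too small for %dx%d frame", size, mWidth, mHeight);` with specifiers adjusted to the members' real types, would make rejected frames visible to anyone triaging malformed media. It is also worth confirming that a skipped buffer cannot present stale contents from an earlier use; if it can, cancelling the buffer rather than queueing it would be the safer path.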