IOMX: Add buffer range check to emptyBuffer Bug: 20634516 Change-Id: If351dbd573bb4aeb6968bfa33f6d407225bc752c (cherry picked from commit d971df0eb300356b3c995d533289216f43aa60de)

commit: 086d84f45ab7b64d1a7ed7ac8ba5833664a6a5ab [log] [tgz]
author: Andy Hung <hunga@google.com> Tue May 26 11:14:36 2015 -0700
committer: The Android Automerger <android-build@google.com> Thu Jul 09 14:03:00 2015 -0700
tree: 05678105c5712f7a425231183a207eccbe498430
parent: c82e31a7039a03dca7b37c65b7890ba5c1e18ced [diff]
diff --git a/media/libstagefright/omx/OMXNodeInstance.cpp b/media/libstagefright/omx/OMXNodeInstance.cpp
index c04d95f..01ce247 100644
--- a/media/libstagefright/omx/OMXNodeInstance.cpp
+++ b/media/libstagefright/omx/OMXNodeInstance.cpp

@@ -980,6 +980,12 @@
     Mutex::Autolock autoLock(mLock);
 
     OMX_BUFFERHEADERTYPE *header = findBufferHeader(buffer);
+    // rangeLength and rangeOffset must be a subset of the allocated data in the buffer.
+    // corner case: we permit rangeOffset == end-of-buffer with rangeLength == 0.
+    if (rangeOffset > header->nAllocLen
+            || rangeLength > header->nAllocLen - rangeOffset) {
+        return BAD_VALUE;
+    }
     header->nFilledLen = rangeLength;
     header->nOffset = rangeOffset;
commit	086d84f45ab7b64d1a7ed7ac8ba5833664a6a5ab	[log] [tgz]
author	Andy Hung <hunga@google.com>	Tue May 26 11:14:36 2015 -0700
committer	The Android Automerger <android-build@google.com>	Thu Jul 09 14:03:00 2015 -0700
tree	05678105c5712f7a425231183a207eccbe498430
parent	c82e31a7039a03dca7b37c65b7890ba5c1e18ced [diff]