Merge cherrypicks of [2540686, 2540687, 2540384, 2540688, 2540689, 2540690, 2540385, 2540691, 2540386, 2540387, 2540732, 2540388, 2540389, 2540733, 2540390, 2540752, 2540753, 2540736, 2540737, 2540757, 2540738, 2540758, 2540739, 2540759, 2540740, 2540741, 2540742, 2540743, 2540744, 2540745] into mnc-mr2-release
Change-Id: I28eface222776a59980f56dac5d14e45ec05ad96
diff --git a/drm/mediadrm/plugins/clearkey/InitDataParser.cpp b/drm/mediadrm/plugins/clearkey/InitDataParser.cpp
index c22d73a..c9c2a38 100644
--- a/drm/mediadrm/plugins/clearkey/InitDataParser.cpp
+++ b/drm/mediadrm/plugins/clearkey/InitDataParser.cpp
@@ -109,7 +109,7 @@
memcpy(&keyIdCount, &initData[readPosition], sizeof(keyIdCount));
keyIdCount = ntohl(keyIdCount);
readPosition += sizeof(keyIdCount);
- if (readPosition + (keyIdCount * kKeyIdSize) !=
+ if (readPosition + ((uint64_t)keyIdCount * kKeyIdSize) !=
initData.size() - sizeof(uint32_t)) {
return android::ERROR_DRM_CANNOT_HANDLE;
}
diff --git a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
index 60f400e..e9e805b 100644
--- a/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
+++ b/media/libeffects/lvm/wrapper/Bundle/EffectBundle.cpp
@@ -148,7 +148,10 @@
void *pParam,
uint32_t *pValueSize,
void *pValue);
-int Equalizer_setParameter (EffectContext *pContext, void *pParam, void *pValue);
+int Equalizer_setParameter (EffectContext *pContext,
+ void *pParam,
+ uint32_t valueSize,
+ void *pValue);
int Equalizer_getParameter (EffectContext *pContext,
void *pParam,
uint32_t *pValueSize,
@@ -2470,12 +2473,17 @@
// Inputs:
// pEqualizer - handle to instance data
// pParam - pointer to parameter
+// valueSize - value size
// pValue - pointer to value
+
//
// Outputs:
//
//----------------------------------------------------------------------------
-int Equalizer_setParameter (EffectContext *pContext, void *pParam, void *pValue){
+int Equalizer_setParameter (EffectContext *pContext,
+ void *pParam,
+ uint32_t valueSize,
+ void *pValue) {
int status = 0;
int32_t preset;
int32_t band;
@@ -2487,6 +2495,10 @@
//ALOGV("\tEqualizer_setParameter start");
switch (param) {
case EQ_PARAM_CUR_PRESET:
+ if (valueSize < sizeof(int16_t)) {
+ status = -EINVAL;
+ break;
+ }
preset = (int32_t)(*(uint16_t *)pValue);
//ALOGV("\tEqualizer_setParameter() EQ_PARAM_CUR_PRESET %d", preset);
@@ -2497,6 +2509,10 @@
EqualizerSetPreset(pContext, preset);
break;
case EQ_PARAM_BAND_LEVEL:
+ if (valueSize < sizeof(int16_t)) {
+ status = -EINVAL;
+ break;
+ }
band = *pParamTemp;
level = (int32_t)(*(int16_t *)pValue);
//ALOGV("\tEqualizer_setParameter() EQ_PARAM_BAND_LEVEL band %d, level %d", band, level);
@@ -2512,6 +2528,10 @@
break;
case EQ_PARAM_PROPERTIES: {
//ALOGV("\tEqualizer_setParameter() EQ_PARAM_PROPERTIES");
+ if (valueSize < sizeof(int16_t)) {
+ status = -EINVAL;
+ break;
+ }
int16_t *p = (int16_t *)pValue;
if ((int)p[0] >= EqualizerGetNumPresets()) {
status = -EINVAL;
@@ -2520,6 +2540,13 @@
if (p[0] >= 0) {
EqualizerSetPreset(pContext, (int)p[0]);
} else {
+ if (valueSize < (2 + FIVEBAND_NUMBANDS) * sizeof(int16_t)) {
+ android_errorWriteLog(0x534e4554, "37563371");
+ ALOGE("\tERROR Equalizer_setParameter() EQ_PARAM_PROPERTIES valueSize %d < %d",
+ (int)valueSize, (int)((2 + FIVEBAND_NUMBANDS) * sizeof(int16_t)));
+ status = -EINVAL;
+ break;
+ }
if ((int)p[1] != FIVEBAND_NUMBANDS) {
status = -EINVAL;
break;
@@ -3295,7 +3322,8 @@
*(int *)pReplyData = android::Equalizer_setParameter(pContext,
(void *)p->data,
- p->data + p->psize);
+ p->vsize,
+ p->data + p->psize);
}
if(pContext->EffectType == LVM_VOLUME){
//ALOGV("\tVolume_command cmdCode Case: EFFECT_CMD_SET_PARAM start");
diff --git a/media/libmediaplayerservice/nuplayer/NuPlayerDecoder.cpp b/media/libmediaplayerservice/nuplayer/NuPlayerDecoder.cpp
index c005f3f..eb9f639 100644
--- a/media/libmediaplayerservice/nuplayer/NuPlayerDecoder.cpp
+++ b/media/libmediaplayerservice/nuplayer/NuPlayerDecoder.cpp
@@ -526,7 +526,10 @@
ALOGI("[%s] resubmitting CSD", mComponentName.c_str());
msg->setBuffer("buffer", buffer);
mCSDsToSubmit.removeAt(0);
- CHECK(onInputBufferFetched(msg));
+ if (!onInputBufferFetched(msg)) {
+ handleError(UNKNOWN_ERROR);
+ return false;
+ }
return true;
}
@@ -863,7 +866,11 @@
// copy into codec buffer
if (buffer != codecBuffer) {
- CHECK_LE(buffer->size(), codecBuffer->capacity());
+ if (buffer->size() > codecBuffer->capacity()) {
+ handleError(ERROR_BUFFER_TOO_SMALL);
+ mDequeuedInputBuffers.push_back(bufferIx);
+ return false;
+ }
codecBuffer->setRange(0, buffer->size());
memcpy(codecBuffer->data(), buffer->data(), buffer->size());
}
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 91e9660..0996cdf 100755
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -2638,8 +2638,10 @@
int32_t delay, padding;
if (sscanf(mLastCommentData,
" %*x %x %x %*x", &delay, &padding) == 2) {
- if (mLastTrack == NULL)
+ if (mLastTrack == NULL) {
+ delete[] buffer;
return ERROR_MALFORMED;
+ }
mLastTrack->meta->setInt32(kKeyEncoderDelay, delay);
mLastTrack->meta->setInt32(kKeyEncoderPadding, padding);
diff --git a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp
index 1dd631a..411a251 100644
--- a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp
+++ b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp
@@ -255,13 +255,28 @@
mSignalledError = true;
return;
}
+
+ // Need to check if header contains new info, e.g., width/height, etc.
+ VopHeaderInfo header_info;
+ uint8_t *bitstreamTmp = bitstream;
+ if (PVDecodeVopHeader(
+ mHandle, &bitstreamTmp, ×tamp, &tmp,
+ &header_info, &useExtTimestamp,
+ outHeader->pBuffer) != PV_TRUE) {
+ ALOGE("failed to decode vop header.");
+
+ notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL);
+ mSignalledError = true;
+ return;
+ }
+ if (handlePortSettingsChange()) {
+ return;
+ }
+
// The PV decoder is lying to us, sometimes it'll claim to only have
// consumed a subset of the buffer when it clearly consumed all of it.
// ignore whatever it says...
- if (PVDecodeVideoFrame(
- mHandle, &bitstream, ×tamp, &tmp,
- &useExtTimestamp,
- outHeader->pBuffer) != PV_TRUE) {
+ if (PVDecodeVopBody(mHandle, &tmp) != PV_TRUE) {
ALOGE("failed to decode video frame.");
notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL);
diff --git a/media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp b/media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp
index 60c79a6..f18f789 100644
--- a/media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp
+++ b/media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp
@@ -15,6 +15,8 @@
* and limitations under the License.
* -------------------------------------------------------------------
*/
+#include "log/log.h"
+
#include "mp4dec_lib.h"
#include "bitstream.h"
#include "vlc_decode.h"
@@ -1336,8 +1338,7 @@
}
tmpvar = BitstreamReadBits16(stream, 9);
- video->displayWidth = (tmpvar + 1) << 2;
- video->width = (video->displayWidth + 15) & -16;
+ int tmpDisplayWidth = (tmpvar + 1) << 2;
/* marker bit */
if (!BitstreamRead1Bits(stream))
{
@@ -1350,14 +1351,21 @@
status = PV_FAIL;
goto return_point;
}
- video->displayHeight = tmpvar << 2;
- video->height = (video->displayHeight + 15) & -16;
+ int tmpDisplayHeight = tmpvar << 2;
+ int tmpHeight = (tmpDisplayHeight + 15) & -16;
+ int tmpWidth = (tmpDisplayWidth + 15) & -16;
- if (video->height * video->width > video->size)
+ if (tmpHeight * tmpWidth > video->size)
{
+ // This is just possibly "b/37079296".
+ ALOGE("b/37079296");
status = PV_FAIL;
goto return_point;
}
+ video->displayWidth = tmpDisplayWidth;
+ video->width = tmpWidth;
+ video->displayHeight = tmpDisplayHeight;
+ video->height = tmpHeight;
video->nTotalMB = video->width / MB_SIZE * video->height / MB_SIZE;
diff --git a/media/libstagefright/codecs/m4v_h263/enc/src/mp4enc_api.cpp b/media/libstagefright/codecs/m4v_h263/enc/src/mp4enc_api.cpp
index c2b7c8d..7ab8f45 100644
--- a/media/libstagefright/codecs/m4v_h263/enc/src/mp4enc_api.cpp
+++ b/media/libstagefright/codecs/m4v_h263/enc/src/mp4enc_api.cpp
@@ -773,7 +773,7 @@
|| (size_t)(size + (size >> 1)) > SIZE_MAX / sizeof(PIXEL)) {
goto CLEAN_UP;
}
- video->currVop->yChan = (PIXEL *)M4VENC_MALLOC(sizeof(PIXEL) * (size + (size >> 1))); /* Memory for currVop Y */
+ video->currVop->allChan = video->currVop->yChan = (PIXEL *)M4VENC_MALLOC(sizeof(PIXEL) * (size + (size >> 1))); /* Memory for currVop Y */
if (video->currVop->yChan == NULL) goto CLEAN_UP;
video->currVop->uChan = video->currVop->yChan + size;/* Memory for currVop U */
video->currVop->vChan = video->currVop->uChan + (size >> 2);/* Memory for currVop V */
@@ -791,7 +791,7 @@
video->prevBaseVop = (Vop *) M4VENC_MALLOC(sizeof(Vop)); /* Memory for Previous Base Vop */
if (video->prevBaseVop == NULL) goto CLEAN_UP;
- video->prevBaseVop->yChan = (PIXEL *) M4VENC_MALLOC(sizeof(PIXEL) * (size + (size >> 1))); /* Memory for prevBaseVop Y */
+ video->prevBaseVop->allChan = video->prevBaseVop->yChan = (PIXEL *) M4VENC_MALLOC(sizeof(PIXEL) * (size + (size >> 1))); /* Memory for prevBaseVop Y */
if (video->prevBaseVop->yChan == NULL) goto CLEAN_UP;
video->prevBaseVop->uChan = video->prevBaseVop->yChan + size; /* Memory for prevBaseVop U */
video->prevBaseVop->vChan = video->prevBaseVop->uChan + (size >> 2); /* Memory for prevBaseVop V */
@@ -808,7 +808,7 @@
{
video->nextBaseVop = (Vop *) M4VENC_MALLOC(sizeof(Vop)); /* Memory for Next Base Vop */
if (video->nextBaseVop == NULL) goto CLEAN_UP;
- video->nextBaseVop->yChan = (PIXEL *) M4VENC_MALLOC(sizeof(PIXEL) * (size + (size >> 1))); /* Memory for nextBaseVop Y */
+ video->nextBaseVop->allChan = video->nextBaseVop->yChan = (PIXEL *) M4VENC_MALLOC(sizeof(PIXEL) * (size + (size >> 1))); /* Memory for nextBaseVop Y */
if (video->nextBaseVop->yChan == NULL) goto CLEAN_UP;
video->nextBaseVop->uChan = video->nextBaseVop->yChan + size; /* Memory for nextBaseVop U */
video->nextBaseVop->vChan = video->nextBaseVop->uChan + (size >> 2); /* Memory for nextBaseVop V */
@@ -825,7 +825,7 @@
{
video->prevEnhanceVop = (Vop *) M4VENC_MALLOC(sizeof(Vop)); /* Memory for Previous Enhancement Vop */
if (video->prevEnhanceVop == NULL) goto CLEAN_UP;
- video->prevEnhanceVop->yChan = (PIXEL *) M4VENC_MALLOC(sizeof(PIXEL) * (size + (size >> 1))); /* Memory for Previous Ehancement Y */
+ video->prevEnhanceVop->allChan = video->prevEnhanceVop->yChan = (PIXEL *) M4VENC_MALLOC(sizeof(PIXEL) * (size + (size >> 1))); /* Memory for Previous Ehancement Y */
if (video->prevEnhanceVop->yChan == NULL) goto CLEAN_UP;
video->prevEnhanceVop->uChan = video->prevEnhanceVop->yChan + size; /* Memory for Previous Enhancement U */
video->prevEnhanceVop->vChan = video->prevEnhanceVop->uChan + (size >> 2); /* Memory for Previous Enhancement V */
@@ -1196,39 +1196,35 @@
if (video->currVop)
{
- if (video->currVop->yChan)
+ if (video->currVop->allChan)
{
- video->currVop->yChan -= offset;
- M4VENC_FREE(video->currVop->yChan);
+ M4VENC_FREE(video->currVop->allChan);
}
M4VENC_FREE(video->currVop);
}
if (video->nextBaseVop)
{
- if (video->nextBaseVop->yChan)
+ if (video->nextBaseVop->allChan)
{
- video->nextBaseVop->yChan -= offset;
- M4VENC_FREE(video->nextBaseVop->yChan);
+ M4VENC_FREE(video->nextBaseVop->allChan);
}
M4VENC_FREE(video->nextBaseVop);
}
if (video->prevBaseVop)
{
- if (video->prevBaseVop->yChan)
+ if (video->prevBaseVop->allChan)
{
- video->prevBaseVop->yChan -= offset;
- M4VENC_FREE(video->prevBaseVop->yChan);
+ M4VENC_FREE(video->prevBaseVop->allChan);
}
M4VENC_FREE(video->prevBaseVop);
}
if (video->prevEnhanceVop)
{
- if (video->prevEnhanceVop->yChan)
+ if (video->prevEnhanceVop->allChan)
{
- video->prevEnhanceVop->yChan -= offset;
- M4VENC_FREE(video->prevEnhanceVop->yChan);
+ M4VENC_FREE(video->prevEnhanceVop->allChan);
}
M4VENC_FREE(video->prevEnhanceVop);
}
diff --git a/media/libstagefright/codecs/m4v_h263/enc/src/mp4lib_int.h b/media/libstagefright/codecs/m4v_h263/enc/src/mp4lib_int.h
index 3bc9421..b05099c 100644
--- a/media/libstagefright/codecs/m4v_h263/enc/src/mp4lib_int.h
+++ b/media/libstagefright/codecs/m4v_h263/enc/src/mp4lib_int.h
@@ -39,6 +39,7 @@
typedef struct tagVOP
{
+ PIXEL *allChan; /* [yuv]Chan point into this buffer */
PIXEL *yChan; /* The Y component */
PIXEL *uChan; /* The U component */
PIXEL *vChan; /* The V component */
diff --git a/media/libstagefright/omx/GraphicBufferSource.cpp b/media/libstagefright/omx/GraphicBufferSource.cpp
index 1a7dc9d..a6ea9ce 100644
--- a/media/libstagefright/omx/GraphicBufferSource.cpp
+++ b/media/libstagefright/omx/GraphicBufferSource.cpp
@@ -170,9 +170,12 @@
mIsPersistent = true;
}
mConsumer->setDefaultBufferSize(bufferWidth, bufferHeight);
- // Note that we can't create an sp<...>(this) in a ctor that will not keep a
- // reference once the ctor ends, as that would cause the refcount of 'this'
- // dropping to 0 at the end of the ctor. Since all we need is a wp<...>
+}
+
+status_t GraphicBufferSource::init() {
+ // Note that we can't create an sp<...>(this) in a method that will not keep a
+ // reference once the method ends, as that may cause the refcount of 'this'
+ // dropping to 0 at the end of the method. Since all we need is a wp<...>
// that's what we create.
wp<BufferQueue::ConsumerListener> listener = static_cast<BufferQueue::ConsumerListener*>(this);
sp<IConsumerListener> proxy;
@@ -186,10 +189,9 @@
if (mInitCheck != NO_ERROR) {
ALOGE("Error connecting to BufferQueue: %s (%d)",
strerror(-mInitCheck), mInitCheck);
- return;
}
- CHECK(mInitCheck == NO_ERROR);
+ return mInitCheck;
}
GraphicBufferSource::~GraphicBufferSource() {
@@ -385,7 +387,7 @@
int id = codecBuffer.mBuf;
sp<Fence> fence = new Fence(fenceFd);
if (mBufferSlot[id] != NULL &&
- mBufferSlot[id]->handle == codecBuffer.mGraphicBuffer->handle) {
+ mBufferSlot[id]->handle == codecBuffer.mGraphicBuffer->handle) {
ALOGV("cbi %d matches bq slot %d, handle=%p",
cbi, id, mBufferSlot[id]->handle);
@@ -471,6 +473,12 @@
} else if (err != OK) {
ALOGW("suspend: acquireBuffer returned err=%d", err);
break;
+ } else if (item.mBuf < 0 ||
+ item.mBuf >= BufferQueue::NUM_BUFFER_SLOTS) {
+ // Invalid buffer index
+ ALOGW("suspend: corrupted buffer index (%d)",
+ item.mBuf);
+ break;
}
++mNumBufferAcquired;
@@ -522,6 +530,10 @@
// now what? fake end-of-stream?
ALOGW("fillCodecBuffer_l: acquireBuffer returned err=%d", err);
return false;
+ } else if (item.mBuf < 0 || item.mBuf >= BufferQueue::NUM_BUFFER_SLOTS) {
+ // Invalid buffer index
+ ALOGW("fillCodecBuffer_l: corrupted buffer index (%d)", item.mBuf);
+ return false;
}
mNumBufferAcquired++;
@@ -875,8 +887,14 @@
BufferItem item;
status_t err = mConsumer->acquireBuffer(&item, 0);
if (err == OK) {
+ if (item.mBuf < 0 ||
+ item.mBuf >= BufferQueue::NUM_BUFFER_SLOTS) {
+ // Invalid buffer index
+ ALOGW("onFrameAvailable: corrupted buffer index (%d)",
+ item.mBuf);
+ return;
+ }
mNumBufferAcquired++;
-
// If this is the first time we're seeing this buffer, add it to our
// slot table.
if (item.mGraphicBuffer != NULL) {
diff --git a/media/libstagefright/omx/GraphicBufferSource.h b/media/libstagefright/omx/GraphicBufferSource.h
index 2f929d9..b8e6c45 100644
--- a/media/libstagefright/omx/GraphicBufferSource.h
+++ b/media/libstagefright/omx/GraphicBufferSource.h
@@ -61,11 +61,7 @@
virtual ~GraphicBufferSource();
- // We can't throw an exception if the constructor fails, so we just set
- // this and require that the caller test the value.
- status_t initCheck() const {
- return mInitCheck;
- }
+ status_t init();
// Returns the handle to the producer side of the BufferQueue. Buffers
// queued on this will be received by GraphicBufferSource.
diff --git a/media/libstagefright/omx/OMXNodeInstance.cpp b/media/libstagefright/omx/OMXNodeInstance.cpp
index 62a6637..f55a743 100644
--- a/media/libstagefright/omx/OMXNodeInstance.cpp
+++ b/media/libstagefright/omx/OMXNodeInstance.cpp
@@ -1052,7 +1052,7 @@
usageBits,
bufferConsumer);
- if ((err = bufferSource->initCheck()) != OK) {
+ if ((err = bufferSource->init()) != OK) {
return err;
}
setGraphicBufferSource(bufferSource);