DO NOT MERGE Verify OMX buffer sizes prior to access
Bug: 27207275
Change-Id: I4412825d1ee233d993af0a67708bea54304ff62d
(cherry picked from commit f1a2668f4f09e38722424a6a74f0ea26f49e4110)
diff --git a/media/libmedia/IOMX.cpp b/media/libmedia/IOMX.cpp
index 865d575..84925f1 100644
--- a/media/libmedia/IOMX.cpp
+++ b/media/libmedia/IOMX.cpp
@@ -18,6 +18,8 @@
#define LOG_TAG "IOMX"
#include <utils/Log.h>
+#include <sys/mman.h>
+
#include <binder/IMemory.h>
#include <binder/Parcel.h>
#include <media/IOMX.h>
@@ -692,38 +694,70 @@
size_t size = data.readInt64();
- status_t err = NO_MEMORY;
- void *params = calloc(size, 1);
- if (params) {
- err = data.read(params, size);
- if (err != OK) {
- android_errorWriteLog(0x534e4554, "26914474");
+ status_t err = NOT_ENOUGH_DATA;
+ void *params = NULL;
+ size_t pageSize = 0;
+ size_t allocSize = 0;
+ if (code != SET_INTERNAL_OPTION && size < 8) {
+ // we expect the structure to contain at least the size and
+ // version, 8 bytes total
+ ALOGE("b/27207275 (%zu)", size);
+ android_errorWriteLog(0x534e4554, "27207275");
+ } else {
+ err = NO_MEMORY;
+ pageSize = (size_t) sysconf(_SC_PAGE_SIZE);
+ if (size > SIZE_MAX - (pageSize * 2)) {
+ ALOGE("requested param size too big");
} else {
- switch (code) {
- case GET_PARAMETER:
- err = getParameter(node, index, params, size);
- break;
- case SET_PARAMETER:
- err = setParameter(node, index, params, size);
- break;
- case GET_CONFIG:
- err = getConfig(node, index, params, size);
- break;
- case SET_CONFIG:
- err = setConfig(node, index, params, size);
- break;
- case SET_INTERNAL_OPTION:
- {
- InternalOptionType type =
- (InternalOptionType)data.readInt32();
+ allocSize = (size + pageSize * 2) & ~(pageSize - 1);
+ params = mmap(NULL, allocSize, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANONYMOUS, -1 /* fd */, 0 /* offset */);
+ }
+ if (params != MAP_FAILED) {
+ err = data.read(params, size);
+ if (err != OK) {
+ android_errorWriteLog(0x534e4554, "26914474");
+ } else {
+ err = NOT_ENOUGH_DATA;
+ OMX_U32 declaredSize = *(OMX_U32*)params;
+ if (code != SET_INTERNAL_OPTION && declaredSize > size) {
+ // the buffer says it's bigger than it actually is
+ ALOGE("b/27207275 (%u/%zu)", declaredSize, size);
+ android_errorWriteLog(0x534e4554, "27207275");
+ } else {
+ // mark the last page as inaccessible, to avoid exploitation
+ // of codecs that access past the end of the allocation because
+ // they didn't check the size
+ mprotect((char*)params + allocSize - pageSize, pageSize, PROT_NONE);
+ switch (code) {
+ case GET_PARAMETER:
+ err = getParameter(node, index, params, size);
+ break;
+ case SET_PARAMETER:
+ err = setParameter(node, index, params, size);
+ break;
+ case GET_CONFIG:
+ err = getConfig(node, index, params, size);
+ break;
+ case SET_CONFIG:
+ err = setConfig(node, index, params, size);
+ break;
+ case SET_INTERNAL_OPTION:
+ {
+ InternalOptionType type =
+ (InternalOptionType)data.readInt32();
- err = setInternalOption(node, index, type, params, size);
- break;
+ err = setInternalOption(node, index, type, params, size);
+ break;
+ }
+
+ default:
+ TRESPASS();
+ }
}
-
- default:
- TRESPASS();
}
+ } else {
+ ALOGE("couldn't map: %s", strerror(errno));
}
}
@@ -733,7 +767,9 @@
reply->write(params, size);
}
- free(params);
+ if (params) {
+ munmap(params, allocSize);
+ }
params = NULL;
return NO_ERROR;
diff --git a/media/libstagefright/codecs/aacdec/SoftAAC2.cpp b/media/libstagefright/codecs/aacdec/SoftAAC2.cpp
index 965c55e..520ecb4 100644
--- a/media/libstagefright/codecs/aacdec/SoftAAC2.cpp
+++ b/media/libstagefright/codecs/aacdec/SoftAAC2.cpp
@@ -209,6 +209,10 @@
OMX_AUDIO_PARAM_AACPROFILETYPE *aacParams =
(OMX_AUDIO_PARAM_AACPROFILETYPE *)params;
+ if (!isValidOMXParam(aacParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (aacParams->nPortIndex != 0) {
return OMX_ErrorUndefined;
}
@@ -244,6 +248,10 @@
OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
(OMX_AUDIO_PARAM_PCMMODETYPE *)params;
+ if (!isValidOMXParam(pcmParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (pcmParams->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
@@ -284,6 +292,10 @@
const OMX_PARAM_COMPONENTROLETYPE *roleParams =
(const OMX_PARAM_COMPONENTROLETYPE *)params;
+ if (!isValidOMXParam(roleParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (strncmp((const char *)roleParams->cRole,
"audio_decoder.aac",
OMX_MAX_STRINGNAME_SIZE - 1)) {
@@ -298,6 +310,10 @@
const OMX_AUDIO_PARAM_AACPROFILETYPE *aacParams =
(const OMX_AUDIO_PARAM_AACPROFILETYPE *)params;
+ if (!isValidOMXParam(aacParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (aacParams->nPortIndex != 0) {
return OMX_ErrorUndefined;
}
@@ -318,6 +334,11 @@
{
const OMX_AUDIO_PARAM_ANDROID_AACPRESENTATIONTYPE *aacPresParams =
(const OMX_AUDIO_PARAM_ANDROID_AACPRESENTATIONTYPE *)params;
+
+ if (!isValidOMXParam(aacPresParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
// for the following parameters of the OMX_AUDIO_PARAM_AACPROFILETYPE structure,
// a value of -1 implies the parameter is not set by the application:
// nMaxOutputChannels uses default platform properties, see configureDownmix()
@@ -384,6 +405,10 @@
const OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
(OMX_AUDIO_PARAM_PCMMODETYPE *)params;
+ if (!isValidOMXParam(pcmParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (pcmParams->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
diff --git a/media/libstagefright/codecs/aacenc/SoftAACEncoder.cpp b/media/libstagefright/codecs/aacenc/SoftAACEncoder.cpp
index c6724c2..ab0a228 100644
--- a/media/libstagefright/codecs/aacenc/SoftAACEncoder.cpp
+++ b/media/libstagefright/codecs/aacenc/SoftAACEncoder.cpp
@@ -154,6 +154,10 @@
OMX_AUDIO_PARAM_PORTFORMATTYPE *formatParams =
(OMX_AUDIO_PARAM_PORTFORMATTYPE *)params;
+ if (!isValidOMXParam(formatParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (formatParams->nPortIndex > 1) {
return OMX_ErrorUndefined;
}
@@ -174,6 +178,10 @@
OMX_AUDIO_PARAM_AACPROFILETYPE *aacParams =
(OMX_AUDIO_PARAM_AACPROFILETYPE *)params;
+ if (!isValidOMXParam(aacParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (aacParams->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
@@ -198,6 +206,10 @@
OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
(OMX_AUDIO_PARAM_PCMMODETYPE *)params;
+ if (!isValidOMXParam(pcmParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (pcmParams->nPortIndex != 0) {
return OMX_ErrorUndefined;
}
@@ -229,6 +241,10 @@
const OMX_PARAM_COMPONENTROLETYPE *roleParams =
(const OMX_PARAM_COMPONENTROLETYPE *)params;
+ if (!isValidOMXParam(roleParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (strncmp((const char *)roleParams->cRole,
"audio_encoder.aac",
OMX_MAX_STRINGNAME_SIZE - 1)) {
@@ -243,6 +259,10 @@
const OMX_AUDIO_PARAM_PORTFORMATTYPE *formatParams =
(const OMX_AUDIO_PARAM_PORTFORMATTYPE *)params;
+ if (!isValidOMXParam(formatParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (formatParams->nPortIndex > 1) {
return OMX_ErrorUndefined;
}
@@ -266,6 +286,10 @@
OMX_AUDIO_PARAM_AACPROFILETYPE *aacParams =
(OMX_AUDIO_PARAM_AACPROFILETYPE *)params;
+ if (!isValidOMXParam(aacParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (aacParams->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
@@ -286,6 +310,10 @@
OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
(OMX_AUDIO_PARAM_PCMMODETYPE *)params;
+ if (!isValidOMXParam(pcmParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (pcmParams->nPortIndex != 0) {
return OMX_ErrorUndefined;
}
diff --git a/media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp b/media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp
index 35aa883..e8dabed 100644
--- a/media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp
+++ b/media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp
@@ -123,6 +123,10 @@
OMX_AUDIO_PARAM_PORTFORMATTYPE *formatParams =
(OMX_AUDIO_PARAM_PORTFORMATTYPE *)params;
+ if (!isValidOMXParam(formatParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (formatParams->nPortIndex > 1) {
return OMX_ErrorUndefined;
}
@@ -143,6 +147,10 @@
OMX_AUDIO_PARAM_AACPROFILETYPE *aacParams =
(OMX_AUDIO_PARAM_AACPROFILETYPE *)params;
+ if (!isValidOMXParam(aacParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (aacParams->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
@@ -202,6 +210,10 @@
OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
(OMX_AUDIO_PARAM_PCMMODETYPE *)params;
+ if (!isValidOMXParam(pcmParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (pcmParams->nPortIndex != 0) {
return OMX_ErrorUndefined;
}
@@ -233,6 +245,10 @@
const OMX_PARAM_COMPONENTROLETYPE *roleParams =
(const OMX_PARAM_COMPONENTROLETYPE *)params;
+ if (!isValidOMXParam(roleParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (strncmp((const char *)roleParams->cRole,
"audio_encoder.aac",
OMX_MAX_STRINGNAME_SIZE - 1)) {
@@ -247,6 +263,10 @@
const OMX_AUDIO_PARAM_PORTFORMATTYPE *formatParams =
(const OMX_AUDIO_PARAM_PORTFORMATTYPE *)params;
+ if (!isValidOMXParam(formatParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (formatParams->nPortIndex > 1) {
return OMX_ErrorUndefined;
}
@@ -270,6 +290,10 @@
OMX_AUDIO_PARAM_AACPROFILETYPE *aacParams =
(OMX_AUDIO_PARAM_AACPROFILETYPE *)params;
+ if (!isValidOMXParam(aacParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (aacParams->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
@@ -310,6 +334,10 @@
OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
(OMX_AUDIO_PARAM_PCMMODETYPE *)params;
+ if (!isValidOMXParam(pcmParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (pcmParams->nPortIndex != 0) {
return OMX_ErrorUndefined;
}
diff --git a/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp b/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp
index 955309a..edf648d 100644
--- a/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp
+++ b/media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp
@@ -148,6 +148,10 @@
OMX_AUDIO_PARAM_AMRTYPE *amrParams =
(OMX_AUDIO_PARAM_AMRTYPE *)params;
+ if (!isValidOMXParam(amrParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (amrParams->nPortIndex != 0) {
return OMX_ErrorUndefined;
}
@@ -174,6 +178,10 @@
OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
(OMX_AUDIO_PARAM_PCMMODETYPE *)params;
+ if (!isValidOMXParam(pcmParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (pcmParams->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
@@ -207,6 +215,10 @@
const OMX_PARAM_COMPONENTROLETYPE *roleParams =
(const OMX_PARAM_COMPONENTROLETYPE *)params;
+ if (!isValidOMXParam(roleParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (mMode == MODE_NARROW) {
if (strncmp((const char *)roleParams->cRole,
"audio_decoder.amrnb",
@@ -229,6 +241,10 @@
const OMX_AUDIO_PARAM_AMRTYPE *aacParams =
(const OMX_AUDIO_PARAM_AMRTYPE *)params;
+ if (!isValidOMXParam(aacParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (aacParams->nPortIndex != 0) {
return OMX_ErrorUndefined;
}
@@ -241,6 +257,10 @@
const OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
(OMX_AUDIO_PARAM_PCMMODETYPE *)params;
+ if (!isValidOMXParam(pcmParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (pcmParams->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
diff --git a/media/libstagefright/codecs/amrnb/enc/SoftAMRNBEncoder.cpp b/media/libstagefright/codecs/amrnb/enc/SoftAMRNBEncoder.cpp
index 9489457..aaa6731 100644
--- a/media/libstagefright/codecs/amrnb/enc/SoftAMRNBEncoder.cpp
+++ b/media/libstagefright/codecs/amrnb/enc/SoftAMRNBEncoder.cpp
@@ -120,6 +120,10 @@
OMX_AUDIO_PARAM_PORTFORMATTYPE *formatParams =
(OMX_AUDIO_PARAM_PORTFORMATTYPE *)params;
+ if (!isValidOMXParam(formatParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (formatParams->nPortIndex > 1) {
return OMX_ErrorUndefined;
}
@@ -140,6 +144,10 @@
OMX_AUDIO_PARAM_AMRTYPE *amrParams =
(OMX_AUDIO_PARAM_AMRTYPE *)params;
+ if (!isValidOMXParam(amrParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (amrParams->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
@@ -158,6 +166,10 @@
OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
(OMX_AUDIO_PARAM_PCMMODETYPE *)params;
+ if (!isValidOMXParam(pcmParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (pcmParams->nPortIndex != 0) {
return OMX_ErrorUndefined;
}
@@ -188,6 +200,10 @@
const OMX_PARAM_COMPONENTROLETYPE *roleParams =
(const OMX_PARAM_COMPONENTROLETYPE *)params;
+ if (!isValidOMXParam(roleParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (strncmp((const char *)roleParams->cRole,
"audio_encoder.amrnb",
OMX_MAX_STRINGNAME_SIZE - 1)) {
@@ -202,6 +218,10 @@
const OMX_AUDIO_PARAM_PORTFORMATTYPE *formatParams =
(const OMX_AUDIO_PARAM_PORTFORMATTYPE *)params;
+ if (!isValidOMXParam(formatParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (formatParams->nPortIndex > 1) {
return OMX_ErrorUndefined;
}
@@ -225,6 +245,10 @@
OMX_AUDIO_PARAM_AMRTYPE *amrParams =
(OMX_AUDIO_PARAM_AMRTYPE *)params;
+ if (!isValidOMXParam(amrParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (amrParams->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
@@ -252,6 +276,10 @@
OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
(OMX_AUDIO_PARAM_PCMMODETYPE *)params;
+ if (!isValidOMXParam(pcmParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (pcmParams->nPortIndex != 0) {
return OMX_ErrorUndefined;
}
diff --git a/media/libstagefright/codecs/amrwbenc/SoftAMRWBEncoder.cpp b/media/libstagefright/codecs/amrwbenc/SoftAMRWBEncoder.cpp
index 91a512d..9d50c4e 100644
--- a/media/libstagefright/codecs/amrwbenc/SoftAMRWBEncoder.cpp
+++ b/media/libstagefright/codecs/amrwbenc/SoftAMRWBEncoder.cpp
@@ -155,6 +155,10 @@
OMX_AUDIO_PARAM_PORTFORMATTYPE *formatParams =
(OMX_AUDIO_PARAM_PORTFORMATTYPE *)params;
+ if (!isValidOMXParam(formatParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (formatParams->nPortIndex > 1) {
return OMX_ErrorUndefined;
}
@@ -175,6 +179,10 @@
OMX_AUDIO_PARAM_AMRTYPE *amrParams =
(OMX_AUDIO_PARAM_AMRTYPE *)params;
+ if (!isValidOMXParam(amrParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (amrParams->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
@@ -196,6 +204,10 @@
OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
(OMX_AUDIO_PARAM_PCMMODETYPE *)params;
+ if (!isValidOMXParam(pcmParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (pcmParams->nPortIndex != 0) {
return OMX_ErrorUndefined;
}
@@ -226,6 +238,10 @@
const OMX_PARAM_COMPONENTROLETYPE *roleParams =
(const OMX_PARAM_COMPONENTROLETYPE *)params;
+ if (!isValidOMXParam(roleParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (strncmp((const char *)roleParams->cRole,
"audio_encoder.amrwb",
OMX_MAX_STRINGNAME_SIZE - 1)) {
@@ -240,6 +256,10 @@
const OMX_AUDIO_PARAM_PORTFORMATTYPE *formatParams =
(const OMX_AUDIO_PARAM_PORTFORMATTYPE *)params;
+ if (!isValidOMXParam(formatParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (formatParams->nPortIndex > 1) {
return OMX_ErrorUndefined;
}
@@ -263,6 +283,10 @@
OMX_AUDIO_PARAM_AMRTYPE *amrParams =
(OMX_AUDIO_PARAM_AMRTYPE *)params;
+ if (!isValidOMXParam(amrParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (amrParams->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
@@ -299,6 +323,10 @@
OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
(OMX_AUDIO_PARAM_PCMMODETYPE *)params;
+ if (!isValidOMXParam(pcmParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (pcmParams->nPortIndex != 0) {
return OMX_ErrorUndefined;
}
diff --git a/media/libstagefright/codecs/avc/enc/SoftAVCEncoder.cpp b/media/libstagefright/codecs/avc/enc/SoftAVCEncoder.cpp
index fa6ec40..cce6d15 100644
--- a/media/libstagefright/codecs/avc/enc/SoftAVCEncoder.cpp
+++ b/media/libstagefright/codecs/avc/enc/SoftAVCEncoder.cpp
@@ -370,6 +370,10 @@
OMX_VIDEO_PARAM_BITRATETYPE *bitRate =
(OMX_VIDEO_PARAM_BITRATETYPE *) params;
+ if (!isValidOMXParam(bitRate)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (bitRate->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
@@ -384,6 +388,10 @@
OMX_VIDEO_PARAM_AVCTYPE *avcParams =
(OMX_VIDEO_PARAM_AVCTYPE *)params;
+ if (!isValidOMXParam(avcParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (avcParams->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
@@ -427,6 +435,10 @@
OMX_VIDEO_PARAM_BITRATETYPE *bitRate =
(OMX_VIDEO_PARAM_BITRATETYPE *) params;
+ if (!isValidOMXParam(bitRate)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (bitRate->nPortIndex != 1 ||
bitRate->eControlRate != OMX_Video_ControlRateVariable) {
return OMX_ErrorUndefined;
@@ -441,6 +453,10 @@
OMX_VIDEO_PARAM_AVCTYPE *avcType =
(OMX_VIDEO_PARAM_AVCTYPE *)params;
+ if (!isValidOMXParam(avcType)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (avcType->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
diff --git a/media/libstagefright/codecs/avcenc/SoftAVCEnc.cpp b/media/libstagefright/codecs/avcenc/SoftAVCEnc.cpp
index 387d17d..e4e8fd7 100644
--- a/media/libstagefright/codecs/avcenc/SoftAVCEnc.cpp
+++ b/media/libstagefright/codecs/avcenc/SoftAVCEnc.cpp
@@ -926,6 +926,10 @@
OMX_VIDEO_PARAM_BITRATETYPE *bitRate =
(OMX_VIDEO_PARAM_BITRATETYPE *)params;
+ if (!isValidOMXParam(bitRate)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (bitRate->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
@@ -939,6 +943,10 @@
{
OMX_VIDEO_PARAM_AVCTYPE *avcParams = (OMX_VIDEO_PARAM_AVCTYPE *)params;
+ if (!isValidOMXParam(avcParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (avcParams->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
@@ -976,14 +984,24 @@
switch (indexFull) {
case OMX_IndexParamVideoBitrate:
{
- return internalSetBitrateParams(
- (const OMX_VIDEO_PARAM_BITRATETYPE *)params);
+ OMX_VIDEO_PARAM_BITRATETYPE *bitRate =
+ (OMX_VIDEO_PARAM_BITRATETYPE *)params;
+
+ if (!isValidOMXParam(bitRate)) {
+ return OMX_ErrorBadParameter;
+ }
+
+ return internalSetBitrateParams(bitRate);
}
case OMX_IndexParamVideoAvc:
{
OMX_VIDEO_PARAM_AVCTYPE *avcType = (OMX_VIDEO_PARAM_AVCTYPE *)params;
+ if (!isValidOMXParam(avcType)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (avcType->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
@@ -1035,6 +1053,10 @@
OMX_CONFIG_INTRAREFRESHVOPTYPE *params =
(OMX_CONFIG_INTRAREFRESHVOPTYPE *)_params;
+ if (!isValidOMXParam(params)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (params->nPortIndex != kOutputPortIndex) {
return OMX_ErrorBadPortIndex;
}
@@ -1048,6 +1070,10 @@
OMX_VIDEO_CONFIG_BITRATETYPE *params =
(OMX_VIDEO_CONFIG_BITRATETYPE *)_params;
+ if (!isValidOMXParam(params)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (params->nPortIndex != kOutputPortIndex) {
return OMX_ErrorBadPortIndex;
}
diff --git a/media/libstagefright/codecs/flac/enc/SoftFlacEncoder.cpp b/media/libstagefright/codecs/flac/enc/SoftFlacEncoder.cpp
index 9edffd2..caceda9 100644
--- a/media/libstagefright/codecs/flac/enc/SoftFlacEncoder.cpp
+++ b/media/libstagefright/codecs/flac/enc/SoftFlacEncoder.cpp
@@ -159,6 +159,10 @@
OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
(OMX_AUDIO_PARAM_PCMMODETYPE *)params;
+ if (!isValidOMXParam(pcmParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (pcmParams->nPortIndex > 1) {
return OMX_ErrorUndefined;
}
@@ -180,6 +184,11 @@
case OMX_IndexParamAudioFlac:
{
OMX_AUDIO_PARAM_FLACTYPE *flacParams = (OMX_AUDIO_PARAM_FLACTYPE *)params;
+
+ if (!isValidOMXParam(flacParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
flacParams->nCompressionLevel = mCompressionLevel;
flacParams->nChannels = mNumChannels;
flacParams->nSampleRate = mSampleRate;
@@ -199,6 +208,10 @@
ALOGV("SoftFlacEncoder::internalSetParameter(OMX_IndexParamAudioPcm)");
OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams = (OMX_AUDIO_PARAM_PCMMODETYPE *)params;
+ if (!isValidOMXParam(pcmParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (pcmParams->nPortIndex != 0 && pcmParams->nPortIndex != 1) {
ALOGE("SoftFlacEncoder::internalSetParameter() Error #1");
return OMX_ErrorUndefined;
@@ -221,6 +234,10 @@
const OMX_PARAM_COMPONENTROLETYPE *roleParams =
(const OMX_PARAM_COMPONENTROLETYPE *)params;
+ if (!isValidOMXParam(roleParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (strncmp((const char *)roleParams->cRole,
"audio_encoder.flac",
OMX_MAX_STRINGNAME_SIZE - 1)) {
@@ -236,6 +253,11 @@
{
// used only for setting the compression level
OMX_AUDIO_PARAM_FLACTYPE *flacParams = (OMX_AUDIO_PARAM_FLACTYPE *)params;
+
+ if (!isValidOMXParam(flacParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
mCompressionLevel = flacParams->nCompressionLevel; // range clamping done inside encoder
return OMX_ErrorNone;
}
@@ -245,6 +267,10 @@
OMX_PARAM_PORTDEFINITIONTYPE *defParams =
(OMX_PARAM_PORTDEFINITIONTYPE *)params;
+ if (!isValidOMXParam(defParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (defParams->nPortIndex == 0) {
if (defParams->nBufferSize > kMaxInputBufferSize) {
ALOGE("Input buffer size must be at most %d bytes",
diff --git a/media/libstagefright/codecs/g711/dec/SoftG711.cpp b/media/libstagefright/codecs/g711/dec/SoftG711.cpp
index 91152e1..c8277de 100644
--- a/media/libstagefright/codecs/g711/dec/SoftG711.cpp
+++ b/media/libstagefright/codecs/g711/dec/SoftG711.cpp
@@ -110,6 +110,10 @@
OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
(OMX_AUDIO_PARAM_PCMMODETYPE *)params;
+ if (!isValidOMXParam(pcmParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (pcmParams->nPortIndex > 1) {
return OMX_ErrorUndefined;
}
@@ -148,6 +152,10 @@
OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
(OMX_AUDIO_PARAM_PCMMODETYPE *)params;
+ if (!isValidOMXParam(pcmParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (pcmParams->nPortIndex != 0 && pcmParams->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
@@ -170,6 +178,10 @@
const OMX_PARAM_COMPONENTROLETYPE *roleParams =
(const OMX_PARAM_COMPONENTROLETYPE *)params;
+ if (!isValidOMXParam(roleParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (mIsMLaw) {
if (strncmp((const char *)roleParams->cRole,
"audio_decoder.g711mlaw",
diff --git a/media/libstagefright/codecs/gsm/dec/SoftGSM.cpp b/media/libstagefright/codecs/gsm/dec/SoftGSM.cpp
index 032e528..04d5a33 100644
--- a/media/libstagefright/codecs/gsm/dec/SoftGSM.cpp
+++ b/media/libstagefright/codecs/gsm/dec/SoftGSM.cpp
@@ -110,6 +110,10 @@
OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
(OMX_AUDIO_PARAM_PCMMODETYPE *)params;
+ if (!isValidOMXParam(pcmParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (pcmParams->nPortIndex > 1) {
return OMX_ErrorUndefined;
}
@@ -141,6 +145,10 @@
OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
(OMX_AUDIO_PARAM_PCMMODETYPE *)params;
+ if (!isValidOMXParam(pcmParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (pcmParams->nPortIndex != 0 && pcmParams->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
@@ -161,6 +169,10 @@
const OMX_PARAM_COMPONENTROLETYPE *roleParams =
(const OMX_PARAM_COMPONENTROLETYPE *)params;
+ if (!isValidOMXParam(roleParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (strncmp((const char *)roleParams->cRole,
"audio_decoder.gsm",
OMX_MAX_STRINGNAME_SIZE - 1)) {
diff --git a/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp b/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp
index f2a4e65..7638bb7 100644
--- a/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp
+++ b/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp
@@ -232,6 +232,10 @@
OMX_VIDEO_PARAM_BITRATETYPE *bitRate =
(OMX_VIDEO_PARAM_BITRATETYPE *) params;
+ if (!isValidOMXParam(bitRate)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (bitRate->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
@@ -246,6 +250,10 @@
OMX_VIDEO_PARAM_H263TYPE *h263type =
(OMX_VIDEO_PARAM_H263TYPE *)params;
+ if (!isValidOMXParam(h263type)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (h263type->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
@@ -267,6 +275,10 @@
OMX_VIDEO_PARAM_MPEG4TYPE *mpeg4type =
(OMX_VIDEO_PARAM_MPEG4TYPE *)params;
+ if (!isValidOMXParam(mpeg4type)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (mpeg4type->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
@@ -301,6 +313,10 @@
OMX_VIDEO_PARAM_BITRATETYPE *bitRate =
(OMX_VIDEO_PARAM_BITRATETYPE *) params;
+ if (!isValidOMXParam(bitRate)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (bitRate->nPortIndex != 1 ||
bitRate->eControlRate != OMX_Video_ControlRateVariable) {
return OMX_ErrorUndefined;
@@ -315,6 +331,10 @@
OMX_VIDEO_PARAM_H263TYPE *h263type =
(OMX_VIDEO_PARAM_H263TYPE *)params;
+ if (!isValidOMXParam(h263type)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (h263type->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
@@ -337,6 +357,10 @@
OMX_VIDEO_PARAM_MPEG4TYPE *mpeg4type =
(OMX_VIDEO_PARAM_MPEG4TYPE *)params;
+ if (!isValidOMXParam(mpeg4type)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (mpeg4type->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
diff --git a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp
index 1720376..aa946e6 100644
--- a/media/libstagefright/codecs/mp3dec/SoftMP3.cpp
+++ b/media/libstagefright/codecs/mp3dec/SoftMP3.cpp
@@ -128,6 +128,10 @@
OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
(OMX_AUDIO_PARAM_PCMMODETYPE *)params;
+ if (!isValidOMXParam(pcmParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (pcmParams->nPortIndex > 1) {
return OMX_ErrorUndefined;
}
@@ -151,6 +155,10 @@
OMX_AUDIO_PARAM_MP3TYPE *mp3Params =
(OMX_AUDIO_PARAM_MP3TYPE *)params;
+ if (!isValidOMXParam(mp3Params)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (mp3Params->nPortIndex > 1) {
return OMX_ErrorUndefined;
}
@@ -176,6 +184,10 @@
const OMX_PARAM_COMPONENTROLETYPE *roleParams =
(const OMX_PARAM_COMPONENTROLETYPE *)params;
+ if (!isValidOMXParam(roleParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (strncmp((const char *)roleParams->cRole,
"audio_decoder.mp3",
OMX_MAX_STRINGNAME_SIZE - 1)) {
@@ -190,6 +202,10 @@
const OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
(const OMX_AUDIO_PARAM_PCMMODETYPE *)params;
+ if (!isValidOMXParam(pcmParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (pcmParams->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
diff --git a/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp b/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp
index d9895f0..5c950c7 100644
--- a/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp
+++ b/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp
@@ -368,20 +368,24 @@
OMX_VIDEO_PARAM_BITRATETYPE *bitrate =
(OMX_VIDEO_PARAM_BITRATETYPE *)param;
- if (bitrate->nPortIndex != kOutputPortIndex) {
- return OMX_ErrorUnsupportedIndex;
- }
+ if (!isValidOMXParam(bitrate)) {
+ return OMX_ErrorBadParameter;
+ }
- bitrate->nTargetBitrate = mBitrate;
+ if (bitrate->nPortIndex != kOutputPortIndex) {
+ return OMX_ErrorUnsupportedIndex;
+ }
- if (mBitrateControlMode == VPX_VBR) {
- bitrate->eControlRate = OMX_Video_ControlRateVariable;
- } else if (mBitrateControlMode == VPX_CBR) {
- bitrate->eControlRate = OMX_Video_ControlRateConstant;
- } else {
- return OMX_ErrorUnsupportedSetting;
- }
- return OMX_ErrorNone;
+ bitrate->nTargetBitrate = mBitrate;
+
+ if (mBitrateControlMode == VPX_VBR) {
+ bitrate->eControlRate = OMX_Video_ControlRateVariable;
+ } else if (mBitrateControlMode == VPX_CBR) {
+ bitrate->eControlRate = OMX_Video_ControlRateConstant;
+ } else {
+ return OMX_ErrorUnsupportedSetting;
+ }
+ return OMX_ErrorNone;
}
// VP8 specific parameters that use extension headers
@@ -389,33 +393,41 @@
OMX_VIDEO_PARAM_VP8TYPE *vp8Params =
(OMX_VIDEO_PARAM_VP8TYPE *)param;
- if (vp8Params->nPortIndex != kOutputPortIndex) {
- return OMX_ErrorUnsupportedIndex;
- }
+ if (!isValidOMXParam(vp8Params)) {
+ return OMX_ErrorBadParameter;
+ }
- vp8Params->eProfile = OMX_VIDEO_VP8ProfileMain;
- vp8Params->eLevel = mLevel;
- vp8Params->nDCTPartitions = mDCTPartitions;
- vp8Params->bErrorResilientMode = mErrorResilience;
- return OMX_ErrorNone;
+ if (vp8Params->nPortIndex != kOutputPortIndex) {
+ return OMX_ErrorUnsupportedIndex;
+ }
+
+ vp8Params->eProfile = OMX_VIDEO_VP8ProfileMain;
+ vp8Params->eLevel = mLevel;
+ vp8Params->nDCTPartitions = mDCTPartitions;
+ vp8Params->bErrorResilientMode = mErrorResilience;
+ return OMX_ErrorNone;
}
case OMX_IndexParamVideoAndroidVp8Encoder: {
OMX_VIDEO_PARAM_ANDROID_VP8ENCODERTYPE *vp8AndroidParams =
(OMX_VIDEO_PARAM_ANDROID_VP8ENCODERTYPE *)param;
- if (vp8AndroidParams->nPortIndex != kOutputPortIndex) {
- return OMX_ErrorUnsupportedIndex;
- }
+ if (!isValidOMXParam(vp8AndroidParams)) {
+ return OMX_ErrorBadParameter;
+ }
- vp8AndroidParams->nKeyFrameInterval = mKeyFrameInterval;
- vp8AndroidParams->eTemporalPattern = mTemporalPatternType;
- vp8AndroidParams->nTemporalLayerCount = mTemporalLayers;
- vp8AndroidParams->nMinQuantizer = mMinQuantizer;
- vp8AndroidParams->nMaxQuantizer = mMaxQuantizer;
- memcpy(vp8AndroidParams->nTemporalLayerBitrateRatio,
- mTemporalLayerBitrateRatio, sizeof(mTemporalLayerBitrateRatio));
- return OMX_ErrorNone;
+ if (vp8AndroidParams->nPortIndex != kOutputPortIndex) {
+ return OMX_ErrorUnsupportedIndex;
+ }
+
+ vp8AndroidParams->nKeyFrameInterval = mKeyFrameInterval;
+ vp8AndroidParams->eTemporalPattern = mTemporalPatternType;
+ vp8AndroidParams->nTemporalLayerCount = mTemporalLayers;
+ vp8AndroidParams->nMinQuantizer = mMinQuantizer;
+ vp8AndroidParams->nMaxQuantizer = mMaxQuantizer;
+ memcpy(vp8AndroidParams->nTemporalLayerBitrateRatio,
+ mTemporalLayerBitrateRatio, sizeof(mTemporalLayerBitrateRatio));
+ return OMX_ErrorNone;
}
default:
@@ -430,17 +442,38 @@
const int32_t indexFull = index;
switch (indexFull) {
- case OMX_IndexParamVideoBitrate:
- return internalSetBitrateParams(
- (const OMX_VIDEO_PARAM_BITRATETYPE *)param);
+ case OMX_IndexParamVideoBitrate: {
+ const OMX_VIDEO_PARAM_BITRATETYPE *bitRate =
+ (const OMX_VIDEO_PARAM_BITRATETYPE*) param;
- case OMX_IndexParamVideoVp8:
- return internalSetVp8Params(
- (const OMX_VIDEO_PARAM_VP8TYPE *)param);
+ if (!isValidOMXParam(bitRate)) {
+ return OMX_ErrorBadParameter;
+ }
- case OMX_IndexParamVideoAndroidVp8Encoder:
- return internalSetAndroidVp8Params(
- (const OMX_VIDEO_PARAM_ANDROID_VP8ENCODERTYPE *)param);
+ return internalSetBitrateParams(bitRate);
+ }
+
+ case OMX_IndexParamVideoVp8: {
+ const OMX_VIDEO_PARAM_VP8TYPE *vp8Params =
+ (const OMX_VIDEO_PARAM_VP8TYPE*) param;
+
+ if (!isValidOMXParam(vp8Params)) {
+ return OMX_ErrorBadParameter;
+ }
+
+ return internalSetVp8Params(vp8Params);
+ }
+
+ case OMX_IndexParamVideoAndroidVp8Encoder: {
+ const OMX_VIDEO_PARAM_ANDROID_VP8ENCODERTYPE *vp8AndroidParams =
+ (const OMX_VIDEO_PARAM_ANDROID_VP8ENCODERTYPE*) param;
+
+ if (!isValidOMXParam(vp8AndroidParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
+ return internalSetAndroidVp8Params(vp8AndroidParams);
+ }
default:
return SoftVideoEncoderOMXComponent::internalSetParameter(index, param);
@@ -455,6 +488,10 @@
OMX_CONFIG_INTRAREFRESHVOPTYPE *params =
(OMX_CONFIG_INTRAREFRESHVOPTYPE *)_params;
+ if (!isValidOMXParam(params)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (params->nPortIndex != kOutputPortIndex) {
return OMX_ErrorBadPortIndex;
}
@@ -468,6 +505,10 @@
OMX_VIDEO_CONFIG_BITRATETYPE *params =
(OMX_VIDEO_CONFIG_BITRATETYPE *)_params;
+ if (!isValidOMXParam(params)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (params->nPortIndex != kOutputPortIndex) {
return OMX_ErrorBadPortIndex;
}
diff --git a/media/libstagefright/codecs/opus/dec/SoftOpus.cpp b/media/libstagefright/codecs/opus/dec/SoftOpus.cpp
index cb10bce..2afa0ed 100644
--- a/media/libstagefright/codecs/opus/dec/SoftOpus.cpp
+++ b/media/libstagefright/codecs/opus/dec/SoftOpus.cpp
@@ -134,6 +134,10 @@
OMX_AUDIO_PARAM_ANDROID_OPUSTYPE *opusParams =
(OMX_AUDIO_PARAM_ANDROID_OPUSTYPE *)params;
+ if (!isValidOMXParam(opusParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (opusParams->nPortIndex != 0) {
return OMX_ErrorUndefined;
}
@@ -156,6 +160,10 @@
OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
(OMX_AUDIO_PARAM_PCMMODETYPE *)params;
+ if (!isValidOMXParam(pcmParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (pcmParams->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
@@ -191,6 +199,10 @@
const OMX_PARAM_COMPONENTROLETYPE *roleParams =
(const OMX_PARAM_COMPONENTROLETYPE *)params;
+ if (!isValidOMXParam(roleParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (strncmp((const char *)roleParams->cRole,
"audio_decoder.opus",
OMX_MAX_STRINGNAME_SIZE - 1)) {
@@ -205,6 +217,10 @@
const OMX_AUDIO_PARAM_ANDROID_OPUSTYPE *opusParams =
(const OMX_AUDIO_PARAM_ANDROID_OPUSTYPE *)params;
+ if (!isValidOMXParam(opusParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (opusParams->nPortIndex != 0) {
return OMX_ErrorUndefined;
}
diff --git a/media/libstagefright/codecs/raw/SoftRaw.cpp b/media/libstagefright/codecs/raw/SoftRaw.cpp
index 9d514a6..4f7ae95 100644
--- a/media/libstagefright/codecs/raw/SoftRaw.cpp
+++ b/media/libstagefright/codecs/raw/SoftRaw.cpp
@@ -103,6 +103,10 @@
OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
(OMX_AUDIO_PARAM_PCMMODETYPE *)params;
+ if (!isValidOMXParam(pcmParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (pcmParams->nPortIndex != 0 && pcmParams->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
@@ -134,6 +138,10 @@
const OMX_PARAM_COMPONENTROLETYPE *roleParams =
(const OMX_PARAM_COMPONENTROLETYPE *)params;
+ if (!isValidOMXParam(roleParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (strncmp((const char *)roleParams->cRole,
"audio_decoder.raw",
OMX_MAX_STRINGNAME_SIZE - 1)) {
@@ -148,6 +156,10 @@
const OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
(OMX_AUDIO_PARAM_PCMMODETYPE *)params;
+ if (!isValidOMXParam(pcmParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (pcmParams->nPortIndex != 0) {
return OMX_ErrorUndefined;
}
diff --git a/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp b/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp
index c559682..4e1e6a5 100644
--- a/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp
+++ b/media/libstagefright/codecs/vorbis/dec/SoftVorbis.cpp
@@ -130,6 +130,10 @@
OMX_AUDIO_PARAM_VORBISTYPE *vorbisParams =
(OMX_AUDIO_PARAM_VORBISTYPE *)params;
+ if (!isValidOMXParam(vorbisParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (vorbisParams->nPortIndex != 0) {
return OMX_ErrorUndefined;
}
@@ -161,6 +165,10 @@
OMX_AUDIO_PARAM_PCMMODETYPE *pcmParams =
(OMX_AUDIO_PARAM_PCMMODETYPE *)params;
+ if (!isValidOMXParam(pcmParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (pcmParams->nPortIndex != 1) {
return OMX_ErrorUndefined;
}
@@ -197,6 +205,10 @@
const OMX_PARAM_COMPONENTROLETYPE *roleParams =
(const OMX_PARAM_COMPONENTROLETYPE *)params;
+ if (!isValidOMXParam(roleParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (strncmp((const char *)roleParams->cRole,
"audio_decoder.vorbis",
OMX_MAX_STRINGNAME_SIZE - 1)) {
@@ -211,6 +223,10 @@
const OMX_AUDIO_PARAM_VORBISTYPE *vorbisParams =
(const OMX_AUDIO_PARAM_VORBISTYPE *)params;
+ if (!isValidOMXParam(vorbisParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (vorbisParams->nPortIndex != 0) {
return OMX_ErrorUndefined;
}
diff --git a/media/libstagefright/include/SoftOMXComponent.h b/media/libstagefright/include/SoftOMXComponent.h
index a808611..3ab6f88 100644
--- a/media/libstagefright/include/SoftOMXComponent.h
+++ b/media/libstagefright/include/SoftOMXComponent.h
@@ -168,6 +168,22 @@
DISALLOW_EVIL_CONSTRUCTORS(SoftOMXComponent);
};
+template<typename T>
+bool isValidOMXParam(T *a) {
+ static_assert(offsetof(typeof(*a), nSize) == 0, "nSize not at offset 0");
+ static_assert(std::is_same< decltype(a->nSize), OMX_U32>::value, "nSize has wrong type");
+ static_assert(offsetof(typeof(*a), nVersion) == 4, "nVersion not at offset 4");
+ static_assert(std::is_same< decltype(a->nVersion), OMX_VERSIONTYPE>::value,
+ "nVersion has wrong type");
+
+ if (a->nSize < sizeof(*a)) {
+ ALOGE("b/27207275: need %zu, got %u", sizeof(*a), a->nSize);
+ android_errorWriteLog(0x534e4554, "27207275");
+ return false;
+ }
+ return true;
+}
+
} // namespace android
#endif // SOFT_OMX_COMPONENT_H_
diff --git a/media/libstagefright/omx/SimpleSoftOMXComponent.cpp b/media/libstagefright/omx/SimpleSoftOMXComponent.cpp
index e6a0c49..60c1e2e 100644
--- a/media/libstagefright/omx/SimpleSoftOMXComponent.cpp
+++ b/media/libstagefright/omx/SimpleSoftOMXComponent.cpp
@@ -125,6 +125,10 @@
OMX_PARAM_PORTDEFINITIONTYPE *defParams =
(OMX_PARAM_PORTDEFINITIONTYPE *)params;
+ if (!isValidOMXParam(defParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (defParams->nPortIndex >= mPorts.size()
|| defParams->nSize
!= sizeof(OMX_PARAM_PORTDEFINITIONTYPE)) {
@@ -152,6 +156,10 @@
OMX_PARAM_PORTDEFINITIONTYPE *defParams =
(OMX_PARAM_PORTDEFINITIONTYPE *)params;
+ if (!isValidOMXParam(defParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (defParams->nPortIndex >= mPorts.size()) {
return OMX_ErrorBadPortIndex;
}
diff --git a/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp b/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp
index 4ce165b..19dde83 100644
--- a/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp
+++ b/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp
@@ -264,6 +264,10 @@
OMX_VIDEO_PARAM_PORTFORMATTYPE *formatParams =
(OMX_VIDEO_PARAM_PORTFORMATTYPE *)params;
+ if (!isValidOMXParam(formatParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (formatParams->nPortIndex > kMaxPortIndex) {
return OMX_ErrorBadPortIndex;
}
@@ -292,6 +296,10 @@
OMX_VIDEO_PARAM_PROFILELEVELTYPE *profileLevel =
(OMX_VIDEO_PARAM_PROFILELEVELTYPE *) params;
+ if (!isValidOMXParam(profileLevel)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (profileLevel->nPortIndex != kInputPortIndex) {
ALOGE("Invalid port index: %" PRIu32, profileLevel->nPortIndex);
return OMX_ErrorUnsupportedIndex;
@@ -322,6 +330,10 @@
const OMX_PARAM_COMPONENTROLETYPE *roleParams =
(const OMX_PARAM_COMPONENTROLETYPE *)params;
+ if (!isValidOMXParam(roleParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (strncmp((const char *)roleParams->cRole,
mComponentRole,
OMX_MAX_STRINGNAME_SIZE - 1)) {
@@ -336,6 +348,10 @@
OMX_VIDEO_PARAM_PORTFORMATTYPE *formatParams =
(OMX_VIDEO_PARAM_PORTFORMATTYPE *)params;
+ if (!isValidOMXParam(formatParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (formatParams->nPortIndex > kMaxPortIndex) {
return OMX_ErrorBadPortIndex;
}
@@ -363,6 +379,11 @@
{
const PrepareForAdaptivePlaybackParams* adaptivePlaybackParams =
(const PrepareForAdaptivePlaybackParams *)params;
+
+ if (!isValidOMXParam(adaptivePlaybackParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
mIsAdaptive = adaptivePlaybackParams->bEnable;
if (mIsAdaptive) {
mAdaptiveMaxWidth = adaptivePlaybackParams->nMaxFrameWidth;
@@ -381,6 +402,11 @@
{
OMX_PARAM_PORTDEFINITIONTYPE *newParams =
(OMX_PARAM_PORTDEFINITIONTYPE *)params;
+
+ if (!isValidOMXParam(newParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
OMX_VIDEO_PORTDEFINITIONTYPE *video_def = &newParams->format.video;
OMX_PARAM_PORTDEFINITIONTYPE *def = &editPortInfo(newParams->nPortIndex)->mDef;
@@ -421,6 +447,10 @@
{
OMX_CONFIG_RECTTYPE *rectParams = (OMX_CONFIG_RECTTYPE *)params;
+ if (!isValidOMXParam(rectParams)) {
+ return OMX_ErrorBadParameter;
+ }
+
if (rectParams->nPortIndex != kOutputPortIndex) {
return OMX_ErrorUndefined;
}
