DO NOT MERGE - SoftwareRenderer: sanity check buffer size before copying data.
Bug: 21443020
Change-Id: I63cf86217b8201fb41809c23e4b752b845a93ee2
(cherry picked from commit 760f92f8b6da9c9cf128cb18fe3c09402fdde6cd)
diff --git a/media/libstagefright/colorconversion/SoftwareRenderer.cpp b/media/libstagefright/colorconversion/SoftwareRenderer.cpp
index 4e75250..04467b9 100644
--- a/media/libstagefright/colorconversion/SoftwareRenderer.cpp
+++ b/media/libstagefright/colorconversion/SoftwareRenderer.cpp
@@ -181,7 +181,7 @@
}
void SoftwareRenderer::render(
- const void *data, size_t /*size*/, int64_t timestampNs,
+ const void *data, size_t size, int64_t timestampNs,
void* /*platformPrivate*/, const sp<AMessage>& format) {
resetFormatIfChanged(format);
@@ -210,6 +210,9 @@
buf->stride, buf->height,
0, 0, mCropWidth - 1, mCropHeight - 1);
} else if (mColorFormat == OMX_COLOR_FormatYUV420Planar) {
+ if ((size_t)mWidth * mHeight * 3 / 2 > size) {
+ goto skip_copying;
+ }
const uint8_t *src_y = (const uint8_t *)data;
const uint8_t *src_u = (const uint8_t *)data + mWidth * mHeight;
const uint8_t *src_v = src_u + (mWidth / 2 * mHeight / 2);
@@ -239,6 +242,10 @@
}
} else if (mColorFormat == OMX_TI_COLOR_FormatYUV420PackedSemiPlanar
|| mColorFormat == OMX_COLOR_FormatYUV420SemiPlanar) {
+ if ((size_t)mWidth * mHeight * 3 / 2 > size) {
+ goto skip_copying;
+ }
+
const uint8_t *src_y =
(const uint8_t *)data;
@@ -275,6 +282,7 @@
LOG_ALWAYS_FATAL("bad color format %#x", mColorFormat);
}
+skip_copying:
CHECK_EQ(0, mapper.unlock(buf->handle));
if ((err = native_window_set_buffers_timestamp(mNativeWindow.get(),
