RESTRICT AUTOMERGE Check the buffer index from acquireBuffer
Test: Run the POC
Test: Small CtsMediaTestCases
Bug: 37563942
Change-Id: I8ddfbc91a08d96de1f732e6776d6f90997042f6b
(cherry picked from commit 77e1eb5988ed2b9abff0fec19663d1ec094af192)
diff --git a/media/libstagefright/omx/GraphicBufferSource.cpp b/media/libstagefright/omx/GraphicBufferSource.cpp
index 89ec4a9..8b6c591 100644
--- a/media/libstagefright/omx/GraphicBufferSource.cpp
+++ b/media/libstagefright/omx/GraphicBufferSource.cpp
@@ -398,7 +398,7 @@
int id = codecBuffer.mSlot;
sp<Fence> fence = new Fence(fenceFd);
if (mBufferSlot[id] != NULL &&
- mBufferSlot[id]->handle == codecBuffer.mGraphicBuffer->handle) {
+ mBufferSlot[id]->handle == codecBuffer.mGraphicBuffer->handle) {
mBufferUseCount[id]--;
ALOGV("codecBufferEmptied: slot=%d, cbi=%d, useCount=%d, handle=%p",
@@ -488,6 +488,12 @@
} else if (err != OK) {
ALOGW("suspend: acquireBuffer returned err=%d", err);
break;
+ } else if (item.mSlot < 0 ||
+ item.mSlot >= BufferQueue::NUM_BUFFER_SLOTS) {
+ // Invalid buffer index
+ ALOGW("suspend: corrupted buffer index (%d)",
+ item.mSlot);
+ break;
}
++mNumBufferAcquired;
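Review bot: When the new range check fires, `acquireBuffer` has already returned OK, yet the `break` leaves the loop before `++mNumBufferAcquired` and with no visible release of `item`, so the consumer may be left holding a buffer this class no longer accounts for. The same early exit appears in the fillCodecBuffer_l and onFrameAvailable hunks (`return false;` and `return;`). Whether that state is recoverable depends on code outside these hunks, so I would at least record the decision next to the check, for example `// Slot is out of range, so the item cannot be tracked in mBufferSlot[]; it is dropped without release on purpose.` The enclosing loop starts and ends outside the hunk.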
@@ -609,6 +615,10 @@
// now what? fake end-of-stream?
ALOGW("fillCodecBuffer_l: acquireBuffer returned err=%d", err);
return false;
+ } else if (item.mSlot < 0 || item.mSlot >= BufferQueue::NUM_BUFFER_SLOTS) {
+ // Invalid buffer index
+ ALOGW("fillCodecBuffer_l: corrupted buffer index (%d)", item.mSlot);
+ return false;
}
mNumBufferAcquired++;
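Review bot: This is the second of three hand-copied instances of the slot range check, and it is already formatted differently (one long line here, wrapped in the suspend and onFrameAvailable hunks). A single helper would keep the bound in one place, for example `static bool isValidSlot(int slot) { return slot >= 0 && slot < BufferQueue::NUM_BUFFER_SLOTS; }`, with each call site reduced to `} else if (!isValidSlot(item.mSlot)) {`. That way a later change to the slot table size cannot leave one of the three checks behind. fillCodecBuffer_l continues outside the hunk.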
@@ -982,8 +992,14 @@
BufferItem item;
status_t err = mConsumer->acquireBuffer(&item, 0);
if (err == OK) {
+ if (item.mSlot < 0 ||
+ item.mSlot >= BufferQueue::NUM_BUFFER_SLOTS) {
+ // Invalid buffer index
+ ALOGW("onFrameAvailable: corrupted buffer index (%d)",
+ item.mSlot);
+ return;
+ }
mNumBufferAcquired++;
-
// If this is the first time we're seeing this buffer, add it to our
// slot table.
if (item.mGraphicBuffer != NULL) {
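Review bot: A rejected index is reported only through `ALOGW` here and in the two other checks, which is easy to lose among ordinary warnings even though an out-of-range slot from `acquireBuffer` may indicate a corrupted or misbehaving producer. Consider raising it to `ALOGE` and also writing a security event, `android_errorWriteLog(0x534e4554, "37563942");`, so the condition can be detected in the field. This assumes the liblog header is available in this file, which the hunk does not show. onFrameAvailable's body continues outside the hunk.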