Check the buffer index from acquireBuffer

Test: Run the POC
Test: Small CtsMediaTestCases
Bug: 37563942
Merged-In: I8ddfbc91a08d96de1f732e6776d6f90997042f6b
Change-Id: I8ddfbc91a08d96de1f732e6776d6f90997042f6b
(cherry picked from commit 4b0d94aa0c2293fee85a2149ade12ef8d8afe796)
diff --git a/media/libstagefright/omx/GraphicBufferSource.cpp b/media/libstagefright/omx/GraphicBufferSource.cpp
index 126e94b..aa7252b 100644
--- a/media/libstagefright/omx/GraphicBufferSource.cpp
+++ b/media/libstagefright/omx/GraphicBufferSource.cpp
@@ -398,7 +398,7 @@
     int id = codecBuffer.mSlot;
     sp<Fence> fence = new Fence(fenceFd);
     if (mBufferSlot[id] != NULL &&
-        mBufferSlot[id]->handle == codecBuffer.mGraphicBuffer->handle) {
+            mBufferSlot[id]->handle == codecBuffer.mGraphicBuffer->handle) {
         ALOGV("cbi %d matches bq slot %d, handle=%p",
                 cbi, id, mBufferSlot[id]->handle);
 
@@ -484,6 +484,12 @@
             } else if (err != OK) {
                 ALOGW("suspend: acquireBuffer returned err=%d", err);
                 break;
+            } else if (item.mSlot < 0 ||
+                    item.mSlot >= BufferQueue::NUM_BUFFER_SLOTS) {
+                // Invalid buffer index
+                ALOGW("suspend: corrupted buffer index (%d)",
+                        item.mSlot);
+                break;
             }
 
             ++mNumBufferAcquired;
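Review bot: The same slot range test is written out three times in this commit (here in the suspend loop, and again in the fillCodecBuffer_l and onFrameAvailable hunks), so a later change to the bound can easily miss one copy. A file-local helper such as `static bool isValidSlot(int slot) { return slot >= 0 && slot < BufferQueue::NUM_BUFFER_SLOTS; }` would keep the three sites identical. It would also make it cheap to guard the `mBufferSlot[id]` lookup in the first hunk, where `id` comes from `codecBuffer.mSlot`; that value is presumably validated before it is stored, but this is not visible here. The enclosing loop starts and ends outside the hunk.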
@@ -605,6 +611,10 @@
         // now what? fake end-of-stream?
         ALOGW("fillCodecBuffer_l: acquireBuffer returned err=%d", err);
         return false;
+    } else if (item.mSlot < 0 || item.mSlot >= BufferQueue::NUM_BUFFER_SLOTS) {
+        // Invalid buffer index
+        ALOGW("fillCodecBuffer_l: corrupted buffer index (%d)", item.mSlot);
+        return false;
     }
 
     mNumBufferAcquired++;
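Review bot: The new branch logs a corrupted slot index with `ALOGW`, the same level as the ordinary acquireBuffer failure just above it, so an out-of-range index is hard to tell apart from a transient error in the logs. An index outside the range 0 to NUM_BUFFER_SLOTS - 1 suggests corrupted or untrusted queue state rather than a recoverable condition, and `ALOGE("fillCodecBuffer_l: corrupted buffer index (%d)", item.mSlot);` would make it stand out during triage. The same applies to the `suspend:` and `onFrameAvailable:` messages in the neighbouring hunks. The function body continues outside the hunk.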
@@ -964,8 +974,14 @@
         BufferItem item;
         status_t err = mConsumer->acquireBuffer(&item, 0);
         if (err == OK) {
+            if (item.mSlot < 0 ||
+                    item.mSlot >= BufferQueue::NUM_BUFFER_SLOTS) {
+                // Invalid buffer index
+                ALOGW("onFrameAvailable: corrupted buffer index (%d)",
+                        item.mSlot);
+                return;
+            }
             mNumBufferAcquired++;
-
             // If this is the first time we're seeing this buffer, add it to our
             // slot table.
             if (item.mGraphicBuffer != NULL) {
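Review bot: The early `return` in the new check drops the acquired item with no release and no accounting, and the comment `// Invalid buffer index` does not say that this is deliberate. With the slot out of range the item presumably cannot be released by slot either, so the reasoning is worth writing down, for example `// mSlot is out of range: it cannot index mBufferSlot or be released by slot, so drop the item`. The rest of the function (onFrameAvailable, judging by the log tag) lies outside the hunk, so whether any later bookkeeping for the frame is also skipped cannot be confirmed from here.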