Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 34e63e9f authored by Marco Nelissen's avatar Marco Nelissen
Browse files

Validate resolution and stride 

Now that integer overflow protection has been turned on, we need to validate
some values a little earlier.

Bug: 22885421
Change-Id: I5398f3961eaa74f0702511a748b99114840efade
parent 1277aea8

media/libstagefright/ACodec.cpp

+9 −2
Original line number Diff line number Diff line
@@ -808,6 +808,10 @@ status_t ACodec::allocateBuffersOnPort(OMX_U32 portIndex) { 
                    def.nBufferCountActual, bufSize, allottedSize, def.nBufferSize, asString(type),

                    portIndex == kPortIndexInput ? "input" : "output");



            if (bufSize == 0 || def.nBufferCountActual > SIZE_MAX / bufSize) {

                ALOGE("b/22885421");

                return NO_MEMORY;

            }

            size_t totalSize = def.nBufferCountActual * bufSize;

            mDealer[portIndex] = new MemoryDealer(totalSize, "ACodec");
@@ -3852,8 +3856,11 @@ bool ACodec::describeDefaultColorFormat(DescribeColorFormatParams &params) { 
        params.nSliceHeight = params.nFrameHeight;

    }



    // we need stride and slice-height to be non-zero

    if (params.nStride == 0 || params.nSliceHeight == 0) {

    // we need stride and slice-height to be non-zero and sensible. These values were chosen to

    // prevent integer overflows further down the line, and do not indicate support for

    // 32kx32k video.

    if (params.nStride == 0 || params.nSliceHeight == 0

            || params.nStride > 32768 || params.nSliceHeight > 32768) {

        ALOGW("cannot describe color format 0x%x = %d with stride=%u and sliceHeight=%u",

                fmt, fmt, params.nStride, params.nSliceHeight);

        return false;

media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp

+8 −0
Original line number Diff line number Diff line
@@ -388,6 +388,14 @@ OMX_ERRORTYPE SoftVideoDecoderOMXComponent::internalSetParameter( 
            uint32_t oldHeight = def->format.video.nFrameHeight;

            uint32_t newWidth = video_def->nFrameWidth;

            uint32_t newHeight = video_def->nFrameHeight;

            // We need width, height, stride and slice-height to be non-zero and sensible.

            // These values were chosen to prevent integer overflows further down the line, and do

            // not indicate support for 32kx32k video.

            if (newWidth > 32768 || newHeight > 32768

                    || video_def->nStride > 32768 || video_def->nSliceHeight > 32768) {

                ALOGE("b/22885421");

                return OMX_ErrorBadParameter;

            }

            if (newWidth != oldWidth || newHeight != oldHeight) {

                bool outputPort = (newParams->nPortIndex == kOutputPortIndex);

                if (outputPort) {