Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 62312436 authored by Ray Essick's avatar Ray Essick
Browse files

Add bounds check in SoftAACEncoder2::onQueueFilled() 

Original code blindly copied some header information into the
user-supplied buffer without checking for sufficient space.
The code does check when it gets to filling the data -- it's
just the header copies that weren't checked.

Bug: 34617444
Test: ran POC before/after
Change-Id: I6e80ec90616f6cd02bb8316cd2d6e309b7e4729d
parent 0495c029

media/libstagefright/codecs/aacenc/SoftAACEncoder2.cpp

+9 −0
Original line number Diff line number Diff line
@@ -406,6 +406,15 @@ void SoftAACEncoder2::onQueueFilled(OMX_U32 portIndex) { 


        BufferInfo *outInfo = *outQueue.begin();

        OMX_BUFFERHEADERTYPE *outHeader = outInfo->mHeader;



        if (outHeader->nOffset + encInfo.confSize > outHeader->nAllocLen) {

            ALOGE("b/34617444");

            android_errorWriteLog(0x534e4554,"34617444");

            notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL);

            mSignalledError = true;

            return;

        }



        outHeader->nFilledLen = encInfo.confSize;

        outHeader->nFlags = OMX_BUFFERFLAG_CODECCONFIG;