Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Unverified Commit 9a059d59 authored by Michael Bestas's avatar Michael Bestas
Browse files

Merge tag 'android-12.0.0_r29' into staging/lineage-19.0_merge-android-12.0.0_r29 

Android 12.0.0 Release 29 (SQ1D.220205.003)

# -----BEGIN PGP SIGNATURE-----
#
# iF0EABECAB0WIQRDQNE1cO+UXoOBCWTorT+BmrEOeAUCYfzJfAAKCRDorT+BmrEO
# eCoMAJwO9AdgLli7pjox4TpnhzE2+zfKewCaApszP8ibjtFemvYnYhOq5uMJaOo=
# =6jSH
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri Feb  4 08:36:44 2022 EET
# gpg:                using DSA key 4340D13570EF945E83810964E8AD3F819AB10E78
# gpg: Good signature from "The Android Open Source Project <initial-contribution@android.com>" [marginal]
# gpg: initial-contribution@android.com: Verified 1046 signatures in the past
#      3 months.  Encrypted 4 messages in the past 4 weeks.
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 4340 D135 70EF 945E 8381  0964 E8AD 3F81 9AB1 0E78

# By Ray Essick (2) and Santiago Seifert (1)
# Via Android Build Coastguard Worker
* tag 'android-12.0.0_r29':
  Prevent out-of-bounds read
  Safetynet logging for b/204445255
  Better buffer-overrun prevention

Change-Id: I6de8e88c4f381f79354ce20798dc3c65b25fd132
parents 6046e969 eb631b17

media/libmediametrics/include/media/MediaMetricsItem.h

+6 −5
Original line number Diff line number Diff line
@@ -27,6 +27,7 @@ 
#include <variant>



#include <binder/Parcel.h>

#include <log/log.h>

#include <utils/Errors.h>

#include <utils/Timers.h> // nsecs_t
@@ -469,16 +470,16 @@ protected: 
    template <> // static

    status_t extract(std::string *val, const char **bufferpptr, const char *bufferptrmax) {

        const char *ptr = *bufferpptr;

        while (*ptr != 0) {

        do {

            if (ptr >= bufferptrmax) {

                ALOGE("%s: buffer exceeded", __func__);

                android_errorWriteLog(0x534e4554, "204445255");

                return BAD_VALUE;

            }

            ++ptr;

        }

        const size_t size = (ptr - *bufferpptr) + 1;

        } while (*ptr++ != 0);

        // ptr is terminator+1, == bufferptrmax if we finished entire buffer

        *val = *bufferpptr;

        *bufferpptr += size;

        *bufferpptr = ptr;

        return NO_ERROR;

    }

    template <> // static

media/libstagefright/rtsp/AAVCAssembler.cpp

+4 −0
Original line number Diff line number Diff line
@@ -295,6 +295,10 @@ ARTPAssembler::AssemblyStatus AAVCAssembler::addNALUnit( 
}



void AAVCAssembler::checkSpsUpdated(const sp<ABuffer> &buffer) {

    if (buffer->size() == 0) {

        android_errorWriteLog(0x534e4554, "204077881");

        return;

    }

    const uint8_t *data = buffer->data();

    unsigned nalType = data[0] & 0x1f;

    if (nalType == 0x7) {