Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a5f50e98 authored by Wei Jia's avatar Wei Jia
Browse files

DO NOT MERGE - SoftwareRenderer: sanity check buffer size before copying data. 

Bug: 21443020
Change-Id: I63cf86217b8201fb41809c23e4b752b845a93ee2
(cherry picked from commit 760f92f8)
parent af7e33f6

media/libstagefright/colorconversion/SoftwareRenderer.cpp

+7 −0
Original line number Diff line number Diff line
@@ -164,6 +164,9 @@ void SoftwareRenderer::render( 
                buf->stride, buf->height,

                0, 0, mCropWidth - 1, mCropHeight - 1);

    } else if (mColorFormat == OMX_COLOR_FormatYUV420Planar) {

        if ((size_t)mWidth * mHeight * 3 / 2 > size) {

            goto skip_copying;

        }

        const uint8_t *src_y = (const uint8_t *)data;

        const uint8_t *src_u = (const uint8_t *)data + mWidth * mHeight;

        const uint8_t *src_v = src_u + (mWidth / 2 * mHeight / 2);
@@ -193,6 +196,9 @@ void SoftwareRenderer::render( 
        }

    } else {

        CHECK_EQ(mColorFormat, OMX_TI_COLOR_FormatYUV420PackedSemiPlanar);

        if ((size_t)mWidth * mHeight * 3 / 2 > size) {

            goto skip_copying;

        }



        const uint8_t *src_y =

            (const uint8_t *)data;
@@ -228,6 +234,7 @@ void SoftwareRenderer::render( 
        }

    }



skip_copying:

    CHECK_EQ(0, mapper.unlock(buf->handle));



    if ((err = mNativeWindow->queueBuffer(mNativeWindow.get(), buf,