
Commit ec4ed7d5 authored by Lajos Molnar's avatar Lajos Molnar

stagefright: relax check of OMX buffer header - again

- move check to after FillBufferDone only.
- add support for NULL graphicBuffer - just in case

Bug: 21773260
Change-Id: Ibf03511f1d04425e29b63fe4e560e0d8ba6ea20e
parent 81e998b0
+23 −8
@@ -121,9 +121,10 @@ struct BufferMeta {
            return;
            return;
        }
        }


        memcpy((OMX_U8 *)mMem->pointer() + header->nOffset,
        // check component returns proper range
                header->pBuffer + header->nOffset,
        sp<ABuffer> codec = getBuffer(header, false /* backup */, true /* limit */);
                header->nFilledLen);

        memcpy((OMX_U8 *)mMem->pointer() + header->nOffset, codec->data(), codec->size());
    }
    }


    void CopyToOMX(const OMX_BUFFERHEADERTYPE *header) {
    void CopyToOMX(const OMX_BUFFERHEADERTYPE *header) {
@@ -137,14 +138,21 @@ struct BufferMeta {
    }
    }


    // return either the codec or the backup buffer
    // return either the codec or the backup buffer
    sp<ABuffer> getBuffer(const OMX_BUFFERHEADERTYPE *header, bool backup) {
    sp<ABuffer> getBuffer(const OMX_BUFFERHEADERTYPE *header, bool backup, bool limit) {
        sp<ABuffer> buf;
        sp<ABuffer> buf;
        if (backup && mMem != NULL) {
        if (backup && mMem != NULL) {
            buf = new ABuffer(mMem->pointer(), mMem->size());
            buf = new ABuffer(mMem->pointer(), mMem->size());
        } else {
        } else {
            buf = new ABuffer(header->pBuffer, header->nAllocLen);
            buf = new ABuffer(header->pBuffer, header->nAllocLen);
        }
        }
        if (limit) {
            if (header->nOffset + header->nFilledLen > header->nOffset
                    && header->nOffset + header->nFilledLen <= header->nAllocLen) {
                buf->setRange(header->nOffset, header->nFilledLen);
                buf->setRange(header->nOffset, header->nFilledLen);
            } else {
                buf->setRange(0, 0);
            }
        }
        return buf;
        return buf;
    }
    }


@@ -1089,10 +1097,11 @@ status_t OMXNodeInstance::emptyBuffer(
    OMX_BUFFERHEADERTYPE *header = findBufferHeader(buffer);
    OMX_BUFFERHEADERTYPE *header = findBufferHeader(buffer);
    BufferMeta *buffer_meta =
    BufferMeta *buffer_meta =
        static_cast<BufferMeta *>(header->pAppPrivate);
        static_cast<BufferMeta *>(header->pAppPrivate);
    sp<ABuffer> backup = buffer_meta->getBuffer(header, true /* backup */);
    sp<ABuffer> backup = buffer_meta->getBuffer(header, true /* backup */, false /* limit */);
    sp<ABuffer> codec = buffer_meta->getBuffer(header, false /* backup */);
    sp<ABuffer> codec = buffer_meta->getBuffer(header, false /* backup */, false /* limit */);


    // convert incoming ANW meta buffers if component is configured for gralloc metadata mode
    // convert incoming ANW meta buffers if component is configured for gralloc metadata mode
    // ignore rangeOffset in this case
    if (mMetadataType[kPortIndexInput] == kMetadataBufferTypeGrallocSource
    if (mMetadataType[kPortIndexInput] == kMetadataBufferTypeGrallocSource
            && backup->capacity() >= sizeof(VideoNativeMetadata)
            && backup->capacity() >= sizeof(VideoNativeMetadata)
            && codec->capacity() >= sizeof(VideoGrallocMetadata)
            && codec->capacity() >= sizeof(VideoGrallocMetadata)
@@ -1102,7 +1111,7 @@ status_t OMXNodeInstance::emptyBuffer(
        VideoGrallocMetadata &codecMeta = *(VideoGrallocMetadata *)codec->base();
        VideoGrallocMetadata &codecMeta = *(VideoGrallocMetadata *)codec->base();
        CLOG_BUFFER(emptyBuffer, "converting ANWB %p to handle %p",
        CLOG_BUFFER(emptyBuffer, "converting ANWB %p to handle %p",
                backupMeta.pBuffer, backupMeta.pBuffer->handle);
                backupMeta.pBuffer, backupMeta.pBuffer->handle);
        codecMeta.pHandle = backupMeta.pBuffer->handle;
        codecMeta.pHandle = backupMeta.pBuffer != NULL ? backupMeta.pBuffer->handle : NULL;
        codecMeta.eType = kMetadataBufferTypeGrallocSource;
        codecMeta.eType = kMetadataBufferTypeGrallocSource;
        header->nFilledLen = rangeLength ? sizeof(codecMeta) : 0;
        header->nFilledLen = rangeLength ? sizeof(codecMeta) : 0;
        header->nOffset = 0;
        header->nOffset = 0;
@@ -1111,6 +1120,7 @@ status_t OMXNodeInstance::emptyBuffer(
        // corner case: we permit rangeOffset == end-of-buffer with rangeLength == 0.
        // corner case: we permit rangeOffset == end-of-buffer with rangeLength == 0.
        if (rangeOffset > header->nAllocLen
        if (rangeOffset > header->nAllocLen
                || rangeLength > header->nAllocLen - rangeOffset) {
                || rangeLength > header->nAllocLen - rangeOffset) {
            CLOG_ERROR(emptyBuffer, OMX_ErrorBadParameter, FULL_BUFFER(NULL, header, fenceFd));
            if (fenceFd >= 0) {
            if (fenceFd >= 0) {
                ::close(fenceFd);
                ::close(fenceFd);
            }
            }
@@ -1380,6 +1390,11 @@ bool OMXNodeInstance::handleMessage(omx_message &msg) {
        BufferMeta *buffer_meta =
        BufferMeta *buffer_meta =
            static_cast<BufferMeta *>(buffer->pAppPrivate);
            static_cast<BufferMeta *>(buffer->pAppPrivate);


        if (buffer->nOffset + buffer->nFilledLen < buffer->nOffset
                || buffer->nOffset + buffer->nFilledLen > buffer->nAllocLen) {
            CLOG_ERROR(onFillBufferDone, OMX_ErrorBadParameter,
                    FULL_BUFFER(NULL, buffer, msg.fenceFd));
        }
        buffer_meta->CopyFromOMX(buffer);
        buffer_meta->CopyFromOMX(buffer);


        if (bufferSource != NULL) {
        if (bufferSource != NULL) {
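Review bot: The new copy in CopyFromOMX bounds only the source side: `getBuffer(header, false /* backup */, true /* limit */)` checks `nOffset + nFilledLen` against `header->nAllocLen`, but the memcpy destination is `mMem->pointer() + header->nOffset` and nothing visible compares that range with `mMem->size()`. `nAllocLen` is a field of the same header the component hands back, so if it can exceed the backup allocation (not visible here; CopyFromOMX starts above the hunk) the write can still run past `mMem`. I would guard the copy with `if (header->nOffset <= mMem->size() && codec->size() <= mMem->size() - header->nOffset)` and log an error otherwise. Separately, in the emptyBuffer hunk the CLOG_BUFFER call just above the new NULL test still passes `backupMeta.pBuffer->handle`, so a NULL pBuffer is dereferenced there first whenever that log statement evaluates its arguments.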