Correcting Offset and size checks while queing (09b83103) · Commits · e / os / android_frameworks_base

media/jni/android_media_MediaCodec.cpp

+12 −16

Original line number	Diff line number	Diff line
		@@ -2088,28 +2088,24 @@ static status_t extractInfosFromObject(
		}
		return BAD_VALUE;
		}
		size_t offset = static_cast<size_t>(env->GetIntField(param, gFields.bufferInfoOffset));
		size_t size = static_cast<size_t>(env->GetIntField(param, gFields.bufferInfoSize));
		ssize_t offset = static_cast<ssize_t>(env->GetIntField(param, gFields.bufferInfoOffset));
		ssize_t size = static_cast<ssize_t>(env->GetIntField(param, gFields.bufferInfoSize));
		uint32_t flags = static_cast<uint32_t>(env->GetIntField(param, gFields.bufferInfoFlags));
		if (flags == 0 && size == 0) {
		if (errorDetailMsg) {
		*errorDetailMsg = "Error: Queuing an empty BufferInfo";
		}
		return BAD_VALUE;
		}
		if (i == 0) {
		*initialOffset = offset;
		if (CC_UNLIKELY(*initialOffset < 0)) {
		}
		if (CC_UNLIKELY((offset < 0)
		\|\| (size < 0)
		\|\| ((INT32_MAX - offset) < size)
		\|\| ((offset - (initialOffset)) != totalSize))) {
		if (errorDetailMsg) {
		*errorDetailMsg = "Error: offset/size in BufferInfo";
		}
		return BAD_VALUE;
		}
		}
		if (CC_UNLIKELY(((ssize_t)(UINT32_MAX - offset) < (ssize_t)size)
		\|\| ((offset - initialOffset) != totalSize))) {
		if (flags == 0 && size == 0) {
		if (errorDetailMsg) {
		*errorDetailMsg = "Error: offset/size in BufferInfo";
		*errorDetailMsg = "Error: Queuing an empty BufferInfo";
		}
		return BAD_VALUE;
		}