Fix a couple of nasty heap corruption bugs. (8ee91625) · Commits · e / os / android_frameworks_base

include/media/stagefright/OMXCodec.h

+2 −0

+14 −0

Original line number	Diff line number	Diff line
		@@ -2207,6 +2207,8 @@ status_t OMXCodec::allocateBuffersOnPort(OMX_U32 portIndex) {
		BufferInfo info;
		info.mData = NULL;
		info.mSize = def.nBufferSize;
		info.mAllocatedBuffer = NULL;
		info.mAllocatedSize = 0;

		IOMX::buffer_id buffer;
		if (portIndex == kPortIndexInput
		@@ -3518,6 +3520,12 @@ status_t OMXCodec::freeBuffer(OMX_U32 portIndex, size_t bufIndex) {

		BufferInfo *info = &buffers->editItemAt(bufIndex);

		if (info->mAllocatedBuffer != NULL) {
		OMX_BUFFERHEADERTYPE header = (OMX_BUFFERHEADERTYPE ) info->mBuffer;
		header->pBuffer = info->mAllocatedBuffer;
		header->nAllocLen = info->mAllocatedSize;
		}

		status_t err = mOMX->freeBuffer(mNode, portIndex, info->mBuffer);

		if (err == OK && info->mMediaBuffer != NULL) {
		@@ -3897,8 +3905,14 @@ bool OMXCodec::drainInputBuffer(BufferInfo *info) {
		//for encoder
		CHECK(header->pBuffer == info->mData);

		if (info->mAllocatedBuffer == NULL) {
		info->mAllocatedBuffer = header->pBuffer;
		info->mAllocatedSize = header->nAllocLen;
		}

		header->pBuffer =
		(OMX_U8 *)srcBuffer->data() + srcBuffer->range_offset();
		header->nAllocLen = srcBuffer->size() - srcBuffer->range_offset();

		releaseBuffer = false;
		info->mMediaBuffer = srcBuffer;