IOMX: Add buffer range check to emptyBuffer

Bug: 20634516 Change-Id: If351dbd573bb4aeb6968bfa33f6d407225bc752c (cherry picked from commit d971df0)
CyanogenMod · Aug 12, 2015 · bbf542d · bbf542d
1 parent 626ad26
commit bbf542d
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/media/libstagefright/omx/OMXNodeInstance.cpp b/media/libstagefright/omx/OMXNodeInstance.cpp
@@ -876,6 +876,12 @@ status_t OMXNodeInstance::emptyBuffer(
     Mutex::Autolock autoLock(mLock);
 
     OMX_BUFFERHEADERTYPE *header = findBufferHeader(buffer);
+    // rangeLength and rangeOffset must be a subset of the allocated data in the buffer.
+    // corner case: we permit rangeOffset == end-of-buffer with rangeLength == 0.
+    if (rangeOffset > header->nAllocLen
+            || rangeLength > header->nAllocLen - rangeOffset) {
+        return BAD_VALUE;
+    }
     header->nFilledLen = rangeLength;
     header->nOffset = rangeOffset;
     header->nFlags = flags;