SoftAMR: check input buffer size to avoid overflow.

Bug: 27662364
Change-Id: I47380545ea7d85845e141e722b0d84f498d27145

Author: Wei Jia

media/libstagefright/codecs/amrnb/dec/SoftAMR.cpp

@@ -286,6 +286,13 @@ void SoftAMR::onQueueFilled(OMX_U32 portIndex) {
         BufferInfo *inInfo = *inQueue.begin();
         OMX_BUFFERHEADERTYPE *inHeader = inInfo->mHeader;
 
+        if (inHeader->nFilledLen == 0) {
+            inInfo->mOwnedByUs = false;
+            inQueue.erase(inQueue.begin());
+            notifyEmptyBufferDone(inHeader);
+            continue;
+        }
+
         BufferInfo *outInfo = *outQueue.begin();
         OMX_BUFFERHEADERTYPE *outHeader = outInfo->mHeader;
 
@@ -321,6 +328,17 @@ void SoftAMR::onQueueFilled(OMX_U32 portIndex) {
                 return;
             }
 
+            int16 mode = ((inputPtr[0] >> 3) & 0x0f);
+            // for WMF since MIME_IETF is used when calling AMRDecode.
+            size_t frameSize = WmfDecBytesPerFrame[mode] + 1;
+
+            if (inHeader->nFilledLen < frameSize) {
+                ALOGE("b/27662364: expected %zu bytes vs %u", frameSize, inHeader->nFilledLen);
+                notify(OMX_EventError, OMX_ErrorStreamCorrupt, 0, NULL);
+                mSignalledError = true;
+                return;
+            }
+
             numBytesRead =
                 AMRDecode(mState,
                   (Frame_Type_3GPP)((inputPtr[0] >> 3) & 0x0f),
@@ -371,10 +389,8 @@ void SoftAMR::onQueueFilled(OMX_U32 portIndex) {
 
             size_t frameSize = getFrameSize(mode);
             if (inHeader->nFilledLen < frameSize) {
-                ALOGE("Filled length vs frameSize %d vs %d. Corrupt clip?",
-                   inHeader->nFilledLen, frameSize);
-
-                notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL);
+                ALOGE("b/27662364: expected %zu bytes vs %u", frameSize, inHeader->nFilledLen);
+                notify(OMX_EventError, OMX_ErrorStreamCorrupt, 0, NULL);
                 mSignalledError = true;
                 return;
             }

media/libstagefright/codecs/amrnb/dec/src/amrdecode.h

@@ -104,7 +104,6 @@ terms listed above has been obtained from the copyright holder.
 ; INCLUDES
 ----------------------------------------------------------------------------*/
 #include    "typedef.h"
-#include    "mode.h"
 #include    "frame_type_3gpp.h"
 
 /*--------------------------------------------------------------------------*/

media/libstagefright/codecs/amrnb/dec/src/gsmamr_dec.h

@@ -87,6 +87,7 @@ terms listed above has been obtained from the copyright holder.
 
 #include "gsm_amr_typedefs.h"
 #include "frame_type_3gpp.h"
+#include "amrdecode.h"
 
 /*--------------------------------------------------------------------------*/
 #ifdef __cplusplus
@@ -135,19 +136,6 @@ extern "C"
     Word16 GSMInitDecode(void **state_data,
                          Word8 *id);
 
-    /*
-     * AMRDecode steps into the part of the library that decodes the raw data
-     * speech bits for the decoding process. It returns the address offset of
-     * the next frame to be decoded.
-     */
-    Word16 AMRDecode(
-        void                      *state_data,
-        enum Frame_Type_3GPP      frame_type,
-        UWord8                    *speech_bits_ptr,
-        Word16                    *raw_pcm_buffer,
-        Word16                    input_format
-    );
-
     /*
      * This function resets the state memory used by the GSM AMR decoder. This
      * function returns zero. It will return negative one if there is an error.