authorandroid-build-team Robot <android-build-team-robot@google.com>2017-05-24 22:12:34 +0000
committerandroid-build-team Robot <android-build-team-robot@google.com>2017-05-24 22:12:34 +0000
commit4e66c9502bc47323f785e6121b37aac3e58de1ff (patch)
tree3b2aeb489a89efdf9800f46caffa112e14da7d34
parenta98943dd4aece3024f023f00256607d50dcbcd1e (diff)
parentbd4c825d8fc5dd48f5c602e673ae210909b31fd0 (diff)
Merge cherrypicks of [2310196, 2310339, 2310340, 2310175, 2310320, 2310321, 2310322, 2310323, 2310217, 2310311, 2310349, 2310313, 2310331, 2310314, 2310286, 2310368, 2310383, 2310272, 2310439, 2310317, 2310318, 2310370, 2310352, 2310459, 2310287, 2310384, 2310237, 2310422, 2310440, 2310372, 2310289, 2310374, 2310355, 2310461, 2310423, 2310375, 2310376, 2310385, 2310386, 2310275, 2310462, 2310442, 2310443, 2310539, 2310378, 2310445, 2310238, 2310446, 2310540, 2310335, 2310582, 2310454, 2310659, 2310392, 2310393, 2310437, 2310679, 2310626] into nyc-mr2-releaseandroid-7.1.2_r28android-7.1.2_r19android-7.1.2_r18nougat-mr2-release
Change-Id: I3668a478f381c4a9cd9c20ebd8dc032a3af63910
-rw-r--r--gdx/jni/com.badlogic.gdx.graphics.glutils.ETC1.cpp29
-rw-r--r--gdx/jni/gdx2d/gdx2d.c21
-rw-r--r--gdx/jni/gdx2d/jpgd.cpp51
-rw-r--r--gdx/jni/gdx2d/stb_image.h19
4 files changed, 104 insertions, 16 deletions
diff --git a/gdx/jni/com.badlogic.gdx.graphics.glutils.ETC1.cpp b/gdx/jni/com.badlogic.gdx.graphics.glutils.ETC1.cpp
index 94dc321f9..0c6eabdca 100644
--- a/gdx/jni/com.badlogic.gdx.graphics.glutils.ETC1.cpp
+++ b/gdx/jni/com.badlogic.gdx.graphics.glutils.ETC1.cpp
@@ -1,4 +1,7 @@
#include <com.badlogic.gdx.graphics.glutils.ETC1.h>
+#include <android/log.h>
+
+#define APP_LOG "GDX"
//@line:196
@@ -86,9 +89,29 @@ JNIEXPORT void JNICALL Java_com_badlogic_gdx_graphics_glutils_ETC1_decodeImage(J
//@line:249
- etc1_decode_image((etc1_byte*)compressedData + offset, (etc1_byte*)decodedData + offsetDec, width, height, pixelSize, width * pixelSize);
-
-
+ // Nothing to decode, or no target
+ if (compressedData == 0 || decodedData == 0) {
+ __android_log_print(ANDROID_LOG_VERBOSE, APP_LOG, "Invalid buffers, null pointer.");
+ return;
+ }
+
+ /// Verify if requested bounds are valid
+ jlong compressedLength = env->GetDirectBufferCapacity(obj_compressedData);
+ jlong decodedLength = env->GetDirectBufferCapacity(obj_decodedData);
+ if (offset < 0 || compressedLength - offset > decodedLength - offsetDec) {
+ __android_log_print(ANDROID_LOG_VERBOSE,
+ APP_LOG, "Invalid buffers, would cause heap overflow. %lu > %lu",
+ compressedLength - offset,
+ decodedLength - offsetDec);
+ return;
+ }
+
+ etc1_decode_image((etc1_byte*)compressedData + offset,
+ (etc1_byte*)decodedData + offsetDec,
+ width,
+ height,
+ pixelSize,
+ width * pixelSize);
}
static inline jobject wrapped_Java_com_badlogic_gdx_graphics_glutils_ETC1_encodeImage
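Review bot: The bounds test `compressedLength - offset > decodedLength - offsetDec` compares the two remaining buffer lengths with each other rather than with what `etc1_decode_image` will read and write, so a decoded buffer smaller than `width * height * pixelSize` still passes whenever the compressed buffer is smaller still. `offsetDec` is never checked for a negative value, and a `GetDirectBufferCapacity` result of -1 is not handled. The `%lu` specifiers receive `jlong` arguments, which do not match on 32-bit targets, and the rejection is logged at `ANDROID_LOG_VERBOSE`, which is commonly filtered out. The sketch below sizes both sides from the image dimensions; the function signature is outside the hunk, so `width`, `height`, `pixelSize` and the offsets are assumed to be `jint`.

```cpp
// … unchanged: null check on compressedData / decodedData …
jlong compressedLength = env->GetDirectBufferCapacity(obj_compressedData);
jlong decodedLength = env->GetDirectBufferCapacity(obj_decodedData);
if (width <= 0 || height <= 0 || pixelSize <= 0 ||
    offset < 0 || offsetDec < 0 ||
    offset > compressedLength || offsetDec > decodedLength) {
    __android_log_print(ANDROID_LOG_WARN, APP_LOG, "Invalid buffers, bad size or offset.");
    return;
}
// ETC1 stores each 4x4 pixel block in 8 bytes; do the arithmetic in 64 bits.
jlong encodedBytes = (((jlong)width + 3) / 4) * (((jlong)height + 3) / 4) * 8;
jlong rowBytes = (jlong)width * pixelSize;
if (encodedBytes > compressedLength - offset ||
    height > (decodedLength - offsetDec) / rowBytes) {
    __android_log_print(ANDROID_LOG_WARN, APP_LOG, "Invalid buffers, decode would run past the end.");
    return;
}
// … unchanged: etc1_decode_image call …
```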
diff --git a/gdx/jni/gdx2d/gdx2d.c b/gdx/jni/gdx2d/gdx2d.c
index 13ceba23b..70cfc7d98 100644
--- a/gdx/jni/gdx2d/gdx2d.c
+++ b/gdx/jni/gdx2d/gdx2d.c
@@ -17,6 +17,9 @@
#include "stb_image.h"
#include "jpgd_c.h"
+#include <android/log.h>
+#define APP_LOG "GDX"
+
static uint32_t gdx2d_blend = GDX2D_BLEND_NONE;
static uint32_t gdx2d_scale = GDX2D_SCALE_NEAREST;
@@ -358,9 +361,25 @@ static inline void clear_RGBA4444(const gdx2d_pixmap* pixmap, uint32_t col) {
}
}
-void gdx2d_clear(const gdx2d_pixmap* pixmap, uint32_t col) {
+void gdx2d_clear(const gdx2d_pixmap* pixmap, uint32_t col) {
+ if (pixmap == 0)
+ return;
+
col = to_format(pixmap->format, col);
+ // Check for malformed Pixmap
+ size_t requestedSize = pixmap->width * pixmap->height * sizeof(col);
+ size_t pixelsSize = sizeof(pixmap->pixels);
+ if (requestedSize > pixelsSize) {
+ __android_log_print(ANDROID_LOG_VERBOSE,
+ APP_LOG, "Invalid pixmap. %ix%i - Size should be %u but found %u",
+ pixmap->width,
+ pixmap->height,
+ requestedSize,
+ pixelsSize);
+ return;
+ }
+
switch(pixmap->format) {
case GDX2D_FORMAT_ALPHA:
clear_alpha(pixmap, col);
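Review bot: `sizeof(pixmap->pixels)` in the new size check measures the `pixels` member itself, not the allocation behind it; if `pixels` is a pointer (its declaration is outside the hunk), that is 4 or 8 bytes, so the check returns early for almost every pixmap and gdx2d_clear silently stops clearing. `sizeof(col)` is likewise always 4, independent of `pixmap->format`. Nothing visible here records the buffer length, so a real bound needs a stored size compared against `(uint64_t)pixmap->width * pixmap->height * gdx2d_bytes_per_pixel(pixmap->format)`. The log call also passes `size_t` values to `%u`, where `%zu` is the matching specifier. The switch continues outside the hunk.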
diff --git a/gdx/jni/gdx2d/jpgd.cpp b/gdx/jni/gdx2d/jpgd.cpp
index 4c84a3321..d76e930ea 100644
--- a/gdx/jni/gdx2d/jpgd.cpp
+++ b/gdx/jni/gdx2d/jpgd.cpp
@@ -29,6 +29,10 @@
#define JPGD_MAX(a,b) (((a)>(b)) ? (a) : (b))
#define JPGD_MIN(a,b) (((a)<(b)) ? (a) : (b))
+// TODO: Move to header and use these constants when declaring the arrays.
+#define JPGD_HUFF_TREE_MAX_LENGTH 512
+#define JPGD_HUFF_CODE_SIZE_MAX_LENGTH 256
+
namespace jpgd {
static inline void *jpgd_malloc(size_t nSize) { return malloc(nSize); }
@@ -493,8 +497,9 @@ inline uint jpeg_decoder::get_bits_no_markers(int num_bits)
// Decodes a Huffman encoded symbol.
inline int jpeg_decoder::huff_decode(huff_tables *pH)
{
- int symbol;
+ JPGD_ASSERT(pH);
+ int symbol;
// Check first 8-bits: do we have a complete symbol?
if ((symbol = pH->look_up[m_bit_buf >> 24]) < 0)
{
@@ -502,14 +507,19 @@ inline int jpeg_decoder::huff_decode(huff_tables *pH)
int ofs = 23;
do
{
- symbol = pH->tree[-(int)(symbol + ((m_bit_buf >> ofs) & 1))];
+ unsigned int idx = -(int)(symbol + ((m_bit_buf >> ofs) & 1));
+ JPGD_ASSERT(idx < JPGD_HUFF_TREE_MAX_LENGTH);
+ symbol = pH->tree[idx];
ofs--;
} while (symbol < 0);
get_bits_no_markers(8 + (23 - ofs));
}
else
+ {
+ JPGD_ASSERT(symbol < JPGD_HUFF_CODE_SIZE_MAX_LENGTH);
get_bits_no_markers(pH->code_size[symbol]);
+ }
return symbol;
}
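Review bot: The new index check `JPGD_ASSERT(idx < JPGD_HUFF_TREE_MAX_LENGTH)` is only as strong as the macro: if JPGD_ASSERT expands to `assert` (its definition is not in this diff), it disappears under NDEBUG and release builds index `pH->tree` unchecked, while debug builds abort the process on a malformed file. A condition that must hold for untrusted input should fail through the decoder's error path instead, for example `if (idx >= JPGD_HUFF_TREE_MAX_LENGTH) stop_decoding(JPGD_DECODE_ERROR);`. The same applies to every other JPGD_ASSERT this commit adds in jpgd.cpp (both huff_decode overloads, transform_mcu, load_next_row, decode_next_row, make_huff_table, decode_block_ac_first and decode_block_ac_refine). The `do` loop also puts no lower bound on `ofs`, so a tree that never yields a non-negative symbol would end up shifting `m_bit_buf` by a negative count.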
@@ -519,6 +529,8 @@ inline int jpeg_decoder::huff_decode(huff_tables *pH, int& extra_bits)
{
int symbol;
+ JPGD_ASSERT(pH);
+
// Check first 8-bits: do we have a complete symbol?
if ((symbol = pH->look_up2[m_bit_buf >> 24]) < 0)
{
@@ -526,7 +538,9 @@ inline int jpeg_decoder::huff_decode(huff_tables *pH, int& extra_bits)
int ofs = 23;
do
{
- symbol = pH->tree[-(int)(symbol + ((m_bit_buf >> ofs) & 1))];
+ unsigned int idx = -(int)(symbol + ((m_bit_buf >> ofs) & 1));
+ JPGD_ASSERT(idx < JPGD_HUFF_TREE_MAX_LENGTH);
+ symbol = pH->tree[idx];
ofs--;
} while (symbol < 0);
@@ -1497,6 +1511,12 @@ void jpeg_decoder::fix_in_buffer()
void jpeg_decoder::transform_mcu(int mcu_row)
{
jpgd_block_t* pSrc_ptr = m_pMCU_coefficients;
+ if (m_freq_domain_chroma_upsample) {
+ JPGD_ASSERT(mcu_row * m_blocks_per_mcu < m_expanded_blocks_per_row);
+ }
+ else {
+ JPGD_ASSERT(mcu_row * m_blocks_per_mcu < m_max_blocks_per_row);
+ }
uint8* pDst_ptr = m_pSample_buf + mcu_row * m_blocks_per_mcu * 64;
for (int mcu_block = 0; mcu_block < m_blocks_per_mcu; mcu_block++)
@@ -1652,6 +1672,7 @@ void jpeg_decoder::load_next_row()
for (mcu_block = 0; mcu_block < m_blocks_per_mcu; mcu_block++)
{
component_id = m_mcu_org[mcu_block];
+ JPGD_ASSERT(m_comp_quant[component_id] < JPGD_MAX_QUANT_TABLES);
q = m_quant[m_comp_quant[component_id]];
p = m_pMCU_coefficients + 64 * mcu_block;
@@ -1772,6 +1793,7 @@ void jpeg_decoder::decode_next_row()
for (int mcu_block = 0; mcu_block < m_blocks_per_mcu; mcu_block++, p += 64)
{
int component_id = m_mcu_org[mcu_block];
+ JPGD_ASSERT(m_comp_quant[component_id] < JPGD_MAX_QUANT_TABLES);
jpgd_quant_t* q = m_quant[m_comp_quant[component_id]];
int r, s;
@@ -2281,7 +2303,8 @@ void jpeg_decoder::make_huff_table(int index, huff_tables *pH)
for (l = 1 << (8 - code_size); l > 0; l--)
{
- JPGD_ASSERT(i < 256);
+ JPGD_ASSERT(i < JPGD_HUFF_CODE_SIZE_MAX_LENGTH);
+ JPGD_ASSERT(code < JPGD_HUFF_CODE_SIZE_MAX_LENGTH);
pH->look_up[code] = i;
@@ -2331,16 +2354,19 @@ void jpeg_decoder::make_huff_table(int index, huff_tables *pH)
if ((code & 0x8000) == 0)
currententry--;
- if (pH->tree[-currententry - 1] == 0)
+ unsigned int idx = -currententry - 1;
+ JPGD_ASSERT(idx < JPGD_HUFF_TREE_MAX_LENGTH);
+ if (pH->tree[idx] == 0)
{
- pH->tree[-currententry - 1] = nextfreeentry;
+ pH->tree[idx] = nextfreeentry;
currententry = nextfreeentry;
nextfreeentry -= 2;
}
- else
- currententry = pH->tree[-currententry - 1];
+ else {
+ currententry = pH->tree[idx];
+ }
code <<= 1;
}
@@ -2642,7 +2668,9 @@ void jpeg_decoder::decode_block_ac_first(jpeg_decoder *pD, int component_id, int
for (k = pD->m_spectral_start; k <= pD->m_spectral_end; k++)
{
- s = pD->huff_decode(pD->m_pHuff_tabs[pD->m_comp_ac_tab[component_id]]);
+ unsigned int idx = pD->m_comp_ac_tab[component_id];
+ JPGD_ASSERT(idx < JPGD_MAX_HUFF_TABLES);
+ s = pD->huff_decode(pD->m_pHuff_tabs[idx]);
r = s >> 4;
s &= 15;
@@ -2685,7 +2713,6 @@ void jpeg_decoder::decode_block_ac_refine(jpeg_decoder *pD, int component_id, in
int p1 = 1 << pD->m_successive_low;
int m1 = (-1) << pD->m_successive_low;
jpgd_block_t *p = pD->coeff_buf_getp(pD->m_ac_coeffs[component_id], block_x, block_y);
-
JPGD_ASSERT(pD->m_spectral_end <= 63);
k = pD->m_spectral_start;
@@ -2694,7 +2721,9 @@ void jpeg_decoder::decode_block_ac_refine(jpeg_decoder *pD, int component_id, in
{
for ( ; k <= pD->m_spectral_end; k++)
{
- s = pD->huff_decode(pD->m_pHuff_tabs[pD->m_comp_ac_tab[component_id]]);
+ unsigned int idx = pD->m_comp_ac_tab[component_id];
+ JPGD_ASSERT(idx < JPGD_MAX_HUFF_TABLES);
+ s = pD->huff_decode(pD->m_pHuff_tabs[idx]);
r = s >> 4;
s &= 15;
diff --git a/gdx/jni/gdx2d/stb_image.h b/gdx/jni/gdx2d/stb_image.h
index a9d338a2a..1e48cc40d 100644
--- a/gdx/jni/gdx2d/stb_image.h
+++ b/gdx/jni/gdx2d/stb_image.h
@@ -965,6 +965,9 @@ static unsigned char *stbi__load_main(stbi__context *s, int *x, int *y, int *com
#ifndef STBI_NO_HDR
if (stbi__hdr_test(s)) {
float *hdr = stbi__hdr_load(s, x,y,comp,req_comp);
+ if (hdr == NULL) {
+ return NULL;
+ }
return stbi__hdr_to_ldr(hdr, *x, *y, req_comp ? req_comp : *comp);
}
#endif
@@ -6046,7 +6049,11 @@ static float *stbi__hdr_load(stbi__context *s, int *x, int *y, int *comp, int re
}
len <<= 8;
len |= stbi__get8(s);
- if (len != width) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("invalid decoded scanline length", "corrupt HDR"); }
+ if (len != width) {
+ STBI_FREE(hdr_data);
+ STBI_FREE(scanline);
+ return stbi__errpf("invalid decoded scanline length", "corrupt HDR");
+ }
if (scanline == NULL) scanline = (stbi_uc *) stbi__malloc(width * 4);
for (k = 0; k < 4; ++k) {
@@ -6057,9 +6064,19 @@ static float *stbi__hdr_load(stbi__context *s, int *x, int *y, int *comp, int re
// Run
value = stbi__get8(s);
count -= 128;
+ if (count >= width - i) {
+ STBI_FREE(hdr_data);
+ STBI_FREE(scanline);
+ return stbi__errpf("invalid buffer size", "corrupt HDR");
+ }
for (z = 0; z < count; ++z)
scanline[i++ * 4 + k] = value;
} else {
+ if (count >= width - i) {
+ STBI_FREE(hdr_data);
+ STBI_FREE(scanline);
+ return stbi__errpf("invalid buffer size", "corrupt HDR");
+ }
// Dump
for (z = 0; z < count; ++z)
scanline[i++ * 4 + k] = stbi__get8(s);
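Review bot: The new guard `if (count >= width - i)` in both the run and the dump branch also rejects a run that ends exactly at the end of the scanline (`count == width - i`), which writes pixel indices up to `width - 1` and is in bounds. Since each component's data has to reach `width`, well-formed RLE files would hit this on their final run and fail with "corrupt HDR"; the comparison should be `if (count > width - i)`. A `count` of 0 is not rejected either, and if the enclosing loop (outside this hunk) runs until `i` reaches `width`, a zero-length run may never advance it; `if (count == 0 || count > width - i)` covers both cases.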