author | android-build-team Robot <android-build-team-robot@google.com> | 2018-09-14 20:50:20 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2018-09-14 20:50:20 +0000 |
commit | c751c202a6f1b7ed008cfd6a311781e9ce218fc4 (patch) | |
tree | 98f8c5ea790e78a0796b731662dcb2d45bb9bcce | |
parent | 7486c93b95caa3be4a618f3be286c985d2041e39 (diff) | |
parent | a98e94f367af466e0b544c0f8ca7a50b631f38af (diff) | |
download | av-c751c202a6f1b7ed008cfd6a311781e9ce218fc4.tar.gz |
Merge cherrypicks of [5027797, 5027798, 5029209, 5030032, 5023135, 5028893, 5028915, 5028916, 5028917, 5028948, 5028949, 5028950, 5030131, 5030132, 5030133, 5030134, 5030135, 5028894, 5028918, 5030033, 5023136, 5030136, 5029210, 5030171, 5030172, 5030173, 5030174, 5030175, 5030176, 5030177, 5030178, 5030179, 5030180, 5029076, 5029077, 5029078, 5029079, 5029080, 5029081, 5029082, 5029083, 5029084, 5029085, 5029086, 5029087, 5029088, 5029089, 5029090, 5030211, 5030212, 5030213, 5030214, 5030215, 5030216, 5030217, 5020440, 5020441, 5020442, 5030137, 5030034, 5020443, 5030138, 5029124, 5027799, 5029125, 5029126, 5029127, 5023137, 5030139, 5030140, 5029132, 5030141, 5030142, 5030143, 5030181, 5030182, 5030183, 5030184, 5030185, 5030186, 5030187, 5030188, 5030189, 5030190, 5030231, 5030232, 5030233, 5030234, 5030235, 5030236, 5030237, 5030238, 5030239, 5030240, 5030241, 5030242, 5030243, 5030244, 5030245, 5030246, 5030247, 5030248, 5030249, 5030250, 5030271, 5030272, 5030273, 5030274, 5030275, 5030276, 5030277, 5030278, 5030279, 5030280, 5030281, 5020444, 5027800, 5030144] into nyc-bugfix-release
Change-Id: I099e833f0cbfa6a0b44dc015cc58d6ecba56801e
-rw-r--r-- | include/media/IAudioPolicyService.h | 2 | ||||
-rw-r--r-- | media/libmedia/IAudioPolicyService.cpp | 67 | ||||
-rw-r--r-- | media/libmedia/ICrypto.cpp | 9 | ||||
-rw-r--r-- | media/libstagefright/VideoFrameScheduler.cpp | 5 | ||||
-rw-r--r-- | media/libstagefright/codecs/mp3dec/src/pvmp3_decode_header.cpp | 2 | ||||
-rw-r--r-- | media/libstagefright/httplive/M3UParser.cpp | 37 | ||||
-rw-r--r-- | media/libstagefright/httplive/M3UParser.h | 1 | ||||
-rw-r--r-- | media/libstagefright/id3/ID3.cpp | 24 | ||||
-rw-r--r-- | media/libstagefright/mpeg2ts/ESQueue.cpp | 9 | ||||
-rw-r--r-- | media/ndk/NdkMediaCodec.cpp | 8 | ||||
-rw-r--r-- | services/audiopolicy/common/managerdefinitions/src/AudioPort.cpp | 1 |
11 files changed, 129 insertions, 36 deletions
diff --git a/include/media/IAudioPolicyService.h b/include/media/IAudioPolicyService.h index de6e5ce27a..9ffcc77f0e 100644 --- a/include/media/IAudioPolicyService.h +++ b/include/media/IAudioPolicyService.h @@ -183,6 +183,8 @@ public: uint32_t flags = 0); private: void sanetizeAudioAttributes(audio_attributes_t* attr); + status_t sanitizeEffectDescriptor(effect_descriptor_t* desc); + status_t sanitizeAudioPortConfig(struct audio_port_config* config); }; // ---------------------------------------------------------------------------- diff --git a/media/libmedia/IAudioPolicyService.cpp b/media/libmedia/IAudioPolicyService.cpp index 294b8f6bf8..b4b8c32de8 100644 --- a/media/libmedia/IAudioPolicyService.cpp +++ b/media/libmedia/IAudioPolicyService.cpp @@ -873,7 +873,7 @@ status_t BnAudioPolicyService::onTransact( audio_output_flags_t flags = static_cast <audio_output_flags_t>(data.readInt32()); bool hasOffloadInfo = data.readInt32() != 0; - audio_offload_info_t offloadInfo; + audio_offload_info_t offloadInfo = {}; if (hasOffloadInfo) { data.read(&offloadInfo, sizeof(audio_offload_info_t)); } @@ -889,7 +889,7 @@ status_t BnAudioPolicyService::onTransact( case GET_OUTPUT_FOR_ATTR: { CHECK_INTERFACE(IAudioPolicyService, data, reply); - audio_attributes_t attr; + audio_attributes_t attr = {}; bool hasAttributes = data.readInt32() != 0; if (hasAttributes) { data.read(&attr, sizeof(audio_attributes_t)); @@ -909,7 +909,7 @@ status_t BnAudioPolicyService::onTransact( static_cast <audio_output_flags_t>(data.readInt32()); audio_port_handle_t selectedDeviceId = data.readInt32(); bool hasOffloadInfo = data.readInt32() != 0; - audio_offload_info_t offloadInfo; + audio_offload_info_t offloadInfo = {}; if (hasOffloadInfo) { data.read(&offloadInfo, sizeof(audio_offload_info_t)); } 
@@ -959,7 +959,7 @@ status_t BnAudioPolicyService::onTransact( case GET_INPUT_FOR_ATTR: { CHECK_INTERFACE(IAudioPolicyService, data, reply); - audio_attributes_t attr; + audio_attributes_t attr = {}; data.read(&attr, sizeof(audio_attributes_t)); sanetizeAudioAttributes(&attr); audio_session_t session = (audio_session_t)data.readInt32(); @@ -1057,8 +1057,11 @@ status_t BnAudioPolicyService::onTransact( case GET_OUTPUT_FOR_EFFECT: { CHECK_INTERFACE(IAudioPolicyService, data, reply); - effect_descriptor_t desc; - data.read(&desc, sizeof(effect_descriptor_t)); + effect_descriptor_t desc = {}; + if (data.read(&desc, sizeof(desc)) != NO_ERROR) { + android_errorWriteLog(0x534e4554, "73126106"); + } + (void)sanitizeEffectDescriptor(&desc); audio_io_handle_t output = getOutputForEffect(&desc); reply->writeInt32(static_cast <int>(output)); return NO_ERROR; @@ -1066,8 +1069,11 @@ status_t BnAudioPolicyService::onTransact( case REGISTER_EFFECT: { CHECK_INTERFACE(IAudioPolicyService, data, reply); - effect_descriptor_t desc; - data.read(&desc, sizeof(effect_descriptor_t)); + effect_descriptor_t desc = {}; + if (data.read(&desc, sizeof(desc)) != NO_ERROR) { + android_errorWriteLog(0x534e4554, "73126106"); + } + (void)sanitizeEffectDescriptor(&desc); audio_io_handle_t io = data.readInt32(); uint32_t strategy = data.readInt32(); audio_session_t session = (audio_session_t) data.readInt32(); @@ -1126,7 +1132,7 @@ status_t BnAudioPolicyService::onTransact( count = AudioEffect::kMaxPreProcessing; } uint32_t retCount = count; - effect_descriptor_t *descriptors = new effect_descriptor_t[count]; + effect_descriptor_t *descriptors = new effect_descriptor_t[count]{}; status_t status = queryDefaultPreProcessing(audioSession, descriptors, &retCount); reply->writeInt32(status); if (status != NO_ERROR && status != NO_MEMORY) { 
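Review bot: In GET_OUTPUT_FOR_EFFECT a failed `data.read(&desc, sizeof(desc))` is only logged, and the transaction still calls getOutputForEffect() with the zero-filled descriptor; the status of sanitizeEffectDescriptor() is likewise dropped with `(void)`. Zero-initialising `desc` removes the uninitialised-memory exposure, but a malformed parcel is still handled as a valid request. If callers can tolerate it, add `return BAD_VALUE;` after the `android_errorWriteLog(0x534e4554, "73126106");` call, or add a comment saying why the request is deliberately allowed to proceed. The REGISTER_EFFECT hunk has the same pattern, and the `(void)sanitizeAudioPortConfig(...)` calls in SET_AUDIO_PORT_CONFIG and START_AUDIO_SOURCE discard their status the same way. onTransact's body continues outside these hunks.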
@@ -1145,7 +1151,7 @@ status_t BnAudioPolicyService::onTransact( case IS_OFFLOAD_SUPPORTED: { CHECK_INTERFACE(IAudioPolicyService, data, reply); - audio_offload_info_t info; + audio_offload_info_t info = {}; data.read(&info, sizeof(audio_offload_info_t)); bool isSupported = isOffloadSupported(info); reply->writeInt32(isSupported); @@ -1200,7 +1206,7 @@ status_t BnAudioPolicyService::onTransact( case CREATE_AUDIO_PATCH: { CHECK_INTERFACE(IAudioPolicyService, data, reply); - struct audio_patch patch; + struct audio_patch patch = {}; data.read(&patch, sizeof(struct audio_patch)); audio_patch_handle_t handle = AUDIO_PATCH_HANDLE_NONE; if (data.read(&handle, sizeof(audio_patch_handle_t)) != NO_ERROR) { @@ -1216,7 +1222,7 @@ status_t BnAudioPolicyService::onTransact( case RELEASE_AUDIO_PATCH: { CHECK_INTERFACE(IAudioPolicyService, data, reply); - audio_patch_handle_t handle; + audio_patch_handle_t handle = {}; data.read(&handle, sizeof(audio_patch_handle_t)); status_t status = releaseAudioPatch(handle); reply->writeInt32(status); @@ -1255,8 +1261,9 @@ status_t BnAudioPolicyService::onTransact( case SET_AUDIO_PORT_CONFIG: { CHECK_INTERFACE(IAudioPolicyService, data, reply); - struct audio_port_config config; + struct audio_port_config config = {}; data.read(&config, sizeof(struct audio_port_config)); + (void)sanitizeAudioPortConfig(&config); status_t status = setAudioPortConfig(&config); reply->writeInt32(status); return NO_ERROR; @@ -1330,9 +1337,10 @@ status_t BnAudioPolicyService::onTransact( case START_AUDIO_SOURCE: { CHECK_INTERFACE(IAudioPolicyService, data, reply); - struct audio_port_config source; + struct audio_port_config source = {}; data.read(&source, sizeof(struct audio_port_config)); - audio_attributes_t attributes; + (void)sanitizeAudioPortConfig(&source); + audio_attributes_t attributes = {}; data.read(&attributes, sizeof(audio_attributes_t)); sanetizeAudioAttributes(&attributes); audio_io_handle_t handle = {}; 
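Review bot: CREATE_AUDIO_PATCH now zero-initialises `patch`, but the result of `data.read(&patch, sizeof(struct audio_patch))` is still ignored and nothing inside the patch goes through sanitizeAudioPortConfig(), which this commit does apply in SET_AUDIO_PORT_CONFIG and START_AUDIO_SOURCE. If `struct audio_patch` embeds `audio_port_config` entries with device address strings (its definition is not part of this diff), those strings are passed on without a guaranteed terminator. Either sanitize each embedded config before the patch is used, or add a comment such as `// port configs inside patch are validated downstream` naming where that check lives. The case body continues outside the hunk.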
@@ -1374,6 +1382,14 @@ status_t BnAudioPolicyService::onTransact( } } +/** returns true if string overflow was prevented by zero termination */ +template <size_t size> +static bool preventStringOverflow(char (&s)[size]) { + if (strnlen(s, size) < size) return false; + s[size - 1] = '\0'; + return true; +} + void BnAudioPolicyService::sanetizeAudioAttributes(audio_attributes_t* attr) { const size_t tagsMaxSize = AUDIO_ATTRIBUTES_TAGS_MAX_SIZE; @@ -1383,6 +1399,27 @@ void BnAudioPolicyService::sanetizeAudioAttributes(audio_attributes_t* attr) attr->tags[tagsMaxSize - 1] = '\0'; } +/** returns BAD_VALUE if sanitization was required. */ +status_t BnAudioPolicyService::sanitizeEffectDescriptor(effect_descriptor_t* desc) +{ + if (preventStringOverflow(desc->name) + | /* always */ preventStringOverflow(desc->implementor)) { + android_errorWriteLog(0x534e4554, "73126106"); // SafetyNet logging + return BAD_VALUE; + } + return NO_ERROR; +} + +/** returns BAD_VALUE if sanitization was required. */ +status_t BnAudioPolicyService::sanitizeAudioPortConfig(struct audio_port_config* config) +{ + if (config->type == AUDIO_PORT_TYPE_DEVICE && + preventStringOverflow(config->ext.device.address)) { + return BAD_VALUE; + } + return NO_ERROR; +} + // ---------------------------------------------------------------------------- } // namespace android diff --git a/media/libmedia/ICrypto.cpp b/media/libmedia/ICrypto.cpp index 26dd2c95bf..0ccf169ecf 100644 --- a/media/libmedia/ICrypto.cpp +++ b/media/libmedia/ICrypto.cpp 
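Review bot: sanitizeAudioPortConfig() truncates an unterminated `ext.device.address` silently, while sanitizeEffectDescriptor() just above it writes a SafetyNet log for the same condition, so one class of malformed request leaves no trace for detection. Log on that path as well under the appropriate bug id, or add a comment explaining why it is intentionally quiet. Both doc comments say `returns BAD_VALUE if sanitization was required`, yet every call site in this commit casts the result to `(void)`; a line such as `// callers currently ignore the status; the string is always terminated on return` would make the actual contract clear.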
@@ -199,8 +199,13 @@ IMPLEMENT_META_INTERFACE(Crypto, "android.hardware.ICrypto"); void BnCrypto::readVector(const Parcel &data, Vector<uint8_t> &vector) const { uint32_t size = data.readInt32(); - vector.insertAt((size_t)0, size); - data.read(vector.editArray(), size); + if (vector.insertAt((size_t)0, size) < 0) { + vector.clear(); + } + if (data.read(vector.editArray(), size) != NO_ERROR) { + vector.clear(); + android_errorWriteWithInfoLog(0x534e4554, "62872384", -1, NULL, 0); + } } void BnCrypto::writeVector(Parcel *reply, Vector<uint8_t> const &vector) const { diff --git a/media/libstagefright/VideoFrameScheduler.cpp b/media/libstagefright/VideoFrameScheduler.cpp index 03226c753e..6819bba40c 100644 --- a/media/libstagefright/VideoFrameScheduler.cpp +++ b/media/libstagefright/VideoFrameScheduler.cpp @@ -129,6 +129,11 @@ bool VideoFrameScheduler::PLL::fit( numSamplesToUse = mNumSamples; } + if ((period >> kPrecision) == 0 ) { + ALOGW("Period is 0, or after including precision is 0 - would cause div0, returning"); + return false; + } + int64_t sumX = 0; int64_t sumXX = 0; int64_t sumXY = 0; diff --git a/media/libstagefright/codecs/mp3dec/src/pvmp3_decode_header.cpp b/media/libstagefright/codecs/mp3dec/src/pvmp3_decode_header.cpp index d443b7ccfe..bc5fd79526 100644 --- a/media/libstagefright/codecs/mp3dec/src/pvmp3_decode_header.cpp +++ b/media/libstagefright/codecs/mp3dec/src/pvmp3_decode_header.cpp @@ -184,7 +184,7 @@ ERROR_CODE pvmp3_decode_header(tmp3Bits *inputStream, info->emphasis = (temp << 30) >> 30; /* 2 */ - if (!info->bitrate_index || info->sampling_frequency == 3) + if (!info->bitrate_index || info->bitrate_index == 15 || info->sampling_frequency == 3) { err = UNSUPPORTED_FREE_BITRATE; } diff --git a/media/libstagefright/httplive/M3UParser.cpp b/media/libstagefright/httplive/M3UParser.cpp index 1242c9548d..d7bfbb348b 100644 --- a/media/libstagefright/httplive/M3UParser.cpp +++ b/media/libstagefright/httplive/M3UParser.cpp 
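Review bot: When `vector.insertAt((size_t)0, size)` fails, readVector() clears the vector and then still calls `data.read(vector.editArray(), size)` with the parcel-supplied `size`, so the destination is no longer known to hold `size` bytes. Parcel::read may well fail first for a size it cannot satisfy, but the function should not depend on that; leave right after the clear, i.e. `vector.clear(); return;`. Consider emitting the same `android_errorWriteWithInfoLog(0x534e4554, "62872384", -1, NULL, 0);` on that path so both failure modes are visible in logs.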
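Review bot: The added `info->bitrate_index == 15` test in pvmp3_decode_header has no comment, and the error it yields is UNSUPPORTED_FREE_BITRATE although index 15 is the reserved value rather than the free-format one (index 0). A short comment such as `/* 0 = free format (unsupported), 15 = reserved: neither may be used as a bitrate table index */` would tell the next reader why the value is rejected. The table lookup itself is outside this hunk, so confirm that wording against it.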
@@ -56,7 +56,7 @@ struct M3UParser::MediaGroup : public RefBase { const char *language, uint32_t flags); - bool getActiveURI(AString *uri) const; + bool getActiveURI(AString *uri, const char *baseURL) const; void pickRandomMediaItems(); status_t selectTrack(size_t index, bool select); @@ -75,6 +75,7 @@ private: AString mURI; AString mLanguage; uint32_t mFlags; + AString makeURL(const char *baseURL) const; }; Type mType; @@ -227,12 +228,16 @@ sp<AMessage> M3UParser::MediaGroup::getTrackInfo(size_t index) const { return format; } -bool M3UParser::MediaGroup::getActiveURI(AString *uri) const { +bool M3UParser::MediaGroup::getActiveURI(AString *uri, const char *baseURL) const { for (size_t i = 0; i < mMediaItems.size(); ++i) { if (mSelectedIndex >= 0 && i == (size_t)mSelectedIndex) { const Media &item = mMediaItems.itemAt(i); - *uri = item.mURI; + if (item.mURI.empty()) { + *uri = ""; + } else { + *uri = item.makeURL(baseURL); + } return true; } } @@ -321,7 +326,7 @@ bool M3UParser::itemAt(size_t index, AString *uri, sp<AMessage> *meta) { } if (uri) { - *uri = mItems.itemAt(index).mURI; + *uri = mItems.itemAt(index).makeURL(mBaseURI.c_str()); } if (meta) { @@ -427,7 +432,7 @@ bool M3UParser::getTypeURI(size_t index, const char *key, AString *uri) const { AString groupID; if (!meta->findString(key, &groupID)) { if (uri != NULL) { - *uri = mItems.itemAt(index).mURI; + *uri = mItems.itemAt(index).makeURL(mBaseURI.c_str()); } AString codecs; @@ -458,12 +463,12 @@ bool M3UParser::getTypeURI(size_t index, const char *key, AString *uri) const { // don't care about the active URI (or if there is an active one) if (uri != NULL) { sp<MediaGroup> group = mMediaGroups.valueFor(groupID); - if (!group->getActiveURI(uri)) { + if (!group->getActiveURI(uri, mBaseURI.c_str())) { return false; } if ((*uri).empty()) { - *uri = mItems.itemAt(index).mURI; + *uri = mItems.itemAt(index).makeURL(mBaseURI.c_str()); } } 
@@ -544,6 +549,18 @@ static bool MakeURL(const char *baseURL, const char *url, AString *out) { return true; } +AString M3UParser::Item::makeURL(const char *baseURL) const { + AString out; + CHECK(MakeURL(baseURL, mURI.c_str(), &out)); + return out; +} + +AString M3UParser::MediaGroup::Media::makeURL(const char *baseURL) const { + AString out; + CHECK(MakeURL(baseURL, mURI.c_str(), &out)); + return out; +} + status_t M3UParser::parse(const void *_data, size_t size) { int32_t lineNo = 0; @@ -674,7 +691,7 @@ status_t M3UParser::parse(const void *_data, size_t size) { mItems.push(); Item *item = &mItems.editItemAt(mItems.size() - 1); - CHECK(MakeURL(mBaseURI.c_str(), line.c_str(), &item->mURI)); + item->mURI = line; item->mMeta = itemMeta; @@ -1186,9 +1203,7 @@ status_t M3UParser::parseMedia(const AString &line) { AString tmp(val, 1, val.size() - 2); - if (!MakeURL(mBaseURI.c_str(), tmp.c_str(), &groupURI)) { - ALOGI("Failed to make absolute URI from '%s'.", tmp.c_str()); - } + groupURI = tmp; haveGroupURI = true; } diff --git a/media/libstagefright/httplive/M3UParser.h b/media/libstagefright/httplive/M3UParser.h index fa648ed7d3..c85335abc2 100644 --- a/media/libstagefright/httplive/M3UParser.h +++ b/media/libstagefright/httplive/M3UParser.h @@ -64,6 +64,7 @@ private: struct Item { AString mURI; sp<AMessage> mMeta; + AString makeURL(const char *baseURL) const; }; status_t mInitCheck; diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp index c21097b4dc..ca2be5488a 100644 --- a/media/libstagefright/id3/ID3.cpp +++ b/media/libstagefright/id3/ID3.cpp 
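Review bot: Both new makeURL() helpers wrap MakeURL() in `CHECK(...)`, so a failure while resolving a playlist URI now aborts the process at lookup time. For media-group URIs this is stricter than the code this commit removes from parseMedia(), which only logged `Failed to make absolute URI from '%s'.` and carried on. Because the input comes from a downloaded playlist, a recoverable path is preferable, e.g. `if (!MakeURL(baseURL, mURI.c_str(), &out)) { out.clear(); }`, with getActiveURI() and itemAt() reporting failure on an empty result. The two bodies are identical and could share one static helper. MakeURL's own body is outside the hunk, so which inputs make it return false should be confirmed there.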
@@ -328,12 +328,25 @@ struct id3_header { } void ID3::removeUnsynchronization() { - for (size_t i = 0; i + 1 < mSize; ++i) { - if (mData[i] == 0xff && mData[i + 1] == 0x00) { - memmove(&mData[i + 1], &mData[i + 2], mSize - i - 2); - --mSize; + + // This file has "unsynchronization", so we have to replace occurrences + // of 0xff 0x00 with just 0xff in order to get the real data. + + size_t writeOffset = 1; + for (size_t readOffset = 1; readOffset < mSize; ++readOffset) { + if (mData[readOffset - 1] == 0xff && mData[readOffset] == 0x00) { + continue; } + // Only move data if there's actually something to move. + // This handles the special case of the data being only [0xff, 0x00] + // which should be converted to just 0xff if unsynchronization is on. + mData[writeOffset++] = mData[readOffset]; + } + + if (writeOffset < mSize) { + mSize = writeOffset; } + } static void WriteSyncsafeInteger(uint8_t *dst, size_t x) { @@ -590,6 +603,9 @@ void ID3::Iterator::getstring(String8 *id, bool otherdata) const { // UCS-2 // API wants number of characters, not number of bytes... int len = n / 2; + if (len == 0) { + return; + } const char16_t *framedata = (const char16_t *) (frameData + 1); char16_t *framedatacopy = NULL; if (*framedata == 0xfffe) { diff --git a/media/libstagefright/mpeg2ts/ESQueue.cpp b/media/libstagefright/mpeg2ts/ESQueue.cpp index 7599c13fd7..c454a0e49b 100644 --- a/media/libstagefright/mpeg2ts/ESQueue.cpp +++ b/media/libstagefright/mpeg2ts/ESQueue.cpp @@ -1202,7 +1202,9 @@ static ssize_t getNextChunkSize( const uint8_t *data, size_t size) { static const char kStartCode[] = "\x00\x00\x01"; - if (size < 3) { + // per ISO/IEC 14496-2 6.2.1, a chunk has a 3-byte prefix + 1-byte start code + // we need at least <prefix><start><next prefix> to successfully scan + if (size < 3 + 1 + 3) { return -EAGAIN; } 
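Review bot: In removeUnsynchronization() the comment `Only move data if there's actually something to move` sits above a store that runs for every non-skipped byte, including the self-assignment when `writeOffset == readOffset`, so it does not describe the code beneath it. The part that needs explaining is the final guard: `writeOffset` starts at 1, so without `if (writeOffset < mSize)` an empty buffer would have its size raised to 1. I would move the explanation there, e.g. `// writeOffset starts at 1; never let it enlarge an empty buffer`.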
@@ -1210,7 +1212,7 @@ static ssize_t getNextChunkSize( return -EAGAIN; } - size_t offset = 3; + size_t offset = 4; while (offset + 2 < size) { if (!memcmp(&data[offset], kStartCode, 3)) { return offset; @@ -1261,6 +1263,9 @@ sp<ABuffer> ElementaryStreamQueue::dequeueAccessUnitMPEG4Video() { state = EXPECT_VISUAL_OBJECT_START; } else { discard = true; + offset += chunkSize; + ALOGW("b/74114680, advance to next chunk"); + android_errorWriteLog(0x534e4554, "74114680"); } break; } diff --git a/media/ndk/NdkMediaCodec.cpp b/media/ndk/NdkMediaCodec.cpp index 50b490d457..73e733e77b 100644 --- a/media/ndk/NdkMediaCodec.cpp +++ b/media/ndk/NdkMediaCodec.cpp @@ -447,7 +447,13 @@ AMediaCodecCryptoInfo *AMediaCodecCryptoInfo_new( size_t *encryptedbytes) { // size needed to store all the crypto data - size_t cryptosize = sizeof(AMediaCodecCryptoInfo) + sizeof(size_t) * numsubsamples * 2; + size_t cryptosize; + // = sizeof(AMediaCodecCryptoInfo) + sizeof(size_t) * numsubsamples * 2; + if (__builtin_mul_overflow(sizeof(size_t) * 2, numsubsamples, &cryptosize) || + __builtin_add_overflow(cryptosize, sizeof(AMediaCodecCryptoInfo), &cryptosize)) { + ALOGE("crypto size overflow"); + return NULL; + } AMediaCodecCryptoInfo *ret = (AMediaCodecCryptoInfo*) malloc(cryptosize); if (!ret) { ALOGE("couldn't allocate %zu bytes", cryptosize); diff --git a/services/audiopolicy/common/managerdefinitions/src/AudioPort.cpp b/services/audiopolicy/common/managerdefinitions/src/AudioPort.cpp index 17ed537fc9..ce9bdc2125 100644 --- a/services/audiopolicy/common/managerdefinitions/src/AudioPort.cpp +++ b/services/audiopolicy/common/managerdefinitions/src/AudioPort.cpp @@ -384,6 +384,7 @@ AudioPortConfig::AudioPortConfig() mSamplingRate = 0; mChannelMask = AUDIO_CHANNEL_NONE; mFormat = AUDIO_FORMAT_INVALID; + memset(&mGain, 0, sizeof(struct audio_gain_config)); mGain.index = -1; } |
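Review bot: In AMediaCodecCryptoInfo_new the old expression is left behind as a dangling comment, `// = sizeof(AMediaCodecCryptoInfo) + sizeof(size_t) * numsubsamples * 2;`, which reads like disabled code next to the declaration. State it as the intent of the checked arithmetic instead, e.g. `// cryptosize = sizeof(AMediaCodecCryptoInfo) + 2 * numsubsamples * sizeof(size_t), rejected on overflow`. The copies that later fill the allocation are outside this hunk; they should use the same `numsubsamples`-derived sizes that were validated here.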