Android-x86
Fork
Donation

  • R/O
  • HTTP
  • SSH
  • HTTPS

frameworks-av: Commit

frameworks/av


Commit MetaInfo

Revisiona08f2bda2d4583bd9773a87943f3d1fe185e6f72 (tree)
Time2017-01-10 23:06:17
AuthorChih-Wei Huang <cwhuang@linu...>
CommiterChih-Wei Huang

Log Message

Android 6.0.1 release 74
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEABECAAYFAlgczssACgkQ6K0/gZqxDniZ/wCfc1tsgiiSQV9j8C594TN329rH
QjcAnjfSfAlZcTDNEjaXx8pfaAbJ2wva
=kF4O
-----END PGP SIGNATURE-----

Merge tag 'android-6.0.1_r74' into marshmallow-x86

Android 6.0.1 release 74

Change Summary

Incremental Difference

--- a/include/media/IOMX.h
+++ b/include/media/IOMX.h
@@ -107,7 +107,7 @@ public:
107107 // Use |params| as an OMX buffer, but limit the size of the OMX buffer to |allottedSize|.
108108 virtual status_t useBuffer(
109109 node_id node, OMX_U32 port_index, const sp<IMemory> &params,
110- buffer_id *buffer, OMX_U32 allottedSize) = 0;
110+ buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess = OMX_FALSE) = 0;
111111
112112 virtual status_t useGraphicBuffer(
113113 node_id node, OMX_U32 port_index,
@@ -149,7 +149,7 @@ public:
149149 // may be larger.
150150 virtual status_t allocateBufferWithBackup(
151151 node_id node, OMX_U32 port_index, const sp<IMemory> &params,
152- buffer_id *buffer, OMX_U32 allottedSize) = 0;
152+ buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess = OMX_FALSE) = 0;
153153
154154 virtual status_t freeBuffer(
155155 node_id node, OMX_U32 port_index, buffer_id buffer) = 0;
--- a/include/radio/Radio.h
+++ b/include/radio/Radio.h
@@ -75,7 +75,7 @@ public:
7575 private:
7676 Radio(radio_handle_t handle,
7777 const sp<RadioCallback>&);
78- static const sp<IRadioService>& getRadioService();
78+ static const sp<IRadioService> getRadioService();
7979
8080 Mutex mLock;
8181 sp<IRadio> mIRadio;
--- a/include/soundtrigger/SoundTrigger.h
+++ b/include/soundtrigger/SoundTrigger.h
@@ -68,7 +68,7 @@ public:
6868 private:
6969 SoundTrigger(sound_trigger_module_handle_t module,
7070 const sp<SoundTriggerCallback>&);
71- static const sp<ISoundTriggerHwService>& getSoundTriggerHwService();
71+ static const sp<ISoundTriggerHwService> getSoundTriggerHwService();
7272
7373 Mutex mLock;
7474 sp<ISoundTrigger> mISoundTrigger;
--- a/media/libeffects/visualizer/EffectVisualizer.cpp
+++ b/media/libeffects/visualizer/EffectVisualizer.cpp
@@ -25,6 +25,7 @@
2525 #include <time.h>
2626 #include <math.h>
2727 #include <audio_effects/effect_visualizer.h>
28+#include <cutils/log.h>
2829
2930
3031 extern "C" {
@@ -599,6 +600,14 @@ int Visualizer_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize,
599600 } break;
600601
601602 case VISUALIZER_CMD_MEASURE: {
603+ if (pReplyData == NULL || replySize == NULL ||
604+ *replySize < (sizeof(int32_t) * MEASUREMENT_COUNT)) {
605+ ALOGV("VISUALIZER_CMD_MEASURE() error *replySize %" PRIu32
606+ " < (sizeof(int32_t) * MEASUREMENT_COUNT) %" PRIu32, *replySize,
607+ sizeof(int32_t) * MEASUREMENT_COUNT);
608+ android_errorWriteLog(0x534e4554, "30229821");
609+ return -EINVAL;
610+ }
602611 uint16_t peakU16 = 0;
603612 float sumRmsSquared = 0.0f;
604613 uint8_t nbValidMeasurements = 0;
--- a/media/libmedia/IDrm.cpp
+++ b/media/libmedia/IDrm.cpp
@@ -912,7 +912,7 @@ status_t BnDrm::onTransact(
912912 readVector(data, keyId);
913913 readVector(data, message);
914914 readVector(data, signature);
915- bool match;
915+ bool match = false;
916916 uint32_t result = verify(sessionId, keyId, message, signature, match);
917917 reply->writeInt32(match);
918918 reply->writeInt32(result);
--- a/media/libmedia/IOMX.cpp
+++ b/media/libmedia/IOMX.cpp
@@ -248,7 +248,7 @@ public:
248248
249249 virtual status_t useBuffer(
250250 node_id node, OMX_U32 port_index, const sp<IMemory> &params,
251- buffer_id *buffer, OMX_U32 allottedSize) {
251+ buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL /* crossProcess */) {
252252 Parcel data, reply;
253253 data.writeInterfaceToken(IOMX::getInterfaceDescriptor());
254254 data.writeInt32((int32_t)node);
@@ -481,7 +481,7 @@ public:
481481
482482 virtual status_t allocateBufferWithBackup(
483483 node_id node, OMX_U32 port_index, const sp<IMemory> &params,
484- buffer_id *buffer, OMX_U32 allottedSize) {
484+ buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL /* crossProcess */) {
485485 Parcel data, reply;
486486 data.writeInterfaceToken(IOMX::getInterfaceDescriptor());
487487 data.writeInt32((int32_t)node);
@@ -733,31 +733,35 @@ status_t BnOMX::onTransact(
733733 // mark the last page as inaccessible, to avoid exploitation
734734 // of codecs that access past the end of the allocation because
735735 // they didn't check the size
736- mprotect((char*)params + allocSize - pageSize, pageSize, PROT_NONE);
737- switch (code) {
738- case GET_PARAMETER:
739- err = getParameter(node, index, params, size);
740- break;
741- case SET_PARAMETER:
742- err = setParameter(node, index, params, size);
743- break;
744- case GET_CONFIG:
745- err = getConfig(node, index, params, size);
746- break;
747- case SET_CONFIG:
748- err = setConfig(node, index, params, size);
749- break;
750- case SET_INTERNAL_OPTION:
751- {
752- InternalOptionType type =
753- (InternalOptionType)data.readInt32();
754-
755- err = setInternalOption(node, index, type, params, size);
756- break;
736+ if (mprotect((char*)params + allocSize - pageSize, pageSize,
737+ PROT_NONE) != 0) {
738+ ALOGE("mprotect failed: %s", strerror(errno));
739+ } else {
740+ switch (code) {
741+ case GET_PARAMETER:
742+ err = getParameter(node, index, params, size);
743+ break;
744+ case SET_PARAMETER:
745+ err = setParameter(node, index, params, size);
746+ break;
747+ case GET_CONFIG:
748+ err = getConfig(node, index, params, size);
749+ break;
750+ case SET_CONFIG:
751+ err = setConfig(node, index, params, size);
752+ break;
753+ case SET_INTERNAL_OPTION:
754+ {
755+ InternalOptionType type =
756+ (InternalOptionType)data.readInt32();
757+
758+ err = setInternalOption(node, index, type, params, size);
759+ break;
760+ }
761+
762+ default:
763+ TRESPASS();
757764 }
758-
759- default:
760- TRESPASS();
761765 }
762766 }
763767 }
@@ -834,7 +838,8 @@ status_t BnOMX::onTransact(
834838 OMX_U32 allottedSize = data.readInt32();
835839
836840 buffer_id buffer;
837- status_t err = useBuffer(node, port_index, params, &buffer, allottedSize);
841+ status_t err = useBuffer(
842+ node, port_index, params, &buffer, allottedSize, OMX_TRUE /* crossProcess */);
838843 reply->writeInt32(err);
839844
840845 if (err == OK) {
@@ -969,7 +974,10 @@ status_t BnOMX::onTransact(
969974 OMX_BOOL enable = (OMX_BOOL)data.readInt32();
970975
971976 MetadataBufferType type = kMetadataBufferTypeInvalid;
972- status_t err = storeMetaDataInBuffers(node, port_index, enable, &type);
977+ status_t err =
978+ // only control output metadata via Binder
979+ port_index != 1 /* kOutputPortIndex */ ? BAD_VALUE :
980+ storeMetaDataInBuffers(node, port_index, enable, &type);
973981
974982 reply->writeInt32(type);
975983 reply->writeInt32(err);
@@ -1054,7 +1062,7 @@ status_t BnOMX::onTransact(
10541062
10551063 buffer_id buffer;
10561064 status_t err = allocateBufferWithBackup(
1057- node, port_index, params, &buffer, allottedSize);
1065+ node, port_index, params, &buffer, allottedSize, OMX_TRUE /* crossProcess */);
10581066
10591067 reply->writeInt32(err);
10601068
--- a/media/libmediaplayerservice/MediaPlayerService.cpp
+++ b/media/libmediaplayerservice/MediaPlayerService.cpp
@@ -559,6 +559,12 @@ void MediaPlayerService::removeClient(wp<Client> client)
559559 mClients.remove(client);
560560 }
561561
562+bool MediaPlayerService::hasClient(wp<Client> client)
563+{
564+ Mutex::Autolock lock(mLock);
565+ return mClients.indexOf(client) != NAME_NOT_FOUND;
566+}
567+
562568 MediaPlayerService::Client::Client(
563569 const sp<MediaPlayerService>& service, pid_t pid,
564570 int32_t connId, const sp<IMediaPlayerClient>& client,
@@ -1056,6 +1062,10 @@ status_t MediaPlayerService::Client::setNextPlayer(const sp<IMediaPlayer>& playe
10561062 ALOGV("setNextPlayer");
10571063 Mutex::Autolock l(mLock);
10581064 sp<Client> c = static_cast<Client*>(player.get());
1065+ if (c != NULL && !mService->hasClient(c)) {
1066+ return BAD_VALUE;
1067+ }
1068+
10591069 mNextClient = c;
10601070
10611071 if (c != NULL) {
--- a/media/libmediaplayerservice/MediaPlayerService.h
+++ b/media/libmediaplayerservice/MediaPlayerService.h
@@ -226,6 +226,7 @@ public:
226226 virtual status_t dump(int fd, const Vector<String16>& args);
227227
228228 void removeClient(wp<Client> client);
229+ bool hasClient(wp<Client> client);
229230
230231 // For battery usage tracking purpose
231232 struct BatteryUsageInfo {
--- a/media/libstagefright/ACodec.cpp
+++ b/media/libstagefright/ACodec.cpp
@@ -1655,7 +1655,10 @@ status_t ACodec::configureCodec(
16551655 ALOGE("[%s] storeMetaDataInBuffers (input) failed w/ err %d",
16561656 mComponentName.c_str(), err);
16571657
1658- return err;
1658+ if (mOMX->livesLocally(mNode, getpid())) {
1659+ return err;
1660+ }
1661+ ALOGI("ignoring failure to use internal MediaCodec key.");
16591662 }
16601663 // For this specific case we could be using camera source even if storeMetaDataInBuffers
16611664 // returns Gralloc source. Pretend that we are; this will force us to use nBufferSize.
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -50,6 +50,12 @@
5050
5151 namespace android {
5252
53+enum {
54+ // maximum size of an atom. Some atoms can be bigger according to the spec,
55+ // but we only allow up to this size.
56+ kMaxAtomSize = 64 * 1024 * 1024,
57+};
58+
5359 class MPEG4Source : public MediaSource {
5460 public:
5561 // Caller retains ownership of both "dataSource" and "sampleTable".
@@ -836,6 +842,13 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
836842 PathAdder autoAdder(&mPath, chunk_type);
837843
838844 off64_t chunk_data_size = *offset + chunk_size - data_offset;
845+ if (chunk_type != FOURCC('m', 'd', 'a', 't') && chunk_data_size > kMaxAtomSize) {
846+ char errMsg[100];
847+ sprintf(errMsg, "%s atom has size %" PRId64, chunk, chunk_data_size);
848+ ALOGE("%s (b/28615448)", errMsg);
849+ android_errorWriteWithInfoLog(0x534e4554, "28615448", -1, errMsg, strlen(errMsg));
850+ return ERROR_MALFORMED;
851+ }
839852
840853 if (chunk_type != FOURCC('c', 'p', 'r', 't')
841854 && chunk_type != FOURCC('c', 'o', 'v', 'r')
--- a/media/libstagefright/OMXClient.cpp
+++ b/media/libstagefright/OMXClient.cpp
@@ -90,7 +90,7 @@ struct MuxOMX : public IOMX {
9090
9191 virtual status_t useBuffer(
9292 node_id node, OMX_U32 port_index, const sp<IMemory> &params,
93- buffer_id *buffer, OMX_U32 allottedSize);
93+ buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess);
9494
9595 virtual status_t useGraphicBuffer(
9696 node_id node, OMX_U32 port_index,
@@ -120,7 +120,7 @@ struct MuxOMX : public IOMX {
120120
121121 virtual status_t allocateBufferWithBackup(
122122 node_id node, OMX_U32 port_index, const sp<IMemory> &params,
123- buffer_id *buffer, OMX_U32 allottedSize);
123+ buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess);
124124
125125 virtual status_t freeBuffer(
126126 node_id node, OMX_U32 port_index, buffer_id buffer);
@@ -322,8 +322,9 @@ status_t MuxOMX::getGraphicBufferUsage(
322322
323323 status_t MuxOMX::useBuffer(
324324 node_id node, OMX_U32 port_index, const sp<IMemory> &params,
325- buffer_id *buffer, OMX_U32 allottedSize) {
326- return getOMX(node)->useBuffer(node, port_index, params, buffer, allottedSize);
325+ buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL /* crossProcess */) {
326+ return getOMX(node)->useBuffer(
327+ node, port_index, params, buffer, allottedSize, OMX_FALSE /* crossProcess */);
327328 }
328329
329330 status_t MuxOMX::useGraphicBuffer(
@@ -375,9 +376,9 @@ status_t MuxOMX::allocateBuffer(
375376
376377 status_t MuxOMX::allocateBufferWithBackup(
377378 node_id node, OMX_U32 port_index, const sp<IMemory> &params,
378- buffer_id *buffer, OMX_U32 allottedSize) {
379+ buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL /* crossProcess */) {
379380 return getOMX(node)->allocateBufferWithBackup(
380- node, port_index, params, buffer, allottedSize);
381+ node, port_index, params, buffer, allottedSize, OMX_FALSE /* crossProcess */);
381382 }
382383
383384 status_t MuxOMX::freeBuffer(
--- a/media/libstagefright/SampleIterator.cpp
+++ b/media/libstagefright/SampleIterator.cpp
@@ -94,8 +94,6 @@ status_t SampleIterator::seekTo(uint32_t sampleIndex) {
9494 + mFirstChunk;
9595
9696 if (!mInitialized || chunk != mCurrentChunkIndex) {
97- mCurrentChunkIndex = chunk;
98-
9997 status_t err;
10098 if ((err = getChunkOffset(chunk, &mCurrentChunkOffset)) != OK) {
10199 ALOGE("getChunkOffset return error");
@@ -106,18 +104,21 @@ status_t SampleIterator::seekTo(uint32_t sampleIndex) {
106104
107105 uint32_t firstChunkSampleIndex =
108106 mFirstChunkSampleIndex
109- + mSamplesPerChunk * (mCurrentChunkIndex - mFirstChunk);
107+ + mSamplesPerChunk * (chunk - mFirstChunk);
110108
111109 for (uint32_t i = 0; i < mSamplesPerChunk; ++i) {
112110 size_t sampleSize;
113111 if ((err = getSampleSizeDirect(
114112 firstChunkSampleIndex + i, &sampleSize)) != OK) {
115113 ALOGE("getSampleSizeDirect return error");
114+ mCurrentChunkSampleSizes.clear();
116115 return err;
117116 }
118117
119118 mCurrentChunkSampleSizes.push(sampleSize);
120119 }
120+
121+ mCurrentChunkIndex = chunk;
121122 }
122123
123124 uint32_t chunkRelativeSampleIndex =
--- a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp
+++ b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp
@@ -216,8 +216,17 @@ void SoftMPEG4::onQueueFilled(OMX_U32 /* portIndex */) {
216216 PortInfo *port = editPortInfo(1);
217217 OMX_BUFFERHEADERTYPE *outHeader = port->mBuffers.editItemAt(1).mHeader;
218218
219+ OMX_U32 yFrameSize = sizeof(uint8) * mHandle->size;
220+ if ((outHeader->nAllocLen < yFrameSize) ||
221+ (outHeader->nAllocLen - yFrameSize < yFrameSize / 2)) {
222+ ALOGE("Too small output buffer for reference frame: %lu bytes",
223+ (unsigned long)outHeader->nAllocLen);
224+ android_errorWriteLog(0x534e4554, "30033990");
225+ notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL);
226+ mSignalledError = true;
227+ return;
228+ }
219229 PVSetReferenceYUV(mHandle, outHeader->pBuffer);
220-
221230 mFramesConfigured = true;
222231 }
223232
@@ -235,7 +244,16 @@ void SoftMPEG4::onQueueFilled(OMX_U32 /* portIndex */) {
235244 int32_t bufferSize = inHeader->nFilledLen;
236245 int32_t tmp = bufferSize;
237246
238- OMX_U32 frameSize = (mWidth * mHeight * 3) / 2;
247+ OMX_U32 frameSize;
248+ OMX_U64 yFrameSize = (OMX_U64)mWidth * (OMX_U64)mHeight;
249+ if (yFrameSize > ((OMX_U64)UINT32_MAX / 3) * 2) {
250+ ALOGE("Frame size too large");
251+ notify(OMX_EventError, OMX_ErrorUndefined, 0, NULL);
252+ mSignalledError = true;
253+ return;
254+ }
255+ frameSize = (OMX_U32)(yFrameSize + (yFrameSize / 2));
256+
239257 if (outHeader->nAllocLen < frameSize) {
240258 android_errorWriteLog(0x534e4554, "27833616");
241259 ALOGE("Insufficient output buffer size");
--- a/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp
+++ b/media/libstagefright/codecs/m4v_h263/enc/SoftMPEG4Encoder.cpp
@@ -116,6 +116,10 @@ OMX_ERRORTYPE SoftMPEG4Encoder::initEncParams() {
116116 ALOGE("Failed to get default encoding parameters");
117117 return OMX_ErrorUndefined;
118118 }
119+ if (mFramerate == 0) {
120+ ALOGE("Framerate should not be 0");
121+ return OMX_ErrorUndefined;
122+ }
119123 mEncParams->encMode = mEncodeMode;
120124 mEncParams->encWidth[0] = mWidth;
121125 mEncParams->encHeight[0] = mHeight;
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -77,7 +77,10 @@ ID3::ID3(const uint8_t *data, size_t size, bool ignoreV1)
7777 mFirstFrameOffset(0),
7878 mVersion(ID3_UNKNOWN),
7979 mRawSize(0) {
80- sp<MemorySource> source = new MemorySource(data, size);
80+ sp<MemorySource> source = new (std::nothrow) MemorySource(data, size);
81+
82+ if (source == NULL)
83+ return;
8184
8285 mIsValid = parseV2(source, 0);
8386
@@ -542,6 +545,10 @@ void ID3::Iterator::getstring(String8 *id, bool otherdata) const {
542545 n -= skipped;
543546 }
544547
548+ if (n <= 0) {
549+ return;
550+ }
551+
545552 if (encoding == 0x00) {
546553 // supposedly ISO 8859-1
547554 id->setTo((const char*)frameData + 1, n);
@@ -555,11 +562,16 @@ void ID3::Iterator::getstring(String8 *id, bool otherdata) const {
555562 const char16_t *framedata = (const char16_t *) (frameData + 1);
556563 char16_t *framedatacopy = NULL;
557564 #if BYTE_ORDER == LITTLE_ENDIAN
558- framedatacopy = new char16_t[len];
559- for (int i = 0; i < len; i++) {
560- framedatacopy[i] = bswap_16(framedata[i]);
565+ if (len > 0) {
566+ framedatacopy = new (std::nothrow) char16_t[len];
567+ if (framedatacopy == NULL) {
568+ return;
569+ }
570+ for (int i = 0; i < len; i++) {
571+ framedatacopy[i] = bswap_16(framedata[i]);
572+ }
573+ framedata = framedatacopy;
561574 }
562- framedata = framedatacopy;
563575 #endif
564576 id->setTo(framedata, len);
565577 if (framedatacopy != NULL) {
@@ -572,15 +584,26 @@ void ID3::Iterator::getstring(String8 *id, bool otherdata) const {
572584 const char16_t *framedata = (const char16_t *) (frameData + 1);
573585 char16_t *framedatacopy = NULL;
574586 if (*framedata == 0xfffe) {
575- // endianness marker doesn't match host endianness, convert
576- framedatacopy = new char16_t[len];
587+ // endianness marker != host endianness, convert & skip
588+ if (len <= 1) {
589+ return; // nothing after the marker
590+ }
591+ framedatacopy = new (std::nothrow) char16_t[len];
592+ if (framedatacopy == NULL) {
593+ return;
594+ }
577595 for (int i = 0; i < len; i++) {
578596 framedatacopy[i] = bswap_16(framedata[i]);
579597 }
580598 framedata = framedatacopy;
581- }
582- // If the string starts with an endianness marker, skip it
583- if (*framedata == 0xfeff) {
599+ // and skip over the marker
600+ framedata++;
601+ len--;
602+ } else if (*framedata == 0xfeff) {
603+ // endianness marker == host endianness, skip it
604+ if (len <= 1) {
605+ return; // nothing after the marker
606+ }
584607 framedata++;
585608 len--;
586609 }
@@ -595,12 +618,16 @@ void ID3::Iterator::getstring(String8 *id, bool otherdata) const {
595618 }
596619 if (eightBit) {
597620 // collapse to 8 bit, then let the media scanner client figure out the real encoding
598- char *frame8 = new char[len];
599- for (int i = 0; i < len; i++) {
600- frame8[i] = framedata[i];
621+ char *frame8 = new (std::nothrow) char[len];
622+ if (frame8 != NULL) {
623+ for (int i = 0; i < len; i++) {
624+ frame8[i] = framedata[i];
625+ }
626+ id->setTo(frame8, len);
627+ delete [] frame8;
628+ } else {
629+ id->setTo(framedata, len);
601630 }
602- id->setTo(frame8, len);
603- delete [] frame8;
604631 } else {
605632 id->setTo(framedata, len);
606633 }
--- a/media/libstagefright/include/OMX.h
+++ b/media/libstagefright/include/OMX.h
@@ -81,7 +81,7 @@ public:
8181
8282 virtual status_t useBuffer(
8383 node_id node, OMX_U32 port_index, const sp<IMemory> &params,
84- buffer_id *buffer, OMX_U32 allottedSize);
84+ buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess);
8585
8686 virtual status_t useGraphicBuffer(
8787 node_id node, OMX_U32 port_index,
@@ -113,7 +113,7 @@ public:
113113
114114 virtual status_t allocateBufferWithBackup(
115115 node_id node, OMX_U32 port_index, const sp<IMemory> &params,
116- buffer_id *buffer, OMX_U32 allottedSize);
116+ buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess);
117117
118118 virtual status_t freeBuffer(
119119 node_id node, OMX_U32 port_index, buffer_id buffer);
--- a/media/libstagefright/include/OMXNodeInstance.h
+++ b/media/libstagefright/include/OMXNodeInstance.h
@@ -21,6 +21,7 @@
2121 #include "OMX.h"
2222
2323 #include <utils/RefBase.h>
24+#include <utils/SortedVector.h>
2425 #include <utils/threads.h>
2526
2627 namespace android {
@@ -71,7 +72,7 @@ struct OMXNodeInstance {
7172
7273 status_t useBuffer(
7374 OMX_U32 portIndex, const sp<IMemory> &params,
74- OMX::buffer_id *buffer, OMX_U32 allottedSize);
75+ OMX::buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess);
7576
7677 status_t useGraphicBuffer(
7778 OMX_U32 portIndex, const sp<GraphicBuffer> &graphicBuffer,
@@ -101,7 +102,7 @@ struct OMXNodeInstance {
101102
102103 status_t allocateBufferWithBackup(
103104 OMX_U32 portIndex, const sp<IMemory> &params,
104- OMX::buffer_id *buffer, OMX_U32 allottedSize);
105+ OMX::buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess);
105106
106107 status_t freeBuffer(OMX_U32 portIndex, OMX::buffer_id buffer);
107108
@@ -146,6 +147,9 @@ private:
146147 OMX_HANDLETYPE mHandle;
147148 sp<IOMXObserver> mObserver;
148149 bool mDying;
150+ bool mSailed; // configuration is set (no more meta-mode changes)
151+ bool mQueriedProhibitedExtensions;
152+ SortedVector<OMX_INDEXTYPE> mProhibitedExtensions;
149153 bool mIsSecure;
150154
151155 // Lock only covers mGraphicBufferSource. We can't always use mLock
@@ -191,6 +195,8 @@ private:
191195 OMX::buffer_id findBufferID(OMX_BUFFERHEADERTYPE *bufferHeader);
192196 void invalidateBufferID(OMX::buffer_id buffer);
193197
198+ bool isProhibitedIndex_l(OMX_INDEXTYPE index);
199+
194200 status_t useGraphicBuffer2_l(
195201 OMX_U32 portIndex, const sp<GraphicBuffer> &graphicBuffer,
196202 OMX::buffer_id *buffer);
--- a/media/libstagefright/omx/OMX.cpp
+++ b/media/libstagefright/omx/OMX.cpp
@@ -368,9 +368,9 @@ status_t OMX::configureVideoTunnelMode(
368368
369369 status_t OMX::useBuffer(
370370 node_id node, OMX_U32 port_index, const sp<IMemory> &params,
371- buffer_id *buffer, OMX_U32 allottedSize) {
371+ buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess) {
372372 return findInstance(node)->useBuffer(
373- port_index, params, buffer, allottedSize);
373+ port_index, params, buffer, allottedSize, crossProcess);
374374 }
375375
376376 status_t OMX::useGraphicBuffer(
@@ -421,9 +421,9 @@ status_t OMX::allocateBuffer(
421421
422422 status_t OMX::allocateBufferWithBackup(
423423 node_id node, OMX_U32 port_index, const sp<IMemory> &params,
424- buffer_id *buffer, OMX_U32 allottedSize) {
424+ buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess) {
425425 return findInstance(node)->allocateBufferWithBackup(
426- port_index, params, buffer, allottedSize);
426+ port_index, params, buffer, allottedSize, crossProcess);
427427 }
428428
429429 status_t OMX::freeBuffer(node_id node, OMX_U32 port_index, buffer_id buffer) {
--- a/media/libstagefright/omx/OMXNodeInstance.cpp
+++ b/media/libstagefright/omx/OMXNodeInstance.cpp
@@ -101,26 +101,34 @@ static void InitOMXParams(T *params) {
101101 namespace android {
102102
103103 struct BufferMeta {
104- BufferMeta(const sp<IMemory> &mem, OMX_U32 portIndex, bool is_backup = false)
104+ BufferMeta(
105+ const sp<IMemory> &mem, OMX_U32 portIndex, bool copyToOmx,
106+ bool copyFromOmx, OMX_U8 *backup)
105107 : mMem(mem),
106- mIsBackup(is_backup),
107- mPortIndex(portIndex) {
108+ mCopyFromOmx(copyFromOmx),
109+ mCopyToOmx(copyToOmx),
110+ mPortIndex(portIndex),
111+ mBackup(backup) {
108112 }
109113
110114 BufferMeta(size_t size, OMX_U32 portIndex)
111115 : mSize(size),
112- mIsBackup(false),
113- mPortIndex(portIndex) {
116+ mCopyFromOmx(false),
117+ mCopyToOmx(false),
118+ mPortIndex(portIndex),
119+ mBackup(NULL) {
114120 }
115121
116122 BufferMeta(const sp<GraphicBuffer> &graphicBuffer, OMX_U32 portIndex)
117123 : mGraphicBuffer(graphicBuffer),
118- mIsBackup(false),
119- mPortIndex(portIndex) {
124+ mCopyFromOmx(false),
125+ mCopyToOmx(false),
126+ mPortIndex(portIndex),
127+ mBackup(NULL) {
120128 }
121129
122130 void CopyFromOMX(const OMX_BUFFERHEADERTYPE *header) {
123- if (!mIsBackup) {
131+ if (!mCopyFromOmx) {
124132 return;
125133 }
126134
@@ -131,7 +139,7 @@ struct BufferMeta {
131139 }
132140
133141 void CopyToOMX(const OMX_BUFFERHEADERTYPE *header) {
134- if (!mIsBackup) {
142+ if (!mCopyToOmx) {
135143 return;
136144 }
137145
@@ -159,6 +167,10 @@ struct BufferMeta {
159167 return buf;
160168 }
161169
170+ bool copyToOmx() const {
171+ return mCopyToOmx;
172+ }
173+
162174 void setGraphicBuffer(const sp<GraphicBuffer> &graphicBuffer) {
163175 mGraphicBuffer = graphicBuffer;
164176 }
@@ -167,12 +179,18 @@ struct BufferMeta {
167179 return mPortIndex;
168180 }
169181
182+ ~BufferMeta() {
183+ delete[] mBackup;
184+ }
185+
170186 private:
171187 sp<GraphicBuffer> mGraphicBuffer;
172188 sp<IMemory> mMem;
173189 size_t mSize;
174- bool mIsBackup;
190+ bool mCopyFromOmx;
191+ bool mCopyToOmx;
175192 OMX_U32 mPortIndex;
193+ OMX_U8 *mBackup;
176194
177195 BufferMeta(const BufferMeta &);
178196 BufferMeta &operator=(const BufferMeta &);
@@ -199,6 +217,8 @@ OMXNodeInstance::OMXNodeInstance(
199217 mHandle(NULL),
200218 mObserver(observer),
201219 mDying(false),
220+ mSailed(false),
221+ mQueriedProhibitedExtensions(false),
202222 mBufferIDCount(0)
203223 {
204224 mName = ADebug::GetDebugName(name);
@@ -370,7 +390,11 @@ status_t OMXNodeInstance::freeNode(OMXMaster *master) {
370390
371391 status_t OMXNodeInstance::sendCommand(
372392 OMX_COMMANDTYPE cmd, OMX_S32 param) {
373- const sp<GraphicBufferSource>& bufferSource(getGraphicBufferSource());
393+ if (cmd == OMX_CommandStateSet) {
394+ // There are no configurations past first StateSet command.
395+ mSailed = true;
396+ }
397+ const sp<GraphicBufferSource> bufferSource(getGraphicBufferSource());
374398 if (bufferSource != NULL && cmd == OMX_CommandStateSet) {
375399 if (param == OMX_StateIdle) {
376400 // Initiating transition from Executing -> Idle
@@ -403,10 +427,57 @@ status_t OMXNodeInstance::sendCommand(
403427 return StatusFromOMXError(err);
404428 }
405429
430+bool OMXNodeInstance::isProhibitedIndex_l(OMX_INDEXTYPE index) {
431+ // these extensions can only be used from OMXNodeInstance, not by clients directly.
432+ static const char *restricted_extensions[] = {
433+ "OMX.google.android.index.storeMetaDataInBuffers",
434+ "OMX.google.android.index.storeANWBufferInMetadata",
435+ "OMX.google.android.index.prepareForAdaptivePlayback",
436+ "OMX.google.android.index.configureVideoTunnelMode",
437+ "OMX.google.android.index.useAndroidNativeBuffer2",
438+ "OMX.google.android.index.useAndroidNativeBuffer",
439+ "OMX.google.android.index.enableAndroidNativeBuffers",
440+ "OMX.google.android.index.allocateNativeHandle",
441+ "OMX.google.android.index.getAndroidNativeBufferUsage",
442+ };
443+
444+ if ((index > OMX_IndexComponentStartUnused && index <= OMX_IndexParamStandardComponentRole)
445+ || (index > OMX_IndexPortStartUnused && index <= OMX_IndexParamCompBufferSupplier)
446+ || (index > OMX_IndexAudioStartUnused && index <= OMX_IndexConfigAudioChannelVolume)
447+ || (index > OMX_IndexVideoStartUnused && index <= OMX_IndexConfigVideoNalSize)
448+ || (index > OMX_IndexCommonStartUnused
449+ && index <= OMX_IndexConfigCommonTransitionEffect)
450+ || (index > (OMX_INDEXTYPE)OMX_IndexExtAudioStartUnused
451+ && index <= (OMX_INDEXTYPE)OMX_IndexParamAudioAndroidEac3)
452+ || (index > (OMX_INDEXTYPE)OMX_IndexExtVideoStartUnused
453+ && index <= (OMX_INDEXTYPE)OMX_IndexParamSliceSegments)
454+ || (index > (OMX_INDEXTYPE)OMX_IndexExtOtherStartUnused
455+ && index <= (OMX_INDEXTYPE)OMX_IndexParamConsumerUsageBits)) {
456+ return false;
457+ }
458+
459+ if (!mQueriedProhibitedExtensions) {
460+ for (size_t i = 0; i < NELEM(restricted_extensions); ++i) {
461+ OMX_INDEXTYPE ext;
462+ if (OMX_GetExtensionIndex(mHandle, (OMX_STRING)restricted_extensions[i], &ext) == OMX_ErrorNone) {
463+ mProhibitedExtensions.add(ext);
464+ }
465+ }
466+ mQueriedProhibitedExtensions = true;
467+ }
468+
469+ return mProhibitedExtensions.indexOf(index) >= 0;
470+}
471+
406472 status_t OMXNodeInstance::getParameter(
407473 OMX_INDEXTYPE index, void *params, size_t /* size */) {
408474 Mutex::Autolock autoLock(mLock);
409475
476+ if (isProhibitedIndex_l(index)) {
477+ android_errorWriteLog(0x534e4554, "29422020");
478+ return BAD_INDEX;
479+ }
480+
410481 OMX_ERRORTYPE err = OMX_GetParameter(mHandle, index, params);
411482 OMX_INDEXEXTTYPE extIndex = (OMX_INDEXEXTTYPE)index;
412483 // some errors are expected for getParameter
@@ -422,6 +493,11 @@ status_t OMXNodeInstance::setParameter(
422493 OMX_INDEXEXTTYPE extIndex = (OMX_INDEXEXTTYPE)index;
423494 CLOG_CONFIG(setParameter, "%s(%#x), %zu@%p)", asString(extIndex), index, size, params);
424495
496+ if (isProhibitedIndex_l(index)) {
497+ android_errorWriteLog(0x534e4554, "29422020");
498+ return BAD_INDEX;
499+ }
500+
425501 OMX_ERRORTYPE err = OMX_SetParameter(
426502 mHandle, index, const_cast<void *>(params));
427503 CLOG_IF_ERROR(setParameter, err, "%s(%#x)", asString(extIndex), index);
@@ -432,6 +508,11 @@ status_t OMXNodeInstance::getConfig(
432508 OMX_INDEXTYPE index, void *params, size_t /* size */) {
433509 Mutex::Autolock autoLock(mLock);
434510
511+ if (isProhibitedIndex_l(index)) {
512+ android_errorWriteLog(0x534e4554, "29422020");
513+ return BAD_INDEX;
514+ }
515+
435516 OMX_ERRORTYPE err = OMX_GetConfig(mHandle, index, params);
436517 OMX_INDEXEXTTYPE extIndex = (OMX_INDEXEXTTYPE)index;
437518 // some errors are expected for getConfig
@@ -447,6 +528,11 @@ status_t OMXNodeInstance::setConfig(
447528 OMX_INDEXEXTTYPE extIndex = (OMX_INDEXEXTTYPE)index;
448529 CLOG_CONFIG(setConfig, "%s(%#x), %zu@%p)", asString(extIndex), index, size, params);
449530
531+ if (isProhibitedIndex_l(index)) {
532+ android_errorWriteLog(0x534e4554, "29422020");
533+ return BAD_INDEX;
534+ }
535+
450536 OMX_ERRORTYPE err = OMX_SetConfig(
451537 mHandle, index, const_cast<void *>(params));
452538 CLOG_IF_ERROR(setConfig, err, "%s(%#x)", asString(extIndex), index);
@@ -526,6 +612,10 @@ status_t OMXNodeInstance::storeMetaDataInBuffers(
526612
527613 status_t OMXNodeInstance::storeMetaDataInBuffers_l(
528614 OMX_U32 portIndex, OMX_BOOL enable, MetadataBufferType *type) {
615+ if (mSailed) {
616+ android_errorWriteLog(0x534e4554, "29422020");
617+ return INVALID_OPERATION;
618+ }
529619 if (portIndex != kPortIndexInput && portIndex != kPortIndexOutput) {
530620 android_errorWriteLog(0x534e4554, "26324358");
531621 return BAD_VALUE;
@@ -593,6 +683,10 @@ status_t OMXNodeInstance::prepareForAdaptivePlayback(
593683 OMX_U32 portIndex, OMX_BOOL enable, OMX_U32 maxFrameWidth,
594684 OMX_U32 maxFrameHeight) {
595685 Mutex::Autolock autolock(mLock);
686+ if (mSailed) {
687+ android_errorWriteLog(0x534e4554, "29422020");
688+ return INVALID_OPERATION;
689+ }
596690 CLOG_CONFIG(prepareForAdaptivePlayback, "%s:%u en=%d max=%ux%u",
597691 portString(portIndex), portIndex, enable, maxFrameWidth, maxFrameHeight);
598692
@@ -623,6 +717,10 @@ status_t OMXNodeInstance::configureVideoTunnelMode(
623717 OMX_U32 portIndex, OMX_BOOL tunneled, OMX_U32 audioHwSync,
624718 native_handle_t **sidebandHandle) {
625719 Mutex::Autolock autolock(mLock);
720+ if (mSailed) {
721+ android_errorWriteLog(0x534e4554, "29422020");
722+ return INVALID_OPERATION;
723+ }
626724 CLOG_CONFIG(configureVideoTunnelMode, "%s:%u tun=%d sync=%u",
627725 portString(portIndex), portIndex, tunneled, audioHwSync);
628726
@@ -663,23 +761,48 @@ status_t OMXNodeInstance::configureVideoTunnelMode(
663761
664762 status_t OMXNodeInstance::useBuffer(
665763 OMX_U32 portIndex, const sp<IMemory> &params,
666- OMX::buffer_id *buffer, OMX_U32 allottedSize) {
764+ OMX::buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess) {
667765 Mutex::Autolock autoLock(mLock);
668- if (allottedSize > params->size()) {
766+ if (allottedSize > params->size() || portIndex >= NELEM(mNumPortBuffers)) {
669767 return BAD_VALUE;
670768 }
671769
672- BufferMeta *buffer_meta = new BufferMeta(params, portIndex);
770+ // metadata buffers are not connected cross process
771+ BufferMeta *buffer_meta;
772+ bool isMeta = mMetadataType[portIndex] != kMetadataBufferTypeInvalid;
773+ bool useBackup = crossProcess && isMeta; // use a backup buffer instead of the actual buffer
774+ OMX_U8 *data = static_cast<OMX_U8 *>(params->pointer());
775+ // allocate backup buffer
776+ if (useBackup) {
777+ data = new (std::nothrow) OMX_U8[allottedSize];
778+ if (data == NULL) {
779+ return NO_MEMORY;
780+ }
781+ memset(data, 0, allottedSize);
782+
783+ // if we are not connecting the buffers, the sizes must match
784+ if (allottedSize != params->size()) {
785+ CLOG_ERROR(useBuffer, BAD_VALUE, SIMPLE_BUFFER(portIndex, (size_t)allottedSize, data));
786+ delete[] data;
787+ return BAD_VALUE;
788+ }
789+
790+ buffer_meta = new BufferMeta(
791+ params, portIndex, false /* copyToOmx */, false /* copyFromOmx */, data);
792+ } else {
793+ buffer_meta = new BufferMeta(
794+ params, portIndex, false /* copyToOmx */, false /* copyFromOmx */, NULL);
795+ }
673796
674797 OMX_BUFFERHEADERTYPE *header;
675798
676799 OMX_ERRORTYPE err = OMX_UseBuffer(
677800 mHandle, &header, portIndex, buffer_meta,
678- allottedSize, static_cast<OMX_U8 *>(params->pointer()));
801+ allottedSize, data);
679802
680803 if (err != OMX_ErrorNone) {
681804 CLOG_ERROR(useBuffer, err, SIMPLE_BUFFER(
682- portIndex, (size_t)allottedSize, params->pointer()));
805+ portIndex, (size_t)allottedSize, data));
683806
684807 delete buffer_meta;
685808 buffer_meta = NULL;
@@ -864,7 +987,16 @@ status_t OMXNodeInstance::createGraphicBufferSource(
864987 OMX_U32 portIndex, sp<IGraphicBufferConsumer> bufferConsumer, MetadataBufferType *type) {
865988 status_t err;
866989
867- const sp<GraphicBufferSource>& surfaceCheck = getGraphicBufferSource();
990+ // only allow graphic source on input port, when there are no allocated buffers yet
991+ if (portIndex != kPortIndexInput) {
992+ android_errorWriteLog(0x534e4554, "29422020");
993+ return BAD_VALUE;
994+ } else if (mNumPortBuffers[portIndex] > 0) {
995+ android_errorWriteLog(0x534e4554, "29422020");
996+ return INVALID_OPERATION;
997+ }
998+
999+ const sp<GraphicBufferSource> surfaceCheck = getGraphicBufferSource();
8681000 if (surfaceCheck != NULL) {
8691001 if (portIndex < NELEM(mMetadataType) && type != NULL) {
8701002 *type = mMetadataType[portIndex];
@@ -1020,13 +1152,21 @@ status_t OMXNodeInstance::allocateBuffer(
10201152
10211153 status_t OMXNodeInstance::allocateBufferWithBackup(
10221154 OMX_U32 portIndex, const sp<IMemory> &params,
1023- OMX::buffer_id *buffer, OMX_U32 allottedSize) {
1155+ OMX::buffer_id *buffer, OMX_U32 allottedSize, OMX_BOOL crossProcess) {
10241156 Mutex::Autolock autoLock(mLock);
1025- if (allottedSize > params->size()) {
1157+ if (allottedSize > params->size() || portIndex >= NELEM(mNumPortBuffers)) {
10261158 return BAD_VALUE;
10271159 }
10281160
1029- BufferMeta *buffer_meta = new BufferMeta(params, portIndex, true);
1161+ // metadata buffers are not connected cross process
1162+ bool isMeta = mMetadataType[portIndex] != kMetadataBufferTypeInvalid;
1163+ bool copy = !(crossProcess && isMeta);
1164+
1165+ BufferMeta *buffer_meta = new BufferMeta(
1166+ params, portIndex,
1167+ (portIndex == kPortIndexInput) && copy /* copyToOmx */,
1168+ (portIndex == kPortIndexOutput) && copy /* copyFromOmx */,
1169+ NULL /* data */);
10301170
10311171 OMX_BUFFERHEADERTYPE *header;
10321172
@@ -1122,6 +1262,12 @@ status_t OMXNodeInstance::emptyBuffer(
11221262 OMX_U32 flags, OMX_TICKS timestamp, int fenceFd) {
11231263 Mutex::Autolock autoLock(mLock);
11241264
1265+ // no emptybuffer if using input surface
1266+ if (getGraphicBufferSource() != NULL) {
1267+ android_errorWriteLog(0x534e4554, "29422020");
1268+ return INVALID_OPERATION;
1269+ }
1270+
11251271 OMX_BUFFERHEADERTYPE *header = findBufferHeader(buffer, kPortIndexInput);
11261272 if (header == NULL) {
11271273 return BAD_VALUE;
@@ -1133,7 +1279,8 @@ status_t OMXNodeInstance::emptyBuffer(
11331279
11341280 // convert incoming ANW meta buffers if component is configured for gralloc metadata mode
11351281 // ignore rangeOffset in this case
1136- if (mMetadataType[kPortIndexInput] == kMetadataBufferTypeGrallocSource
1282+ if (buffer_meta->copyToOmx()
1283+ && mMetadataType[kPortIndexInput] == kMetadataBufferTypeGrallocSource
11371284 && backup->capacity() >= sizeof(VideoNativeMetadata)
11381285 && codec->capacity() >= sizeof(VideoGrallocMetadata)
11391286 && ((VideoNativeMetadata *)backup->base())->eType
@@ -1540,6 +1687,13 @@ void OMXNodeInstance::onEvent(
15401687 && arg2 == OMX_StateExecuting) {
15411688 bufferSource->omxExecuting();
15421689 }
1690+
1691+ // allow configuration if we return to the loaded state
1692+ if (event == OMX_EventCmdComplete
1693+ && arg1 == OMX_CommandStateSet
1694+ && arg2 == OMX_StateLoaded) {
1695+ mSailed = false;
1696+ }
15431697 }
15441698
15451699 // static
--- a/radio/Radio.cpp
+++ b/radio/Radio.cpp
@@ -55,7 +55,7 @@ namespace {
5555 sp<DeathNotifier> gDeathNotifier;
5656 }; // namespace anonymous
5757
58-const sp<IRadioService>& Radio::getRadioService()
58+const sp<IRadioService> Radio::getRadioService()
5959 {
6060 Mutex::Autolock _l(gLock);
6161 if (gRadioService.get() == 0) {
@@ -84,7 +84,7 @@ status_t Radio::listModules(struct radio_properties *properties,
8484 uint32_t *numModules)
8585 {
8686 ALOGV("listModules()");
87- const sp<IRadioService>& service = getRadioService();
87+ const sp<IRadioService> service = getRadioService();
8888 if (service == 0) {
8989 return NO_INIT;
9090 }
@@ -98,7 +98,7 @@ sp<Radio> Radio::attach(radio_handle_t handle,
9898 {
9999 ALOGV("attach()");
100100 sp<Radio> radio;
101- const sp<IRadioService>& service = getRadioService();
101+ const sp<IRadioService> service = getRadioService();
102102 if (service == 0) {
103103 return radio;
104104 }
--- a/services/audioflinger/Effects.cpp
+++ b/services/audioflinger/Effects.cpp
@@ -543,6 +543,13 @@ status_t AudioFlinger::EffectModule::remove_effect_from_hal_l()
543543 return NO_ERROR;
544544 }
545545
546+// round up delta valid if value and divisor are positive.
547+template <typename T>
548+static T roundUpDelta(const T &value, const T &divisor) {
549+ T remainder = value % divisor;
550+ return remainder == 0 ? 0 : divisor - remainder;
551+}
552+
546553 status_t AudioFlinger::EffectModule::command(uint32_t cmdCode,
547554 uint32_t cmdSize,
548555 void *pCmdData,
@@ -564,6 +571,22 @@ status_t AudioFlinger::EffectModule::command(uint32_t cmdCode,
564571 android_errorWriteLog(0x534e4554, "29251553");
565572 return -EINVAL;
566573 }
574+ if ((cmdCode == EFFECT_CMD_SET_PARAM
575+ || cmdCode == EFFECT_CMD_SET_PARAM_DEFERRED) && // DEFERRED not generally used
576+ (sizeof(effect_param_t) > cmdSize
577+ || ((effect_param_t *)pCmdData)->psize > cmdSize
578+ - sizeof(effect_param_t)
579+ || ((effect_param_t *)pCmdData)->vsize > cmdSize
580+ - sizeof(effect_param_t)
581+ - ((effect_param_t *)pCmdData)->psize
582+ || roundUpDelta(((effect_param_t *)pCmdData)->psize, (uint32_t)sizeof(int)) >
583+ cmdSize
584+ - sizeof(effect_param_t)
585+ - ((effect_param_t *)pCmdData)->psize
586+ - ((effect_param_t *)pCmdData)->vsize)) {
587+ android_errorWriteLog(0x534e4554, "30204301");
588+ return -EINVAL;
589+ }
567590 status_t status = (*mEffectInterface)->command(mEffectInterface,
568591 cmdCode,
569592 cmdSize,
--- a/services/soundtrigger/SoundTriggerHwService.cpp
+++ b/services/soundtrigger/SoundTriggerHwService.cpp
@@ -534,6 +534,22 @@ status_t SoundTriggerHwService::Module::loadSoundModel(const sp<IMemory>& modelM
534534 struct sound_trigger_sound_model *sound_model =
535535 (struct sound_trigger_sound_model *)modelMemory->pointer();
536536
537+ size_t structSize;
538+ if (sound_model->type == SOUND_MODEL_TYPE_KEYPHRASE) {
539+ structSize = sizeof(struct sound_trigger_phrase_sound_model);
540+ } else {
541+ structSize = sizeof(struct sound_trigger_sound_model);
542+ }
543+
544+ if (sound_model->data_offset < structSize ||
545+ sound_model->data_size > (UINT_MAX - sound_model->data_offset) ||
546+ modelMemory->size() < sound_model->data_offset ||
547+ sound_model->data_size > (modelMemory->size() - sound_model->data_offset)) {
548+ android_errorWriteLog(0x534e4554, "30148546");
549+ ALOGE("loadSoundModel() data_size is too big");
550+ return BAD_VALUE;
551+ }
552+
537553 AutoMutex lock(mLock);
538554
539555 if (mModels.size() >= mDescriptor.properties.max_sound_models) {
@@ -603,11 +619,23 @@ status_t SoundTriggerHwService::Module::startRecognition(sound_model_handle_t ha
603619 return PERMISSION_DENIED;
604620 }
605621
606- if (dataMemory != 0 && dataMemory->pointer() == NULL) {
607- ALOGE("startRecognition() dataMemory is non-0 but has NULL pointer()");
622+ if (dataMemory == 0 || dataMemory->pointer() == NULL) {
623+ ALOGE("startRecognition() dataMemory is 0 or has NULL pointer()");
608624 return BAD_VALUE;
609625
610626 }
627+
628+ struct sound_trigger_recognition_config *config =
629+ (struct sound_trigger_recognition_config *)dataMemory->pointer();
630+
631+ if (config->data_offset < sizeof(struct sound_trigger_recognition_config) ||
632+ config->data_size > (UINT_MAX - config->data_offset) ||
633+ dataMemory->size() < config->data_offset ||
634+ config->data_size > (dataMemory->size() - config->data_offset)) {
635+ ALOGE("startRecognition() data_size is too big");
636+ return BAD_VALUE;
637+ }
638+
611639 AutoMutex lock(mLock);
612640 if (mServiceState == SOUND_TRIGGER_STATE_DISABLED) {
613641 return INVALID_OPERATION;
@@ -616,17 +644,11 @@ status_t SoundTriggerHwService::Module::startRecognition(sound_model_handle_t ha
616644 if (model == 0) {
617645 return BAD_VALUE;
618646 }
619- if ((dataMemory == 0) ||
620- (dataMemory->size() < sizeof(struct sound_trigger_recognition_config))) {
621- return BAD_VALUE;
622- }
623647
624648 if (model->mState == Model::STATE_ACTIVE) {
625649 return INVALID_OPERATION;
626650 }
627651
628- struct sound_trigger_recognition_config *config =
629- (struct sound_trigger_recognition_config *)dataMemory->pointer();
630652
631653 //TODO: get capture handle and device from audio policy service
632654 config->capture_handle = model->mCaptureIOHandle;
--- a/soundtrigger/SoundTrigger.cpp
+++ b/soundtrigger/SoundTrigger.cpp
@@ -55,7 +55,7 @@ namespace {
5555 sp<DeathNotifier> gDeathNotifier;
5656 }; // namespace anonymous
5757
58-const sp<ISoundTriggerHwService>& SoundTrigger::getSoundTriggerHwService()
58+const sp<ISoundTriggerHwService> SoundTrigger::getSoundTriggerHwService()
5959 {
6060 Mutex::Autolock _l(gLock);
6161 if (gSoundTriggerHwService.get() == 0) {
@@ -84,7 +84,7 @@ status_t SoundTrigger::listModules(struct sound_trigger_module_descriptor *modul
8484 uint32_t *numModules)
8585 {
8686 ALOGV("listModules()");
87- const sp<ISoundTriggerHwService>& service = getSoundTriggerHwService();
87+ const sp<ISoundTriggerHwService> service = getSoundTriggerHwService();
8888 if (service == 0) {
8989 return NO_INIT;
9090 }
@@ -96,7 +96,7 @@ sp<SoundTrigger> SoundTrigger::attach(const sound_trigger_module_handle_t module
9696 {
9797 ALOGV("attach()");
9898 sp<SoundTrigger> soundTrigger;
99- const sp<ISoundTriggerHwService>& service = getSoundTriggerHwService();
99+ const sp<ISoundTriggerHwService> service = getSoundTriggerHwService();
100100 if (service == 0) {
101101 return soundTrigger;
102102 }
@@ -116,7 +116,7 @@ sp<SoundTrigger> SoundTrigger::attach(const sound_trigger_module_handle_t module
116116 status_t SoundTrigger::setCaptureState(bool active)
117117 {
118118 ALOGV("setCaptureState(%d)", active);
119- const sp<ISoundTriggerHwService>& service = getSoundTriggerHwService();
119+ const sp<ISoundTriggerHwService> service = getSoundTriggerHwService();
120120 if (service == 0) {
121121 return NO_INIT;
122122 }
Show on old repository browser