Merge "Correcting Offset and size checks while queing" into main

author: Arun Johnson <arunjohnson@google.com> 2024-04-24 00:53:00 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> 2024-04-24 00:53:00 +0000
commit: 3376c75176f34d4fc7db943f0df47eee57a35213 (patch)
tree: 5b6bc67eaf7421e945c6894a56f038ba03911403
parent: 2ad6d539c2b3e3d1cf0fb43a3f1cff70106d19c2 (diff)
parent: 09b8310348d31fe1e1169266c2ec804e0e669d1c (diff)
download: base-3376c75176f34d4fc7db943f0df47eee57a35213.tar.gz
1 files changed, 12 insertions, 16 deletions
diff --git a/media/jni/android_media_MediaCodec.cpp b/media/jni/android_media_MediaCodec.cpp
index 8a13c034995d..4492c858c084 100644
--- a/media/jni/android_media_MediaCodec.cpp
+++ b/media/jni/android_media_MediaCodec.cpp
@@ -2088,31 +2088,27 @@ static status_t extractInfosFromObject(
             }
             return BAD_VALUE;
         }
-        size_t offset = static_cast<size_t>(env->GetIntField(param, gFields.bufferInfoOffset));
-        size_t size = static_cast<size_t>(env->GetIntField(param, gFields.bufferInfoSize));
+        ssize_t offset = static_cast<ssize_t>(env->GetIntField(param, gFields.bufferInfoOffset));
+        ssize_t size = static_cast<ssize_t>(env->GetIntField(param, gFields.bufferInfoSize));
         uint32_t flags = static_cast<uint32_t>(env->GetIntField(param, gFields.bufferInfoFlags));
-        if (flags == 0 && size == 0) {
-            if (errorDetailMsg) {
-                *errorDetailMsg = "Error: Queuing an empty BufferInfo";
-            }
-            return BAD_VALUE;
-        }
         if (i == 0) {
             *initialOffset = offset;
-            if (CC_UNLIKELY(*initialOffset < 0)) {
-                if (errorDetailMsg) {
-                    *errorDetailMsg = "Error: offset/size in BufferInfo";
-                }
-                return BAD_VALUE;
-            }
         }
-        if (CC_UNLIKELY(((ssize_t)(UINT32_MAX - offset) < (ssize_t)size)
-                || ((offset - *initialOffset) != *totalSize))) {
+        if (CC_UNLIKELY((offset < 0)
+                || (size < 0)
+                || ((INT32_MAX - offset) < size)
+                || ((offset - (*initialOffset)) != *totalSize))) {
             if (errorDetailMsg) {
                 *errorDetailMsg = "Error: offset/size in BufferInfo";
             }
             return BAD_VALUE;
         }
+        if (flags == 0 && size == 0) {
+            if (errorDetailMsg) {
+                *errorDetailMsg = "Error: Queuing an empty BufferInfo";
+            }
+            return BAD_VALUE;
+        }
         infos->emplace_back(
                 flags,
                 size,
author	Arun Johnson <arunjohnson@google.com>	2024-04-24 00:53:00 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	2024-04-24 00:53:00 +0000
commit	3376c75176f34d4fc7db943f0df47eee57a35213 (patch)
tree	5b6bc67eaf7421e945c6894a56f038ba03911403
parent	2ad6d539c2b3e3d1cf0fb43a3f1cff70106d19c2 (diff)
parent	09b8310348d31fe1e1169266c2ec804e0e669d1c (diff)
download	base-3376c75176f34d4fc7db943f0df47eee57a35213.tar.gz