Correcting Offset and size checks while queing

Bug: 336058761 Bug: 333622829 Bug: 336058293 Test: android.mediav2.cts.CodecEncoderBlockModelMultiAccessUnitTest#testSimpleEncode Test: android.mediav2.cts.CodecUnitTest$TestApi#testQueueInputBuffersInUnInitState Change-Id: I4ce7fd2872ce3b4734050b68e5bf2c9b0519c898
author: Arun Johnson <arunjohnson@google.com> 2024-04-22 18:37:31 +0000
committer: Arun Johnson <arunjohnson@google.com> 2024-04-23 17:07:00 +0000
commit: 09b8310348d31fe1e1169266c2ec804e0e669d1c (patch)
tree: 6208227aaa89d3ee460f93e26db2d02239afa5fb /media
parent: 3454253222ec1cbdf92ac72736c500715715c7c3 (diff)
download: base-09b8310348d31fe1e1169266c2ec804e0e669d1c.tar.gz
1 files changed, 12 insertions, 16 deletions
diff --git a/media/jni/android_media_MediaCodec.cpp b/media/jni/android_media_MediaCodec.cpp
index 8a13c034995d..4492c858c084 100644
--- a/media/jni/android_media_MediaCodec.cpp
+++ b/media/jni/android_media_MediaCodec.cpp
@@ -2088,31 +2088,27 @@ static status_t extractInfosFromObject(
             }
             return BAD_VALUE;
         }
-        size_t offset = static_cast<size_t>(env->GetIntField(param, gFields.bufferInfoOffset));
-        size_t size = static_cast<size_t>(env->GetIntField(param, gFields.bufferInfoSize));
+        ssize_t offset = static_cast<ssize_t>(env->GetIntField(param, gFields.bufferInfoOffset));
+        ssize_t size = static_cast<ssize_t>(env->GetIntField(param, gFields.bufferInfoSize));
         uint32_t flags = static_cast<uint32_t>(env->GetIntField(param, gFields.bufferInfoFlags));
-        if (flags == 0 && size == 0) {
-            if (errorDetailMsg) {
-                *errorDetailMsg = "Error: Queuing an empty BufferInfo";
-            }
-            return BAD_VALUE;
-        }
         if (i == 0) {
             *initialOffset = offset;
-            if (CC_UNLIKELY(*initialOffset < 0)) {
-                if (errorDetailMsg) {
-                    *errorDetailMsg = "Error: offset/size in BufferInfo";
-                }
-                return BAD_VALUE;
-            }
         }
-        if (CC_UNLIKELY(((ssize_t)(UINT32_MAX - offset) < (ssize_t)size)
-                || ((offset - *initialOffset) != *totalSize))) {
+        if (CC_UNLIKELY((offset < 0)
+                || (size < 0)
+                || ((INT32_MAX - offset) < size)
+                || ((offset - (*initialOffset)) != *totalSize))) {
             if (errorDetailMsg) {
                 *errorDetailMsg = "Error: offset/size in BufferInfo";
             }
             return BAD_VALUE;
         }
+        if (flags == 0 && size == 0) {
+            if (errorDetailMsg) {
+                *errorDetailMsg = "Error: Queuing an empty BufferInfo";
+            }
+            return BAD_VALUE;
+        }
         infos->emplace_back(
                 flags,
                 size,
author	Arun Johnson <arunjohnson@google.com>	2024-04-22 18:37:31 +0000
committer	Arun Johnson <arunjohnson@google.com>	2024-04-23 17:07:00 +0000
commit	09b8310348d31fe1e1169266c2ec804e0e669d1c (patch)
tree	6208227aaa89d3ee460f93e26db2d02239afa5fb /media
parent	3454253222ec1cbdf92ac72736c500715715c7c3 (diff)
download	base-09b8310348d31fe1e1169266c2ec804e0e669d1c.tar.gz