diff options
| -rw-r--r-- | media/jni/android_media_MediaCodec.cpp | 28 |
1 files changed, 12 insertions, 16 deletions
diff --git a/media/jni/android_media_MediaCodec.cpp b/media/jni/android_media_MediaCodec.cpp index 8a13c034995d..4492c858c084 100644 --- a/media/jni/android_media_MediaCodec.cpp +++ b/media/jni/android_media_MediaCodec.cpp @@ -2088,31 +2088,27 @@ static status_t extractInfosFromObject( } return BAD_VALUE; } - size_t offset = static_cast<size_t>(env->GetIntField(param, gFields.bufferInfoOffset)); - size_t size = static_cast<size_t>(env->GetIntField(param, gFields.bufferInfoSize)); + ssize_t offset = static_cast<ssize_t>(env->GetIntField(param, gFields.bufferInfoOffset)); + ssize_t size = static_cast<ssize_t>(env->GetIntField(param, gFields.bufferInfoSize)); uint32_t flags = static_cast<uint32_t>(env->GetIntField(param, gFields.bufferInfoFlags)); - if (flags == 0 && size == 0) { - if (errorDetailMsg) { - *errorDetailMsg = "Error: Queuing an empty BufferInfo"; - } - return BAD_VALUE; - } if (i == 0) { *initialOffset = offset; - if (CC_UNLIKELY(*initialOffset < 0)) { - if (errorDetailMsg) { - *errorDetailMsg = "Error: offset/size in BufferInfo"; - } - return BAD_VALUE; - } } - if (CC_UNLIKELY(((ssize_t)(UINT32_MAX - offset) < (ssize_t)size) - || ((offset - *initialOffset) != *totalSize))) { + if (CC_UNLIKELY((offset < 0) + || (size < 0) + || ((INT32_MAX - offset) < size) + || ((offset - (*initialOffset)) != *totalSize))) { if (errorDetailMsg) { *errorDetailMsg = "Error: offset/size in BufferInfo"; } return BAD_VALUE; } + if (flags == 0 && size == 0) { + if (errorDetailMsg) { + *errorDetailMsg = "Error: Queuing an empty BufferInfo"; + } + return BAD_VALUE; + } infos->emplace_back( flags, size, |