DO NOT MERGE - SoftwareRenderer: sanity check buffer size before copying data.

Bug: 21443020
Change-Id: I63cf86217b8201fb41809c23e4b752b845a93ee2
(cherry picked from commit 760f92f8b6da9c9cf128cb18fe3c09402fdde6cd)

Signed-off-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>

1 files changed, 7 insertions, 0 deletions

diff --git a/media/libstagefright/colorconversion/SoftwareRenderer.cpp b/media/libstagefright/colorconversion/SoftwareRenderer.cpp
index 834e6b3..5354f14 100644
--- a/media/libstagefright/colorconversion/SoftwareRenderer.cpp
+++ b/media/libstagefright/colorconversion/SoftwareRenderer.cpp
@@ -173,6 +173,9 @@ void SoftwareRenderer::render(
                 buf->stride, buf->height,
                 0, 0, mCropWidth - 1, mCropHeight - 1);
     } else if (mColorFormat == OMX_COLOR_FormatYUV420Planar) {
+        if ((size_t)mWidth * mHeight * 3 / 2 > size) {
+            goto skip_copying;
+        }
         const uint8_t *src_y = (const uint8_t *)data;
         const uint8_t *src_u = (const uint8_t *)data + mWidth * mHeight;
         const uint8_t *src_v = src_u + (mWidth / 2 * mHeight / 2);
@@ -202,6 +205,9 @@ void SoftwareRenderer::render(
         }
     } else {
         CHECK_EQ(mColorFormat, OMX_TI_COLOR_FormatYUV420PackedSemiPlanar);
+        if ((size_t)mWidth * mHeight * 3 / 2 > size) {
+            goto skip_copying;
+        }
 
         const uint8_t *src_y =
             (const uint8_t *)data;
@@ -249,6 +255,7 @@ void SoftwareRenderer::render(
         }
     }
 
+skip_copying:
     CHECK_EQ(0, mapper.unlock(buf->handle));
 
     if ((err = mNativeWindow->queueBuffer(mNativeWindow.get(), buf,