-rw-r--r-- | media/libstagefright/omx/OMXNodeInstance.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/media/libstagefright/omx/OMXNodeInstance.cpp b/media/libstagefright/omx/OMXNodeInstance.cpp
index e41b342..3c51885 100644
--- a/media/libstagefright/omx/OMXNodeInstance.cpp
+++ b/media/libstagefright/omx/OMXNodeInstance.cpp
@@ -637,6 +637,12 @@ status_t OMXNodeInstance::emptyBuffer(
 Mutex::Autolock autoLock(mLock);
 OMX_BUFFERHEADERTYPE *header = (OMX_BUFFERHEADERTYPE *)buffer;
+ // rangeLength and rangeOffset must be a subset of the allocated data in the buffer.
+ // corner case: we permit rangeOffset == end-of-buffer with rangeLength == 0.
+ if (rangeOffset > header->nAllocLen
+ || rangeLength > header->nAllocLen - rangeOffset) {
+ return BAD_VALUE;
+ }
 header->nFilledLen = rangeLength;
 header->nOffset = rangeOffset;
 header->nFlags = flags; |
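Review bot: The new bounds check reads `header->nAllocLen` through a pointer obtained by casting the caller-supplied `buffer` id directly, so the check is only as trustworthy as that pointer; nothing in the hunk confirms that `buffer` names a header this node actually allocated. If that validation is not done by the caller (not visible here), looking the id up among the node's own buffers before the cast, and returning `BAD_VALUE` on a miss, would close the gap. The comparison itself is ordered correctly: testing `rangeOffset > header->nAllocLen` first keeps `header->nAllocLen - rangeOffset` from wrapping, assuming both are unsigned 32-bit values, and a short comment such as `// offset is tested first so the subtraction below cannot wrap` would protect that ordering from later edits. Logging the rejection before `return BAD_VALUE;` would also make malformed requests visible during triage. emptyBuffer's body continues past the end of the hunk.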