Merge "Correcting Offset and size checks while queing" into main am: 3376c75176 am: 812270543b

Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/3052882 Change-Id: I98950057e25b71cf2313552a343fdc6c453f15b0 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
author: Arun Johnson <arunjohnson@google.com> 2024-04-24 01:21:31 +0000
committer: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> 2024-04-24 01:21:31 +0000
commit: 0f8282e3dbb2c25c791d675715f3141b76e48d75 (patch)
tree: 6c04176e614591e2577faff6f4b02d7ca80b10f8
parent: 48556f26f527380ab033bac07a46894d883fc1eb (diff)
parent: 812270543b8d6dd8e5cc6009e2d5f2d38a832410 (diff)
1 files changed, 12 insertions, 16 deletions
diff --git a/media/jni/android_media_MediaCodec.cpp b/media/jni/android_media_MediaCodec.cpp
index 8a13c034995d..4492c858c084 100644
--- a/media/jni/android_media_MediaCodec.cpp
+++ b/media/jni/android_media_MediaCodec.cpp
@@ -2088,31 +2088,27 @@ static status_t extractInfosFromObject(
             }
             return BAD_VALUE;
         }
-        size_t offset = static_cast<size_t>(env->GetIntField(param, gFields.bufferInfoOffset));
-        size_t size = static_cast<size_t>(env->GetIntField(param, gFields.bufferInfoSize));
+        ssize_t offset = static_cast<ssize_t>(env->GetIntField(param, gFields.bufferInfoOffset));
+        ssize_t size = static_cast<ssize_t>(env->GetIntField(param, gFields.bufferInfoSize));
         uint32_t flags = static_cast<uint32_t>(env->GetIntField(param, gFields.bufferInfoFlags));
-        if (flags == 0 && size == 0) {
-            if (errorDetailMsg) {
-                *errorDetailMsg = "Error: Queuing an empty BufferInfo";
-            }
-            return BAD_VALUE;
-        }
         if (i == 0) {
             *initialOffset = offset;
-            if (CC_UNLIKELY(*initialOffset < 0)) {
-                if (errorDetailMsg) {
-                    *errorDetailMsg = "Error: offset/size in BufferInfo";
-                }
-                return BAD_VALUE;
-            }
         }
-        if (CC_UNLIKELY(((ssize_t)(UINT32_MAX - offset) < (ssize_t)size)
-                || ((offset - *initialOffset) != *totalSize))) {
+        if (CC_UNLIKELY((offset < 0)
+                || (size < 0)
+                || ((INT32_MAX - offset) < size)
+                || ((offset - (*initialOffset)) != *totalSize))) {
             if (errorDetailMsg) {
                 *errorDetailMsg = "Error: offset/size in BufferInfo";
             }
             return BAD_VALUE;
         }
+        if (flags == 0 && size == 0) {
+            if (errorDetailMsg) {
+                *errorDetailMsg = "Error: Queuing an empty BufferInfo";
+            }
+            return BAD_VALUE;
+        }
         infos->emplace_back(
                 flags,
                 size,
author	Arun Johnson <arunjohnson@google.com>	2024-04-24 01:21:31 +0000
committer	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-04-24 01:21:31 +0000
commit	0f8282e3dbb2c25c791d675715f3141b76e48d75 (patch)
tree	6c04176e614591e2577faff6f4b02d7ca80b10f8
parent	48556f26f527380ab033bac07a46894d883fc1eb (diff)
parent	812270543b8d6dd8e5cc6009e2d5f2d38a832410 (diff)