mm-video-v4l2: vdec: Fix sending invalid FBD length buffer to client

Fix corner case scenario in which omx client receives FBD buffer with filledlen greater than alloclen and crashes. So precautionary check is added before sending buffer to client. Change-Id: Ie584d79a77dd63e98b58792e6e09a46cb95602ac
author: Vasantha Balla <vballa@codeaurora.org> 2020-07-02 10:32:42 +0530
committer: Gerrit - the friendly Code Review server <code-review@localhost> 2020-07-28 03:39:42 -0700
commit: 289750a8a6e832142bbd2d0fff416eac656d9080 (patch)
tree: 457e6d6f1097c6bb33f1a5b7abe617a3828774c9
parent: 30742eff9871ade149e22bad937e0292d4065e5f (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp b/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp
index fe0a264e..98cffcc5 100644
--- a/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp
+++ b/mm-video-v4l2/vidc/vdec/src/omx_vdec_v4l2.cpp
@@ -12686,6 +12686,10 @@ OMX_BUFFERHEADERTYPE* omx_vdec::allocate_color_convert_buf::get_il_buf_hdr
             } else {
                 unsigned int filledLen = 0;
                 c2dcc.getBuffFilledLen(C2D_OUTPUT, filledLen);
+                if (filledLen > omx->m_out_mem_ptr[index].nAllocLen) {
+                    DEBUG_PRINT_ERROR("Invalid C2D FBD length filledLen = %d alloclen = %d ",filledLen,omx->m_out_mem_ptr[index].nAllocLen);
+                    filledLen = 0;
+                }
                 m_out_mem_ptr_client[index].nFilledLen = filledLen;
                 omx->m_out_mem_ptr[index].nFilledLen = filledLen;
             }
author	Vasantha Balla <vballa@codeaurora.org>	2020-07-02 10:32:42 +0530
committer	Gerrit - the friendly Code Review server <code-review@localhost>	2020-07-28 03:39:42 -0700
commit	289750a8a6e832142bbd2d0fff416eac656d9080 (patch)
tree	457e6d6f1097c6bb33f1a5b7abe617a3828774c9
parent	30742eff9871ade149e22bad937e0292d4065e5f (diff)