Merge "media.bufferpool2: ensure message-ids are safe from overflow/underflow" into main

media/bufferpool/aidl/default/BufferPool.cpp

@@ -102,11 +102,11 @@ void BufferPool::Invalidation::onBufferInvalidated(
         if (it->isInvalidated(bufferId)) {
             uint32_t msgId = 0;
             if (it->mNeedsAck) {
-                msgId = ++mInvalidationId;
-                if (msgId == 0) {
-                    // wrap happens
-                    msgId = ++mInvalidationId;
+                if (mInvalidationId == UINT_MAX) {
+                    // wrap happens;
+                    mInvalidationId = 0;
                 }
+                msgId = ++mInvalidationId;
             }
             channel.postInvalidation(msgId, it->mFrom, it->mTo);
             it = mPendings.erase(it);
@@ -125,11 +125,11 @@ void BufferPool::Invalidation::onInvalidationRequest(
         const std::shared_ptr<Accessor> &impl) {
         uint32_t msgId = 0;
     if (needsAck) {
-        msgId = ++mInvalidationId;
-        if (msgId == 0) {
-            // wrap happens
-            msgId = ++mInvalidationId;
+        if (mInvalidationId == UINT_MAX) {
+            //wrap happens
+            mInvalidationId = 0;
         }
+        msgId = ++mInvalidationId;
     }
     ALOGV("bufferpool2 invalidation requested and queued");
     if (left == 0) {

media/bufferpool/aidl/default/BufferStatus.cpp

@@ -26,8 +26,17 @@ namespace aidl::android::hardware::media::bufferpool2::implementation {
 
 using aidl::android::hardware::media::bufferpool2::BufferStatus;
 
+uint32_t wrappedMinus(uint32_t a, uint32_t b) {
+    if (a >= b) {
+        return a - b;
+    } else {
+        return ~(b - a) + 1;
+    }
+}
+
 bool isMessageLater(uint32_t curMsgId, uint32_t prevMsgId) {
-    return curMsgId != prevMsgId && curMsgId - prevMsgId < prevMsgId - curMsgId;
+    return curMsgId != prevMsgId &&
+            wrappedMinus(curMsgId, prevMsgId) < wrappedMinus(prevMsgId, curMsgId);
 }
 
 bool isBufferInRange(BufferId from, BufferId to, BufferId bufferId) {