diff options
| author | Joshua J. Drake <android-open-source@qoop.org> | 2015-04-08 22:21:53 -0500 |
|---|---|---|
| committer | Paul Kocialkowski <contact@paulk.fr> | 2015-08-31 00:22:02 +0200 |
| commit | dfaac4ee7320db3ae4b0149f262bd9f9d5397e96 (patch) | |
| tree | 89c36ccccfb3c1a8d9c29a6bfac585b69647dbb2 | |
| parent | 38ea49cc5f6dd9e15f3dd7d1357c599e8fbcf7e4 (diff) | |
| download | frameworks_av-dfaac4ee7320db3ae4b0149f262bd9f9d5397e96.zip frameworks_av-dfaac4ee7320db3ae4b0149f262bd9f9d5397e96.tar.gz frameworks_av-dfaac4ee7320db3ae4b0149f262bd9f9d5397e96.tar.bz2 | |
Fix null-pointer-dereferences accessing the SampleTable
While processing various sample table related FourCC values, methods are called
on a NULL mLastTrack or sampleTable object. This leads to undefined behavior
which typically results in a crash (denial of service condition).
Bug: 20139950
Change-Id: I39a894f8709d9937a0456ae5b3a201f7ecf12ed0
Signed-off-by: Joshua J. Drake <android-open-source@qoop.org>
Tested-by: Moritz Bandemer <replicant@posteo.mx>
| -rw-r--r-- | media/libstagefright/MPEG4Extractor.cpp | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp index 7bd9b29..92135ea 100644 --- a/media/libstagefright/MPEG4Extractor.cpp +++ b/media/libstagefright/MPEG4Extractor.cpp @@ -1092,6 +1092,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { case FOURCC('s', 't', 'c', 'o'): case FOURCC('c', 'o', '6', '4'): { + if (!mLastTrack || !mLastTrack->sampleTable.get()) + return ERROR_MALFORMED; + status_t err = mLastTrack->sampleTable->setChunkOffsetParams( chunk_type, data_offset, chunk_data_size); @@ -1106,6 +1109,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { case FOURCC('s', 't', 's', 'c'): { + if (!mLastTrack || !mLastTrack->sampleTable.get()) + return ERROR_MALFORMED; + status_t err = mLastTrack->sampleTable->setSampleToChunkParams( data_offset, chunk_data_size); @@ -1121,6 +1127,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { case FOURCC('s', 't', 's', 'z'): case FOURCC('s', 't', 'z', '2'): { + if (!mLastTrack || !mLastTrack->sampleTable.get()) + return ERROR_MALFORMED; + status_t err = mLastTrack->sampleTable->setSampleSizeParams( chunk_type, data_offset, chunk_data_size); @@ -1163,6 +1172,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { case FOURCC('s', 't', 't', 's'): { + if (!mLastTrack || !mLastTrack->sampleTable.get()) + return ERROR_MALFORMED; + status_t err = mLastTrack->sampleTable->setTimeToSampleParams( data_offset, chunk_data_size); @@ -1177,6 +1189,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { case FOURCC('c', 't', 't', 's'): { + if (!mLastTrack || !mLastTrack->sampleTable.get()) + return ERROR_MALFORMED; + status_t err = mLastTrack->sampleTable->setCompositionTimeToSampleParams( data_offset, chunk_data_size); @@ -1191,6 +1206,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { case FOURCC('s', 't', 's', 's'): { + if (!mLastTrack || !mLastTrack->sampleTable.get()) + return ERROR_MALFORMED; + status_t err = mLastTrack->sampleTable->setSyncSampleParams( data_offset, chunk_data_size); |