diff options
author | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2016-03-18 02:08:46 +0100 |
---|---|---|
committer | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2016-03-18 02:08:46 +0100 |
commit | 185e2110a53feb7720d91b6f8366ad27402f21cc (patch) | |
tree | a265317b5846eec34d7c87b494ede81857e6c2d3 /media/libstagefright/MPEG4Extractor.cpp | |
parent | d4590dda7776ec99e4e879c47b3372a5f4b13dcd (diff) | |
parent | 8c2e9d8867ccaba1a617f133b37103e2ac77e871 (diff) | |
download | frameworks_av-185e2110a53feb7720d91b6f8366ad27402f21cc.zip frameworks_av-185e2110a53feb7720d91b6f8366ad27402f21cc.tar.gz frameworks_av-185e2110a53feb7720d91b6f8366ad27402f21cc.tar.bz2 |
Merge branch 'cm-13.0' of https://github.com/CyanogenMod/android_frameworks_av into replicant-6.0replicant-6.0-alpha-0005replicant-6.0-alpha-0004
Signed-off-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
Diffstat (limited to 'media/libstagefright/MPEG4Extractor.cpp')
-rwxr-xr-x | media/libstagefright/MPEG4Extractor.cpp | 22 |
1 files changed, 16 insertions, 6 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp index c928495..c7c238e 100755 --- a/media/libstagefright/MPEG4Extractor.cpp +++ b/media/libstagefright/MPEG4Extractor.cpp @@ -3325,11 +3325,13 @@ MPEG4Source::MPEG4Source( const uint8_t *ptr = (const uint8_t *)data; - CHECK(size >= 7); - CHECK_EQ((unsigned)ptr[0], 1u); // configurationVersion == 1 - - // The number of bytes used to encode the length of a NAL unit. - mNALLengthSize = 1 + (ptr[4] & 3); + if (size < 7 || ptr[0] != 1) { + ALOGE("Invalid AVCC atom, size %zu, configurationVersion: %d", + size, ptr[0]); + } else { + // The number of bytes used to encode the length of a NAL unit. + mNALLengthSize = 1 + (ptr[4] & 3); + } } else if (mIsHEVC) { uint32_t type; const void *data; @@ -4573,7 +4575,15 @@ status_t MPEG4Source::fragmentedRead( continue; } - CHECK(dstOffset + 4 <= mBuffer->size()); + if (dstOffset > SIZE_MAX - 4 || + dstOffset + 4 > SIZE_MAX - nalLength || + dstOffset + 4 + nalLength > mBuffer->size()) { + ALOGE("b/26365349 : %zu %zu", dstOffset, mBuffer->size()); + android_errorWriteLog(0x534e4554, "26365349"); + mBuffer->release(); + mBuffer = NULL; + return ERROR_MALFORMED; + } dstData[dstOffset++] = 0; dstData[dstOffset++] = 0; |