diff options
| author | Robert Shih <robertshih@google.com> | 2015-07-16 15:04:12 -0700 |
|---|---|---|
| committer | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2015-10-19 02:43:41 +0200 |
| commit | c941cf0ca5ee0a74f26846cae725088026f50303 (patch) | |
| tree | d88af1d10ef8949148f89fdd90eff461277adcaa /media | |
| parent | 9343dc079d25d194738eabe5e1ca3166417c531f (diff) | |
| download | frameworks_av-c941cf0ca5ee0a74f26846cae725088026f50303.zip frameworks_av-c941cf0ca5ee0a74f26846cae725088026f50303.tar.gz frameworks_av-c941cf0ca5ee0a74f26846cae725088026f50303.tar.bz2 | |
MatroskaExtractor: detect infinite loop when parsing NALs
Bug: 21335999
Change-Id: I76bd34610e52048ffcf16e41aa6175afc8a14ee4
(cherry picked from commit 2dcf6138ebc9c5688aeae151d2fbde55a2826128)
Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
Diffstat (limited to 'media')
| -rw-r--r-- | media/libstagefright/matroska/MatroskaExtractor.cpp | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/media/libstagefright/matroska/MatroskaExtractor.cpp b/media/libstagefright/matroska/MatroskaExtractor.cpp index 8f7d12b..4897ee7 100644 --- a/media/libstagefright/matroska/MatroskaExtractor.cpp +++ b/media/libstagefright/matroska/MatroskaExtractor.cpp @@ -23,6 +23,7 @@ #include "mkvparser.hpp" #include <media/stagefright/foundation/ADebug.h> +#include <media/stagefright/foundation/AUtils.h> #include <media/stagefright/foundation/hexdump.h> #include <media/stagefright/DataSource.h> #include <media/stagefright/MediaBuffer.h> @@ -563,7 +564,12 @@ status_t MatroskaSource::read( TRESPASS(); } - if (srcOffset + mNALSizeLen + NALsize > srcSize) { + if (srcOffset + mNALSizeLen + NALsize <= srcOffset + mNALSizeLen) { + frame->release(); + frame = NULL; + + return ERROR_MALFORMED; + } else if (srcOffset + mNALSizeLen + NALsize > srcSize) { break; } |