From dfaac4ee7320db3ae4b0149f262bd9f9d5397e96 Mon Sep 17 00:00:00 2001
From: "Joshua J. Drake"
Date: Wed, 8 Apr 2015 22:21:53 -0500
Subject: Fix null-pointer-dereferences accessing the SampleTable

While processing various sample table related FourCC values, methods are called on a NULL mLastTrack or sampleTable object. This leads to undefined behavior which typically results in a crash (denial of service condition).

Bug: 20139950
Change-Id: I39a894f8709d9937a0456ae5b3a201f7ecf12ed0
Signed-off-by: Joshua J. Drake
Tested-by: Moritz Bandemer
---
 media/libstagefright/MPEG4Extractor.cpp | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 7bd9b29..92135ea 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -1092,6 +1092,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
 case FOURCC('s', 't', 'c', 'o'):
 case FOURCC('c', 'o', '6', '4'):
 {
+ if (!mLastTrack || !mLastTrack->sampleTable.get())
+ return ERROR_MALFORMED;
+
 status_t err =
 mLastTrack->sampleTable->setChunkOffsetParams(
 chunk_type, data_offset, chunk_data_size);
@@ -1106,6 +1109,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
 
 case FOURCC('s', 't', 's', 'c'):
 {
+ if (!mLastTrack || !mLastTrack->sampleTable.get())
+ return ERROR_MALFORMED;
+
 status_t err =
 mLastTrack->sampleTable->setSampleToChunkParams(
 data_offset, chunk_data_size);
@@ -1121,6 +1127,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
 case FOURCC('s', 't', 's', 'z'):
 case FOURCC('s', 't', 'z', '2'):
 {
+ if (!mLastTrack || !mLastTrack->sampleTable.get())
+ return ERROR_MALFORMED;
+
 status_t err =
 mLastTrack->sampleTable->setSampleSizeParams(
 chunk_type, data_offset, chunk_data_size);
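Review bot: The same two-line guard is pasted into six separate cases (stco/co64, stsc and stsz/stz2 in these hunks; stts, ctts and stss in the three that follow), so the next sample-table case added to parseChunk can easily omit it. Consider one private helper that every case calls, e.g. `if (!hasSampleTable()) return ERROR_MALFORMED;`, where hasSampleTable is a proposed name rather than an existing method and would wrap the `!mLastTrack || !mLastTrack->sampleTable.get()` test. The rejection is also silent; a short error log naming the chunk type before the return would make malformed-file reports easier to triage. parseChunk starts and ends outside every hunk, so I cannot tell whether other cases that use mLastTrack are guarded, and that is worth auditing in the same change.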
@@ -1163,6 +1172,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
 
 case FOURCC('s', 't', 't', 's'):
 {
+ if (!mLastTrack || !mLastTrack->sampleTable.get())
+ return ERROR_MALFORMED;
+
 status_t err =
 mLastTrack->sampleTable->setTimeToSampleParams(
 data_offset, chunk_data_size);
@@ -1177,6 +1189,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
 
 case FOURCC('c', 't', 't', 's'):
 {
+ if (!mLastTrack || !mLastTrack->sampleTable.get())
+ return ERROR_MALFORMED;
+
 status_t err =
 mLastTrack->sampleTable->setCompositionTimeToSampleParams(
 data_offset, chunk_data_size);
@@ -1191,6 +1206,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
 
 case FOURCC('s', 't', 's', 's'):
 {
+ if (!mLastTrack || !mLastTrack->sampleTable.get())
+ return ERROR_MALFORMED;
+
 status_t err =
 mLastTrack->sampleTable->setSyncSampleParams(
 data_offset, chunk_data_size);
-- 
cgit v1.1