summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJoshua J. Drake <android-open-source@qoop.org>2015-04-09 00:46:42 -0500
committerPaul Kocialkowski <contact@paulk.fr>2015-08-31 00:22:02 +0200
commit38ea49cc5f6dd9e15f3dd7d1357c599e8fbcf7e4 (patch)
tree59cdd0bda45a6567dad4a8d234d334330b274382
parente3b0877212dacc0b3e65fce1d4ee4352e8ed9fb3 (diff)
downloadframeworks_av-38ea49cc5f6dd9e15f3dd7d1357c599e8fbcf7e4.zip
frameworks_av-38ea49cc5f6dd9e15f3dd7d1357c599e8fbcf7e4.tar.gz
frameworks_av-38ea49cc5f6dd9e15f3dd7d1357c599e8fbcf7e4.tar.bz2
MPEG4Extractor: still more NULL derefernce fixes
When processing various FourCC values within MP4 media, mLastTrack is accessed without first ensuring that a track has been encoutered. Check for NULL and bail out instead of crashing. Bug: 20139950 Change-Id: I3b86377030d73b3134b8769c590509c4f23d9f19 Signed-off-by: Joshua J. Drake <android-open-source@qoop.org> Tested-by: Moritz Bandemer <replicant@posteo.mx>
-rw-r--r--media/libstagefright/MPEG4Extractor.cpp41
1 files changed, 41 insertions, 0 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index dd1e60b..7bd9b29 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -729,6 +729,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
}
}
+ if (!mLastTrack)
+ return ERROR_MALFORMED;
+
mLastTrack->sampleTable = new SampleTable(mDataSource);
}
@@ -923,6 +926,10 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
// multiple text display formats. These formats will be used to
// display the timed text.
const char *mime;
+
+ if (!mLastTrack)
+ return ERROR_MALFORMED;
+
CHECK(mLastTrack->meta->findCString(kKeyMIMEType, &mime));
if (strcasecmp(mime, MEDIA_MIMETYPE_TEXT_3GPP)) {
// For now we only support a single type of media per track.
@@ -979,6 +986,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
uint16_t sample_size = U16_AT(&buffer[18]);
uint32_t sample_rate = U32_AT(&buffer[24]) >> 16;
+ if (!mLastTrack)
+ return ERROR_MALFORMED;
+
if (!strcasecmp(MEDIA_MIMETYPE_AUDIO_AMR_NB,
FourCC2MIME(chunk_type))) {
// AMR NB audio is always mono, 8kHz
@@ -1057,6 +1067,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
// printf("*** coding='%s' width=%d height=%d\n",
// chunk, width, height);
+ if (!mLastTrack)
+ return ERROR_MALFORMED;
+
mLastTrack->meta->setCString(kKeyMIMEType, FourCC2MIME(chunk_type));
mLastTrack->meta->setInt32(kKeyWidth, width);
mLastTrack->meta->setInt32(kKeyHeight, height);
@@ -1292,6 +1305,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
return ERROR_IO;
}
+ if (!mLastTrack)
+ return ERROR_MALFORMED;
+
mLastTrack->meta->setData(
kKeyAVCC, kTypeAVCC, buffer, chunk_data_size);
@@ -1324,6 +1340,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
return ERROR_IO;
}
+ if (!mLastTrack)
+ return ERROR_MALFORMED;
+
mLastTrack->meta->setData(kKeyD263, kTypeD263, buffer, chunk_data_size);
*offset += chunk_size;
@@ -1437,6 +1456,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
return ERROR_IO;
}
+ if (!mLastTrack)
+ return ERROR_MALFORMED;
+
uint32_t type = ntohl(buffer);
// For the 3GPP file format, the handler-type within the 'hdlr' box
// shall be 'text'. We also want to support 'sbtl' handler type
@@ -1451,6 +1473,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
case FOURCC('t', 'x', '3', 'g'):
{
+ if (!mLastTrack)
+ return ERROR_MALFORMED;
+
uint32_t type;
const void *data;
size_t size = 0;
@@ -1565,6 +1590,9 @@ status_t MPEG4Extractor::parseTrackHeader(
duration = U32_AT(&buffer[20]);
}
+ if (!mLastTrack)
+ return ERROR_MALFORMED;
+
mLastTrack->meta->setInt32(kKeyTrackID, id);
size_t matrixOffset = dynSize + 16;
@@ -1741,6 +1769,9 @@ status_t MPEG4Extractor::parseMetaData(off64_t offset, size_t size) {
int32_t delay, padding;
if (sscanf(mLastCommentData,
" %*x %x %x %*x", &delay, &padding) == 2) {
+ if (!mLastTrack)
+ return ERROR_MALFORMED;
+
mLastTrack->meta->setInt32(kKeyEncoderDelay, delay);
mLastTrack->meta->setInt32(kKeyEncoderPadding, padding);
}
@@ -1870,6 +1901,9 @@ status_t MPEG4Extractor::updateAudioTrackInfoFromESDS_MPEG4Audio(
if (objectTypeIndication == 0xe1) {
// This isn't MPEG4 audio at all, it's QCELP 14k...
+ if (!mLastTrack)
+ return ERROR_MALFORMED;
+
mLastTrack->meta->setCString(kKeyMIMEType, MEDIA_MIMETYPE_AUDIO_QCELP);
return OK;
}
@@ -1913,6 +1947,10 @@ status_t MPEG4Extractor::updateAudioTrackInfoFromESDS_MPEG4Audio(
objectType = 32 + br.getBits(6);
}
+ if (!mLastTrack)
+ return ERROR_MALFORMED;
+
+
uint32_t freqIndex = br.getBits(4);
int32_t sampleRate = 0;
@@ -1941,6 +1979,9 @@ status_t MPEG4Extractor::updateAudioTrackInfoFromESDS_MPEG4Audio(
return ERROR_UNSUPPORTED;
}
+ if (!mLastTrack)
+ return ERROR_MALFORMED;
+
int32_t prevSampleRate;
CHECK(mLastTrack->meta->findInt32(kKeySampleRate, &prevSampleRate));