am 99214848: am 5226d6b7: am e64d4870: am 2b8cd9cb: stagefright: fix AMessage::FromParcel

* commit '992148484a286dab886dd4d1b58dabacf1c1920f': stagefright: fix AMessage::FromParcel
author: Flanker <i@flanker017.me> 2015-09-29 06:37:39 +0000
committer: Android Git Automerger <android-git-automerger@android.com> 2015-09-29 06:37:39 +0000
commit: 0f8f3bd0ae66a05ddc85eab84767da034532a56c (patch)
tree: d869fee31c1ded3fccadb294be607ecd4394f86f
parent: e22f5f490cb69e30e8a2630868e58db41838bcb3 (diff)
parent: 992148484a286dab886dd4d1b58dabacf1c1920f (diff)
download: frameworks_av-0f8f3bd0ae66a05ddc85eab84767da034532a56c.zip
frameworks_av-0f8f3bd0ae66a05ddc85eab84767da034532a56c.tar.gz
frameworks_av-0f8f3bd0ae66a05ddc85eab84767da034532a56c.tar.bz2
1 files changed, 25 insertions, 3 deletions
diff --git a/media/libstagefright/foundation/AMessage.cpp b/media/libstagefright/foundation/AMessage.cpp
index 1f46bc9..4942ba7 100644
--- a/media/libstagefright/foundation/AMessage.cpp
+++ b/media/libstagefright/foundation/AMessage.cpp
@@ -535,13 +535,24 @@ sp<AMessage> AMessage::FromParcel(const Parcel &parcel) {
     sp<AMessage> msg = new AMessage(what);
 
     msg->mNumItems = static_cast<size_t>(parcel.readInt32());
+    if (msg->mNumItems > kMaxNumItems) {
+        ALOGE("Too large number of items clipped.");
+        msg->mNumItems = kMaxNumItems;
+    }
+
     for (size_t i = 0; i < msg->mNumItems; ++i) {
         Item *item = &msg->mItems[i];
 
         const char *name = parcel.readCString();
-        item->setName(name, strlen(name));
-        item->mType = static_cast<Type>(parcel.readInt32());
+        if (name == NULL) {
+            ALOGE("Failed reading name for an item. Parsing aborted.");
+            msg->mNumItems = i;
+            break;
+        }
 
+        item->mType = static_cast<Type>(parcel.readInt32());
+        // setName() happens below so that we don't leak memory when parsing
+        // is aborted in the middle.
         switch (item->mType) {
             case kTypeInt32:
             {
@@ -575,7 +586,16 @@ sp<AMessage> AMessage::FromParcel(const Parcel &parcel) {
 
             case kTypeString:
             {
-                item->u.stringValue = new AString(parcel.readCString());
+                const char *stringValue = parcel.readCString();
+                if (stringValue == NULL) {
+                    ALOGE("Failed reading string value from a parcel. "
+                        "Parsing aborted.");
+                    msg->mNumItems = i;
+                    continue;
+                    // The loop will terminate subsequently.
+                } else {
+                    item->u.stringValue = new AString(stringValue);
+                }
                 break;
             }
 
@@ -594,6 +614,8 @@ sp<AMessage> AMessage::FromParcel(const Parcel &parcel) {
                 TRESPASS();
             }
         }
+
+        item->setName(name, strlen(name));
     }
 
     return msg;
author	Flanker <i@flanker017.me>	2015-09-29 06:37:39 +0000
committer	Android Git Automerger <android-git-automerger@android.com>	2015-09-29 06:37:39 +0000
commit	0f8f3bd0ae66a05ddc85eab84767da034532a56c (patch)
tree	d869fee31c1ded3fccadb294be607ecd4394f86f
parent	e22f5f490cb69e30e8a2630868e58db41838bcb3 (diff)
parent	992148484a286dab886dd4d1b58dabacf1c1920f (diff)
download	frameworks_av-0f8f3bd0ae66a05ddc85eab84767da034532a56c.zip frameworks_av-0f8f3bd0ae66a05ddc85eab84767da034532a56c.tar.gz frameworks_av-0f8f3bd0ae66a05ddc85eab84767da034532a56c.tar.bz2