author | Wei Jia <wjia@google.com> | 2015-09-01 11:14:18 -0700 |
---|---|---|
committer | Wei Jia <wjia@google.com> | 2015-09-03 09:06:37 -0700 |
commit | c6a2815eadfce62702d58b3fa3887f24c49e1864 (patch) | |
tree | 3f9a78756af8a9ef4abb722b06bb51555f194afb | |
parent | a6c650a9e7927c7d640828cea66fc96e0bf762ce (diff) | |
DO NOT MERGE - libstagefright: sanity check size before dereferencing pointer in Utils.cpp
Also remove some CHECK's.
Bug: 23680780
Change-Id: I62d0941e203e40209fa6fbe3f923f3efdc5a6c23
(cherry picked from commit 7bb772e0c643ff3292599cf485b9dbf232bf39a4)
-rw-r--r-- | media/libstagefright/Utils.cpp | 36 |
1 files changed, 28 insertions, 8 deletions
diff --git a/media/libstagefright/Utils.cpp b/media/libstagefright/Utils.cpp
index d86be6e..214e2fc 100644
--- a/media/libstagefright/Utils.cpp
+++ b/media/libstagefright/Utils.cpp
@@ -196,8 +196,10 @@ status_t convertMetaDataToMessage(
 const uint8_t *ptr = (const uint8_t *)data;
- CHECK(size >= 7);
- CHECK_EQ((unsigned)ptr[0], 1u); // configurationVersion == 1
+ if (size < 7 || ptr[0] != 1) { // configurationVersion == 1
+ ALOGE("b/23680780");
+ return BAD_VALUE;
+ }
 uint8_t profile = ptr[1];
 uint8_t level = ptr[3];
@@ -223,7 +225,10 @@ status_t convertMetaDataToMessage(
 buffer->setRange(0, 0);
 for (size_t i = 0; i < numSeqParameterSets; ++i) {
- CHECK(size >= 2);
+ if (size < 2) {
+ ALOGE("b/23680780");
+ return BAD_VALUE;
+ }
 size_t length = U16_AT(ptr);
 ptr += 2;
@@ -252,13 +257,19 @@ status_t convertMetaDataToMessage(
 }
 buffer->setRange(0, 0);
- CHECK(size >= 1);
+ if (size < 1) {
+ ALOGE("b/23680780");
+ return BAD_VALUE;
+ }
 size_t numPictureParameterSets = *ptr;
 ++ptr;
 --size;
 for (size_t i = 0; i < numPictureParameterSets; ++i) {
- CHECK(size >= 2);
+ if (size < 2) {
+ ALOGE("b/23680780");
+ return BAD_VALUE;
+ }
 size_t length = U16_AT(ptr);
 ptr += 2;
@@ -282,8 +293,10 @@ status_t convertMetaDataToMessage(
 } else if (meta->findData(kKeyHVCC, &type, &data, &size)) {
 const uint8_t *ptr = (const uint8_t *)data;
- CHECK(size >= 7);
- CHECK_EQ((unsigned)ptr[0], 1u); // configurationVersion == 1
+ if (size < 23 || ptr[0] != 1) { // configurationVersion == 1
+ ALOGE("b/23680780");
+ return BAD_VALUE;
+ }
 uint8_t profile = ptr[1] & 31;
 uint8_t level = ptr[12];
 ptr += 22;
@@ -302,6 +315,10 @@ status_t convertMetaDataToMessage(
 buffer->setRange(0, 0);
 for (i = 0; i < numofArrays; i++) {
+ if (size < 3) {
+ ALOGE("b/23680780");
+ return BAD_VALUE;
+ }
 ptr += 1;
 size -= 1;
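Review bot: Every rejection path added by this commit logs the identical `ALOGE("b/23680780")`, so a log line cannot be tied to the check that fired; this starts with the avcC header check in the first hunk and repeats in the hunks at new lines 225, 257, 293, 315 and 329. Keeping the bug id but adding the record and the observed size would make a rejected file triageable, for example `ALOGE("b/23680780: avcC too short or bad version (size=%zu)", size);`. The `%zu` assumes `size` is a `size_t`; its declaration is outside the hunk, as are the start and end of convertMetaDataToMessage.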
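Review bot: The new `if (size < 2)` guard in the sequence-parameter-set loop covers only the two-byte length prefix; the comparison of `length` against the remaining `size` for the NAL payload comes after `ptr += 2` and is outside this hunk, so it cannot be confirmed from here that it was converted too. If it is still a `CHECK`, a crafted length still aborts the process, and if it is absent, any later subtraction of `length` from `size` would wrap, assuming `size` is unsigned. The same question applies to the picture-parameter-set loop in the hunk at new line 257 and the HEVC NAL loop at new line 329. Each loop should have a matching `if (size < length) { ALOGE("b/23680780"); return BAD_VALUE; }` once the prefix is consumed.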
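Review bot: In the hvcC hunk the bound changes from 7 to 23 with no comment explaining the number; the only visible hint is the `ptr += 22` three lines below the check. A reader auditing this guard has to work out that it presumably covers the 22 fixed header bytes plus the one-byte array count read after the hunk. I would add `// 22 fixed header bytes + 1 byte numOfArrays` above the check, or use a named constant. It is also worth confirming that `size` is reduced by the same 22 bytes outside the hunk, so that the later `size < 3` test sees the true remainder.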
@@ -312,7 +329,10 @@ status_t convertMetaDataToMessage(
 size -= 2;
 for (j = 0; j < numofNals; j++) {
- CHECK(size >= 2);
+ if (size < 2) {
+ ALOGE("b/23680780");
+ return BAD_VALUE;
+ }
 size_t length = U16_AT(ptr);
 ptr += 2; |
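Review bot: This early return, like the ones in the earlier hunks, changes convertMetaDataToMessage from aborting on a malformed record to returning `BAD_VALUE` part-way through filling the output message, and nothing in the commit documents that new contract. Callers are not visible here; any caller that ignores the `status_t` would continue with a partially populated format that may lack codec-specific data. I would add a comment at the function's declaration such as `// Returns BAD_VALUE on malformed avcC/hvcC; the output message must not be used in that case.` and audit the call sites for unchecked returns. The function's signature and the cleanup of the partially built message are outside the hunk.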