summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorWonsik Kim <wonsik@google.com>2016-06-17 01:24:30 +0900
committergitbuildkicker <android-build@google.com>2016-08-16 15:51:48 -0700
commite441275efea14a98d5a059328e660d9a08b13932 (patch)
tree164125c23826ccee945e26c93a3bdfb9a19a017c
parent10db5e094e4d7501ec277622dc29e714927dc588 (diff)
downloadframeworks_av-e441275efea14a98d5a059328e660d9a08b13932.zip
frameworks_av-e441275efea14a98d5a059328e660d9a08b13932.tar.gz
frameworks_av-e441275efea14a98d5a059328e660d9a08b13932.tar.bz2
DO NOT MERGE stagefright: fix possible stack overflow in AVCC reassemble
Additionally, remove use of variable length array which is non-standard in C++. Bug: 29161888 Change-Id: Ifdc3e7435f2225214c053b13f3bfe71c7d0ff506
-rw-r--r--media/libstagefright/Utils.cpp28
1 files changed, 19 insertions, 9 deletions
diff --git a/media/libstagefright/Utils.cpp b/media/libstagefright/Utils.cpp
index 17f0201..0d9dc3a 100644
--- a/media/libstagefright/Utils.cpp
+++ b/media/libstagefright/Utils.cpp
@@ -671,20 +671,30 @@ void convertMessageToMetaData(const sp<AMessage> &msg, sp<MetaData> &meta) {
// reassemble the csd data into its original form
sp<ABuffer> csd0;
if (msg->findBuffer("csd-0", &csd0)) {
+ int csd0size = csd0->size();
if (mime == MEDIA_MIMETYPE_VIDEO_AVC) {
sp<ABuffer> csd1;
if (msg->findBuffer("csd-1", &csd1)) {
- char avcc[1024]; // that oughta be enough, right?
- size_t outsize = reassembleAVCC(csd0, csd1, avcc);
- meta->setData(kKeyAVCC, kKeyAVCC, avcc, outsize);
+ Vector<char> avcc;
+ int avccSize = csd0size + csd1->size() + 1024;
+ if (avcc.resize(avccSize) < 0) {
+ ALOGE("error allocating avcc (size %d); abort setting avcc.", avccSize);
+ } else {
+ size_t outsize = reassembleAVCC(csd0, csd1, avcc.editArray());
+ meta->setData(kKeyAVCC, kKeyAVCC, avcc.array(), outsize);
+ }
}
} else if (mime == MEDIA_MIMETYPE_AUDIO_AAC || mime == MEDIA_MIMETYPE_VIDEO_MPEG4) {
- int csd0size = csd0->size();
- char esds[csd0size + 31];
- // The written ESDS is actually for an audio stream, but it's enough
- // for transporting the CSD to muxers.
- reassembleESDS(csd0, esds);
- meta->setData(kKeyESDS, kKeyESDS, esds, sizeof(esds));
+ Vector<char> esds;
+ int esdsSize = csd0size + 31;
+ if (esds.resize(esdsSize) < 0) {
+ ALOGE("error allocating esds (size %d); abort setting esds.", esdsSize);
+ } else {
+ // The written ESDS is actually for an audio stream, but it's enough
+ // for transporting the CSD to muxers.
+ reassembleESDS(csd0, esds.editArray());
+ meta->setData(kKeyESDS, kKeyESDS, esds.array(), esds.size());
+ }
}
}