Avoid parsing CC SEI payload beyond buffer end

Break CC SEI parsing when payload size exceeds buffer size to avoid a CHECK that have been seen in MTBF statistics. Change-Id: Ifd97648678a935ac815dd616301d46f9bf583838
author: Patrik2 Carlsson <patrik2.carlsson@sonymobile.com> 2015-05-25 15:12:49 +0200
committer: Steve Kondik <steve@cyngn.com> 2016-03-22 17:14:35 -0700
commit: 536fd16fa6d56008ba3d6f46275fd52dac25fd8c (patch)
tree: aec5ee300cc4b9025f32784db2e9ceff7c965a42 /media/libmediaplayerservice
parent: 5a4c1f8f409a28508075562277e4d19c4650513c (diff)
download: frameworks_av-536fd16fa6d56008ba3d6f46275fd52dac25fd8c.zip
frameworks_av-536fd16fa6d56008ba3d6f46275fd52dac25fd8c.tar.gz
frameworks_av-536fd16fa6d56008ba3d6f46275fd52dac25fd8c.tar.bz2
1 files changed, 6 insertions, 0 deletions
diff --git a/media/libmediaplayerservice/nuplayer/NuPlayerCCDecoder.cpp b/media/libmediaplayerservice/nuplayer/NuPlayerCCDecoder.cpp
index ac3c6b6..2c07f28 100644
--- a/media/libmediaplayerservice/nuplayer/NuPlayerCCDecoder.cpp
+++ b/media/libmediaplayerservice/nuplayer/NuPlayerCCDecoder.cpp
@@ -235,6 +235,12 @@ bool NuPlayer::CCDecoder::parseSEINalUnit(
             payload_size += last_byte;
         } while (last_byte == 0xFF);
 
+        if (payload_size > SIZE_MAX / 8
+                || !br.atLeastNumBitsLeft(payload_size * 8)) {
+            ALOGV("Malformed SEI payload");
+            break;
+        }
+
         // sei_payload()
         if (payload_type == 4) {
             bool isCC = false;
author	Patrik2 Carlsson <patrik2.carlsson@sonymobile.com>	2015-05-25 15:12:49 +0200
committer	Steve Kondik <steve@cyngn.com>	2016-03-22 17:14:35 -0700
commit	536fd16fa6d56008ba3d6f46275fd52dac25fd8c (patch)
tree	aec5ee300cc4b9025f32784db2e9ceff7c965a42 /media/libmediaplayerservice
parent	5a4c1f8f409a28508075562277e4d19c4650513c (diff)
download	frameworks_av-536fd16fa6d56008ba3d6f46275fd52dac25fd8c.zip frameworks_av-536fd16fa6d56008ba3d6f46275fd52dac25fd8c.tar.gz frameworks_av-536fd16fa6d56008ba3d6f46275fd52dac25fd8c.tar.bz2