author | Nick Kralevich <nnk@google.com> | 2015-08-18 18:31:20 +0000 |
---|---|---|
committer | Android Git Automerger <android-git-automerger@android.com> | 2015-08-18 18:31:20 +0000 |
commit | a3a29952f485cd2ebf521273a7b36aac586451cf (patch) | |
tree | a9f45be2b1a63cd1cc50f762dd0af9d1e625bd53 /media/libstagefright/MPEG4Extractor.cpp | |
parent | 6f0b1b3e25eb2db2e8465f13268c297fa9070012 (diff) | |
parent | 4b153ff9b5c979684ed0a53d52a3ad90ec7f7d22 (diff) | |
am 4b153ff9: am 2f3c04a4: resolved conflicts for merge of 6035c811 to lmp-dev
* commit '4b153ff9b5c979684ed0a53d52a3ad90ec7f7d22':
MPEG4Source::fragmentedRead: check range before writing into buffers
Diffstat (limited to 'media/libstagefright/MPEG4Extractor.cpp')
-rw-r--r-- | media/libstagefright/MPEG4Extractor.cpp | 48 |
1 files changed, 40 insertions, 8 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp index 4b3b45a..8e6840d 100644 --- a/media/libstagefright/MPEG4Extractor.cpp +++ b/media/libstagefright/MPEG4Extractor.cpp @@ -4101,6 +4101,14 @@ status_t MPEG4Source::fragmentedRead( if ((!mIsAVC && !mIsHEVC)|| mWantsNALFragments) { if (newBuffer) { + if (!isInRange((size_t)0u, mBuffer->size(), size)) { + mBuffer->release(); + mBuffer = NULL; + + ALOGE("fragmentedRead ERROR_MALFORMED size %zu", size); + return ERROR_MALFORMED; + } + ssize_t num_bytes_read = mDataSource->readAt(offset, (uint8_t *)mBuffer->data(), size); @@ -4108,7 +4116,7 @@ status_t MPEG4Source::fragmentedRead( mBuffer->release(); mBuffer = NULL; - ALOGV("i/o error"); + ALOGE("i/o error"); return ERROR_IO; } @@ -4180,18 +4188,40 @@ status_t MPEG4Source::fragmentedRead( ssize_t num_bytes_read = 0; int32_t drm = 0; bool usesDRM = (mFormat->findInt32(kKeyIsDRM, &drm) && drm != 0); + void *data = NULL; + bool isMalFormed = false; if (usesDRM) { - num_bytes_read = - mDataSource->readAt(offset, (uint8_t*)mBuffer->data(), size); + if (mBuffer == NULL || !isInRange((size_t)0u, mBuffer->size(), size)) { + isMalFormed = true; + } else { + data = mBuffer->data(); + } } else { - num_bytes_read = mDataSource->readAt(offset, mSrcBuffer, size); + int32_t max_size; + if (mFormat == NULL + || !mFormat->findInt32(kKeyMaxInputSize, &max_size) + || !isInRange((size_t)0u, (size_t)max_size, size)) { + isMalFormed = true; + } else { + data = mSrcBuffer; + } } + if (isMalFormed || data == NULL) { + ALOGE("isMalFormed size %zu", size); + if (mBuffer != NULL) { + mBuffer->release(); + mBuffer = NULL; + } + return ERROR_MALFORMED; + } + num_bytes_read = mDataSource->readAt(offset, data, size); + if (num_bytes_read < (ssize_t)size) { mBuffer->release(); mBuffer = NULL; - ALOGV("i/o error"); + ALOGE("i/o error"); return ERROR_IO; } 
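Review bot: The guard added in the `newBuffer` branch passes `mBuffer->size()` as the upper bound, so whether a sample whose `size` equals the buffer capacity is accepted depends on isInRange's bound convention, which is defined outside this hunk. If that bound is exclusive, a sample that exactly fills the buffer now fails with ERROR_MALFORMED; this errs on the safe side, but it is worth confirming that it is intended. A comment above the check would record the intent, for example `// reject sample sizes that do not fit in mBuffer before readAt() writes into it`. The same check appears in the DRM branch of the third hunk.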
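Review bot: In the non-DRM branch `max_size` is a signed `int32_t` cast straight to `size_t`, so a negative kKeyMaxInputSize would become a very large upper bound and the range check would pass for any `size`; adding `|| max_size < 0` ahead of the `isInRange` clause closes that. The check also trusts the metadata value rather than the actual allocation of `mSrcBuffer`, which is made outside this hunk, so it holds only if the two cannot diverge. Separately, the `mFormat == NULL` test comes after `mFormat->findInt32(kKeyIsDRM, &drm)` has already dereferenced the pointer a few lines above, so it cannot protect anything where it stands.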
@@ -4205,16 +4235,18 @@ status_t MPEG4Source::fragmentedRead( size_t dstOffset = 0; while (srcOffset < size) { - bool isMalFormed = !isInRange((size_t)0u, size, srcOffset, mNALLengthSize); + isMalFormed = !isInRange((size_t)0u, size, srcOffset, mNALLengthSize); size_t nalLength = 0; if (!isMalFormed) { nalLength = parseNALSize(&mSrcBuffer[srcOffset]); srcOffset += mNALLengthSize; - isMalFormed = !isInRange((size_t)0u, size, srcOffset, nalLength); + isMalFormed = !isInRange((size_t)0u, size, srcOffset, nalLength) + || !isInRange((size_t)0u, mBuffer->size(), dstOffset, (size_t)4u) + || !isInRange((size_t)0u, mBuffer->size(), dstOffset + 4, nalLength); } if (isMalFormed) { - ALOGE("Video is malformed"); + ALOGE("Video is malformed; nalLength %zu", nalLength); mBuffer->release(); mBuffer = NULL; return ERROR_MALFORMED; |
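Review bot: The bare `4` in the two new `mBuffer->size()` checks is unexplained; it is presumably the length of the start code written ahead of each NAL unit further down the loop body, which is outside this hunk. A named constant or a comment such as `// 4 bytes of start code, then nalLength bytes of payload, must fit in mBuffer` would tie the check to the writes it protects. The new log line also prints `nalLength` as 0 when the first check fails before `parseNALSize` runs, so the logged value can mislead when triaging a malformed file.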