author | Wei Jia <wjia@google.com> | 2015-06-25 11:46:54 -0700 |
---|---|---|
committer | Wei Jia <wjia@google.com> | 2015-07-29 11:13:30 -0700 |
commit | 9c170c076382096b9e767da0e3f9f37dafa76546 (patch) | |
tree | ac1dd4d4f861cc86bfee1f1e58063391af9cf2e1 /media/libstagefright/Utils.cpp | |
parent | 70c1f74f3d4c43b67949f3e742195d60f4677462 (diff) | |
libstagefright: Fix crash in convertMetaDataToMessage
- The ABuffer used for the Message has a preset value of 1024; if
flattening the meta data exceeds this value, a check fails, hence
the crash.
- This change creates a new ABuffer if the buffer size would exceed
the buffer capacity.
Bug: 22771132
CRs-Fixed: 857850
Change-Id: Iaa7374a4734a49db257a3f102a88412fde672260
Diffstat (limited to 'media/libstagefright/Utils.cpp')
-rw-r--r-- | media/libstagefright/Utils.cpp | 98 |
1 files changed, 74 insertions, 24 deletions
diff --git a/media/libstagefright/Utils.cpp b/media/libstagefright/Utils.cpp
index 6828b54..f0a7277 100644
--- a/media/libstagefright/Utils.cpp
+++ b/media/libstagefright/Utils.cpp
@@ -70,6 +70,23 @@ uint64_t hton64(uint64_t x) {
 return ((uint64_t)htonl(x & 0xffffffff) << 32) | htonl(x >> 32);
 }
+static status_t copyNALUToABuffer(sp<ABuffer> *buffer, const uint8_t *ptr, size_t length) {
+ if (((*buffer)->size() + 4 + length) > ((*buffer)->capacity() - (*buffer)->offset())) {
+ sp<ABuffer> tmpBuffer = new (std::nothrow) ABuffer((*buffer)->size() + 4 + length + 1024);
+ if (tmpBuffer.get() == NULL || tmpBuffer->base() == NULL) {
+ return NO_MEMORY;
+ }
+ memcpy(tmpBuffer->data(), (*buffer)->data(), (*buffer)->size());
+ tmpBuffer->setRange(0, (*buffer)->size());
+ (*buffer) = tmpBuffer;
+ }
+
+ memcpy((*buffer)->data() + (*buffer)->size(), "\x00\x00\x00\x01", 4);
+ memcpy((*buffer)->data() + (*buffer)->size() + 4, ptr, length);
+ (*buffer)->setRange((*buffer)->offset(), (*buffer)->size() + 4 + length);
+ return OK;
+}
+
 status_t convertMetaDataToMessage(
 const sp<MetaData> &meta, sp<AMessage> *format) {
 format->clear();
@@ -214,7 +231,10 @@ status_t convertMetaDataToMessage(
 ptr += 6;
 size -= 6;
- sp<ABuffer> buffer = new ABuffer(1024);
+ sp<ABuffer> buffer = new (std::nothrow) ABuffer(1024);
+ if (buffer.get() == NULL || buffer->base() == NULL) {
+ return NO_MEMORY;
+ }
 buffer->setRange(0, 0);
 for (size_t i = 0; i < numSeqParameterSets; ++i) {
@@ -224,11 +244,13 @@ status_t convertMetaDataToMessage(
 ptr += 2;
 size -= 2;
- CHECK(size >= length);
-
- memcpy(buffer->data() + buffer->size(), "\x00\x00\x00\x01", 4);
- memcpy(buffer->data() + buffer->size() + 4, ptr, length);
- buffer->setRange(0, buffer->size() + 4 + length);
+ if (size < length) {
+ return BAD_VALUE;
+ }
+ status_t err = copyNALUToABuffer(&buffer, ptr, length);
+ if (err != OK) {
+ return err;
+ }
 ptr += length;
 size -= length;
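Review bot: The capacity test in `copyNALUToABuffer` (hunk at -70,6) adds before it compares, so `(*buffer)->size() + 4 + length`, and the `+ 1024` in the reallocation size, can wrap for a very large `length` and let the two `memcpy` calls write past the buffer. The callers in this diff compare `length` with the remaining `size` first, so this looks unreachable from them, but the helper should not depend on that. A guard ahead of the comparison, `if (length > SIZE_MAX - (*buffer)->size() - 4 - 1024) return BAD_VALUE;`, makes it safe on its own. A short comment saying that the function appends a 4-byte start code plus `length` bytes and may replace `*buffer` with a larger buffer would also help callers.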
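Review bot: The allocate-and-check sequence added in the hunk at -214,7, `new (std::nothrow) ABuffer(...)` followed by `buffer.get() == NULL || buffer->base() == NULL`, is repeated verbatim at nine sites in convertMetaDataToMessage (also the hunks at -239, -283, -326, -335, -346, -364 and -375); a small static helper would keep those sites from drifting apart. The helper name below is only a suggestion. The diff adds no `#include <new>` for `std::nothrow`, so it presumably arrives through another header; including it directly would be more robust. convertMetaDataToMessage starts and ends outside this hunk.

```cpp
// Allocates an ABuffer of the given capacity; reports failure instead of aborting.
static status_t allocateABuffer(sp<ABuffer> *out, size_t capacity) {
    sp<ABuffer> buf = new (std::nothrow) ABuffer(capacity);
    if (buf.get() == NULL || buf->base() == NULL) {
        return NO_MEMORY;
    }
    *out = buf;
    return OK;
}
// … unchanged: each call site keeps its existing error return and setRange(0, 0) …
```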
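Review bot: The new `return BAD_VALUE;` for `size < length` in the hunk at -224,11 rejects a truncated parameter set without leaving any trace, whereas the `CHECK` it replaces presumably named the failed condition when it aborted. A log line before the return, for example `ALOGE("NAL unit length exceeds remaining codec config data");`, would let malformed-media rejections be spotted in device logs. The same applies to the hunks at -254,11 and -303,11. The enclosing loop begins and ends outside this hunk.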
@@ -239,7 +261,10 @@ status_t convertMetaDataToMessage(
 msg->setBuffer("csd-0", buffer);
- buffer = new ABuffer(1024);
+ buffer = new (std::nothrow) ABuffer(1024);
+ if (buffer.get() == NULL || buffer->base() == NULL) {
+ return NO_MEMORY;
+ }
 buffer->setRange(0, 0);
 CHECK(size >= 1);
@@ -254,11 +279,13 @@ status_t convertMetaDataToMessage(
 ptr += 2;
 size -= 2;
- CHECK(size >= length);
-
- memcpy(buffer->data() + buffer->size(), "\x00\x00\x00\x01", 4);
- memcpy(buffer->data() + buffer->size() + 4, ptr, length);
- buffer->setRange(0, buffer->size() + 4 + length);
+ if (size < length) {
+ return BAD_VALUE;
+ }
+ status_t err = copyNALUToABuffer(&buffer, ptr, length);
+ if (err != OK) {
+ return err;
+ }
 ptr += length;
 size -= length;
@@ -283,7 +310,10 @@ status_t convertMetaDataToMessage(
 size -= 1;
 size_t j = 0, i = 0;
- sp<ABuffer> buffer = new ABuffer(1024);
+ sp<ABuffer> buffer = new (std::nothrow) ABuffer(1024);
+ if (buffer.get() == NULL || buffer->base() == NULL) {
+ return NO_MEMORY;
+ }
 buffer->setRange(0, 0);
 for (i = 0; i < numofArrays; i++) {
@@ -303,11 +333,13 @@ status_t convertMetaDataToMessage(
 ptr += 2;
 size -= 2;
- CHECK(size >= length);
-
- memcpy(buffer->data() + buffer->size(), "\x00\x00\x00\x01", 4);
- memcpy(buffer->data() + buffer->size() + 4, ptr, length);
- buffer->setRange(0, buffer->size() + 4 + length);
+ if (size < length) {
+ return BAD_VALUE;
+ }
+ status_t err = copyNALUToABuffer(&buffer, ptr, length);
+ if (err != OK) {
+ return err;
+ }
 ptr += length;
 size -= length;
@@ -326,7 +358,10 @@ status_t convertMetaDataToMessage(
 esds.getCodecSpecificInfo( &codec_specific_data, &codec_specific_data_size);
- sp<ABuffer> buffer = new ABuffer(codec_specific_data_size);
+ sp<ABuffer> buffer = new (std::nothrow) ABuffer(codec_specific_data_size);
+ if (buffer.get() == NULL || buffer->base() == NULL) {
+ return NO_MEMORY;
+ }
 memcpy(buffer->data(), codec_specific_data, codec_specific_data_size);
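Review bot: `CHECK(size >= 1);` in the trailing context of the hunk at -239,7 still aborts the process on a size taken from the same metadata blob, while this commit turns the neighbouring `CHECK(size >= length)` into a `BAD_VALUE` return. For consistency it should become `if (size < 1) { return BAD_VALUE; }`. Any other `CHECK` on `size` in the function, which this diff does not show, deserves the same look.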
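Review bot: With a zero `codec_specific_data_size` in the hunk at -326,7, the added `buffer->base() == NULL` test may return `NO_MEMORY` for what is really an empty payload. That would happen if `ABuffer` takes its storage from an allocator that can return NULL for a zero-byte request; the constructor is not shown here, so this is an assumption to confirm. Checking the base pointer only for non-empty requests, `if (buffer.get() == NULL || (codec_specific_data_size > 0 && buffer->base() == NULL))`, keeps the earlier behaviour for empty data. The same applies to the `ABuffer(size)` allocations in the hunks at -335, -346, -364 and -375.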
@@ -335,7 +370,10 @@ status_t convertMetaDataToMessage(
 buffer->meta()->setInt64("timeUs", 0);
 msg->setBuffer("csd-0", buffer);
 } else if (meta->findData(kKeyVorbisInfo, &type, &data, &size)) {
- sp<ABuffer> buffer = new ABuffer(size);
+ sp<ABuffer> buffer = new (std::nothrow) ABuffer(size);
+ if (buffer.get() == NULL || buffer->base() == NULL) {
+ return NO_MEMORY;
+ }
 memcpy(buffer->data(), data, size);
 buffer->meta()->setInt32("csd", true);
@@ -346,14 +384,20 @@ status_t convertMetaDataToMessage(
 return -EINVAL;
 }
- buffer = new ABuffer(size);
+ buffer = new (std::nothrow) ABuffer(size);
+ if (buffer.get() == NULL || buffer->base() == NULL) {
+ return NO_MEMORY;
+ }
 memcpy(buffer->data(), data, size);
 buffer->meta()->setInt32("csd", true);
 buffer->meta()->setInt64("timeUs", 0);
 msg->setBuffer("csd-1", buffer);
 } else if (meta->findData(kKeyOpusHeader, &type, &data, &size)) {
- sp<ABuffer> buffer = new ABuffer(size);
+ sp<ABuffer> buffer = new (std::nothrow) ABuffer(size);
+ if (buffer.get() == NULL || buffer->base() == NULL) {
+ return NO_MEMORY;
+ }
 memcpy(buffer->data(), data, size);
 buffer->meta()->setInt32("csd", true);
@@ -364,7 +408,10 @@ status_t convertMetaDataToMessage(
 return -EINVAL;
 }
- buffer = new ABuffer(size);
+ buffer = new (std::nothrow) ABuffer(size);
+ if (buffer.get() == NULL || buffer->base() == NULL) {
+ return NO_MEMORY;
+ }
 memcpy(buffer->data(), data, size);
 buffer->meta()->setInt32("csd", true);
@@ -375,7 +422,10 @@ status_t convertMetaDataToMessage(
 return -EINVAL;
 }
- buffer = new ABuffer(size);
+ buffer = new (std::nothrow) ABuffer(size);
+ if (buffer.get() == NULL || buffer->base() == NULL) {
+ return NO_MEMORY;
+ }
 memcpy(buffer->data(), data, size);
 buffer->meta()->setInt32("csd", true); |