author | Wei Jia <wjia@google.com> | 2015-09-01 11:14:18 -0700 |
---|---|---|
committer | The Android Automerger <android-build@google.com> | 2015-09-28 17:08:16 -0700 |
commit | fbf25d64787e4a99564c294dcb97ef2d1e668c50 (patch) | |
tree | 3e8c28ba5983fb430056ab30aa6fae3c169843ff /media/libstagefright/Utils.cpp | |
parent | aec1b5451d5961fd8767c7e221960c0a7d205ae2 (diff) | |
libstagefright: sanity check size before dereferencing pointer in Utils.cpp
Also remove some CHECK's.
Bug: 23680780
Change-Id: I62d0941e203e40209fa6fbe3f923f3efdc5a6c23
Diffstat (limited to 'media/libstagefright/Utils.cpp')
-rw-r--r-- | media/libstagefright/Utils.cpp | 36 |
1 files changed, 28 insertions, 8 deletions
diff --git a/media/libstagefright/Utils.cpp b/media/libstagefright/Utils.cpp
index f0a7277..7c8d441 100644
--- a/media/libstagefright/Utils.cpp
+++ b/media/libstagefright/Utils.cpp
@@ -211,8 +211,10 @@ status_t convertMetaDataToMessage(
 const uint8_t *ptr = (const uint8_t *)data;
- CHECK(size >= 7);
- CHECK_EQ((unsigned)ptr[0], 1u); // configurationVersion == 1
+ if (size < 7 || ptr[0] != 1) { // configurationVersion == 1
+ ALOGE("b/23680780");
+ return BAD_VALUE;
+ }
 uint8_t profile __unused = ptr[1];
 uint8_t level __unused = ptr[3];
@@ -238,7 +240,10 @@ status_t convertMetaDataToMessage(
 buffer->setRange(0, 0);
 for (size_t i = 0; i < numSeqParameterSets; ++i) {
- CHECK(size >= 2);
+ if (size < 2) {
+ ALOGE("b/23680780");
+ return BAD_VALUE;
+ }
 size_t length = U16_AT(ptr);
 ptr += 2;
@@ -267,13 +272,19 @@ status_t convertMetaDataToMessage(
 }
 buffer->setRange(0, 0);
- CHECK(size >= 1);
+ if (size < 1) {
+ ALOGE("b/23680780");
+ return BAD_VALUE;
+ }
 size_t numPictureParameterSets = *ptr;
 ++ptr;
 --size;
 for (size_t i = 0; i < numPictureParameterSets; ++i) {
- CHECK(size >= 2);
+ if (size < 2) {
+ ALOGE("b/23680780");
+ return BAD_VALUE;
+ }
 size_t length = U16_AT(ptr);
 ptr += 2;
@@ -297,8 +308,10 @@ status_t convertMetaDataToMessage(
 } else if (meta->findData(kKeyHVCC, &type, &data, &size)) {
 const uint8_t *ptr = (const uint8_t *)data;
- CHECK(size >= 7);
- CHECK_EQ((unsigned)ptr[0], 1u); // configurationVersion == 1
+ if (size < 23 || ptr[0] != 1) { // configurationVersion == 1
+ ALOGE("b/23680780");
+ return BAD_VALUE;
+ }
 uint8_t profile __unused = ptr[1] & 31;
 uint8_t level __unused = ptr[12];
 ptr += 22;
@@ -317,6 +330,10 @@ status_t convertMetaDataToMessage(
 buffer->setRange(0, 0);
 for (i = 0; i < numofArrays; i++) {
+ if (size < 3) {
+ ALOGE("b/23680780");
+ return BAD_VALUE;
+ }
 ptr += 1;
 size -= 1;
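Review bot: Every rejection path added in this commit logs the identical string `ALOGE("b/23680780");` (this avcC header check, the SPS loop, the PPS count and loop, the hvcC header check and both hvcC loops), so a log line cannot say which bound failed or how short the blob was. Keeping the bug tag but adding the site and the remaining length, for example `ALOGE("b/23680780: avcC header, size=%zu", size);` here (assuming `size` is a `size_t`, which the hunk does not show), would make reports of malformed files triageable. convertMetaDataToMessage begins and ends outside the hunk.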
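Review bot: The new `size < 2` guard in the SPS loop at -238 covers only the two bytes read by `U16_AT(ptr)`; nothing visible in this hunk compares the resulting `length` with the bytes that remain before the parameter set is consumed. The loop body continues past `ptr += 2;` outside the hunk, so if that comparison is not already there, `if (size < length) { ALOGE("b/23680780"); return BAD_VALUE; }` belongs right after `size` is reduced. The same question applies to the PPS loop in the hunk at -267 and to the hvcC NAL loop in the hunk at -327.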
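Review bot: The lower bound `23` in the hvcC check at -297 is an unexplained constant, and it replaces a `7` that was evidently too small for the `ptr[12]` read and the `ptr += 22;` skip that follow. From the hunk it looks like the 22 skipped bytes plus one more byte read after them, but that read is outside the hunk, so a comment such as `// 22-byte fixed hvcC header + 1-byte array count` (worded to match what the following lines actually read) would let the next reader verify it. The `size < 3` added in the hunk at -317 deserves the same treatment, e.g. `// 1 byte skipped + 2-byte NAL count`, which matches the `ptr += 1; size -= 1;` shown there and the `size -= 2;` that opens the next hunk.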
@@ -327,7 +344,10 @@ status_t convertMetaDataToMessage(
 size -= 2;
 for (j = 0; j < numofNals; j++) {
- CHECK(size >= 2);
+ if (size < 2) {
+ ALOGE("b/23680780");
+ return BAD_VALUE;
+ }
 size_t length = U16_AT(ptr);
 ptr += 2; |