libstagefright: sanity check size before dereferencing pointer in Utils.cpp

Also remove some CHECK's. Bug: 23680780 Change-Id: I62d0941e203e40209fa6fbe3f923f3efdc5a6c23
author: Wei Jia <wjia@google.com> 2015-09-01 11:14:18 -0700
committer: The Android Automerger <android-build@google.com> 2015-09-28 17:08:16 -0700
commit: fbf25d64787e4a99564c294dcb97ef2d1e668c50 (patch)
tree: 3e8c28ba5983fb430056ab30aa6fae3c169843ff /media/libstagefright/Utils.cpp
parent: aec1b5451d5961fd8767c7e221960c0a7d205ae2 (diff)
download: frameworks_av-fbf25d64787e4a99564c294dcb97ef2d1e668c50.zip
frameworks_av-fbf25d64787e4a99564c294dcb97ef2d1e668c50.tar.gz
frameworks_av-fbf25d64787e4a99564c294dcb97ef2d1e668c50.tar.bz2
1 files changed, 28 insertions, 8 deletions
diff --git a/media/libstagefright/Utils.cpp b/media/libstagefright/Utils.cpp
index f0a7277..7c8d441 100644
--- a/media/libstagefright/Utils.cpp
+++ b/media/libstagefright/Utils.cpp
@@ -211,8 +211,10 @@ status_t convertMetaDataToMessage(
 
         const uint8_t *ptr = (const uint8_t *)data;
 
-        CHECK(size >= 7);
-        CHECK_EQ((unsigned)ptr[0], 1u);  // configurationVersion == 1
+        if (size < 7 || ptr[0] != 1) {  // configurationVersion == 1
+            ALOGE("b/23680780");
+            return BAD_VALUE;
+        }
         uint8_t profile __unused = ptr[1];
         uint8_t level __unused = ptr[3];
 
@@ -238,7 +240,10 @@ status_t convertMetaDataToMessage(
         buffer->setRange(0, 0);
 
         for (size_t i = 0; i < numSeqParameterSets; ++i) {
-            CHECK(size >= 2);
+            if (size < 2) {
+                ALOGE("b/23680780");
+                return BAD_VALUE;
+            }
             size_t length = U16_AT(ptr);
 
             ptr += 2;
@@ -267,13 +272,19 @@ status_t convertMetaDataToMessage(
         }
         buffer->setRange(0, 0);
 
-        CHECK(size >= 1);
+        if (size < 1) {
+            ALOGE("b/23680780");
+            return BAD_VALUE;
+        }
         size_t numPictureParameterSets = *ptr;
         ++ptr;
         --size;
 
         for (size_t i = 0; i < numPictureParameterSets; ++i) {
-            CHECK(size >= 2);
+            if (size < 2) {
+                ALOGE("b/23680780");
+                return BAD_VALUE;
+            }
             size_t length = U16_AT(ptr);
 
             ptr += 2;
@@ -297,8 +308,10 @@ status_t convertMetaDataToMessage(
     } else if (meta->findData(kKeyHVCC, &type, &data, &size)) {
         const uint8_t *ptr = (const uint8_t *)data;
 
-        CHECK(size >= 7);
-        CHECK_EQ((unsigned)ptr[0], 1u);  // configurationVersion == 1
+        if (size < 23 || ptr[0] != 1) {  // configurationVersion == 1
+            ALOGE("b/23680780");
+            return BAD_VALUE;
+        }
         uint8_t profile __unused = ptr[1] & 31;
         uint8_t level __unused = ptr[12];
         ptr += 22;
@@ -317,6 +330,10 @@ status_t convertMetaDataToMessage(
         buffer->setRange(0, 0);
 
         for (i = 0; i < numofArrays; i++) {
+            if (size < 3) {
+                ALOGE("b/23680780");
+                return BAD_VALUE;
+            }
             ptr += 1;
             size -= 1;
 
@@ -327,7 +344,10 @@ status_t convertMetaDataToMessage(
             size -= 2;
 
             for (j = 0; j < numofNals; j++) {
-                CHECK(size >= 2);
+                if (size < 2) {
+                    ALOGE("b/23680780");
+                    return BAD_VALUE;
+                }
                 size_t length = U16_AT(ptr);
 
                 ptr += 2;
author	Wei Jia <wjia@google.com>	2015-09-01 11:14:18 -0700
committer	The Android Automerger <android-build@google.com>	2015-09-28 17:08:16 -0700
commit	fbf25d64787e4a99564c294dcb97ef2d1e668c50 (patch)
tree	3e8c28ba5983fb430056ab30aa6fae3c169843ff /media/libstagefright/Utils.cpp
parent	aec1b5451d5961fd8767c7e221960c0a7d205ae2 (diff)
download	frameworks_av-fbf25d64787e4a99564c294dcb97ef2d1e668c50.zip frameworks_av-fbf25d64787e4a99564c294dcb97ef2d1e668c50.tar.gz frameworks_av-fbf25d64787e4a99564c294dcb97ef2d1e668c50.tar.bz2