summaryrefslogtreecommitdiffstats
path: root/media/libstagefright/foundation
diff options
context:
space:
mode:
authorRicardo Cerqueira <ricardo@cyngn.com>2015-11-05 01:41:03 +0000
committerRicardo Cerqueira <ricardo@cyngn.com>2015-11-05 15:12:16 +0000
commitd5d618443b0166393389b422892ec033825e57ce (patch)
treead66ae383f72046ed6805b570450ae78709df3aa /media/libstagefright/foundation
parent2848080cc0182847cb2130cba1a59282db88bce0 (diff)
parentf733ab6e153fb89f045bfb1cb2746bd58399a0c2 (diff)
downloadframeworks_av-d5d618443b0166393389b422892ec033825e57ce.zip
frameworks_av-d5d618443b0166393389b422892ec033825e57ce.tar.gz
frameworks_av-d5d618443b0166393389b422892ec033825e57ce.tar.bz2
Merge tag 'android-6.0.0_r26' into cm-13.0
Android 6.0.0 release 26 Change-Id: I8a57007bf6efcd8b95c3cebf5e0444345bdd4cda
Diffstat (limited to 'media/libstagefright/foundation')
-rw-r--r--media/libstagefright/foundation/AMessage.cpp28
1 files changed, 25 insertions, 3 deletions
diff --git a/media/libstagefright/foundation/AMessage.cpp b/media/libstagefright/foundation/AMessage.cpp
index e549ff6..725a574 100644
--- a/media/libstagefright/foundation/AMessage.cpp
+++ b/media/libstagefright/foundation/AMessage.cpp
@@ -601,13 +601,24 @@ sp<AMessage> AMessage::FromParcel(const Parcel &parcel) {
msg->setWhat(what);
msg->mNumItems = static_cast<size_t>(parcel.readInt32());
+ if (msg->mNumItems > kMaxNumItems) {
+ ALOGE("Too large number of items clipped.");
+ msg->mNumItems = kMaxNumItems;
+ }
+
for (size_t i = 0; i < msg->mNumItems; ++i) {
Item *item = &msg->mItems[i];
const char *name = parcel.readCString();
- item->setName(name, strlen(name));
- item->mType = static_cast<Type>(parcel.readInt32());
+ if (name == NULL) {
+ ALOGE("Failed reading name for an item. Parsing aborted.");
+ msg->mNumItems = i;
+ break;
+ }
+ item->mType = static_cast<Type>(parcel.readInt32());
+ // setName() happens below so that we don't leak memory when parsing
+ // is aborted in the middle.
switch (item->mType) {
case kTypeInt32:
{
@@ -641,7 +652,16 @@ sp<AMessage> AMessage::FromParcel(const Parcel &parcel) {
case kTypeString:
{
- item->u.stringValue = new AString(parcel.readCString());
+ const char *stringValue = parcel.readCString();
+ if (stringValue == NULL) {
+ ALOGE("Failed reading string value from a parcel. "
+ "Parsing aborted.");
+ msg->mNumItems = i;
+ continue;
+ // The loop will terminate subsequently.
+ } else {
+ item->u.stringValue = new AString(stringValue);
+ }
break;
}
@@ -660,6 +680,8 @@ sp<AMessage> AMessage::FromParcel(const Parcel &parcel) {
TRESPASS();
}
}
+
+ item->setName(name, strlen(name));
}
return msg;
generated by cgit v1.1 at 2024-05-14 04:56:41 +0000