diff options
author | Robert Shih <robertshih@google.com> | 2014-02-07 12:26:58 -0800 |
---|---|---|
committer | Robert Shih <robertshih@google.com> | 2014-03-04 14:10:19 -0800 |
commit | bdc0609f8133517b8e051938ad66bac750be90b4 (patch) | |
tree | 61d4f2d63af0fc0db75b405c02e683424189a7f5 /media/libstagefright/httplive | |
parent | b4350af65dd66ed57f1ff79b1b426507f0e73b7b (diff) | |
download | frameworks_av-bdc0609f8133517b8e051938ad66bac750be90b4.zip frameworks_av-bdc0609f8133517b8e051938ad66bac750be90b4.tar.gz frameworks_av-bdc0609f8133517b8e051938ad66bac750be90b4.tar.bz2 |
PlaylistFetcher: fix infinite loop when parsing ADTS.
First check for embedded ID3 tag, then bail out if invalid.
Bug: 12934795
Change-Id: I74acebed4bfb2c6ca44dfe936166fdba8510233f
Diffstat (limited to 'media/libstagefright/httplive')
-rw-r--r-- | media/libstagefright/httplive/PlaylistFetcher.cpp | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/media/libstagefright/httplive/PlaylistFetcher.cpp b/media/libstagefright/httplive/PlaylistFetcher.cpp index 1a02e85..2649705 100644 --- a/media/libstagefright/httplive/PlaylistFetcher.cpp +++ b/media/libstagefright/httplive/PlaylistFetcher.cpp @@ -1220,6 +1220,18 @@ status_t PlaylistFetcher::extractAndQueueAccessUnits( | (adtsHeader[4] << 3) | (adtsHeader[5] >> 5); + if (aac_frame_length == 0) { + const uint8_t *id3Header = adtsHeader; + if (!memcmp(id3Header, "ID3", 3)) { + ID3 id3(id3Header, buffer->size() - offset, true); + if (id3.isValid()) { + offset += id3.rawSize(); + continue; + }; + } + return ERROR_MALFORMED; + } + CHECK_LE(offset + aac_frame_length, buffer->size()); sp<ABuffer> unit = new ABuffer(aac_frame_length); |