diff options
| author | Robert Shih <robertshih@google.com> | 2015-07-16 15:04:12 -0700 |
|---|---|---|
| committer | Robert Shih <robertshih@google.com> | 2015-07-20 14:41:40 -0700 |
| commit | 2dcf6138ebc9c5688aeae151d2fbde55a2826128 (patch) | |
| tree | 4f872a7c6abf08adf805275cfe256c508092f470 /media/libstagefright/matroska | |
| parent | bc24bb8a552097e7975d0c16fad80158b542ba62 (diff) | |
| download | frameworks_av-2dcf6138ebc9c5688aeae151d2fbde55a2826128.zip frameworks_av-2dcf6138ebc9c5688aeae151d2fbde55a2826128.tar.gz frameworks_av-2dcf6138ebc9c5688aeae151d2fbde55a2826128.tar.bz2 | |
MatroskaExtractor: detect infinite loop when parsing NALs
Bug: 21335999
Change-Id: I76bd34610e52048ffcf16e41aa6175afc8a14ee4
Diffstat (limited to 'media/libstagefright/matroska')
| -rw-r--r-- | media/libstagefright/matroska/MatroskaExtractor.cpp | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/media/libstagefright/matroska/MatroskaExtractor.cpp b/media/libstagefright/matroska/MatroskaExtractor.cpp index 70d2c69..e8bd432 100644 --- a/media/libstagefright/matroska/MatroskaExtractor.cpp +++ b/media/libstagefright/matroska/MatroskaExtractor.cpp @@ -21,6 +21,7 @@ #include "MatroskaExtractor.h" #include <media/stagefright/foundation/ADebug.h> +#include <media/stagefright/foundation/AUtils.h> #include <media/stagefright/foundation/hexdump.h> #include <media/stagefright/DataSource.h> #include <media/stagefright/MediaBuffer.h> @@ -620,7 +621,12 @@ status_t MatroskaSource::read( TRESPASS(); } - if (srcOffset + mNALSizeLen + NALsize > srcSize) { + if (srcOffset + mNALSizeLen + NALsize <= srcOffset + mNALSizeLen) { + frame->release(); + frame = NULL; + + return ERROR_MALFORMED; + } else if (srcOffset + mNALSizeLen + NALsize > srcSize) { break; } |