ESQueue: add frame length checking in validation of ADTS header.

This allows an invalid ADTS buffer to be abandoned when frame length in the header exceeds buffer size. Bug: 18532335 Change-Id: I8057db525d06ff00ca24afd075a7c6c17b87eaa8
author: Wei Jia <wjia@google.com> 2014-12-03 13:18:23 -0800
committer: Wei Jia <wjia@google.com> 2014-12-03 16:49:03 -0800
commit: 4d23645c8d3d93c91967a5494473b4a8b5d10d9c (patch)
tree: 76578051f547b86611a5fb5cfe5f004247d521dc /media/libstagefright/mpeg2ts
parent: ab05b4ccb8ea59079d7f773aa0e090029c479bad (diff)
download: frameworks_av-4d23645c8d3d93c91967a5494473b4a8b5d10d9c.zip
frameworks_av-4d23645c8d3d93c91967a5494473b4a8b5d10d9c.tar.gz
frameworks_av-4d23645c8d3d93c91967a5494473b4a8b5d10d9c.tar.bz2
1 files changed, 19 insertions, 4 deletions
diff --git a/media/libstagefright/mpeg2ts/ESQueue.cpp b/media/libstagefright/mpeg2ts/ESQueue.cpp
index ef1cd3d..db5d23e 100644
--- a/media/libstagefright/mpeg2ts/ESQueue.cpp
+++ b/media/libstagefright/mpeg2ts/ESQueue.cpp
@@ -173,8 +173,9 @@ static bool IsSeeminglyValidAC3Header(const uint8_t *ptr, size_t size) {
     return parseAC3SyncFrame(ptr, size, NULL) > 0;
 }
 
-static bool IsSeeminglyValidADTSHeader(const uint8_t *ptr, size_t size) {
-    if (size < 3) {
+static bool IsSeeminglyValidADTSHeader(
+        const uint8_t *ptr, size_t size, size_t *frameLength) {
+    if (size < 7) {
         // Not enough data to verify header.
         return false;
     }
@@ -197,6 +198,13 @@ static bool IsSeeminglyValidADTSHeader(const uint8_t *ptr, size_t size) {
         return false;
     }
 
+    size_t frameLengthInHeader =
+            ((ptr[3] & 3) << 11) + (ptr[4] << 3) + ((ptr[5] >> 5) & 7);
+    if (frameLengthInHeader > size) {
+        return false;
+    }
+
+    *frameLength = frameLengthInHeader;
     return true;
 }
 
@@ -318,8 +326,10 @@ status_t ElementaryStreamQueue::appendData(
                 }
 #else
                 ssize_t startOffset = -1;
+                size_t frameLength;
                 for (size_t i = 0; i < size; ++i) {
-                    if (IsSeeminglyValidADTSHeader(&ptr[i], size - i)) {
+                    if (IsSeeminglyValidADTSHeader(
+                            &ptr[i], size - i, &frameLength)) {
                         startOffset = i;
                         break;
                     }
@@ -335,8 +345,13 @@ status_t ElementaryStreamQueue::appendData(
                           startOffset);
                 }
 
+                if (frameLength != size - startOffset) {
+                    ALOGW("got ADTS AAC frame length %zd instead of %zd",
+                          frameLength, size - startOffset);
+                }
+
                 data = &ptr[startOffset];
-                size -= startOffset;
+                size = frameLength;
 #endif
                 break;
             }
author	Wei Jia <wjia@google.com>	2014-12-03 13:18:23 -0800
committer	Wei Jia <wjia@google.com>	2014-12-03 16:49:03 -0800
commit	4d23645c8d3d93c91967a5494473b4a8b5d10d9c (patch)
tree	76578051f547b86611a5fb5cfe5f004247d521dc /media/libstagefright/mpeg2ts
parent	ab05b4ccb8ea59079d7f773aa0e090029c479bad (diff)
download	frameworks_av-4d23645c8d3d93c91967a5494473b4a8b5d10d9c.zip frameworks_av-4d23645c8d3d93c91967a5494473b4a8b5d10d9c.tar.gz frameworks_av-4d23645c8d3d93c91967a5494473b4a8b5d10d9c.tar.bz2