Merge remote-tracking branch 'remotes/android-6.0.1_r52' into HEAD

Ticket: CYNGNOS-3020 Change-Id: I7e8d69c5f7041b66893ea643c4bc19c3b7bcdda5
author: Jessica Wagantall <jwagantall@cyngn.com> 2016-07-07 12:07:33 -0700
committer: Jessica Wagantall <jwagantall@cyngn.com> 2016-07-07 14:15:22 -0700
commit: 1e7c9d2c408b17fa14f897cfe8d1ae06fe944637 (patch)
tree: 2e132ad77cb30013947b94eeb8d4835bbd01f664 /media/libstagefright
parent: fbef511c958b5f1b3e015d032dcac4ed7cc84876 (diff)
parent: d112f7d0c1dbaf0368365885becb11ca8d3f13a4 (diff)
download: frameworks_av-1e7c9d2c408b17fa14f897cfe8d1ae06fe944637.zip
frameworks_av-1e7c9d2c408b17fa14f897cfe8d1ae06fe944637.tar.gz
frameworks_av-1e7c9d2c408b17fa14f897cfe8d1ae06fe944637.tar.bz2
5 files changed, 70 insertions, 5 deletions
diff --git a/media/libstagefright/DRMExtractor.cpp b/media/libstagefright/DRMExtractor.cpp
index 9cb6e86..e2bc89c 100644
--- a/media/libstagefright/DRMExtractor.cpp
+++ b/media/libstagefright/DRMExtractor.cpp
@@ -200,7 +200,17 @@ status_t DRMSource::read(MediaBuffer **buffer, const ReadOptions *options) {
                 continue;
             }
 
-            CHECK(dstOffset + 4 <= (*buffer)->size());
+            if (dstOffset > SIZE_MAX - 4 ||
+                dstOffset + 4 > SIZE_MAX - nalLength ||
+                dstOffset + 4 + nalLength > (*buffer)->size()) {
+                (*buffer)->release();
+                (*buffer) = NULL;
+                if (decryptedDrmBuffer.data) {
+                    delete [] decryptedDrmBuffer.data;
+                    decryptedDrmBuffer.data = NULL;
+                }
+                return ERROR_MALFORMED;
+            }
 
             dstData[dstOffset++] = 0;
             dstData[dstOffset++] = 0;
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index f606366..89b561e 100755
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -544,7 +544,10 @@ status_t MPEG4Extractor::readMetaData() {
     }
     if (psshsize > 0 && psshsize <= UINT32_MAX) {
         char *buf = (char*)malloc(psshsize);
-        CHECK(buf != NULL);
+        if (!buf) {
+            ALOGE("b/28471206");
+            return NO_MEMORY;
+        }
         char *ptr = buf;
         for (size_t i = 0; i < mPssh.size(); i++) {
             memcpy(ptr, mPssh[i].uuid, 20); // uuid + length
@@ -939,6 +942,11 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
             }
 
             if (isTrack) {
+                int32_t trackId;
+                // There must be exact one track header per track.
+                if (!mLastTrack->meta->findInt32(kKeyTrackID, &trackId)) {
+                    mLastTrack->skipTrack = true;
+                }
                 if (mLastTrack->skipTrack) {
                     Track *cur = mFirstTrack;
 
@@ -1730,6 +1738,11 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
 
             sp<ABuffer> buffer = new ABuffer(chunk_data_size);
 
+            if (buffer->data() == NULL) {
+                ALOGE("b/28471206");
+                return NO_MEMORY;
+            }
+
             if (mDataSource->readAt(
                         data_offset, buffer->data(), chunk_data_size) < chunk_data_size) {
                 return ERROR_IO;
@@ -1747,6 +1760,11 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
         {
             sp<ABuffer> buffer = new ABuffer(chunk_data_size);
 
+            if (buffer->data() == NULL) {
+                ALOGE("b/28471206");
+                return NO_MEMORY;
+            }
+
             if (mDataSource->readAt(
                         data_offset, buffer->data(), chunk_data_size) < chunk_data_size) {
                 return ERROR_IO;
@@ -2082,6 +2100,10 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
                     return ERROR_MALFORMED;
                 }
                 sp<ABuffer> buffer = new ABuffer(chunk_data_size + 1);
+                if (buffer->data() == NULL) {
+                    ALOGE("b/28471206");
+                    return NO_MEMORY;
+                }
                 if (mDataSource->readAt(
                     data_offset, buffer->data(), chunk_data_size) != (ssize_t)chunk_data_size) {
                     return ERROR_IO;
@@ -2882,6 +2904,9 @@ sp<MediaSource> MPEG4Extractor::getTrack(size_t index) {
                 break;
             }
         }
+    } else {
+        ALOGE("b/21657957");
+        return NULL;
     }
 
     ALOGV("getTrack called, pssh: %zu", mPssh.size());
diff --git a/media/libstagefright/SampleIterator.cpp b/media/libstagefright/SampleIterator.cpp
index 6042a9a..0efa270 100644
--- a/media/libstagefright/SampleIterator.cpp
+++ b/media/libstagefright/SampleIterator.cpp
@@ -95,6 +95,11 @@ status_t SampleIterator::seekTo(uint32_t sampleIndex) {
 
     CHECK(sampleIndex < mStopChunkSampleIndex);
 
+    if (mSamplesPerChunk == 0) {
+        ALOGE("b/22802344");
+        return ERROR_MALFORMED;
+    }
+
     uint32_t chunk =
         (sampleIndex - mFirstChunkSampleIndex) / mSamplesPerChunk
         + mFirstChunk;
diff --git a/media/libstagefright/codecs/on2/h264dec/source/h264bsd_storage.c b/media/libstagefright/codecs/on2/h264dec/source/h264bsd_storage.c
index 3234754..ff7a42a 100644
--- a/media/libstagefright/codecs/on2/h264dec/source/h264bsd_storage.c
+++ b/media/libstagefright/codecs/on2/h264dec/source/h264bsd_storage.c
@@ -58,6 +58,10 @@
     3. Module defines
 ------------------------------------------------------------------------------*/
 
+#ifndef UINT32_MAX
+#define UINT32_MAX       (4294967295U)
+#endif
+
 /*------------------------------------------------------------------------------
     4. Local function prototypes
 ------------------------------------------------------------------------------*/
@@ -326,9 +330,23 @@ u32 h264bsdActivateParamSets(storage_t *pStorage, u32 ppsId, u32 isIdr)
         pStorage->activePps = pStorage->pps[ppsId];
         pStorage->activeSpsId = pStorage->activePps->seqParameterSetId;
         pStorage->activeSps = pStorage->sps[pStorage->activeSpsId];
-        pStorage->picSizeInMbs =
-            pStorage->activeSps->picWidthInMbs *
-            pStorage->activeSps->picHeightInMbs;
+
+        /* report error before multiplication to prevent integer overflow */
+        if (pStorage->activeSps->picWidthInMbs == 0)
+        {
+            pStorage->picSizeInMbs = 0;
+        }
+        else if (pStorage->activeSps->picHeightInMbs >
+                 UINT32_MAX / pStorage->activeSps->picWidthInMbs)
+        {
+            return(MEMORY_ALLOCATION_ERROR);
+        }
+        else
+        {
+            pStorage->picSizeInMbs =
+                pStorage->activeSps->picWidthInMbs *
+                pStorage->activeSps->picHeightInMbs;
+        }
 
         pStorage->currImage->width = pStorage->activeSps->picWidthInMbs;
         pStorage->currImage->height = pStorage->activeSps->picHeightInMbs;
diff --git a/media/libstagefright/mpeg2ts/ATSParser.cpp b/media/libstagefright/mpeg2ts/ATSParser.cpp
index f9a9c4c..3ad3118 100644
--- a/media/libstagefright/mpeg2ts/ATSParser.cpp
+++ b/media/libstagefright/mpeg2ts/ATSParser.cpp
@@ -1713,6 +1713,13 @@ bool ATSParser::PSISection::isCRCOkay() const {
     unsigned sectionLength = U16_AT(data + 1) & 0xfff;
     ALOGV("sectionLength %u, skip %u", sectionLength, mSkipBytes);
 
+
+    if(sectionLength < mSkipBytes) {
+        ALOGE("b/28333006");
+        android_errorWriteLog(0x534e4554, "28333006");
+        return false;
+    }
+
     // Skip the preceding field present when payload start indicator is on.
     sectionLength -= mSkipBytes;
author	Jessica Wagantall <jwagantall@cyngn.com>	2016-07-07 12:07:33 -0700
committer	Jessica Wagantall <jwagantall@cyngn.com>	2016-07-07 14:15:22 -0700
commit	1e7c9d2c408b17fa14f897cfe8d1ae06fe944637 (patch)
tree	2e132ad77cb30013947b94eeb8d4835bbd01f664 /media/libstagefright
parent	fbef511c958b5f1b3e015d032dcac4ed7cc84876 (diff)
parent	d112f7d0c1dbaf0368365885becb11ca8d3f13a4 (diff)
download	frameworks_av-1e7c9d2c408b17fa14f897cfe8d1ae06fe944637.zip frameworks_av-1e7c9d2c408b17fa14f897cfe8d1ae06fe944637.tar.gz frameworks_av-1e7c9d2c408b17fa14f897cfe8d1ae06fe944637.tar.bz2