DO NOT MERGE stagefright: fix possible stack overflow in AVCC reassemble

Additionally, remove use of variable length array which is non-standard in C++. Bug: 29161888 Change-Id: Ifdc3e7435f2225214c053b13f3bfe71c7d0ff506
author: Wonsik Kim <wonsik@google.com> 2016-06-17 01:24:30 +0900
committer: gitbuildkicker <android-build@google.com> 2016-07-21 17:29:22 -0700
commit: 49a847e0f6558849adef32d64d2a1093fc527c96 (patch)
tree: f47c87839ec9c617760d79bee82b0b9e3067f236 /media/libstagefright
parent: 9871fae25b351268e359682e6c149acbf47620c1 (diff)
download: frameworks_av-49a847e0f6558849adef32d64d2a1093fc527c96.zip
frameworks_av-49a847e0f6558849adef32d64d2a1093fc527c96.tar.gz
frameworks_av-49a847e0f6558849adef32d64d2a1093fc527c96.tar.bz2
1 files changed, 19 insertions, 9 deletions
diff --git a/media/libstagefright/Utils.cpp b/media/libstagefright/Utils.cpp
index 17f0201..0d9dc3a 100644
--- a/media/libstagefright/Utils.cpp
+++ b/media/libstagefright/Utils.cpp
@@ -671,20 +671,30 @@ void convertMessageToMetaData(const sp<AMessage> &msg, sp<MetaData> &meta) {
     // reassemble the csd data into its original form
     sp<ABuffer> csd0;
     if (msg->findBuffer("csd-0", &csd0)) {
+        int csd0size = csd0->size();
         if (mime == MEDIA_MIMETYPE_VIDEO_AVC) {
             sp<ABuffer> csd1;
             if (msg->findBuffer("csd-1", &csd1)) {
-                char avcc[1024]; // that oughta be enough, right?
-                size_t outsize = reassembleAVCC(csd0, csd1, avcc);
-                meta->setData(kKeyAVCC, kKeyAVCC, avcc, outsize);
+                Vector<char> avcc;
+                int avccSize = csd0size + csd1->size() + 1024;
+                if (avcc.resize(avccSize) < 0) {
+                    ALOGE("error allocating avcc (size %d); abort setting avcc.", avccSize);
+                } else {
+                    size_t outsize = reassembleAVCC(csd0, csd1, avcc.editArray());
+                    meta->setData(kKeyAVCC, kKeyAVCC, avcc.array(), outsize);
+                }
             }
         } else if (mime == MEDIA_MIMETYPE_AUDIO_AAC || mime == MEDIA_MIMETYPE_VIDEO_MPEG4) {
-            int csd0size = csd0->size();
-            char esds[csd0size + 31];
-            // The written ESDS is actually for an audio stream, but it's enough
-            // for transporting the CSD to muxers.
-            reassembleESDS(csd0, esds);
-            meta->setData(kKeyESDS, kKeyESDS, esds, sizeof(esds));
+            Vector<char> esds;
+            int esdsSize = csd0size + 31;
+            if (esds.resize(esdsSize) < 0) {
+                ALOGE("error allocating esds (size %d); abort setting esds.", esdsSize);
+            } else {
+                // The written ESDS is actually for an audio stream, but it's enough
+                // for transporting the CSD to muxers.
+                reassembleESDS(csd0, esds.editArray());
+                meta->setData(kKeyESDS, kKeyESDS, esds.array(), esds.size());
+            }
         }
     }
author	Wonsik Kim <wonsik@google.com>	2016-06-17 01:24:30 +0900
committer	gitbuildkicker <android-build@google.com>	2016-07-21 17:29:22 -0700
commit	49a847e0f6558849adef32d64d2a1093fc527c96 (patch)
tree	f47c87839ec9c617760d79bee82b0b9e3067f236 /media/libstagefright
parent	9871fae25b351268e359682e6c149acbf47620c1 (diff)
download	frameworks_av-49a847e0f6558849adef32d64d2a1093fc527c96.zip frameworks_av-49a847e0f6558849adef32d64d2a1093fc527c96.tar.gz frameworks_av-49a847e0f6558849adef32d64d2a1093fc527c96.tar.bz2