authorWonsik Kim <wonsik@google.com>2016-06-17 01:24:30 +0900
committergitbuildkicker <android-build@google.com>2016-07-21 17:29:22 -0700
commit49a847e0f6558849adef32d64d2a1093fc527c96 (patch)
treef47c87839ec9c617760d79bee82b0b9e3067f236 /media/libstagefright
parent9871fae25b351268e359682e6c149acbf47620c1 (diff)
DO NOT MERGE stagefright: fix possible stack overflow in AVCC reassemble
Additionally, remove the use of a variable-length array, which is non-standard in C++. Bug: 29161888 Change-Id: Ifdc3e7435f2225214c053b13f3bfe71c7d0ff506
Diffstat (limited to 'media/libstagefright')
-rw-r--r--media/libstagefright/Utils.cpp28
1 files changed, 19 insertions, 9 deletions
diff --git a/media/libstagefright/Utils.cpp b/media/libstagefright/Utils.cpp
index 17f0201..0d9dc3a 100644
--- a/media/libstagefright/Utils.cpp
+++ b/media/libstagefright/Utils.cpp
@@ -671,20 +671,30 @@ void convertMessageToMetaData(const sp<AMessage> &msg, sp<MetaData> &meta) {
// reassemble the csd data into its original form
sp<ABuffer> csd0;
if (msg->findBuffer("csd-0", &csd0)) {
+ int csd0size = csd0->size();
if (mime == MEDIA_MIMETYPE_VIDEO_AVC) {
sp<ABuffer> csd1;
if (msg->findBuffer("csd-1", &csd1)) {
- char avcc[1024]; // that oughta be enough, right?
- size_t outsize = reassembleAVCC(csd0, csd1, avcc);
- meta->setData(kKeyAVCC, kKeyAVCC, avcc, outsize);
+ Vector<char> avcc;
+ int avccSize = csd0size + csd1->size() + 1024;
+ if (avcc.resize(avccSize) < 0) {
+ ALOGE("error allocating avcc (size %d); abort setting avcc.", avccSize);
+ } else {
+ size_t outsize = reassembleAVCC(csd0, csd1, avcc.editArray());
+ meta->setData(kKeyAVCC, kKeyAVCC, avcc.array(), outsize);
+ }
}
} else if (mime == MEDIA_MIMETYPE_AUDIO_AAC || mime == MEDIA_MIMETYPE_VIDEO_MPEG4) {
- int csd0size = csd0->size();
- char esds[csd0size + 31];
- // The written ESDS is actually for an audio stream, but it's enough
- // for transporting the CSD to muxers.
- reassembleESDS(csd0, esds);
- meta->setData(kKeyESDS, kKeyESDS, esds, sizeof(esds));
+ Vector<char> esds;
+ int esdsSize = csd0size + 31;
+ if (esds.resize(esdsSize) < 0) {
+ ALOGE("error allocating esds (size %d); abort setting esds.", esdsSize);
+ } else {
+ // The written ESDS is actually for an audio stream, but it's enough
+ // for transporting the CSD to muxers.
+ reassembleESDS(csd0, esds.editArray());
+ meta->setData(kKeyESDS, kKeyESDS, esds.array(), esds.size());
+ }
}
}
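Review bot: The write bound in the AVC branch is still enforced only by caller-side arithmetic, because `reassembleAVCC` receives `avcc.editArray()` with no capacity while the buffer is sized as `csd0size + csd1->size() + 1024`. Whether that 1024-byte slack covers every csd-0/csd-1 layout depends on the helper's body, which is outside this hunk, so passing the capacity into `reassembleAVCC` (and likewise `reassembleESDS`) would let the writer itself refuse to run past the end. Independently of that, the sizes are narrowed from `size_t` to `int`; keeping them as `size_t` and adding `CHECK_LE(outsize, avcc.size());` before `meta->setData(kKeyAVCC, ...)` would make a miscalculated length abort rather than be published as metadata. Both error branches only log, so a caller cannot tell that the AVCC or ESDS entry was skipped; a short comment stating that this is intentional would help. convertMessageToMetaData begins and ends outside the hunk.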