summaryrefslogtreecommitdiffstats
path: root/media/libstagefright
diff options
context:
space:
mode:
authorMarco Nelissen <marcone@google.com>2016-09-19 16:22:56 -0700
committergitbuildkicker <android-build@google.com>2016-09-27 15:56:41 -0700
commitb5203aba00dc60bee526d78e5851f0a34c4b5bd7 (patch)
tree8387f4ea1df212358086f0915c02822689ac6674 /media/libstagefright
parent2af81c25f462ba958507bfe6ba43200e3c2e2a0e (diff)
downloadframeworks_av-b5203aba00dc60bee526d78e5851f0a34c4b5bd7.zip
frameworks_av-b5203aba00dc60bee526d78e5851f0a34c4b5bd7.tar.gz
frameworks_av-b5203aba00dc60bee526d78e5851f0a34c4b5bd7.tar.bz2
Limit mp4 atom size to something reasonable
Bug: 28615448 Change-Id: I5916f6839b4a9bbee4388a106e7373bcd4154f5a (cherry picked from commit cb898dca47ac03738db91ddc371207435d2a1526)
Diffstat (limited to 'media/libstagefright')
-rwxr-xr-xmedia/libstagefright/MPEG4Extractor.cpp13
1 files changed, 13 insertions, 0 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 4c10cc9..9e7f298 100755
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -50,6 +50,12 @@
namespace android {
+enum {
+ // maximum size of an atom. Some atoms can be bigger according to the spec,
+ // but we only allow up to this size.
+ kMaxAtomSize = 64 * 1024 * 1024,
+};
+
class MPEG4Source : public MediaSource {
public:
// Caller retains ownership of both "dataSource" and "sampleTable".
@@ -836,6 +842,13 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
PathAdder autoAdder(&mPath, chunk_type);
off64_t chunk_data_size = *offset + chunk_size - data_offset;
+ if (chunk_type != FOURCC('m', 'd', 'a', 't') && chunk_data_size > kMaxAtomSize) {
+ char errMsg[100];
+ sprintf(errMsg, "%s atom has size %" PRId64, chunk, chunk_data_size);
+ ALOGE("%s (b/28615448)", errMsg);
+ android_errorWriteWithInfoLog(0x534e4554, "28615448", -1, errMsg, strlen(errMsg));
+ return ERROR_MALFORMED;
+ }
if (chunk_type != FOURCC('c', 'p', 'r', 't')
&& chunk_type != FOURCC('c', 'o', 'v', 'r')