am 9d916c77: DO NOT MERGE - libstagefright: sanity check size before dereferencing pointer in Utils.cpp

* commit '9d916c771ca32cb2d0df27b85ce3e17bb6b48eaf': DO NOT MERGE - libstagefright: sanity check size before dereferencing pointer in Utils.cpp
author: Wei Jia <wjia@google.com> 2015-09-03 17:14:06 +0000
committer: Android Git Automerger <android-git-automerger@android.com> 2015-09-03 17:14:06 +0000
commit: 03b7f72b98ef0a4fa58a84a27d2f8735342faf58 (patch)
tree: 1d5475ace4b2d3e57e6ae41a52d9560765a3ce81 /media
parent: 436b32d1eb75cf20d09776549bd7f7a11fa569a1 (diff)
parent: 9d916c771ca32cb2d0df27b85ce3e17bb6b48eaf (diff)
download: frameworks_av-03b7f72b98ef0a4fa58a84a27d2f8735342faf58.zip
frameworks_av-03b7f72b98ef0a4fa58a84a27d2f8735342faf58.tar.gz
frameworks_av-03b7f72b98ef0a4fa58a84a27d2f8735342faf58.tar.bz2
1 files changed, 16 insertions, 5 deletions
diff --git a/media/libstagefright/Utils.cpp b/media/libstagefright/Utils.cpp
index 80d8cef..090c891 100644
--- a/media/libstagefright/Utils.cpp
+++ b/media/libstagefright/Utils.cpp
@@ -160,8 +160,10 @@ status_t convertMetaDataToMessage(
 
         const uint8_t *ptr = (const uint8_t *)data;
 
-        CHECK(size >= 7);
-        CHECK_EQ((unsigned)ptr[0], 1u);  // configurationVersion == 1
+        if (size < 7 || ptr[0] != 1) {  // configurationVersion == 1
+            ALOGE("b/23680780");
+            return BAD_VALUE;
+        }
         uint8_t profile = ptr[1];
         uint8_t level = ptr[3];
 
@@ -187,7 +189,10 @@ status_t convertMetaDataToMessage(
         buffer->setRange(0, 0);
 
         for (size_t i = 0; i < numSeqParameterSets; ++i) {
-            CHECK(size >= 2);
+            if (size < 2) {
+                ALOGE("b/23680780");
+                return BAD_VALUE;
+            }
             size_t length = U16_AT(ptr);
 
             ptr += 2;
@@ -216,13 +221,19 @@ status_t convertMetaDataToMessage(
         }
         buffer->setRange(0, 0);
 
-        CHECK(size >= 1);
+        if (size < 1) {
+            ALOGE("b/23680780");
+            return BAD_VALUE;
+        }
         size_t numPictureParameterSets = *ptr;
         ++ptr;
         --size;
 
         for (size_t i = 0; i < numPictureParameterSets; ++i) {
-            CHECK(size >= 2);
+            if (size < 2) {
+                ALOGE("b/23680780");
+                return BAD_VALUE;
+            }
             size_t length = U16_AT(ptr);
 
             ptr += 2;
author	Wei Jia <wjia@google.com>	2015-09-03 17:14:06 +0000
committer	Android Git Automerger <android-git-automerger@android.com>	2015-09-03 17:14:06 +0000
commit	03b7f72b98ef0a4fa58a84a27d2f8735342faf58 (patch)
tree	1d5475ace4b2d3e57e6ae41a52d9560765a3ce81 /media
parent	436b32d1eb75cf20d09776549bd7f7a11fa569a1 (diff)
parent	9d916c771ca32cb2d0df27b85ce3e17bb6b48eaf (diff)
download	frameworks_av-03b7f72b98ef0a4fa58a84a27d2f8735342faf58.zip frameworks_av-03b7f72b98ef0a4fa58a84a27d2f8735342faf58.tar.gz frameworks_av-03b7f72b98ef0a4fa58a84a27d2f8735342faf58.tar.bz2