diff options
| author | Joshua J. Drake <android-open-source@qoop.org> | 2015-04-08 22:21:53 -0500 |
|---|---|---|
| committer | Nick Kralevich <nnk@google.com> | 2015-04-09 17:34:16 -0700 |
| commit | 274f64c7d6367f13c7852256b10339a3b75529f2 (patch) | |
| tree | c5f043db0331030ca906218addd11e29dda679d2 /media | |
| parent | f35ff157134456d30f4cd32b463e32bbbf796cc9 (diff) | |
| download | frameworks_av-274f64c7d6367f13c7852256b10339a3b75529f2.zip frameworks_av-274f64c7d6367f13c7852256b10339a3b75529f2.tar.gz frameworks_av-274f64c7d6367f13c7852256b10339a3b75529f2.tar.bz2 | |
Fix null-pointer-dereferences accessing the SampleTable
While processing various sample table related FourCC values, methods are called
on a NULL mLastTrack or sampleTable object. This leads to undefined behavior
which typically results in a crash (denial of service condition).
Bug: 20139950
Change-Id: Ie2dd8222e702d8bf95faf7d2bd44e6303cd21f68
Diffstat (limited to 'media')
| -rw-r--r-- | media/libstagefright/MPEG4Extractor.cpp | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp index 27e50d1..6019a85 100644 --- a/media/libstagefright/MPEG4Extractor.cpp +++ b/media/libstagefright/MPEG4Extractor.cpp @@ -1409,6 +1409,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { case FOURCC('s', 't', 'c', 'o'): case FOURCC('c', 'o', '6', '4'): { + if ((mLastTrack == NULL) || (mLastTrack->sampleTable == NULL)) + return ERROR_MALFORMED; + status_t err = mLastTrack->sampleTable->setChunkOffsetParams( chunk_type, data_offset, chunk_data_size); @@ -1424,6 +1427,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { case FOURCC('s', 't', 's', 'c'): { + if ((mLastTrack == NULL) || (mLastTrack->sampleTable == NULL)) + return ERROR_MALFORMED; + status_t err = mLastTrack->sampleTable->setSampleToChunkParams( data_offset, chunk_data_size); @@ -1440,6 +1446,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { case FOURCC('s', 't', 's', 'z'): case FOURCC('s', 't', 'z', '2'): { + if ((mLastTrack == NULL) || (mLastTrack->sampleTable == NULL)) + return ERROR_MALFORMED; + status_t err = mLastTrack->sampleTable->setSampleSizeParams( chunk_type, data_offset, chunk_data_size); @@ -1509,6 +1518,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { case FOURCC('s', 't', 't', 's'): { + if ((mLastTrack == NULL) || (mLastTrack->sampleTable == NULL)) + return ERROR_MALFORMED; + *offset += chunk_size; status_t err = @@ -1524,6 +1536,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { case FOURCC('c', 't', 't', 's'): { + if ((mLastTrack == NULL) || (mLastTrack->sampleTable == NULL)) + return ERROR_MALFORMED; + *offset += chunk_size; status_t err = @@ -1539,6 +1554,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { case FOURCC('s', 't', 's', 's'): { + if ((mLastTrack == NULL) || (mLastTrack->sampleTable == NULL)) + return ERROR_MALFORMED; + *offset += chunk_size; status_t err = |