diff options
| author | Nick Kralevich <nnk@google.com> | 2015-08-20 18:18:58 +0000 |
|---|---|---|
| committer | Android Git Automerger <android-git-automerger@android.com> | 2015-08-20 18:18:58 +0000 |
| commit | b8a84e59ed3724a2e220dbda49dc5478334e9bad (patch) | |
| tree | 24d57259fbbf96ba8aae0ca3efe8b7c23f7331e8 /media | |
| parent | bd96da22ca079e68c8efe3b6dcec56a0fe9a7cf7 (diff) | |
| parent | ef87594bd821520cdc46e30036c16ee2eb5becb3 (diff) | |
| download | frameworks_av-b8a84e59ed3724a2e220dbda49dc5478334e9bad.zip frameworks_av-b8a84e59ed3724a2e220dbda49dc5478334e9bad.tar.gz frameworks_av-b8a84e59ed3724a2e220dbda49dc5478334e9bad.tar.bz2 | |
am ef87594b: Merge "libstagefright: Fix crash in convertMetaDataToMessage" into lmp-dev
* commit 'ef87594bd821520cdc46e30036c16ee2eb5becb3':
libstagefright: Fix crash in convertMetaDataToMessage
Diffstat (limited to 'media')
| -rw-r--r-- | media/libstagefright/Utils.cpp | 88 |
1 files changed, 66 insertions, 22 deletions
diff --git a/media/libstagefright/Utils.cpp b/media/libstagefright/Utils.cpp index 25afc5b..d86be6e 100644 --- a/media/libstagefright/Utils.cpp +++ b/media/libstagefright/Utils.cpp @@ -70,6 +70,23 @@ uint64_t hton64(uint64_t x) { return ((uint64_t)htonl(x & 0xffffffff) << 32) | htonl(x >> 32); } +static status_t copyNALUToABuffer(sp<ABuffer> *buffer, const uint8_t *ptr, size_t length) { + if (((*buffer)->size() + 4 + length) > ((*buffer)->capacity() - (*buffer)->offset())) { + sp<ABuffer> tmpBuffer = new (std::nothrow) ABuffer((*buffer)->size() + 4 + length + 1024); + if (tmpBuffer.get() == NULL || tmpBuffer->base() == NULL) { + return NO_MEMORY; + } + memcpy(tmpBuffer->data(), (*buffer)->data(), (*buffer)->size()); + tmpBuffer->setRange(0, (*buffer)->size()); + (*buffer) = tmpBuffer; + } + + memcpy((*buffer)->data() + (*buffer)->size(), "\x00\x00\x00\x01", 4); + memcpy((*buffer)->data() + (*buffer)->size() + 4, ptr, length); + (*buffer)->setRange((*buffer)->offset(), (*buffer)->size() + 4 + length); + return OK; +} + status_t convertMetaDataToMessage( const sp<MetaData> &meta, sp<AMessage> *format) { format->clear(); @@ -199,7 +216,10 @@ status_t convertMetaDataToMessage( ptr += 6; size -= 6; - sp<ABuffer> buffer = new ABuffer(1024); + sp<ABuffer> buffer = new (std::nothrow) ABuffer(1024); + if (buffer.get() == NULL || buffer->base() == NULL) { + return NO_MEMORY; + } buffer->setRange(0, 0); for (size_t i = 0; i < numSeqParameterSets; ++i) { @@ -209,11 +229,13 @@ status_t convertMetaDataToMessage( ptr += 2; size -= 2; - CHECK(size >= length); - - memcpy(buffer->data() + buffer->size(), "\x00\x00\x00\x01", 4); - memcpy(buffer->data() + buffer->size() + 4, ptr, length); - buffer->setRange(0, buffer->size() + 4 + length); + if (size < length) { + return BAD_VALUE; + } + status_t err = copyNALUToABuffer(&buffer, ptr, length); + if (err != OK) { + return err; + } ptr += length; size -= length; @@ -224,7 +246,10 @@ status_t convertMetaDataToMessage( msg->setBuffer("csd-0", buffer); - buffer = new ABuffer(1024); + buffer = new (std::nothrow) ABuffer(1024); + if (buffer.get() == NULL || buffer->base() == NULL) { + return NO_MEMORY; + } buffer->setRange(0, 0); CHECK(size >= 1); @@ -239,11 +264,13 @@ status_t convertMetaDataToMessage( ptr += 2; size -= 2; - CHECK(size >= length); - - memcpy(buffer->data() + buffer->size(), "\x00\x00\x00\x01", 4); - memcpy(buffer->data() + buffer->size() + 4, ptr, length); - buffer->setRange(0, buffer->size() + 4 + length); + if (size < length) { + return BAD_VALUE; + } + status_t err = copyNALUToABuffer(&buffer, ptr, length); + if (err != OK) { + return err; + } ptr += length; size -= length; @@ -268,7 +295,10 @@ status_t convertMetaDataToMessage( size -= 1; size_t j = 0, i = 0; - sp<ABuffer> buffer = new ABuffer(1024); + sp<ABuffer> buffer = new (std::nothrow) ABuffer(1024); + if (buffer.get() == NULL || buffer->base() == NULL) { + return NO_MEMORY; + } buffer->setRange(0, 0); for (i = 0; i < numofArrays; i++) { @@ -288,11 +318,13 @@ status_t convertMetaDataToMessage( ptr += 2; size -= 2; - CHECK(size >= length); - - memcpy(buffer->data() + buffer->size(), "\x00\x00\x00\x01", 4); - memcpy(buffer->data() + buffer->size() + 4, ptr, length); - buffer->setRange(0, buffer->size() + 4 + length); + if (size < length) { + return BAD_VALUE; + } + status_t err = copyNALUToABuffer(&buffer, ptr, length); + if (err != OK) { + return err; + } ptr += length; size -= length; @@ -311,7 +343,10 @@ status_t convertMetaDataToMessage( esds.getCodecSpecificInfo( &codec_specific_data, &codec_specific_data_size); - sp<ABuffer> buffer = new ABuffer(codec_specific_data_size); + sp<ABuffer> buffer = new (std::nothrow) ABuffer(codec_specific_data_size); + if (buffer.get() == NULL || buffer->base() == NULL) { + return NO_MEMORY; + } memcpy(buffer->data(), codec_specific_data, codec_specific_data_size); @@ -320,7 +355,10 @@ status_t convertMetaDataToMessage( buffer->meta()->setInt64("timeUs", 0); msg->setBuffer("csd-0", buffer); } else if (meta->findData(kKeyVorbisInfo, &type, &data, &size)) { - sp<ABuffer> buffer = new ABuffer(size); + sp<ABuffer> buffer = new (std::nothrow) ABuffer(size); + if (buffer.get() == NULL || buffer->base() == NULL) { + return NO_MEMORY; + } memcpy(buffer->data(), data, size); buffer->meta()->setInt32("csd", true); @@ -331,14 +369,20 @@ status_t convertMetaDataToMessage( return -EINVAL; } - buffer = new ABuffer(size); + buffer = new (std::nothrow) ABuffer(size); + if (buffer.get() == NULL || buffer->base() == NULL) { + return NO_MEMORY; + } memcpy(buffer->data(), data, size); buffer->meta()->setInt32("csd", true); buffer->meta()->setInt64("timeUs", 0); msg->setBuffer("csd-1", buffer); } else if (meta->findData(kKeyOpusHeader, &type, &data, &size)) { - sp<ABuffer> buffer = new ABuffer(size); + sp<ABuffer> buffer = new (std::nothrow) ABuffer(size); + if (buffer.get() == NULL || buffer->base() == NULL) { + return NO_MEMORY; + } memcpy(buffer->data(), data, size); buffer->meta()->setInt32("csd", true); |