Merge "Extra sanity checks on sample size and resolution" into mnc-dev

author: Marco Nelissen <marcone@google.com> 2015-08-05 20:44:26 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> 2015-08-05 20:44:26 +0000
commit: d24b430c3fc82e9288e9072971c9a185a18abd89 (patch)
tree: b9a8dfb087cfcdc6150f978693b4669572c2874e /media
parent: af7d737090a5c1d499b7dcbf54b795ad2f979ec2 (diff)
parent: beef7e58c1f1837bdaed6ac37414d8c48a133813 (diff)
download: frameworks_av-d24b430c3fc82e9288e9072971c9a185a18abd89.zip
frameworks_av-d24b430c3fc82e9288e9072971c9a185a18abd89.tar.gz
frameworks_av-d24b430c3fc82e9288e9072971c9a185a18abd89.tar.bz2
1 files changed, 15 insertions, 3 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 0b07717..4293abb 100755
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -1487,15 +1487,27 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
                 // each chunk originally prefixed with a 2 byte length will
                 // have a 4 byte header (0x00 0x00 0x00 0x01) after conversion,
                 // and thus will grow by 2 bytes per chunk.
+                if (max_size > SIZE_MAX - 10 * 2) {
+                    ALOGE("max sample size too big: %zu", max_size);
+                    return ERROR_MALFORMED;
+                }
                 mLastTrack->meta->setInt32(kKeyMaxInputSize, max_size + 10 * 2);
             } else {
                 // No size was specified. Pick a conservatively large size.
-                int32_t width, height;
-                if (!mLastTrack->meta->findInt32(kKeyWidth, &width) ||
-                    !mLastTrack->meta->findInt32(kKeyHeight, &height)) {
+                uint32_t width, height;
+                if (!mLastTrack->meta->findInt32(kKeyWidth, (int32_t*)&width) ||
+                    !mLastTrack->meta->findInt32(kKeyHeight,(int32_t*) &height)) {
                     ALOGE("No width or height, assuming worst case 1080p");
                     width = 1920;
                     height = 1080;
+                } else {
+                    // A resolution was specified, check that it's not too big. The values below
+                    // were chosen so that the calculations below don't cause overflows, they're
+                    // not indicating that resolutions up to 32kx32k are actually supported.
+                    if (width > 32768 || height > 32768) {
+                        ALOGE("can't support %u x %u video", width, height);
+                        return ERROR_MALFORMED;
+                    }
                 }
 
                 const char *mime;
author	Marco Nelissen <marcone@google.com>	2015-08-05 20:44:26 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	2015-08-05 20:44:26 +0000
commit	d24b430c3fc82e9288e9072971c9a185a18abd89 (patch)
tree	b9a8dfb087cfcdc6150f978693b4669572c2874e /media
parent	af7d737090a5c1d499b7dcbf54b795ad2f979ec2 (diff)
parent	beef7e58c1f1837bdaed6ac37414d8c48a133813 (diff)
download	frameworks_av-d24b430c3fc82e9288e9072971c9a185a18abd89.zip frameworks_av-d24b430c3fc82e9288e9072971c9a185a18abd89.tar.gz frameworks_av-d24b430c3fc82e9288e9072971c9a185a18abd89.tar.bz2