diff options
| author | Wei Jia <wjia@google.com> | 2015-09-04 09:37:50 -0700 |
|---|---|---|
| committer | Wei Jia <wjia@google.com> | 2015-09-04 09:37:50 -0700 |
| commit | e457eb058643d3e2b305a477e5c7d4dbd9e4a165 (patch) | |
| tree | 8a98b35ff2308c83d8ad01abe3d370d4d7c9d14c /media | |
| parent | 4abb48c30cd7821f3397ccd7de8deb3eb645b385 (diff) | |
| parent | 3b8747ca601175da0c94537e49f3097769a09501 (diff) | |
| download | frameworks_av-e457eb058643d3e2b305a477e5c7d4dbd9e4a165.zip frameworks_av-e457eb058643d3e2b305a477e5c7d4dbd9e4a165.tar.gz frameworks_av-e457eb058643d3e2b305a477e5c7d4dbd9e4a165.tar.bz2 | |
resolved conflicts for 3b8747ca to lmp-mr1-ub-dev
Merge commit '3b8747ca601175da0c94537e49f3097769a09501' into HEAD
libstagefright: sanity check size before dereferencing pointer in Utils.cpp
Also remove some CHECK's.
Bug: 23680780
(cherry picked from commit 7bb772e0c643ff3292599cf485b9dbf232bf39a4)
Change-Id: I5b919716178eb3ba844b21e497b792e6ac61554d
Diffstat (limited to 'media')
| -rw-r--r-- | media/libstagefright/Utils.cpp | 36 |
1 files changed, 28 insertions, 8 deletions
diff --git a/media/libstagefright/Utils.cpp b/media/libstagefright/Utils.cpp index 73f23f0..987f12d 100644 --- a/media/libstagefright/Utils.cpp +++ b/media/libstagefright/Utils.cpp @@ -196,8 +196,10 @@ status_t convertMetaDataToMessage( const uint8_t *ptr = (const uint8_t *)data; - CHECK(size >= 7); - CHECK_EQ((unsigned)ptr[0], 1u); // configurationVersion == 1 + if (size < 7 || ptr[0] != 1) { // configurationVersion == 1 + ALOGE("b/23680780"); + return BAD_VALUE; + } uint8_t profile __unused = ptr[1]; uint8_t level __unused = ptr[3]; @@ -223,7 +225,10 @@ status_t convertMetaDataToMessage( buffer->setRange(0, 0); for (size_t i = 0; i < numSeqParameterSets; ++i) { - CHECK(size >= 2); + if (size < 2) { + ALOGE("b/23680780"); + return BAD_VALUE; + } size_t length = U16_AT(ptr); ptr += 2; @@ -252,13 +257,19 @@ status_t convertMetaDataToMessage( } buffer->setRange(0, 0); - CHECK(size >= 1); + if (size < 1) { + ALOGE("b/23680780"); + return BAD_VALUE; + } size_t numPictureParameterSets = *ptr; ++ptr; --size; for (size_t i = 0; i < numPictureParameterSets; ++i) { - CHECK(size >= 2); + if (size < 2) { + ALOGE("b/23680780"); + return BAD_VALUE; + } size_t length = U16_AT(ptr); ptr += 2; @@ -282,8 +293,10 @@ status_t convertMetaDataToMessage( } else if (meta->findData(kKeyHVCC, &type, &data, &size)) { const uint8_t *ptr = (const uint8_t *)data; - CHECK(size >= 7); - CHECK_EQ((unsigned)ptr[0], 1u); // configurationVersion == 1 + if (size < 23 || ptr[0] != 1) { // configurationVersion == 1 + ALOGE("b/23680780"); + return BAD_VALUE; + } uint8_t profile __unused = ptr[1] & 31; uint8_t level __unused = ptr[12]; ptr += 22; @@ -302,6 +315,10 @@ status_t convertMetaDataToMessage( buffer->setRange(0, 0); for (i = 0; i < numofArrays; i++) { + if (size < 3) { + ALOGE("b/23680780"); + return BAD_VALUE; + } ptr += 1; size -= 1; @@ -312,7 +329,10 @@ status_t convertMetaDataToMessage( size -= 2; for (j = 0; j < numofNals; j++) { - CHECK(size >= 2); + if (size < 2) { + ALOGE("b/23680780"); + return BAD_VALUE; + } size_t length = U16_AT(ptr); ptr += 2; |