summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--include/media/stagefright/MetaData.h2
-rwxr-xr-xmedia/libstagefright/MPEG4Extractor.cpp34
-rw-r--r--media/libstagefright/MetaData.cpp32
-rw-r--r--media/libstagefright/OggExtractor.cpp13
-rw-r--r--media/libstagefright/id3/ID3.cpp6
-rw-r--r--services/audiopolicy/managerdefault/AudioPolicyManager.cpp8
6 files changed, 68 insertions, 27 deletions
diff --git a/include/media/stagefright/MetaData.h b/include/media/stagefright/MetaData.h
index 726b197..8d4e15a 100644
--- a/include/media/stagefright/MetaData.h
+++ b/include/media/stagefright/MetaData.h
@@ -268,7 +268,7 @@ private:
return mSize <= sizeof(u.reservoir);
}
- void allocateStorage(size_t size);
+ void *allocateStorage(size_t size);
void freeStorage();
void *storage() {
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 4293abb..53d1a62 100755
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -525,11 +525,11 @@ status_t MPEG4Extractor::readMetaData() {
CHECK_NE(err, (status_t)NO_INIT);
// copy pssh data into file metadata
- int psshsize = 0;
+ uint64_t psshsize = 0;
for (size_t i = 0; i < mPssh.size(); i++) {
psshsize += 20 + mPssh[i].datalen;
}
- if (psshsize) {
+ if (psshsize > 0 && psshsize <= UINT32_MAX) {
char *buf = (char*)malloc(psshsize);
char *ptr = buf;
for (size_t i = 0; i < mPssh.size(); i++) {
@@ -1138,7 +1138,7 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
}
pssh.datalen = ntohl(psshdatalen);
ALOGV("pssh data size: %d", pssh.datalen);
- if (pssh.datalen + 20 > chunk_size) {
+ if (chunk_size < 20 || pssh.datalen > chunk_size - 20) {
// pssh data length exceeds size of containing box
return ERROR_MALFORMED;
}
@@ -2447,7 +2447,7 @@ status_t MPEG4Extractor::parseTrackHeader(
}
status_t MPEG4Extractor::parseITunesMetaData(off64_t offset, size_t size) {
- if (size < 4) {
+ if (size < 4 || size == SIZE_MAX) {
return ERROR_MALFORMED;
}
@@ -3017,12 +3017,11 @@ status_t MPEG4Extractor::updateAudioTrackInfoFromESDS_MPEG4Audio(
int32_t sampleRate = 0;
int32_t numChannels = 0;
if (freqIndex == 15) {
- if (csd_size < 5) {
- return ERROR_MALFORMED;
- }
+ if (br.numBitsLeft() < 28) return ERROR_MALFORMED;
sampleRate = br.getBits(24);
numChannels = br.getBits(4);
} else {
+ if (br.numBitsLeft() < 4) return ERROR_MALFORMED;
numChannels = br.getBits(4);
if (freqIndex == 13 || freqIndex == 14) {
@@ -3033,12 +3032,14 @@ status_t MPEG4Extractor::updateAudioTrackInfoFromESDS_MPEG4Audio(
}
if (objectType == AOT_SBR || objectType == AOT_PS) {//SBR specific config per 14496-3 table 1.13
+ if (br.numBitsLeft() < 4) return ERROR_MALFORMED;
uint32_t extFreqIndex = br.getBits(4);
int32_t extSampleRate __unused;
if (extFreqIndex == 15) {
if (csd_size < 8) {
return ERROR_MALFORMED;
}
+ if (br.numBitsLeft() < 24) return ERROR_MALFORMED;
extSampleRate = br.getBits(24);
} else {
if (extFreqIndex == 13 || extFreqIndex == 14) {
@@ -3075,20 +3076,24 @@ status_t MPEG4Extractor::updateAudioTrackInfoFromESDS_MPEG4Audio(
{
if (objectType == AOT_SBR || objectType == AOT_PS) {
+ if (br.numBitsLeft() < 5) return ERROR_MALFORMED;
objectType = br.getBits(5);
if (objectType == AOT_ESCAPE) {
+ if (br.numBitsLeft() < 6) return ERROR_MALFORMED;
objectType = 32 + br.getBits(6);
}
}
if (objectType == AOT_AAC_LC || objectType == AOT_ER_AAC_LC ||
objectType == AOT_ER_AAC_LD || objectType == AOT_ER_AAC_SCAL ||
objectType == AOT_ER_BSAC) {
+ if (br.numBitsLeft() < 2) return ERROR_MALFORMED;
const int32_t frameLengthFlag __unused = br.getBits(1);
const int32_t dependsOnCoreCoder = br.getBits(1);
if (dependsOnCoreCoder ) {
+ if (br.numBitsLeft() < 14) return ERROR_MALFORMED;
const int32_t coreCoderDelay __unused = br.getBits(14);
}
@@ -3108,7 +3113,7 @@ status_t MPEG4Extractor::updateAudioTrackInfoFromESDS_MPEG4Audio(
extensionFlag = 1;
break;
default:
- TRESPASS();
+ return ERROR_MALFORMED;
break;
}
ALOGW("csd missing extension flag; assuming %d for object type %u.",
@@ -3118,6 +3123,9 @@ status_t MPEG4Extractor::updateAudioTrackInfoFromESDS_MPEG4Audio(
if (numChannels == 0) {
int32_t channelsEffectiveNum = 0;
int32_t channelsNum = 0;
+ if (br.numBitsLeft() < 32) {
+ return ERROR_MALFORMED;
+ }
const int32_t ElementInstanceTag __unused = br.getBits(4);
const int32_t Profile __unused = br.getBits(2);
const int32_t SamplingFrequencyIndex __unused = br.getBits(4);
@@ -3129,35 +3137,44 @@ status_t MPEG4Extractor::updateAudioTrackInfoFromESDS_MPEG4Audio(
const int32_t NumValidCcElements __unused = br.getBits(4);
const int32_t MonoMixdownPresent = br.getBits(1);
+
if (MonoMixdownPresent != 0) {
+ if (br.numBitsLeft() < 4) return ERROR_MALFORMED;
const int32_t MonoMixdownElementNumber __unused = br.getBits(4);
}
+ if (br.numBitsLeft() < 1) return ERROR_MALFORMED;
const int32_t StereoMixdownPresent = br.getBits(1);
if (StereoMixdownPresent != 0) {
+ if (br.numBitsLeft() < 4) return ERROR_MALFORMED;
const int32_t StereoMixdownElementNumber __unused = br.getBits(4);
}
+ if (br.numBitsLeft() < 1) return ERROR_MALFORMED;
const int32_t MatrixMixdownIndexPresent = br.getBits(1);
if (MatrixMixdownIndexPresent != 0) {
+ if (br.numBitsLeft() < 3) return ERROR_MALFORMED;
const int32_t MatrixMixdownIndex __unused = br.getBits(2);
const int32_t PseudoSurroundEnable __unused = br.getBits(1);
}
int i;
for (i=0; i < NumFrontChannelElements; i++) {
+ if (br.numBitsLeft() < 5) return ERROR_MALFORMED;
const int32_t FrontElementIsCpe = br.getBits(1);
const int32_t FrontElementTagSelect __unused = br.getBits(4);
channelsNum += FrontElementIsCpe ? 2 : 1;
}
for (i=0; i < NumSideChannelElements; i++) {
+ if (br.numBitsLeft() < 5) return ERROR_MALFORMED;
const int32_t SideElementIsCpe = br.getBits(1);
const int32_t SideElementTagSelect __unused = br.getBits(4);
channelsNum += SideElementIsCpe ? 2 : 1;
}
for (i=0; i < NumBackChannelElements; i++) {
+ if (br.numBitsLeft() < 5) return ERROR_MALFORMED;
const int32_t BackElementIsCpe = br.getBits(1);
const int32_t BackElementTagSelect __unused = br.getBits(4);
channelsNum += BackElementIsCpe ? 2 : 1;
@@ -3165,6 +3182,7 @@ status_t MPEG4Extractor::updateAudioTrackInfoFromESDS_MPEG4Audio(
channelsEffectiveNum = channelsNum;
for (i=0; i < NumLfeChannelElements; i++) {
+ if (br.numBitsLeft() < 4) return ERROR_MALFORMED;
const int32_t LfeElementTagSelect __unused = br.getBits(4);
channelsNum += 1;
}
diff --git a/media/libstagefright/MetaData.cpp b/media/libstagefright/MetaData.cpp
index 7d867b7..1a11c1e 100644
--- a/media/libstagefright/MetaData.cpp
+++ b/media/libstagefright/MetaData.cpp
@@ -244,8 +244,11 @@ MetaData::typed_data::~typed_data() {
MetaData::typed_data::typed_data(const typed_data &from)
: mType(from.mType),
mSize(0) {
- allocateStorage(from.mSize);
- memcpy(storage(), from.storage(), mSize);
+
+ void *dst = allocateStorage(from.mSize);
+ if (dst) {
+ memcpy(dst, from.storage(), mSize);
+ }
}
MetaData::typed_data &MetaData::typed_data::operator=(
@@ -253,8 +256,10 @@ MetaData::typed_data &MetaData::typed_data::operator=(
if (this != &from) {
clear();
mType = from.mType;
- allocateStorage(from.mSize);
- memcpy(storage(), from.storage(), mSize);
+ void *dst = allocateStorage(from.mSize);
+ if (dst) {
+ memcpy(dst, from.storage(), mSize);
+ }
}
return *this;
@@ -271,13 +276,11 @@ void MetaData::typed_data::setData(
clear();
mType = type;
- allocateStorage(size);
- void *dst = storage();
- if (!dst) {
- ALOGE("Couldn't allocate %zu bytes for item", size);
- return;
+
+ void *dst = allocateStorage(size);
+ if (dst) {
+ memcpy(dst, data, size);
}
- memcpy(dst, data, size);
}
void MetaData::typed_data::getData(
@@ -287,14 +290,19 @@ void MetaData::typed_data::getData(
*data = storage();
}
-void MetaData::typed_data::allocateStorage(size_t size) {
+void *MetaData::typed_data::allocateStorage(size_t size) {
mSize = size;
if (usesReservoir()) {
- return;
+ return &u.reservoir;
}
u.ext_data = malloc(mSize);
+ if (u.ext_data == NULL) {
+ ALOGE("Couldn't allocate %zu bytes for item", size);
+ mSize = 0;
+ }
+ return u.ext_data;
}
void MetaData::typed_data::freeStorage() {
diff --git a/media/libstagefright/OggExtractor.cpp b/media/libstagefright/OggExtractor.cpp
index 1c663a3..6fba8e1 100644
--- a/media/libstagefright/OggExtractor.cpp
+++ b/media/libstagefright/OggExtractor.cpp
@@ -1299,11 +1299,12 @@ static void extractAlbumArt(
}
typeLen = U32_AT(&flac[4]);
- if (typeLen + 1 > sizeof(type)) {
+ if (typeLen > sizeof(type) - 1) {
goto exit;
}
- if (flacSize < 8 + typeLen) {
+ // we've already checked above that flacSize >= 8
+ if (flacSize - 8 < typeLen) {
goto exit;
}
@@ -1319,13 +1320,17 @@ static void extractAlbumArt(
descLen = U32_AT(&flac[8 + typeLen]);
- if (flacSize < 32 + typeLen + descLen) {
+ if (flacSize < 32 ||
+ flacSize - 32 < typeLen ||
+ flacSize - 32 - typeLen < descLen) {
goto exit;
}
dataLen = U32_AT(&flac[8 + typeLen + 4 + descLen + 16]);
- if (flacSize < 32 + typeLen + descLen + dataLen) {
+
+ // we've already checked above that (flacSize - 32 - typeLen - descLen) >= 0
+ if (flacSize - 32 - typeLen - descLen < dataLen) {
goto exit;
}
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index d9491d6..38ba844 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -811,6 +811,12 @@ ID3::getAlbumArt(size_t *length, String8 *mime) const {
size_t descLen = StringSize(&data[2 + mimeLen], encoding);
+ if (size < 2 ||
+ size - 2 < mimeLen ||
+ size - 2 - mimeLen < descLen) {
+ ALOGW("bogus album art sizes");
+ return NULL;
+ }
*length = size - 2 - mimeLen - descLen;
return &data[2 + mimeLen + descLen];
diff --git a/services/audiopolicy/managerdefault/AudioPolicyManager.cpp b/services/audiopolicy/managerdefault/AudioPolicyManager.cpp
index 7530dcc..fc27789 100644
--- a/services/audiopolicy/managerdefault/AudioPolicyManager.cpp
+++ b/services/audiopolicy/managerdefault/AudioPolicyManager.cpp
@@ -2854,8 +2854,12 @@ AudioPolicyManager::AudioPolicyManager(AudioPolicyClientInterface *clientInterfa
ssize_t index =
mAvailableInputDevices.indexOf(inProfile->mSupportedDevices[k]);
// give a valid ID to an attached device once confirmed it is reachable
- if (index >= 0 && !mAvailableInputDevices[index]->isAttached()) {
- mAvailableInputDevices[index]->attach(mHwModules[i]);
+ if (index >= 0) {
+ sp<DeviceDescriptor> devDesc = mAvailableInputDevices[index];
+ if (!devDesc->isAttached()) {
+ devDesc->attach(mHwModules[i]);
+ devDesc->importAudioPort(inProfile);
+ }
}
}
mpClientInterface->closeInput(input);
generated by cgit v1.1 at 2025-11-04 10:26:13 +0000