summaryrefslogtreecommitdiffstats
path: root/media/libstagefright/MPEG4Extractor.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'media/libstagefright/MPEG4Extractor.cpp')
-rw-r--r--media/libstagefright/MPEG4Extractor.cpp17
1 files changed, 15 insertions, 2 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 9e7f1c7..07a5a82 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -984,7 +984,14 @@ status_t MPEG4Source::read(
(const uint8_t *)mBuffer->data() + mBuffer->range_offset();
size_t nal_size = parseNALSize(src);
- CHECK(mBuffer->range_length() >= mNALLengthSize + nal_size);
+ if (mBuffer->range_length() < mNALLengthSize + nal_size) {
+ LOGE("incomplete NAL unit.");
+
+ mBuffer->release();
+ mBuffer = NULL;
+
+ return ERROR_MALFORMED;
+ }
MediaBuffer *clone = mBuffer->clone();
clone->set_range(mBuffer->range_offset() + mNALLengthSize, nal_size);
@@ -1023,7 +1030,13 @@ status_t MPEG4Source::read(
CHECK(srcOffset + mNALLengthSize <= size);
size_t nalLength = parseNALSize(&mSrcBuffer[srcOffset]);
srcOffset += mNALLengthSize;
- CHECK(srcOffset + nalLength <= size);
+
+ if (srcOffset + nalLength > size) {
+ mBuffer->release();
+ mBuffer = NULL;
+
+ return ERROR_MALFORMED;
+ }
if (nalLength == 0) {
continue;
generated by cgit v1.1 at 2024-06-14 03:10:05 +0000