From b5203aba00dc60bee526d78e5851f0a34c4b5bd7 Mon Sep 17 00:00:00 2001
From: Marco Nelissen <marcone@google.com>
Date: Mon, 19 Sep 2016 16:22:56 -0700
Subject: Limit mp4 atom size to something reasonable

Bug: 28615448
Change-Id: I5916f6839b4a9bbee4388a106e7373bcd4154f5a
(cherry picked from commit cb898dca47ac03738db91ddc371207435d2a1526)
---
 media/libstagefright/MPEG4Extractor.cpp | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 4c10cc9..9e7f298 100755
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -50,6 +50,12 @@
 
 namespace android {
 
+enum {
+    // maximum size of an atom. Some atoms can be bigger according to the spec,
+    // but we only allow up to this size.
+    kMaxAtomSize = 64 * 1024 * 1024,
+};
+
 class MPEG4Source : public MediaSource {
 public:
     // Caller retains ownership of both "dataSource" and "sampleTable".
@@ -836,6 +842,13 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
     PathAdder autoAdder(&mPath, chunk_type);
 
     off64_t chunk_data_size = *offset + chunk_size - data_offset;
+    if (chunk_type != FOURCC('m', 'd', 'a', 't') && chunk_data_size > kMaxAtomSize) {
+        char errMsg[100];
+        sprintf(errMsg, "%s atom has size %" PRId64, chunk, chunk_data_size);
+        ALOGE("%s (b/28615448)", errMsg);
+        android_errorWriteWithInfoLog(0x534e4554, "28615448", -1, errMsg, strlen(errMsg));
+        return ERROR_MALFORMED;
+    }
 
     if (chunk_type != FOURCC('c', 'p', 'r', 't')
             && chunk_type != FOURCC('c', 'o', 'v', 'r')
-- 
cgit v1.1