From 4e5f6633b573b1d076cda7e3390c021ea95aeea3 Mon Sep 17 00:00:00 2001
From: rago
Date: Fri, 7 Oct 2016 18:16:09 -0700
Subject: Fix potential NULL dereference in Visualizer effect
CYNGNOS-3312
Bug: 30229821
Test: fixing CL. Existing unit tests still pass.
Change-Id: I6e4abd759d5d2abc3b391e92e2e18f060cab7af0
(cherry picked from commit 874f9e0b8eb0cbe508d15c8c03796c863851f21f)
(cherry picked from commit 244e7fd2a45b4e7d70d2c2e550181220371b7edf)
---
 media/libeffects/visualizer/EffectVisualizer.cpp | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/media/libeffects/visualizer/EffectVisualizer.cpp b/media/libeffects/visualizer/EffectVisualizer.cpp
index 91f9fc7..21fddb1 100644
--- a/media/libeffects/visualizer/EffectVisualizer.cpp
+++ b/media/libeffects/visualizer/EffectVisualizer.cpp
@@ -602,9 +602,14 @@ int Visualizer_command(effect_handle_t self, uint32_t cmdCode, uint32_t cmdSize,
 case VISUALIZER_CMD_MEASURE: {
 if (pReplyData == NULL || replySize == NULL ||
 *replySize < (sizeof(int32_t) * MEASUREMENT_COUNT)) {
- ALOGV("VISUALIZER_CMD_MEASURE() error *replySize %" PRIu32
- " < (sizeof(int32_t) * MEASUREMENT_COUNT) %" PRIu32, *replySize,
- sizeof(int32_t) * MEASUREMENT_COUNT);
+ if (replySize == NULL) {
+ ALOGV("VISUALIZER_CMD_MEASURE() error replySize NULL");
+ } else {
+ ALOGV("VISUALIZER_CMD_MEASURE() error *replySize %" PRIu32
+ " < (sizeof(int32_t) * MEASUREMENT_COUNT) %" PRIu32,
+ *replySize,
+ uint32_t(sizeof(int32_t)) * MEASUREMENT_COUNT);
+ }
 android_errorWriteLog(0x534e4554, "30229821");
 return -EINVAL;
 }
-- cgit v1.1
From fd66f406edcb6c20558073ee4f5a0aa5f994716e Mon Sep 17 00:00:00 2001
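Review bot: The functional-style cast `uint32_t(sizeof(int32_t)) * MEASUREMENT_COUNT` in the new else branch reads like a constructor call; the greppable form is `static_cast<uint32_t>(sizeof(int32_t) * MEASUREMENT_COUNT)`, which also keeps the whole product in the type the PRIu32 format expects. The safety of the dereference now rests entirely on the short-circuit order of the surrounding condition (`replySize == NULL` is tested before `*replySize`), so a one-line comment above the check, `// replySize may be NULL: it is tested before *replySize is read, keep that order`, would stop a later reorder from reintroducing the bug. The two ALOGV calls could be collapsed into one that logs the byte count only when replySize is non-null, but that is cosmetic. Visualizer_command's body continues outside the hunk.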
From: Marco Nelissen
Date: Thu, 6 Oct 2016 15:31:52 -0700
Subject: DO NOT MERGE Fix divide by zero and be stricter about the layout of various boxes in mp4 files.
CYNGNOS-3312
Bug: 31318219
Change-Id: I50034d5b6b1967ca6e88aabeacf49f26ba3c0d32
(cherry picked from commit 2e211d38a3124849ef46376256d01e69549c422f)
(cherry picked from commit d4eb1e1ca163d6ab0eaf0d80ca138f851f87c3d2)
---
 media/libstagefright/MPEG4Extractor.cpp | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 80ef7b7..92a1fed 100755
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -481,7 +481,8 @@ sp MPEG4Extractor::getTrackMetaData(
 } else {
 uint32_t sampleIndex;
 uint32_t sampleTime;
- if (track->sampleTable->findThumbnailSample(&sampleIndex) == OK
+ if (track->timescale != 0 &&
+ track->sampleTable->findThumbnailSample(&sampleIndex) == OK
 && track->sampleTable->getMetaDataForSample(
 sampleIndex, NULL /* offset */, NULL /* size */,
 &sampleTime) == OK) {
@@ -895,6 +896,10 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
 case FOURCC('s', 'c', 'h', 'i'):
 case FOURCC('e', 'd', 't', 's'):
 {
+ if (chunk_type == FOURCC('m', 'o', 'o', 'v') && depth != 0) {
+ ALOGE("moov: depth %d", depth);
+ return ERROR_MALFORMED;
+ }
 if (chunk_type == FOURCC('m', 'o', 'o', 'f') && !mMoofFound) {
 // store the offset of the first segment
 mMoofFound = true;
@@ -923,6 +928,10 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
 bool isTrack = false;
 if (chunk_type == FOURCC('t', 'r', 'a', 'k')) {
+ if (depth != 1) {
+ ALOGE("trak: depth %d", depth);
+ return ERROR_MALFORMED;
+ }
 isTrack = true;
 Track *track = new Track;
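Review bot: The `track->timescale != 0` guard in getTrackMetaData protects only this one use of the field; the division it guards is outside the hunk, and every other consumer of `track->timescale` stays unprotected. The value is presumably read from the track's 'mdhd' box (parsed elsewhere in this file), and a zero there is a malformed file, so returning ERROR_MALFORMED at parse time would cover all later divisions instead of silently dropping the thumbnail time here. If that parse-time rejection is added, this guard can stay as defence in depth but should say so, `// timescale == 0 is rejected when 'mdhd' is parsed; kept as a defensive check`. getTrackMetaData starts and ends outside the hunk.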
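Review bot: The new depth check in the shared box-type case only constrains 'moov'; 'moof' is handled in the same branch a few lines below and has its offset recorded as the first segment with no depth check, so a 'moof' nested inside another box is still accepted. A matching guard, `if (chunk_type == FOURCC('m', 'o', 'o', 'f') && depth != 0) return ERROR_MALFORMED;`, would keep the two top-level boxes consistent, assuming no legitimate input nests moof — worth confirming against the fragmented-MP4 files in the test corpus. The remaining types in this case list ('stbl', 'minf', 'edts', ...) are still accepted at any depth; the 'trak' and 'mvhd' checks elsewhere in this commit cover only two children of moov. parseChunk's body continues on both sides of the hunk.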
@@ -946,6 +955,10 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
 while (*offset < stop_offset) {
 status_t err = parseChunk(offset, depth + 1);
 if (err != OK) {
+ if (isTrack) {
+ mLastTrack->skipTrack = true;
+ break;
+ }
 return err;
 }
 }
@@ -1291,10 +1304,6 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
 case FOURCC('s', 't', 's', 'd'):
 {
- if (chunk_data_size < 8) {
- return ERROR_MALFORMED;
- }
-
 uint8_t buffer[8];
 if (chunk_data_size < (off64_t)sizeof(buffer)) {
 return ERROR_MALFORMED;
@@ -1892,6 +1901,10 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
 {
 *offset += chunk_size;
+ if (depth != 1) {
+ ALOGE("mvhd: depth %d", depth);
+ return ERROR_MALFORMED;
+ }
 if (chunk_data_size < 32) {
 return ERROR_MALFORMED;
 }
-- cgit v1.1
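Review bot: The new `break` on a failed child parse inside a 'trak' leaves `*offset` wherever the failing child stopped, and what happens next is outside the hunk: if the code after the loop requires `*offset == stop_offset` the skipTrack path is dead (the file is still rejected), and if it does not, parsing resumes from a mid-track offset, which is the desynchronisation this commit is otherwise tightening up. Either set `*offset = stop_offset;` before `break` so the parser resynchronises at the end of the track box, or document the intended outcome above the loop, `// a malformed child invalidates only this track; the rest of the file is still parsed`. `mLastTrack` is assumed to point at the Track created for this 'trak' (assigned outside the hunk); that assignment is the only thing making the dereference safe, so it deserves a mention in the same comment. This hunk makes the parser more tolerant, the opposite of the "be stricter" intent in the title, so the commit message should say why a bad track is skipped rather than rejected.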
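Review bot: The 'mvhd' depth check is the third copy of the same three-line pattern in this commit ('moov', 'trak', 'mvhd'), each with its expected depth hard-coded and unexplained; a comment on the constant, `// mvhd must be a direct child of moov (depth 1)`, or a small helper such as `static bool checkDepth(int depth, int expected, const char *box)` that logs and returns false, would put the intended box nesting in one place. The check runs after `*offset += chunk_size;`, which is harmless because the function returns, but making it the first statement of the case, as the 'moov' check is, keeps the three consistent. parseChunk's body continues outside the hunk.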