From 536fd16fa6d56008ba3d6f46275fd52dac25fd8c Mon Sep 17 00:00:00 2001
From: Patrik2 Carlsson
Date: Mon, 25 May 2015 15:12:49 +0200
Subject: Avoid parsing CC SEI payload beyond buffer end

Break CC SEI parsing when payload size exceeds buffer size to avoid a CHECK that have been seen in MTBF statistics.

Change-Id: Ifd97648678a935ac815dd616301d46f9bf583838
---
 media/libmediaplayerservice/nuplayer/NuPlayerCCDecoder.cpp | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'media/libmediaplayerservice')

diff --git a/media/libmediaplayerservice/nuplayer/NuPlayerCCDecoder.cpp b/media/libmediaplayerservice/nuplayer/NuPlayerCCDecoder.cpp
index ac3c6b6..2c07f28 100644
--- a/media/libmediaplayerservice/nuplayer/NuPlayerCCDecoder.cpp
+++ b/media/libmediaplayerservice/nuplayer/NuPlayerCCDecoder.cpp
@@ -235,6 +235,12 @@ bool NuPlayer::CCDecoder::parseSEINalUnit(
 payload_size += last_byte;
 } while (last_byte == 0xFF);
 
+ if (payload_size > SIZE_MAX / 8
+ || !br.atLeastNumBitsLeft(payload_size * 8)) {
+ ALOGV("Malformed SEI payload");
+ break;
+ }
+
 // sei_payload()
 if (payload_type == 4) {
 bool isCC = false;
-- 
cgit v1.1
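Review bot: The new guard only bounds the payload body; the do/while just above it (`payload_size += last_byte;`) and, presumably, the matching payload_type loop before it still pull size bytes from `br` without an `atLeastNumBitsLeft()` check, so a NAL unit truncated inside the size field can still trip the bit reader's own bounds check before this branch is reached — a one-line `if (!br.atLeastNumBitsLeft(8)) break;` in front of each size-byte read would close that path (hedged: the reads themselves are outside the hunk). A smaller point is that `ALOGV` makes a rejected payload invisible in production builds; since the loop exits right after, `ALOGW("Malformed SEI payload")` would surface such inputs without being noisy. `SIZE_MAX` also needs `<stdint.h>`/`<cstdint>`, and the hunk does not show whether the file already includes it. parseSEINalUnit starts and ends outside the hunk.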