From 37c5d30af6797192de58586ab4ef64b2fcdc7ae9 Mon Sep 17 00:00:00 2001
From: Chad Brubaker <cbrubaker@google.com>
Date: Fri, 31 Jul 2015 16:03:44 -0700
Subject: Fix harmless unsigned overflow in recoverPTS

Change-Id: I89e3a827cf566421e8dd9b6a3c842e73a19c140f
---
 media/libstagefright/mpeg2ts/ATSParser.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'media/libstagefright/mpeg2ts/ATSParser.cpp')

diff --git a/media/libstagefright/mpeg2ts/ATSParser.cpp b/media/libstagefright/mpeg2ts/ATSParser.cpp
index e3c3e80..f9a9c4c 100644
--- a/media/libstagefright/mpeg2ts/ATSParser.cpp
+++ b/media/libstagefright/mpeg2ts/ATSParser.cpp
@@ -509,7 +509,7 @@ int64_t ATSParser::Program::recoverPTS(uint64_t PTS_33bit) {
         mLastRecoveredPTS = static_cast<int64_t>(PTS_33bit);
     } else {
         mLastRecoveredPTS = static_cast<int64_t>(
-                ((mLastRecoveredPTS - PTS_33bit + 0x100000000ll)
+                ((mLastRecoveredPTS - static_cast<int64_t>(PTS_33bit) + 0x100000000ll)
                 & 0xfffffffe00000000ull) | PTS_33bit);
         // We start from 0, but recovered PTS could be slightly below 0.
         // Clamp it to 0 as rest of the pipeline doesn't take negative pts.
-- 
cgit v1.1


From 4f236c532039a61f0cf681d2e3c6e022911bbb5c Mon Sep 17 00:00:00 2001
From: Marco Nelissen <marcone@google.com>
Date: Thu, 28 Apr 2016 13:32:41 -0700
Subject: Check section size when verifying CRC

Bug: 28333006
Change-Id: Ief7a2da848face78f0edde21e2f2009316076679
---
 media/libstagefright/mpeg2ts/ATSParser.cpp | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'media/libstagefright/mpeg2ts/ATSParser.cpp')

diff --git a/media/libstagefright/mpeg2ts/ATSParser.cpp b/media/libstagefright/mpeg2ts/ATSParser.cpp
index e3c3e80..2f2b115 100644
--- a/media/libstagefright/mpeg2ts/ATSParser.cpp
+++ b/media/libstagefright/mpeg2ts/ATSParser.cpp
@@ -1713,6 +1713,13 @@ bool ATSParser::PSISection::isCRCOkay() const {
     unsigned sectionLength = U16_AT(data + 1) & 0xfff;
     ALOGV("sectionLength %u, skip %u", sectionLength, mSkipBytes);
 
+
+    if(sectionLength < mSkipBytes) {
+        ALOGE("b/28333006");
+        android_errorWriteLog(0x534e4554, "28333006");
+        return false;
+    }
+
     // Skip the preceding field present when payload start indicator is on.
     sectionLength -= mSkipBytes;
 
-- 
cgit v1.1