From b90b748d7484f1d464cd9e15289d77b83beed10e Mon Sep 17 00:00:00 2001
From: Roger1 Jonsson <roger1.jonsson@sonyericsson.com>
Date: Tue, 21 Dec 2010 09:57:41 +0100
Subject: Fix bad checks that causes crash when streaming H.263 content.

Remove checks that causes crash for rtsp streamed h.263 content
with certain values in the RTP payload header:
Remove zero check for the five reserved bits in the payload header.
According to RFC 4629 these bits MUST be ignored by receivers.
Remove zero-check for the VRC (Video Redundancy Coding) bit,
skip packet instead.
Remove zero-check for the PLEN bits (extra picture header),
skip packet instead.
Remove zero-check for the PEBIT bits (extra picture header),
skip packet instead.
Remove corresponding zero check for the four resreved bits in the
AMR payload header. According to RFC 4867 these bits MUST be
ignored by receivers.

Change-Id: I7fc21d69a19d23da24f9267623c338d415ef1387
---
 media/libstagefright/rtsp/AH263Assembler.cpp | 30 ++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

(limited to 'media/libstagefright/rtsp/AH263Assembler.cpp')

diff --git a/media/libstagefright/rtsp/AH263Assembler.cpp b/media/libstagefright/rtsp/AH263Assembler.cpp
index d0313cc..75cd911 100644
--- a/media/libstagefright/rtsp/AH263Assembler.cpp
+++ b/media/libstagefright/rtsp/AH263Assembler.cpp
@@ -13,6 +13,9 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+//#define LOG_NDEBUG 0
+#define LOG_TAG "AH263Assembler"
+#include <utils/Log.h>
 
 #include "AH263Assembler.h"
 
@@ -100,11 +103,34 @@ ARTPAssembler::AssemblyStatus AH263Assembler::addPacket(
     }
 
     unsigned payloadHeader = U16_AT(buffer->data());
-    CHECK_EQ(payloadHeader >> 11, 0u);  // RR=0
     unsigned P = (payloadHeader >> 10) & 1;
     unsigned V = (payloadHeader >> 9) & 1;
     unsigned PLEN = (payloadHeader >> 3) & 0x3f;
-    // unsigned PEBIT = payloadHeader & 7;
+    unsigned PEBIT = payloadHeader & 7;
+
+    // V=0
+    if (V != 0u) {
+        queue->erase(queue->begin());
+        ++mNextExpectedSeqNo;
+        ALOGW("Packet discarded due to VRC (V != 0)");
+        return MALFORMED_PACKET;
+    }
+
+    // PLEN=0
+    if (PLEN != 0u) {
+        queue->erase(queue->begin());
+        ++mNextExpectedSeqNo;
+        ALOGW("Packet discarded (PLEN != 0)");
+        return MALFORMED_PACKET;
+    }
+
+    // PEBIT=0
+    if (PEBIT != 0u) {
+        queue->erase(queue->begin());
+        ++mNextExpectedSeqNo;
+        ALOGW("Packet discarded (PEBIT != 0)");
+        return MALFORMED_PACKET;
+    }
 
     size_t skip = V + PLEN + (P ? 0 : 2);
 
-- 
cgit v1.1