From 65e20ffc984c541a8119420f917493dd7b703f77 Mon Sep 17 00:00:00 2001 From: Robert Shih Date: Fri, 7 Feb 2014 12:26:58 -0800 Subject: DO NOT MERGE: PlaylistFetcher: fix infinite loop when parsing ADTS. First check for embedded ID3 tag, then bail out if invalid. Bug: 12934795 Change-Id: I74acebed4bfb2c6ca44dfe936166fdba8510233f --- media/libstagefright/httplive/PlaylistFetcher.cpp | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/httplive/PlaylistFetcher.cpp b/media/libstagefright/httplive/PlaylistFetcher.cpp index ada856d..668cbd4 100644 --- a/media/libstagefright/httplive/PlaylistFetcher.cpp +++ b/media/libstagefright/httplive/PlaylistFetcher.cpp @@ -1321,6 +1321,18 @@ status_t PlaylistFetcher::extractAndQueueAccessUnits( | (adtsHeader[4] << 3) | (adtsHeader[5] >> 5); + if (aac_frame_length == 0) { + const uint8_t *id3Header = adtsHeader; + if (!memcmp(id3Header, "ID3", 3)) { + ID3 id3(id3Header, buffer->size() - offset, true); + if (id3.isValid()) { + offset += id3.rawSize(); + continue; + }; + } + return ERROR_MALFORMED; + } + CHECK_LE(offset + aac_frame_length, buffer->size()); sp unit = new ABuffer(aac_frame_length); -- cgit v1.1