From 49a847e0f6558849adef32d64d2a1093fc527c96 Mon Sep 17 00:00:00 2001
From: Wonsik Kim <wonsik@google.com>
Date: Fri, 17 Jun 2016 01:24:30 +0900
Subject: DO NOT MERGE stagefright: fix possible stack overflow in AVCC
 reassemble

Additionally, remove use of variable length array which is
non-standard in C++.

Bug: 29161888
Change-Id: Ifdc3e7435f2225214c053b13f3bfe71c7d0ff506
---
 media/libstagefright/Utils.cpp | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)

(limited to 'media/libstagefright')

diff --git a/media/libstagefright/Utils.cpp b/media/libstagefright/Utils.cpp
index 17f0201..0d9dc3a 100644
--- a/media/libstagefright/Utils.cpp
+++ b/media/libstagefright/Utils.cpp
@@ -671,20 +671,30 @@ void convertMessageToMetaData(const sp<AMessage> &msg, sp<MetaData> &meta) {
     // reassemble the csd data into its original form
     sp<ABuffer> csd0;
     if (msg->findBuffer("csd-0", &csd0)) {
+        int csd0size = csd0->size();
         if (mime == MEDIA_MIMETYPE_VIDEO_AVC) {
             sp<ABuffer> csd1;
             if (msg->findBuffer("csd-1", &csd1)) {
-                char avcc[1024]; // that oughta be enough, right?
-                size_t outsize = reassembleAVCC(csd0, csd1, avcc);
-                meta->setData(kKeyAVCC, kKeyAVCC, avcc, outsize);
+                Vector<char> avcc;
+                int avccSize = csd0size + csd1->size() + 1024;
+                if (avcc.resize(avccSize) < 0) {
+                    ALOGE("error allocating avcc (size %d); abort setting avcc.", avccSize);
+                } else {
+                    size_t outsize = reassembleAVCC(csd0, csd1, avcc.editArray());
+                    meta->setData(kKeyAVCC, kKeyAVCC, avcc.array(), outsize);
+                }
             }
         } else if (mime == MEDIA_MIMETYPE_AUDIO_AAC || mime == MEDIA_MIMETYPE_VIDEO_MPEG4) {
-            int csd0size = csd0->size();
-            char esds[csd0size + 31];
-            // The written ESDS is actually for an audio stream, but it's enough
-            // for transporting the CSD to muxers.
-            reassembleESDS(csd0, esds);
-            meta->setData(kKeyESDS, kKeyESDS, esds, sizeof(esds));
+            Vector<char> esds;
+            int esdsSize = csd0size + 31;
+            if (esds.resize(esdsSize) < 0) {
+                ALOGE("error allocating esds (size %d); abort setting esds.", esdsSize);
+            } else {
+                // The written ESDS is actually for an audio stream, but it's enough
+                // for transporting the CSD to muxers.
+                reassembleESDS(csd0, esds.editArray());
+                meta->setData(kKeyESDS, kKeyESDS, esds.array(), esds.size());
+            }
         }
     }
 
-- 
cgit v1.1