From 4d23645c8d3d93c91967a5494473b4a8b5d10d9c Mon Sep 17 00:00:00 2001
From: Wei Jia <wjia@google.com>
Date: Wed, 3 Dec 2014 13:18:23 -0800
Subject: ESQueue: add frame length checking in validation of ADTS header.

This allows an invalid ADTS buffer to be abandoned when frame length in
the header exceeds buffer size.

Bug: 18532335
Change-Id: I8057db525d06ff00ca24afd075a7c6c17b87eaa8
---
 media/libstagefright/mpeg2ts/ESQueue.cpp | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

(limited to 'media/libstagefright')

diff --git a/media/libstagefright/mpeg2ts/ESQueue.cpp b/media/libstagefright/mpeg2ts/ESQueue.cpp
index ef1cd3d..db5d23e 100644
--- a/media/libstagefright/mpeg2ts/ESQueue.cpp
+++ b/media/libstagefright/mpeg2ts/ESQueue.cpp
@@ -173,8 +173,9 @@ static bool IsSeeminglyValidAC3Header(const uint8_t *ptr, size_t size) {
     return parseAC3SyncFrame(ptr, size, NULL) > 0;
 }
 
-static bool IsSeeminglyValidADTSHeader(const uint8_t *ptr, size_t size) {
-    if (size < 3) {
+static bool IsSeeminglyValidADTSHeader(
+        const uint8_t *ptr, size_t size, size_t *frameLength) {
+    if (size < 7) {
         // Not enough data to verify header.
         return false;
     }
@@ -197,6 +198,13 @@ static bool IsSeeminglyValidADTSHeader(const uint8_t *ptr, size_t size) {
         return false;
     }
 
+    size_t frameLengthInHeader =
+            ((ptr[3] & 3) << 11) + (ptr[4] << 3) + ((ptr[5] >> 5) & 7);
+    if (frameLengthInHeader > size) {
+        return false;
+    }
+
+    *frameLength = frameLengthInHeader;
     return true;
 }
 
@@ -318,8 +326,10 @@ status_t ElementaryStreamQueue::appendData(
                 }
 #else
                 ssize_t startOffset = -1;
+                size_t frameLength;
                 for (size_t i = 0; i < size; ++i) {
-                    if (IsSeeminglyValidADTSHeader(&ptr[i], size - i)) {
+                    if (IsSeeminglyValidADTSHeader(
+                            &ptr[i], size - i, &frameLength)) {
                         startOffset = i;
                         break;
                     }
@@ -335,8 +345,13 @@ status_t ElementaryStreamQueue::appendData(
                           startOffset);
                 }
 
+                if (frameLength != size - startOffset) {
+                    ALOGW("got ADTS AAC frame length %zd instead of %zd",
+                          frameLength, size - startOffset);
+                }
+
                 data = &ptr[startOffset];
-                size -= startOffset;
+                size = frameLength;
 #endif
                 break;
             }
-- 
cgit v1.1