From e3e82d54c51a3130badcd9e433fe808d965f15c2 Mon Sep 17 00:00:00 2001 From: "Joshua J. Drake" Date: Wed, 8 Apr 2015 23:13:02 -0500 Subject: Fix multiple division-by-zero conditions in MPEG4 parsing Several situations arise processing MP4 atoms that lead to undefined behavior when dividing by zero. Typically this results in a crash (denial of service condition). NOTE: In most cases we simply avoid the division, leaving kKeyDuration unset. It may be more desirable to bail out, as we do in the parseSegmentIndex case. Bug: 20139950 Change-Id: I62e1b977f0e5ed0094094a55d300bac76b476c7b --- media/libstagefright/MPEG4Extractor.cpp | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'media') diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp index 6019a85..87d14b7 100644 --- a/media/libstagefright/MPEG4Extractor.cpp +++ b/media/libstagefright/MPEG4Extractor.cpp @@ -1203,7 +1203,7 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { duration = ntohl(duration32); } } - if (duration != 0) { + if (duration != 0 && mLastTrack->timescale != 0) { mLastTrack->meta->setInt64( kKeyDuration, (duration * 1000000) / mLastTrack->timescale); } @@ -1817,7 +1817,7 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { } duration = d32; } - if (duration != 0) { + if (duration != 0 && mHeaderTimescale != 0) { mFileMetaData->setInt64(kKeyDuration, duration * 1000000 / mHeaderTimescale); } @@ -1866,7 +1866,7 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { return ERROR_MALFORMED; } - if (duration != 0) { + if (duration != 0 && mHeaderTimescale != 0) { mFileMetaData->setInt64(kKeyDuration, duration * 1000000 / mHeaderTimescale); } @@ -2080,6 +2080,8 @@ status_t MPEG4Extractor::parseSegmentIndex(off64_t offset, size_t size) { return ERROR_MALFORMED; } ALOGV("sidx refid/timescale: %d/%d", referenceId, timeScale); + if (timeScale == 0) + return ERROR_MALFORMED; uint64_t earliestPresentationTime; uint64_t firstOffset; -- cgit v1.1