author | Marco Nelissen <marcone@google.com> | 2017-07-18 14:57:11 -0700 |
---|---|---|
committer | MSe <mse1969@posteo.de> | 2017-10-04 23:29:56 +0200 |
commit | 00ab118533fb67fcfe5544fd198309f414083a0c (patch) | |
tree | d06b5070cfb1ebbc76ad289f06b54b78ad9f05f7 | |
parent | 30e7e1d9046bcd84897c4874d7d4d925f6caa0ff (diff) | |
Skip track if verification fails
Bug: 62187433
Test: ran poc, CTS
Change-Id: Ib9b0b6de88d046d8149e9ea5073d6c40ffec7b0c
(cherry picked from commit ef8c7830d838d877e6b37b75b47294b064c79397)
CVE-2017-0820
-rwxr-xr-x | media/libstagefright/MPEG4Extractor.cpp | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 5e5c88a0c1..9e37ed32c0 100755
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -901,6 +901,12 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
  ALOGE("moov: depth %d", depth);
  return ERROR_MALFORMED;
  }
+
+ if (chunk_type == FOURCC('m', 'o', 'o', 'v') && mInitCheck == OK) {
+ ALOGE("duplicate moov");
+ return ERROR_MALFORMED;
+ }
+
  if (chunk_type == FOURCC('m', 'o', 'o', 'f') && !mMoofFound) {
  // store the offset of the first segment
  mMoofFound = true;
@@ -974,6 +980,12 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
  if (!mLastTrack->meta->findInt32(kKeyTrackID, &trackId)) {
  mLastTrack->skipTrack = true;
  }
+
+ status_t err = verifyTrack(mLastTrack);
+ if (err != OK) {
+ mLastTrack->skipTrack = true;
+ }
+
  if (mLastTrack->skipTrack) {
  Track *cur = mFirstTrack;
@@ -991,12 +1003,6 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
  return OK;
  }
-
- status_t err = verifyTrack(mLastTrack);
-
- if (err != OK) {
- return err;
- }
  } else if (chunk_type == FOURCC('m', 'o', 'o', 'v')) {
  mInitCheck = OK; |
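Review bot: The duplicate-moov guard added in the first hunk treats `mInitCheck == OK` as meaning "a moov box has already been parsed", but nothing at the check says so. The only visible assignment is `mInitCheck = OK;` in the moov branch shown at the end of the third hunk, roughly a hundred lines further down. A short comment on the guard would stop a later change to how mInitCheck is set from silently disabling it, for example `// mInitCheck is set to OK after a moov has been parsed; reject any further moov`. parseChunk starts and ends outside the hunk, so whether mInitCheck can become OK by another path cannot be confirmed from here.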
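Review bot: The block added in the second hunk discards `err` once it has set `skipTrack`, so a track that fails verifyTrack() is now dropped without any log line, whereas the removed code returned the status to the caller. Logging inside the `if (err != OK)` body keeps malformed or crafted files visible during triage: `ALOGW("skipping track: verification failed (%d)", err);`. verifyTrack() also now runs on tracks the trackId check just above has already marked to skip. Guarding with `if (!mLastTrack->skipTrack && verifyTrack(mLastTrack) != OK)` would avoid that, assuming verifyTrack has no side effect the skip path relies on; its body is not shown here. The third hunk only deletes the old call site.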