diff options
author | Chris Craik <ccraik@google.com> | 2016-11-16 10:33:54 -0800 |
---|---|---|
committer | mh0rst <mhorst@tzi.de> | 2017-01-13 10:07:08 +0100 |
commit | 06ecaa36d050866b2f0f29864b3e69b9970e9980 (patch) | |
tree | aca9d7d0418cb61aa97218f73224c7e03349adcb /framesequence/jni/FrameSequence_webp.cpp | |
parent | 4bfd4bae257bef1693e3585b5e0f3f9d397372aa (diff) | |
download | android_frameworks_ex-06ecaa36d050866b2f0f29864b3e69b9970e9980.tar.gz android_frameworks_ex-06ecaa36d050866b2f0f29864b3e69b9970e9980.tar.bz2 android_frameworks_ex-06ecaa36d050866b2f0f29864b3e69b9970e9980.zip |
resolve merge conflicts of 3802db4 to mnc-dev
bug:32338390
Change-Id: I304c0c8c646808e690918eae7d34f0852e2b0fa8
(cherry picked from commit fffaa9f25edddc6fa10512c1cc19f625c2abee8c)
(cherry picked from commit 7f0e3dab5a892228d8dead7f0221cc9ae82474f7)
Diffstat (limited to 'framesequence/jni/FrameSequence_webp.cpp')
-rw-r--r-- | framesequence/jni/FrameSequence_webp.cpp | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/framesequence/jni/FrameSequence_webp.cpp b/framesequence/jni/FrameSequence_webp.cpp index c33a7e2..034847a 100644 --- a/framesequence/jni/FrameSequence_webp.cpp +++ b/framesequence/jni/FrameSequence_webp.cpp @@ -84,7 +84,10 @@ void FrameSequence_webp::constructDependencyChain() { #endif } -FrameSequence_webp::FrameSequence_webp(Stream* stream) { +FrameSequence_webp::FrameSequence_webp(Stream* stream) + : mDemux(NULL) + , mIsKeyFrame(NULL) + , mRawByteBuffer(NULL) { if (stream->getRawBuffer() != NULL) { mData.size = stream->getRawBufferSize(); mData.bytes = stream->getRawBufferAddr(); @@ -96,7 +99,12 @@ FrameSequence_webp::FrameSequence_webp(Stream* stream) { ALOGE("WebP header load failed"); return; } - mData.size = CHUNK_HEADER_SIZE + GetLE32(riff_header + TAG_SIZE); + uint32_t readSize = GetLE32(riff_header + TAG_SIZE); + if (readSize > MAX_CHUNK_PAYLOAD) { + ALOGE("WebP got header size too large"); + return; + } + mData.size = CHUNK_HEADER_SIZE + readSize; mData.bytes = new uint8_t[mData.size]; memcpy((void*)mData.bytes, riff_header, RIFF_HEADER_SIZE); |