author | Ray Essick <essick@google.com> | 2019-04-23 12:51:51 -0700 |
---|---|---|
committer | Ray Essick <essick@google.com> | 2020-02-13 21:49:02 +0000 |
commit | 0f9b8b3328ebd4986b2b7907d256ef973fcf7d34 (patch) | |
tree | 25e8f60c5d27b65d0321d415ec8416d044736f5c | |
parent | 58cc8f2c0254f03d66a28ae1cf0809c171d4ac7d (diff) | |
Really fix excessive 'trun' box parsing
marks video tracks with excessive trun boxes filled with defaults as invalid.
handles overflow in the constructed vector of samples.
Bug: 124389881
Test: poc
Change-Id: If89c912d73340e41fd8ea81d74595a56987c961d
(cherry picked from commit 6707df1fea60bd7147262f7d7b2f1cece1687004)
-rwxr-xr-x | media/extractors/mp4/MPEG4Extractor.cpp | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/media/extractors/mp4/MPEG4Extractor.cpp b/media/extractors/mp4/MPEG4Extractor.cpp
index 9d5890c42c..14fe0dc444 100755
--- a/media/extractors/mp4/MPEG4Extractor.cpp
+++ b/media/extractors/mp4/MPEG4Extractor.cpp
@@ -5440,16 +5440,12 @@ status_t MPEG4Source::parseTrackFragmentRun(off64_t offset, off64_t size) {
 // apply some sanity (vs strict legality) checks
 //
- // clamp the count of entries in the trun box, to avoid spending forever parsing
- // this box. Clamping (vs error) lets us play *something*.
- // 1 million is about 400 msecs on a Pixel3, should be no more than a couple seconds
- // on the slowest devices.
- static constexpr uint32_t kMaxTrunSampleCount = 1000000;
+ static constexpr uint32_t kMaxTrunSampleCount = 10000;
 if (sampleCount > kMaxTrunSampleCount) {
- ALOGW("b/123389881 clamp sampleCount(%u) @ kMaxTrunSampleCount(%u)",
+ ALOGW("b/123389881 sampleCount(%u) > kMaxTrunSampleCount(%u)",
 sampleCount, kMaxTrunSampleCount);
 android_errorWriteLog(0x534e4554, "124389881 count");
-
+ return -EINVAL;
 }
 }
@@ -5493,7 +5489,12 @@ status_t MPEG4Source::parseTrackFragmentRun(off64_t offset, off64_t size) {
 tmp.duration = sampleDuration;
 tmp.compositionOffset = sampleCtsOffset;
 memset(tmp.iv, 0, sizeof(tmp.iv));
- mCurrentSamples.add(tmp);
+ if (mCurrentSamples.add(tmp) < 0) {
+ ALOGW("b/123389881 failed saving sample(n=%zu)", mCurrentSamples.size());
+ android_errorWriteLog(0x534e4554, "124389881 allocation");
+ mCurrentSamples.clear();
+ return NO_MEMORY;
+ }
 dataOffset += sampleSize;
 } |
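Review bot: The ALOGW text in this hunk is tagged `b/123389881`, while the commit's Bug line and the `android_errorWriteLog` call two lines below use 124389881, so a logcat search for the bug id will miss this warning; the ALOGW added in the second hunk has the same mismatch. Suggest `ALOGW("b/124389881 sampleCount(%u) > kMaxTrunSampleCount(%u)",` and the matching edit to the "failed saving sample" message. The commit also deletes the comment that explained the limit without replacing it; a line such as `// reject (rather than clamp) a trun box that claims more samples than this; treated as malformed input` above `kMaxTrunSampleCount` would record that exceeding the limit is now an error. The block that encloses this check opens outside the hunk, so the conditions under which it runs are not visible here.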
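Review bot: With this change a failed `add()` is the only visible bound on the total size of `mCurrentSamples`, since the count check in the first hunk limits a single trun box and this vector looks like it accumulates across calls (it is a member, and the warning prints its running size). A fragment made of many runs that each stay under the per-box limit would presumably keep growing it until allocation fails, which is a slow and device-dependent way to reject bad input. Consider an explicit cumulative cap ahead of the add, for example `if (mCurrentSamples.size() >= kMaxFragmentSamples) { mCurrentSamples.clear(); return -EINVAL; }`, where `kMaxFragmentSamples` is a suggested new constant, not an existing name. Where the vector is reset between fragments is outside the hunk, so this should be confirmed against the rest of the function; the loop containing these lines also starts outside the hunk.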