author | Robert Shih <robertshih@google.com> | 2020-03-21 23:04:56 -0700 |
---|---|---|
committer | Robert Shih <robertshih@google.com> | 2020-03-21 23:12:35 -0700 |
commit | 2ba16f6134bd67e07ea0daa29aac5adb3155872b (patch) | |
tree | 3d271c319481906b679fcb08e18ad536d4dcd2f6 | |
parent | 01102840bc362208e1ec2e8d50e10f460af158f1 (diff) | |
rtsp: fix integer overflow caused by malformed packets
Bug: 123940919
Test: adb shell am start -a android.intent.action.VIEW \
-n com.google.android.apps.photos/.pager.HostPhotoPagerActivity \
-t video/'*' -d rtsp://<rtsp_server2.py.host>/a.mp4
Change-Id: I2ef55d218e91aa4134150895ccf49ff81bee5891
-rw-r--r-- | media/libstagefright/rtsp/AMPEG4ElementaryAssembler.cpp | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/media/libstagefright/rtsp/AMPEG4ElementaryAssembler.cpp b/media/libstagefright/rtsp/AMPEG4ElementaryAssembler.cpp
index 1e434cbcea..9df3508d85 100644
--- a/media/libstagefright/rtsp/AMPEG4ElementaryAssembler.cpp
+++ b/media/libstagefright/rtsp/AMPEG4ElementaryAssembler.cpp
@@ -338,6 +338,12 @@ ARTPAssembler::AssemblyStatus AMPEG4ElementaryAssembler::addPacket(
 ABitReader bits(buffer->data() + offset, buffer->size() - offset);
 unsigned auxSize = bits.getBits(mAuxiliaryDataSizeLength);
+ if (buffer->size() < auxSize) {
+ ALOGE("b/123940919 auxSize %u", auxSize);
+ android_errorWriteLog(0x534e4554, "123940919");
+ queue->erase(queue->begin());
+ return MALFORMED_PACKET;
+ }
 offset += (mAuxiliaryDataSizeLength + auxSize + 7) / 8;
 }
@@ -346,6 +352,12 @@ ARTPAssembler::AssemblyStatus AMPEG4ElementaryAssembler::addPacket(
 it != headers.end(); ++it) {
 const AUHeader &header = *it;
+ if (buffer->size() < header.mSize) {
+ ALOGE("b/123940919 AU_size %u", header.mSize);
+ android_errorWriteLog(0x534e4554, "123940919");
+ queue->erase(queue->begin());
+ return MALFORMED_PACKET;
+ }
 if (buffer->size() < offset + header.mSize) {
 return MALFORMED_PACKET;
 }
 |
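Review bot: The new guard `buffer->size() < auxSize` in the first hunk compares a bit count with what appears to be a byte count, since the very next line adds `auxSize` to `mAuxiliaryDataSizeLength` and divides by 8. As a wrap guard for that addition it works, but it also rejects a packet whose auxiliary section is longer in bits than the packet is in bytes even when it would fit, and it does not by itself keep the updated `offset` inside the buffer. I would state the intent above the check, for example `// auxSize is in bits; loose bound that only keeps the offset arithmetic below from wrapping`. addPacket starts and ends outside this hunk, so whether `offset` is already known to be within `buffer->size()` when the ABitReader is constructed cannot be confirmed from here.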
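Review bot: The two rejections in the second hunk now treat the queue differently: the added `buffer->size() < header.mSize` branch calls `queue->erase(queue->begin())` before returning, while the existing `buffer->size() < offset + header.mSize` branch right below still returns `MALFORMED_PACKET` with the packet left at the head of the queue. If the caller retries after `MALFORMED_PACKET` (not visible here), a packet that passes the first test but fails the second would be handed back again. Folding both into one wrap-free test, `if (offset > buffer->size() || header.mSize > buffer->size() - offset) {`, with the same log-and-erase body would give a single rejection path. The same four-line reject sequence is repeated in the first hunk and could be shared through a small helper. The enclosing loop and function continue outside the hunk.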