diff options
author | android-build-team Robot <android-build-team-robot@google.com> | 2020-03-28 23:08:33 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2020-03-28 23:08:33 +0000 |
commit | aee4f4436f499b702d3e4dd8778dc1cf6ed6d222 (patch) | |
tree | 02744cf9a39da43a398d55cbd127a2e8cbf5bb71 | |
parent | 3843395ab14c843ee8173beb0346e783c2d96d0a (diff) | |
parent | 01e349c1e70e48d9d4c88ad51b0732d674eb89ba (diff) | |
download | frameworks_av-aee4f4436f499b702d3e4dd8778dc1cf6ed6d222.tar.gz frameworks_av-aee4f4436f499b702d3e4dd8778dc1cf6ed6d222.tar.bz2 frameworks_av-aee4f4436f499b702d3e4dd8778dc1cf6ed6d222.zip |
Snap for 6344022 from 01e349c1e70e48d9d4c88ad51b0732d674eb89ba to qt-qpr3-release
Change-Id: Ib10b77b00dabf97477b78ceecc4ab5d9abe81b30
-rw-r--r-- | media/libstagefright/rtsp/AMPEG4ElementaryAssembler.cpp | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/media/libstagefright/rtsp/AMPEG4ElementaryAssembler.cpp b/media/libstagefright/rtsp/AMPEG4ElementaryAssembler.cpp index 1e434cbcea..9df3508d85 100644 --- a/media/libstagefright/rtsp/AMPEG4ElementaryAssembler.cpp +++ b/media/libstagefright/rtsp/AMPEG4ElementaryAssembler.cpp @@ -338,6 +338,12 @@ ARTPAssembler::AssemblyStatus AMPEG4ElementaryAssembler::addPacket( ABitReader bits(buffer->data() + offset, buffer->size() - offset); unsigned auxSize = bits.getBits(mAuxiliaryDataSizeLength); + if (buffer->size() < auxSize) { + ALOGE("b/123940919 auxSize %u", auxSize); + android_errorWriteLog(0x534e4554, "123940919"); + queue->erase(queue->begin()); + return MALFORMED_PACKET; + } offset += (mAuxiliaryDataSizeLength + auxSize + 7) / 8; } @@ -346,6 +352,12 @@ ARTPAssembler::AssemblyStatus AMPEG4ElementaryAssembler::addPacket( it != headers.end(); ++it) { const AUHeader &header = *it; + if (buffer->size() < header.mSize) { + ALOGE("b/123940919 AU_size %u", header.mSize); + android_errorWriteLog(0x534e4554, "123940919"); + queue->erase(queue->begin()); + return MALFORMED_PACKET; + } if (buffer->size() < offset + header.mSize) { return MALFORMED_PACKET; } |