diff options
author | Kevin F. Haggerty <haggertk@lineageos.org> | 2019-10-14 18:02:46 -0600 |
---|---|---|
committer | Kevin F. Haggerty <haggertk@lineageos.org> | 2019-10-14 18:02:46 -0600 |
commit | 51e4f47a63bfb9e7f69f1fe0591af6c118315615 (patch) | |
tree | 2dc3fafa202ac9d5e1e674b85110c5a1e456fdeb | |
parent | c4ff01c23fa4f589ec7ed386dfd9aa7446dce825 (diff) | |
parent | c7bd64265c59baf01548246e069a0d425f172348 (diff) | |
download | frameworks_av-51e4f47a63bfb9e7f69f1fe0591af6c118315615.tar.gz frameworks_av-51e4f47a63bfb9e7f69f1fe0591af6c118315615.tar.bz2 frameworks_av-51e4f47a63bfb9e7f69f1fe0591af6c118315615.zip |
Merge tag 'android-9.0.0_r49' into staging/lineage-16.0_merge-android-9.0.0_r49
Android 9.0.0 Release 49 (5794013)
* tag 'android-9.0.0_r49': (26 commits)
Fix OOB access in mpeg4/h263 decoder
m4v_h263: add a test for invalid/negative value
AMR WB encoder: prevent OOB write in ACELP_4t64_fx
httplive: detect oom if playlist is infinite
Fix overflow/dos in 3gg text description parsing
DO NOT MERGE: audiopolicy: Remove raw pointer references to AudioMix
Zero-initialize HIDL structs before passing
NuPlayerCCDecoder: fix memory OOB
audio: ensure effect chain with specific session id is unique
AudioFlinger: Prevent multiple effect chains with same sessionId
Reserve enough space for RTSP CSD
SoftXaac: Handle error cases when decoder fails to initialize
AudioFlinger: put effect desc lookup under mutex for createEffect
audioserver: Use '_exit' instead of 'exit' in HalDeathHandler
RESTRICT AUTOMERGE: aaudio: improve test_atomic_fifo
RESTRICT AUTOMERGE: aaudio: Fix converting negative FIFO counters to index
MediaExtractor: stop rendering when an error occurs
Fix race condition for cas sessions
NuPlayer2CCDecoder: Add bound check before memcpy
Revert "MediaExtractor: stop rendering when an error occurs"
...
Change-Id: Ib3a889e7ee7177322561655091d913597fb09697
-rw-r--r-- | media/libstagefright/codecs/m4v_h263/dec/src/packet_util.cpp | 6 | ||||
-rw-r--r-- | media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp | 8 |
2 files changed, 13 insertions, 1 deletions
diff --git a/media/libstagefright/codecs/m4v_h263/dec/src/packet_util.cpp b/media/libstagefright/codecs/m4v_h263/dec/src/packet_util.cpp index 48414d7b32..5880e3260d 100644 --- a/media/libstagefright/codecs/m4v_h263/dec/src/packet_util.cpp +++ b/media/libstagefright/codecs/m4v_h263/dec/src/packet_util.cpp @@ -52,7 +52,11 @@ PV_STATUS PV_ReadVideoPacketHeader(VideoDecData *video, int *next_MB) PV_BitstreamByteAlign(stream); BitstreamReadBits32(stream, resync_marker_length); - *next_MB = (int) BitstreamReadBits16(stream, nbits); + int mbnum = (int) BitstreamReadBits16(stream, nbits); + if (mbnum < 0) { + return PV_FAIL; + } + *next_MB = mbnum; // if (*next_MB <= video->mbnum) /* needs more investigation */ // *next_MB = video->mbnum+1; diff --git a/media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp b/media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp index f18f789b99..679b0911df 100644 --- a/media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp +++ b/media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp @@ -1355,6 +1355,14 @@ PV_STATUS DecodeShortHeader(VideoDecData *video, Vop *currVop) int tmpHeight = (tmpDisplayHeight + 15) & -16; int tmpWidth = (tmpDisplayWidth + 15) & -16; + if (tmpWidth > video->width) + { + // while allowed by the spec, this decoder does not actually + // support an increase in size. + ALOGE("width increase not supported"); + status = PV_FAIL; + goto return_point; + } if (tmpHeight * tmpWidth > video->size) { // This is just possibly "b/37079296". |