Diffstat (limited to 'media/extractors/mp4/MPEG4Extractor.cpp')
-rwxr-xr-x | media/extractors/mp4/MPEG4Extractor.cpp | 40 |
1 files changed, 37 insertions, 3 deletions
diff --git a/media/extractors/mp4/MPEG4Extractor.cpp b/media/extractors/mp4/MPEG4Extractor.cpp
index 14fe0dc444..fa562f3026 100755
--- a/media/extractors/mp4/MPEG4Extractor.cpp
+++ b/media/extractors/mp4/MPEG4Extractor.cpp
@@ -4993,8 +4993,11 @@ status_t MPEG4Source::parseChunk(off64_t *offset) {
 }
 status_t MPEG4Source::parseSampleAuxiliaryInformationSizes(
- off64_t offset, off64_t /* size */) {
+ off64_t offset, off64_t size) {
 ALOGV("parseSampleAuxiliaryInformationSizes");
+ if (size < 9) {
+ return -EINVAL;
+ }
 // 14496-12 8.7.12
 uint8_t version;
 if (mDataSource->readAt(
@@ -5007,25 +5010,32 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationSizes(
 return ERROR_UNSUPPORTED;
 }
 offset++;
+ size--;
 uint32_t flags;
 if (!mDataSource->getUInt24(offset, &flags)) {
 return ERROR_IO;
 }
 offset += 3;
+ size -= 3;
 if (flags & 1) {
+ if (size < 13) {
+ return -EINVAL;
+ }
 uint32_t tmp;
 if (!mDataSource->getUInt32(offset, &tmp)) {
 return ERROR_MALFORMED;
 }
 mCurrentAuxInfoType = tmp;
 offset += 4;
+ size -= 4;
 if (!mDataSource->getUInt32(offset, &tmp)) {
 return ERROR_MALFORMED;
 }
 mCurrentAuxInfoTypeParameter = tmp;
 offset += 4;
+ size -= 4;
 }
 uint8_t defsize;
@@ -5034,6 +5044,7 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationSizes(
 }
 mCurrentDefaultSampleInfoSize = defsize;
 offset++;
+ size--;
 uint32_t smplcnt;
 if (!mDataSource->getUInt32(offset, &smplcnt)) {
@@ -5041,11 +5052,16 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationSizes(
 }
 mCurrentSampleInfoCount = smplcnt;
 offset += 4;
-
+ size -= 4;
 if (mCurrentDefaultSampleInfoSize != 0) {
 ALOGV("@@@@ using default sample info size of %d", mCurrentDefaultSampleInfoSize);
 return OK;
 }
+ if(smplcnt > size) {
+ ALOGW("b/124525515 - smplcnt(%u) > size(%ld)", (unsigned int)smplcnt, (unsigned long)size);
+ android_errorWriteLog(0x534e4554, "124525515");
+ return -EINVAL;
+ }
 if (smplcnt > mCurrentSampleInfoAllocSize) {
 uint8_t * newPtr = (uint8_t*) realloc(mCurrentSampleInfoSizes, smplcnt);
 if (newPtr == NULL) {
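Review bot: The new minimum-size guards `if (size < 9)` and `if (size < 13)` in the first two hunks use bare numbers whose derivation a reader has to reconstruct from the reads that follow. I would add `// version(1) + flags(3) + default_sample_info_size(1) + sample_count(4)` above the first and `// aux_info_type(4) + aux_info_type_parameter(4) + default_sample_info_size(1) + sample_count(4)` above the second, so the bounds stay correct if a field is ever added. The same applies to `if (size < 8)` at the top of parseSampleAuxiliaryInformationOffsets. These guards also return `-EINVAL` while every neighbouring failure path returns `ERROR_IO` or `ERROR_MALFORMED`; unless callers treat them differently, `return ERROR_MALFORMED;` would keep the function's status codes consistent.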
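Review bot: The ALOGW in the `smplcnt > size` guard (fourth hunk) pairs the signed conversion `%ld` with an `(unsigned long)` cast, and `size` is an `off64_t`, so on a 32-bit build the logged value is truncated as well as mis-typed. Since this line is the forensic record for a rejected file, it should print the real value: `ALOGW("b/124525515 - smplcnt(%u) > size(%lld)", (unsigned int)smplcnt, (long long)size);`. The guard itself sits correctly ahead of the realloc, whose block continues past the end of the hunk.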
@@ -5061,26 +5077,32 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationSizes(
 }
 status_t MPEG4Source::parseSampleAuxiliaryInformationOffsets(
- off64_t offset, off64_t /* size */) {
+ off64_t offset, off64_t size) {
 ALOGV("parseSampleAuxiliaryInformationOffsets");
+ if (size < 8) {
+ return -EINVAL;
+ }
 // 14496-12 8.7.13
 uint8_t version;
 if (mDataSource->readAt(offset, &version, sizeof(version)) != 1) {
 return ERROR_IO;
 }
 offset++;
+ size--;
 uint32_t flags;
 if (!mDataSource->getUInt24(offset, &flags)) {
 return ERROR_IO;
 }
 offset += 3;
+ size -= 3;
 uint32_t entrycount;
 if (!mDataSource->getUInt32(offset, &entrycount)) {
 return ERROR_IO;
 }
 offset += 4;
+ size -= 4;
 if (entrycount == 0) {
 return OK;
 }
@@ -5106,19 +5128,31 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationOffsets(
 for (size_t i = 0; i < entrycount; i++) {
 if (version == 0) {
+ if (size < 4) {
+ ALOGW("b/124526959");
+ android_errorWriteLog(0x534e4554, "124526959");
+ return -EINVAL;
+ }
 uint32_t tmp;
 if (!mDataSource->getUInt32(offset, &tmp)) {
 return ERROR_IO;
 }
 mCurrentSampleInfoOffsets[i] = tmp;
 offset += 4;
+ size -= 4;
 } else {
+ if (size < 8) {
+ ALOGW("b/124526959");
+ android_errorWriteLog(0x534e4554, "124526959");
+ return -EINVAL;
+ }
 uint64_t tmp;
 if (!mDataSource->getUInt64(offset, &tmp)) {
 return ERROR_IO;
 }
 mCurrentSampleInfoOffsets[i] = tmp;
 offset += 8;
+ size -= 8;
 }
 } |
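Review bot: entrycount is compared with the remaining box size only one entry at a time inside the loop of the second hunk; nothing in the first hunk rejects a count that cannot fit before the code between the two hunks runs. That code is not visible here, but if it sizes mCurrentSampleInfoOffsets from entrycount, a short box declaring a very large count would still drive that allocation before the first `size < 4` / `size < 8` check fails. Mirroring the `smplcnt > size` guard from parseSampleAuxiliaryInformationSizes right after `size -= 4;` would reject it up front: `if (entrycount > size / (version == 0 ? 4 : 8)) { android_errorWriteLog(0x534e4554, "124526959"); return -EINVAL; }`. With that in place the two duplicated in-loop blocks become a backstop rather than the only bound.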