authorChong Zhang <chz@google.com>2017-07-07 18:25:16 -0700
committerAndreas Blaesius <skate4life@gmx.de>2017-09-17 22:11:16 +0200
commit6a8fda20b9170dc650c4eefd3c18d5eb620d48e2 (patch)
tree23da47bfb983dd87cf156d7dfeab2a2565c05cf2
parent16c6f1a2863cd51398f92a22c6980690e98329d8 (diff)
stagefright: check aac_frame_length to prevent infinite loop
bug: 62673179 Change-Id: I5da44822ad2ff59d396d1df42f34cd0a5620e134 (cherry picked from commit 6e2bcf40e4083be3a0fbb13d03293a78301e66ef) CVE-2017-0775
-rw-r--r--media/libstagefright/mpeg2ts/ESQueue.cpp5
1 files changed, 5 insertions, 0 deletions
diff --git a/media/libstagefright/mpeg2ts/ESQueue.cpp b/media/libstagefright/mpeg2ts/ESQueue.cpp
index 36ec3672a1..7359e8bb1f 100644
--- a/media/libstagefright/mpeg2ts/ESQueue.cpp
+++ b/media/libstagefright/mpeg2ts/ESQueue.cpp
@@ -715,6 +715,11 @@ sp<ABuffer> ElementaryStreamQueue::dequeueAccessUnitAAC() {
bits.skipBits(2);
unsigned aac_frame_length = bits.getBits(13);
+ if (aac_frame_length == 0){
+ ALOGE("b/62673179, Invalid AAC frame length!");
+ android_errorWriteLog(0x534e4554, "62673179");
+ return NULL;
+ }
bits.skipBits(11); // adts_buffer_fullness
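Review bot: The guard added after `bits.getBits(13)` rejects only a zero `aac_frame_length`, but in ADTS this field counts the header too, so any value below the 7-byte header (9 bytes with CRC) is just as malformed and still passes. Consider `if (aac_frame_length < 7) {`, or a comparison against the real header size if that is already known at this point, so short non-zero lengths take the same log-and-reject path. Whether lengths 1–6 can still stall or mis-slice the parse depends on code not shown here, because dequeueAccessUnitAAC starts and ends outside this hunk. The early `return NULL;` presumably leaves the malformed bytes in the queue, so a short comment such as `// caller must discard or resync; the bad frame is not consumed here` (wording to be confirmed against the caller) would help the next reader.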