diff options
author | Chong Zhang <chz@google.com> | 2017-07-07 18:25:16 -0700 |
---|---|---|
committer | Andreas Blaesius <skate4life@gmx.de> | 2017-09-17 22:11:16 +0200 |
commit | 6a8fda20b9170dc650c4eefd3c18d5eb620d48e2 (patch) | |
tree | 23da47bfb983dd87cf156d7dfeab2a2565c05cf2 | |
parent | 16c6f1a2863cd51398f92a22c6980690e98329d8 (diff) | |
download | frameworks_av-6a8fda20b9170dc650c4eefd3c18d5eb620d48e2.tar.gz frameworks_av-6a8fda20b9170dc650c4eefd3c18d5eb620d48e2.tar.bz2 frameworks_av-6a8fda20b9170dc650c4eefd3c18d5eb620d48e2.zip |
stagefright: check aac_frame_length to prevent infinite loop
bug: 62673179
Change-Id: I5da44822ad2ff59d396d1df42f34cd0a5620e134
(cherry picked from commit 6e2bcf40e4083be3a0fbb13d03293a78301e66ef)
CVE-2017-0775
-rw-r--r-- | media/libstagefright/mpeg2ts/ESQueue.cpp | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/media/libstagefright/mpeg2ts/ESQueue.cpp b/media/libstagefright/mpeg2ts/ESQueue.cpp index 36ec3672a1..7359e8bb1f 100644 --- a/media/libstagefright/mpeg2ts/ESQueue.cpp +++ b/media/libstagefright/mpeg2ts/ESQueue.cpp @@ -715,6 +715,11 @@ sp<ABuffer> ElementaryStreamQueue::dequeueAccessUnitAAC() { bits.skipBits(2); unsigned aac_frame_length = bits.getBits(13); + if (aac_frame_length == 0){ + ALOGE("b/62673179, Invalid AAC frame length!"); + android_errorWriteLog(0x534e4554, "62673179"); + return NULL; + } bits.skipBits(11); // adts_buffer_fullness |