Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 011c761b authored by Joshua J. Drake's avatar Joshua J. Drake Committed by Ricardo Cerqueira
Browse files

MPEG4Extractor: still more NULL dereference fixes 

When processing various FourCC values within MP4 media, mLastTrack is accessed
without first ensuring that a track has been encoutered. Check for NULL and
bail out instead of crashing.

Bug: 20139950, CYNGNOS-695
Change-Id: Ie16687024d17348f576a0e13bd60bd4d6898de91
parent ed8feced

media/libstagefright/MPEG4Extractor.cpp

+56 −0
Original line number Diff line number Diff line
@@ -980,6 +980,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { 
                    }

                }



                if (mLastTrack == NULL)

                    return ERROR_MALFORMED;



                mLastTrack->sampleTable = new SampleTable(mDataSource);

            }
@@ -1134,6 +1137,10 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { 
            }

            original_fourcc = ntohl(original_fourcc);

            ALOGV("read original format: %d", original_fourcc);



            if (mLastTrack == NULL)

                return ERROR_MALFORMED;



            mLastTrack->meta->setCString(kKeyMIMEType, FourCC2MIME(original_fourcc));

            uint32_t num_channels = 0;

            uint32_t sample_rate = 0;
@@ -1189,6 +1196,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { 
                return ERROR_IO;

            }



            if (mLastTrack == NULL)

                return ERROR_MALFORMED;



            mLastTrack->meta->setInt32(kKeyCryptoMode, defaultAlgorithmId);

            mLastTrack->meta->setInt32(kKeyCryptoDefaultIVSize, defaultIVSize);

            mLastTrack->meta->setData(kKeyCryptoKey, 'tenc', defaultKeyId, 16);
@@ -1368,6 +1378,10 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { 
                // display the timed text.

                // For encrypted files, there may also be more than one entry.

                const char *mime;



                if (mLastTrack == NULL)

                    return ERROR_MALFORMED;



                CHECK(mLastTrack->meta->findCString(kKeyMIMEType, &mime));

                if (strcasecmp(mime, MEDIA_MIMETYPE_TEXT_3GPP) &&

                        strcasecmp(mime, "application/octet-stream")) {
@@ -1425,6 +1439,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { 
            uint16_t sample_size = U16_AT(&buffer[18]);

            uint32_t sample_rate = U32_AT(&buffer[24]) >> 16;



            if (mLastTrack == NULL)

                return ERROR_MALFORMED;



            if (chunk_type != FOURCC('e', 'n', 'c', 'a')) {

                // if the chunk type is enca, we'll get the type from the sinf/frma box later

#ifdef DOLBY_UDC
@@ -1567,6 +1584,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { 
            // printf("*** coding='%s' width=%d height=%d\n",

            //        chunk, width, height);



            if (mLastTrack == NULL)

                return ERROR_MALFORMED;



            if (chunk_type != FOURCC('e', 'n', 'c', 'v')) {

                // if the chunk type is encv, we'll get the type from the sinf/frma box later

                mLastTrack->meta->setCString(kKeyMIMEType, FourCC2MIME(chunk_type));
@@ -1802,6 +1822,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { 
                return ERROR_MALFORMED;

            }



            if (mLastTrack == NULL)

                return ERROR_MALFORMED;



            mLastTrack->meta->setData(

                    kKeyESDS, kTypeESDS, &buffer[4], chunk_data_size - 4);
@@ -1848,6 +1871,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { 
                return ERROR_IO;

            }



            if (mLastTrack == NULL)

                return ERROR_MALFORMED;



            mLastTrack->meta->setData(

                    kKeyAVCC, kTypeAVCC, buffer->data(), chunk_data_size);
@@ -1862,6 +1888,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { 
                return ERROR_IO;

            }



            if (mLastTrack == NULL)

                return ERROR_MALFORMED;



            mLastTrack->meta->setData(

                    kKeyHVCC, kTypeHVCC, buffer->data(), chunk_data_size);
@@ -1895,6 +1924,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { 
                return ERROR_IO;

            }



            if (mLastTrack == NULL)

                return ERROR_MALFORMED;



            mLastTrack->meta->setData(kKeyD263, kTypeD263, buffer, chunk_data_size);



            break;
@@ -2073,6 +2105,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { 
                return ERROR_IO;

            }



            if (mLastTrack == NULL)

                return ERROR_MALFORMED;



            uint32_t type = ntohl(buffer);

            // For the 3GPP file format, the handler-type within the 'hdlr' box

            // shall be 'text'. We also want to support 'sbtl' handler type
@@ -2105,6 +2140,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { 


        case FOURCC('t', 'x', '3', 'g'):

        {

            if (mLastTrack == NULL)

                return ERROR_MALFORMED;



            uint32_t type;

            const void *data;

            size_t size = 0;
@@ -2340,6 +2378,9 @@ status_t MPEG4Extractor::parseSegmentIndex(off64_t offset, size_t size) { 


    uint64_t sidxDuration = total_duration * 1000000 / timeScale;



    if (mLastTrack == NULL)

        return ERROR_MALFORMED;



    int64_t metaDuration;

    if (!mLastTrack->meta->findInt64(kKeyDuration, &metaDuration) || metaDuration == 0) {

        mLastTrack->meta->setInt64(kKeyDuration, sidxDuration);
@@ -2390,6 +2431,9 @@ status_t MPEG4Extractor::parseTrackHeader( 
        return ERROR_UNSUPPORTED;

    }



    if (mLastTrack == NULL)

        return ERROR_MALFORMED;



    mLastTrack->meta->setInt32(kKeyTrackID, id);



    size_t matrixOffset = dynSize + 16;
@@ -2572,6 +2616,9 @@ status_t MPEG4Extractor::parseITunesMetaData(off64_t offset, size_t size) { 
                    int32_t delay, padding;

                    if (sscanf(mLastCommentData,

                               " %*x %x %x %*x", &delay, &padding) == 2) {

                        if (mLastTrack == NULL)

                            return ERROR_MALFORMED;



                        mLastTrack->meta->setInt32(kKeyEncoderDelay, delay);

                        mLastTrack->meta->setInt32(kKeyEncoderPadding, padding);

                    }
@@ -2951,6 +2998,9 @@ status_t MPEG4Extractor::updateAudioTrackInfoFromESDS_MPEG4Audio( 
#endif

    if (objectTypeIndication == 0xe1) {

        // This isn't MPEG4 audio at all, it's QCELP 14k...

        if (mLastTrack == NULL)

            return ERROR_MALFORMED;



        mLastTrack->meta->setCString(kKeyMIMEType, MEDIA_MIMETYPE_AUDIO_QCELP);

        return OK;

    }
@@ -2999,6 +3049,9 @@ status_t MPEG4Extractor::updateAudioTrackInfoFromESDS_MPEG4Audio( 
        objectType = 32 + br.getBits(6);

    }



    if (mLastTrack == NULL)

        return ERROR_MALFORMED;



    //keep AOT type

    mLastTrack->meta->setInt32(kKeyAACAOT, objectType);
@@ -3169,6 +3222,9 @@ status_t MPEG4Extractor::updateAudioTrackInfoFromESDS_MPEG4Audio( 
        return ERROR_UNSUPPORTED;

    }



    if (mLastTrack == NULL)

        return ERROR_MALFORMED;



    int32_t prevSampleRate;

    CHECK(mLastTrack->meta->findInt32(kKeySampleRate, &prevSampleRate));