Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 076443f6 authored by Ray Essick's avatar Ray Essick
Browse files

Better size validation when parsing httplive/aac headers. 

ensure no underflow when pulling header from front of AAC packet.
Indicate malformed error in parent routine if we don't have the expected
header data.

Bug: 128433933
Test: y
parent b9df1597

media/libstagefright/httplive/PlaylistFetcher.cpp

+4 −1
Original line number Diff line number Diff line
@@ -2125,7 +2125,10 @@ status_t PlaylistFetcher::extractAndQueueAccessUnits( 
    size_t offset = 0;

    while (offset < buffer->size()) {

        const uint8_t *adtsHeader = buffer->data() + offset;

        CHECK_LT(offset + 5, buffer->size());

        if (buffer->size() <= offset+5) {

            ALOGV("buffer does not contain a complete header");

            return ERROR_MALFORMED;

        }

        // non-const pointer for decryption if needed

        uint8_t *adtsFrame = buffer->data() + offset;

media/libstagefright/mpeg2ts/HlsSampleDecryptor.cpp

+5 −0
Original line number Diff line number Diff line
@@ -149,6 +149,11 @@ void HlsSampleDecryptor::processAAC(size_t adtsHdrSize, uint8_t *data, size_t si 
    }



    // ADTS header is included in the size

    if (size < adtsHdrSize) {

        ALOGV("processAAC: size (%zu) < adtsHdrSize (%zu)", size, adtsHdrSize);

        android_errorWriteLog(0x534e4554, "128433933");

        return;

    }

    size_t offset = adtsHdrSize;

    size_t remainingBytes = size - adtsHdrSize;