Merge "rtsp: fix integer overflow caused by malformed packets" into qt-qpr1-dev am: 01e349c1e7 (0bf91a95) · Commits · e / os / android_frameworks_av

media/libstagefright/rtsp/AMPEG4ElementaryAssembler.cpp

+12 −0

Original line number	Original line	Diff line number	Diff line
	@@ -338,6 +338,12 @@ ARTPAssembler::AssemblyStatus AMPEG4ElementaryAssembler::addPacket(
	ABitReader bits(buffer->data() + offset, buffer->size() - offset);		ABitReader bits(buffer->data() + offset, buffer->size() - offset);

	unsigned auxSize = bits.getBits(mAuxiliaryDataSizeLength);		unsigned auxSize = bits.getBits(mAuxiliaryDataSizeLength);
			if (buffer->size() < auxSize) {
			ALOGE("b/123940919 auxSize %u", auxSize);
			android_errorWriteLog(0x534e4554, "123940919");
			queue->erase(queue->begin());
			return MALFORMED_PACKET;
			}

	offset += (mAuxiliaryDataSizeLength + auxSize + 7) / 8;		offset += (mAuxiliaryDataSizeLength + auxSize + 7) / 8;
	}		}
	@@ -346,6 +352,12 @@ ARTPAssembler::AssemblyStatus AMPEG4ElementaryAssembler::addPacket(
	it != headers.end(); ++it) {		it != headers.end(); ++it) {
	const AUHeader &header = *it;		const AUHeader &header = *it;

			if (buffer->size() < header.mSize) {
			ALOGE("b/123940919 AU_size %u", header.mSize);
			android_errorWriteLog(0x534e4554, "123940919");
			queue->erase(queue->begin());
			return MALFORMED_PACKET;
			}
	if (buffer->size() < offset + header.mSize) {		if (buffer->size() < offset + header.mSize) {
	return MALFORMED_PACKET;		return MALFORMED_PACKET;
	}		}