
Unverified Commit 26b73ebb authored by Wonsik Kim's avatar Wonsik Kim Committed by Michael Bestas

DO NOT MERGE stagefright: fix possible stack overflow in AVCC reassemble

Additionally, remove use of variable length array which is
non-standard in C++.

Bug: 29161888
Change-Id: Ifdc3e7435f2225214c053b13f3bfe71c7d0ff506
(cherry picked from commit 7f554618)
parent 1d76b8c5
+25 −12
@@ -500,26 +500,39 @@ void convertMessageToMetaData(const sp<AMessage> &msg, sp<MetaData> &meta) {
    // reassemble the csd data into its original form
    sp<ABuffer> csd0;
    if (msg->findBuffer("csd-0", &csd0)) {
        int csd0size = csd0->size();
        if (mime.startsWith("video/")) { // do we need to be stricter than this?
            if (!strcasecmp(mime.c_str(), MEDIA_MIMETYPE_VIDEO_AVC)) {
                sp<ABuffer> csd1;
                if (msg->findBuffer("csd-1", &csd1)) {
                    char avcc[1024]; // that oughta be enough, right?
                    size_t outsize = reassembleAVCC(csd0, csd1, avcc);
                    meta->setData(kKeyAVCC, kKeyAVCC, avcc, outsize);
                    Vector<char> avcc;
                    int avccSize = csd0size + csd1->size() + 1024;
                    if (avcc.resize(avccSize) < 0) {
                        ALOGE("error allocating avcc (size %d); abort setting avcc.", avccSize);
                    } else {
                        size_t outsize = reassembleAVCC(csd0, csd1, avcc.editArray());
                        meta->setData(kKeyAVCC, kKeyAVCC, avcc.array(), outsize);
                    }
                }
            } else if (!strcasecmp(mime.c_str(), MEDIA_MIMETYPE_VIDEO_MPEG4)) {
                int csd0size = csd0->size();
                char esds[csd0size + 31];
                reassembleESDS(csd0, esds);
                meta->setData(kKeyESDS, kKeyESDS, esds, sizeof(esds));
                Vector<char> esds;
                int esdsSize = csd0size + 31;
                if (esds.resize(esdsSize) < 0) {
                    ALOGE("error allocating esds (size %d); abort setting esds.", esdsSize);
                } else {
                    reassembleESDS(csd0, esds.editArray());
                    meta->setData(kKeyESDS, kKeyESDS, esds.array(), esds.size());
                }
            }

        } else if (mime.startsWith("audio/")) {
            int csd0size = csd0->size();
            char esds[csd0size + 31];
            reassembleESDS(csd0, esds);
            meta->setData(kKeyESDS, kKeyESDS, esds, sizeof(esds));
            Vector<char> esds;
            int esdsSize = csd0size + 31;
            if (esds.resize(esdsSize) < 0) {
                ALOGE("error allocating esds (size %d); abort setting esds.", esdsSize);
            } else {
                reassembleESDS(csd0, esds.editArray());
                meta->setData(kKeyESDS, kKeyESDS, esds.array(), esds.size());
            }
        }
    }
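Review bot: The new buffer sizes are computed in `int` (`int avccSize = csd0size + csd1->size() + 1024;` and `int esdsSize = csd0size + 31;` in both ESDS branches) from `size()` values, so a very large csd buffer would be narrowed or the sum could wrap before `resize()` sees it. Keeping the arithmetic in `size_t` and rejecting a sum that wraps would make the bound dependable. Separately, `reassembleAVCC` and `reassembleESDS` still receive only the raw pointer from `editArray()`, so the `+ 1024` / `+ 31` headroom is a convention the callee cannot verify. Their bodies are not visible here, but passing the capacity, e.g. `reassembleAVCC(csd0, csd1, avcc.editArray(), avcc.size())`, and checking it before each write would enforce the limit where the writes happen. On allocation failure the code only logs and leaves the key unset, which deserves a comment such as `// meta is left without kKeyAVCC; callers must tolerate its absence`; convertMessageToMetaData starts and ends outside the hunk.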