Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 274f64c7 authored by Joshua J. Drake's avatar Joshua J. Drake Committed by Nick Kralevich
Browse files

Fix null-pointer-dereferences accessing the SampleTable 

While processing various sample table related FourCC values, methods are called
on a NULL mLastTrack or sampleTable object. This leads to undefined behavior
which typically results in a crash (denial of service condition).

Bug: 20139950
Change-Id: Ie2dd8222e702d8bf95faf7d2bd44e6303cd21f68
parent f35ff157

media/libstagefright/MPEG4Extractor.cpp

+18 −0
Original line number Diff line number Diff line
@@ -1409,6 +1409,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { 
        case FOURCC('s', 't', 'c', 'o'):

        case FOURCC('c', 'o', '6', '4'):

        {

            if ((mLastTrack == NULL) || (mLastTrack->sampleTable == NULL))

                return ERROR_MALFORMED;



            status_t err =

                mLastTrack->sampleTable->setChunkOffsetParams(

                        chunk_type, data_offset, chunk_data_size);
@@ -1424,6 +1427,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { 


        case FOURCC('s', 't', 's', 'c'):

        {

            if ((mLastTrack == NULL) || (mLastTrack->sampleTable == NULL))

                return ERROR_MALFORMED;



            status_t err =

                mLastTrack->sampleTable->setSampleToChunkParams(

                        data_offset, chunk_data_size);
@@ -1440,6 +1446,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { 
        case FOURCC('s', 't', 's', 'z'):

        case FOURCC('s', 't', 'z', '2'):

        {

            if ((mLastTrack == NULL) || (mLastTrack->sampleTable == NULL))

                return ERROR_MALFORMED;



            status_t err =

                mLastTrack->sampleTable->setSampleSizeParams(

                        chunk_type, data_offset, chunk_data_size);
@@ -1509,6 +1518,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { 


        case FOURCC('s', 't', 't', 's'):

        {

            if ((mLastTrack == NULL) || (mLastTrack->sampleTable == NULL))

                return ERROR_MALFORMED;



            *offset += chunk_size;



            status_t err =
@@ -1524,6 +1536,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { 


        case FOURCC('c', 't', 't', 's'):

        {

            if ((mLastTrack == NULL) || (mLastTrack->sampleTable == NULL))

                return ERROR_MALFORMED;



            *offset += chunk_size;



            status_t err =
@@ -1539,6 +1554,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { 


        case FOURCC('s', 't', 's', 's'):

        {

            if ((mLastTrack == NULL) || (mLastTrack->sampleTable == NULL))

                return ERROR_MALFORMED;



            *offset += chunk_size;



            status_t err =