Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit 2ad4439c authored by Rob McConnell's avatar Rob McConnell Committed by Chong Zhang
Browse files

cas: fix crash with partially scrambled audio content 



This patch addresses a situation when MPEG-2 TS level
scrambled audio/video content has some of the audio
content scrambled.  This can cause the MPEG-2 TS
extractor to crash due to it trying to perform an
"out-of-bound" index operation in to the sync points
keyed vector.

The sequence of events to cause this crash are as
follows:

1) The MPEG-2 TS extractor is first initialised and
   begins to search through the content until it finds
   both audio and video scrambled ES.  In the test
   stream, the video ES is found before the audio so
   the "mSourceImpls" Vector contains video as the
   first entry and then audio.

2) The client application makes a call to set mediacas.
   This makes another call to the "init()" method which
   in turn causes the extractor to continue to parses
   the scrambled A/V content.  With the particular test
   stream the audio has predominantly unscrambled PES
   packets and the audio format is readily detected as
   "unscrambled" along with a sync event.  This causes
   the "mSyncPoints" keyed vector to have its first
   entry set for the audio track.

3) When the call to "addSyncPoint_l()" is made this
   method iterates over the "mSourceImpls" vector until
   it finds a match with the event.  In this case it
   finds the audio sync event at the second index
   position.

4) The code makes the assumption that the indexing in
   to "mSourceImpls" and "mSyncPoints" are both tied
   to the same source (i.e. the same track).  This is
   not the case as "mSourceImpls[1]" contains the
   audio source but "mSyncPoints[0]" contains the
   audio sync event.

5) When "addSyncPoint_l()" tries to index in to
   "mSyncPoints[1]", we receive a crash due to an
   "out-of-bound" index operation.

The patch ensures that the "mSourceImpls" and "mSyncPoints"
indexing are identical for the different sources (tracks).
This prevents an "out-of-bound" index access to occur.

bug: 123013446
test:
atest android.media.cts.MediaDrmClearkeyTest#testClearKeyPlaybackMpeg2ts
atest android.media.cts.MediaDrmClearkeyTest#testPlaybackMpeg2ts

Change-Id: I75f5b24eb6a958796add737677f28178243095a4
Signed-off-by: default avatarRob McConnell <robert.mcconnell@broadcom.com>
parent 6ead2c34
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment