Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 49a2379d authored by Shivaprasad Hongal's avatar Shivaprasad Hongal Committed by Steve Kondik
Browse files

libstagefright: Fix crash in convertMetaDataToMessage 

- The ABuffer used for the Message has a preset value of 1024, if
  flattening the meta data exceeds this value, a check fails hence
  the crash.
- This change creates a new ABuffer if the buffer size would exceed
  the buffer capacity.

CRs-Fixed: 857850

Change-Id: Iaa7374a4734a49db257a3f102a88412fde672260
parent a588850e

media/libstagefright/Utils.cpp

+7 −0
Original line number Diff line number Diff line
@@ -315,6 +315,13 @@ status_t convertMetaDataToMessage( 


                CHECK(size >= length);



                if ((buffer->size() + 4 + length) > buffer->capacity()) {

                    sp<ABuffer> tmpBuffer = new ABuffer(buffer->capacity() + 1024);

                    memcpy(tmpBuffer->data(), buffer->data(), buffer->size());

                    tmpBuffer->setRange(0, buffer->size());

                    buffer = tmpBuffer;

                }



                memcpy(buffer->data() + buffer->size(), "\x00\x00\x00\x01", 4);

                memcpy(buffer->data() + buffer->size() + 4, ptr, length);

                buffer->setRange(0, buffer->size() + 4 + length);