ESQueue: add frame length checking in validation of ADTS header. (4d23645c) · Commits · e / os / android_frameworks_av

media/libstagefright/mpeg2ts/ESQueue.cpp

+19 −4

Original line number	Original line	Diff line number	Diff line
	@@ -173,8 +173,9 @@ static bool IsSeeminglyValidAC3Header(const uint8_t *ptr, size_t size) {
	return parseAC3SyncFrame(ptr, size, NULL) > 0;		return parseAC3SyncFrame(ptr, size, NULL) > 0;
	}		}

	static bool IsSeeminglyValidADTSHeader(const uint8_t *ptr, size_t size) {		static bool IsSeeminglyValidADTSHeader(
	if (size < 3) {		const uint8_t ptr, size_t size, size_t frameLength) {
			if (size < 7) {
	// Not enough data to verify header.		// Not enough data to verify header.
	return false;		return false;
	}		}
	@@ -197,6 +198,13 @@ static bool IsSeeminglyValidADTSHeader(const uint8_t *ptr, size_t size) {
	return false;		return false;
	}		}

			size_t frameLengthInHeader =
			((ptr[3] & 3) << 11) + (ptr[4] << 3) + ((ptr[5] >> 5) & 7);
			if (frameLengthInHeader > size) {
			return false;
			}

			*frameLength = frameLengthInHeader;
	return true;		return true;
	}		}

	@@ -318,8 +326,10 @@ status_t ElementaryStreamQueue::appendData(
	}		}
	#else		#else
	ssize_t startOffset = -1;		ssize_t startOffset = -1;
			size_t frameLength;
	for (size_t i = 0; i < size; ++i) {		for (size_t i = 0; i < size; ++i) {
	if (IsSeeminglyValidADTSHeader(&ptr[i], size - i)) {		if (IsSeeminglyValidADTSHeader(
			&ptr[i], size - i, &frameLength)) {
	startOffset = i;		startOffset = i;
	break;		break;
	}		}
	@@ -335,8 +345,13 @@ status_t ElementaryStreamQueue::appendData(
	startOffset);		startOffset);
	}		}

			if (frameLength != size - startOffset) {
			ALOGW("got ADTS AAC frame length %zd instead of %zd",
			frameLength, size - startOffset);
			}

	data = &ptr[startOffset];		data = &ptr[startOffset];
	size -= startOffset;		size = frameLength;
	#endif		#endif
	break;		break;
	}		}