Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4d88d40f authored by Marco Nelissen's avatar Marco Nelissen Committed by The Android Automerger
Browse files

Extra sanity checks on sample size and resolution 

Instead of rejecting the samples later when they don't fit in the
buffer, reject the entire file early.

Bug: 22882938
Change-Id: I748153b0e9e827e3f2526468756295b4b5000de6
(cherry picked from commit beef7e58)
parent bd5a03e1

media/libstagefright/MPEG4Extractor.cpp

+15 −3
Original line number Diff line number Diff line
@@ -1446,15 +1446,27 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { 
                // each chunk originally prefixed with a 2 byte length will

                // have a 4 byte header (0x00 0x00 0x00 0x01) after conversion,

                // and thus will grow by 2 bytes per chunk.

                if (max_size > SIZE_MAX - 10 * 2) {

                    ALOGE("max sample size too big: %zu", max_size);

                    return ERROR_MALFORMED;

                }

                mLastTrack->meta->setInt32(kKeyMaxInputSize, max_size + 10 * 2);

            } else {

                // No size was specified. Pick a conservatively large size.

                int32_t width, height;

                if (!mLastTrack->meta->findInt32(kKeyWidth, &width) ||

                    !mLastTrack->meta->findInt32(kKeyHeight, &height)) {

                uint32_t width, height;

                if (!mLastTrack->meta->findInt32(kKeyWidth, (int32_t*)&width) ||

                    !mLastTrack->meta->findInt32(kKeyHeight,(int32_t*) &height)) {

                    ALOGE("No width or height, assuming worst case 1080p");

                    width = 1920;

                    height = 1080;

                } else {

                    // A resolution was specified, check that it's not too big. The values below

                    // were chosen so that the calculations below don't cause overflows, they're

                    // not indicating that resolutions up to 32kx32k are actually supported.

                    if (width > 32768 || height > 32768) {

                        ALOGE("can't support %u x %u video", width, height);

                        return ERROR_MALFORMED;

                    }

                }



                const char *mime;