Commit 665f8cd6 authored by Ray Essick

Sanity checking when parsing 'trun' box.

Check for unreasonable sampleCounts, unreasonable sampleDurations,
especially when mapped as same duration for all samples.

Bug: 124389881
Test: poc
Change-Id: Ic1afecc42c1ec5c63b8dee1743ee0e473e82ba8b
parent 32ebca36
+24 −2
@@ -5239,9 +5239,31 @@ status_t MPEG4Source::parseTrackFragmentRun(off64_t offset, off64_t size) {
        sampleCtsOffset = 0;
    }

    if (bytesPerSample != 0) {
        if (size < (off64_t)sampleCount * bytesPerSample) {
            return -EINVAL;
        }
    } else {
        if (sampleDuration == 0) {
            ALOGW("b/123389881 sampleDuration == 0");
            android_errorWriteLog(0x534e4554, "124389881 zero");
            return -EINVAL;
        }

        // apply some sanity (vs strict legality) checks
        //
        // clamp the count of entries in the trun box, to avoid spending forever parsing
        // this box. Clamping (vs error) lets us play *something*.
        // 1 million is about 400 msecs on a Pixel3, should be no more than a couple seconds
        // on the slowest devices.
        static constexpr uint32_t kMaxTrunSampleCount = 1000000;
        if (sampleCount > kMaxTrunSampleCount) {
            ALOGW("b/123389881 clamp sampleCount(%u) @ kMaxTrunSampleCount(%u)",
                  sampleCount, kMaxTrunSampleCount);
            android_errorWriteLog(0x534e4554, "124389881 count");

        }
    }

    Sample tmp;
    for (uint32_t i = 0; i < sampleCount; ++i) {
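Review bot: The sampleCount > kMaxTrunSampleCount branch logs "clamp sampleCount" but no line shown in it assigns sampleCount, so the for (uint32_t i = 0; i < sampleCount; ++i) loop right after still runs the unclamped count. If clamping is the intent, as the comment above the constant says, the branch needs sampleCount = kMaxTrunSampleCount; before it closes. Separately, both ALOGW strings cite b/123389881 while the Bug: line and the android_errorWriteLog calls use 124389881; one of the two is a typo and should be made consistent so log searches by bug id find these messages. The new checks also sit only in the bytesPerSample == 0 branch, so a large sampleCount with a nonzero bytesPerSample is bounded only by the size comparison; a short comment saying that is deliberate would help the next reader.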