Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6e47c8dd authored by Byeongjo Park's avatar Byeongjo Park Committed by Kim Sungyeon
Browse files

VT: Wrong size buffer allocation of vps/sps/pps. 



[Problem] H.265 stream can not be decoded due to
  an invalid header provided.
[Cause] vps/sps/pps buffers are allocated with smaller
  size than required.
[Solution] Correct a size to allocate buffers.

* Some expressions used in this H.265 vps/sps/pps parser
  copied on the same function part of H.264 for consistency.

bug: 192326376

Signed-off-by: default avatarByeongjo Park <bjo.park@samsung.com>
Change-Id: Ia07090468e382b3a4bf62e3ca5659e292e7ee3a5
Signed-off-by: default avatarKim Sungyeon <sy85.kim@samsung.com>
parent 086eb84e

media/libstagefright/rtsp/ARTPWriter.cpp

+7 −6
Original line number Diff line number Diff line
@@ -327,16 +327,17 @@ static void SpsPpsParser(MediaBufferBase *buffer, 


    while (buffer->range_length() > 0) {

        const uint8_t *NALPtr = (const uint8_t *)buffer->data() + buffer->range_offset();

        uint8_t nalType = (*NALPtr) & H264_NALU_MASK;



        MediaBufferBase **targetPtr = NULL;

        if ((*NALPtr & H264_NALU_MASK) == H264_NALU_SPS) {

        if (nalType == H264_NALU_SPS) {

            targetPtr = spsBuffer;

        } else if ((*NALPtr & H264_NALU_MASK) == H264_NALU_PPS) {

        } else if (nalType == H264_NALU_PPS) {

            targetPtr = ppsBuffer;

        } else {

            return;

        }

        ALOGV("SPS(7) or PPS(8) found. Type %d", *NALPtr & H264_NALU_MASK);

        ALOGV("SPS(7) or PPS(8) found. Type %d", nalType);



        uint32_t bufferSize = buffer->range_length();

        MediaBufferBase *&target = *targetPtr;
@@ -417,18 +418,18 @@ static void VpsSpsPpsParser(MediaBufferBase *buffer, 
            }

        }



        uint32_t targetSize;

        if (target != NULL) {

            target->release();

        }

        uint32_t targetSize;

        // note that targetSize is never 0 as the first byte is never part

        // of a start prefix

        if (isBoundFound) {

            targetSize = i - SPCSize + 1;

            target = MediaBufferBase::Create(j);

            target = MediaBufferBase::Create(targetSize);

            memcpy(target->data(),

                   (const uint8_t *)buffer->data() + buffer->range_offset(),

                   j);

                   targetSize);

            buffer->set_range(buffer->range_offset() + targetSize + SPCSize,

                              buffer->range_length() - targetSize - SPCSize);

        } else {