
Commit 86aa1534 authored by Joshua J. Drake's avatar Joshua J. Drake Committed by Jon Larimer

Fix null-pointer-dereferences accessing the SampleTable

While processing various sample table related FourCC values, methods are called
on a NULL mLastTrack or sampleTable object. This leads to undefined behavior
which typically results in a crash (denial of service condition).

Bug: 20139950
Change-Id: Ie2dd8222e702d8bf95faf7d2bd44e6303cd21f68
parent 2c184d8b
+18 −0
@@ -1398,6 +1398,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
        case FOURCC('s', 't', 'c', 'o'):
        case FOURCC('c', 'o', '6', '4'):
        {
            if ((mLastTrack == NULL) || (mLastTrack->sampleTable == NULL))
                return ERROR_MALFORMED;

            status_t err =
                mLastTrack->sampleTable->setChunkOffsetParams(
                        chunk_type, data_offset, chunk_data_size);
@@ -1413,6 +1416,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {

        case FOURCC('s', 't', 's', 'c'):
        {
            if ((mLastTrack == NULL) || (mLastTrack->sampleTable == NULL))
                return ERROR_MALFORMED;

            status_t err =
                mLastTrack->sampleTable->setSampleToChunkParams(
                        data_offset, chunk_data_size);
@@ -1429,6 +1435,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
        case FOURCC('s', 't', 's', 'z'):
        case FOURCC('s', 't', 'z', '2'):
        {
            if ((mLastTrack == NULL) || (mLastTrack->sampleTable == NULL))
                return ERROR_MALFORMED;

            status_t err =
                mLastTrack->sampleTable->setSampleSizeParams(
                        chunk_type, data_offset, chunk_data_size);
@@ -1498,6 +1507,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {

        case FOURCC('s', 't', 't', 's'):
        {
            if ((mLastTrack == NULL) || (mLastTrack->sampleTable == NULL))
                return ERROR_MALFORMED;

            *offset += chunk_size;

            status_t err =
@@ -1513,6 +1525,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {

        case FOURCC('c', 't', 't', 's'):
        {
            if ((mLastTrack == NULL) || (mLastTrack->sampleTable == NULL))
                return ERROR_MALFORMED;

            *offset += chunk_size;

            status_t err =
@@ -1528,6 +1543,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {

        case FOURCC('s', 't', 's', 's'):
        {
            if ((mLastTrack == NULL) || (mLastTrack->sampleTable == NULL))
                return ERROR_MALFORMED;

            *offset += chunk_size;

            status_t err =
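Review bot: The same unbraced guard is repeated by hand in six cases (stco/co64, stsc, stsz/stz2, stts, ctts, stss), so the fix covers only the atoms listed here. Any other case in `parseChunk` that dereferences `mLastTrack` or its `sampleTable` would presumably still crash on a malformed file; the rest of the switch is outside these hunks, so that needs confirming. I would brace each guard and say why it exists, e.g. `// sample-table atom with no current track/sample table: reject the file` above `if (mLastTrack == NULL || mLastTrack->sampleTable == NULL) { return ERROR_MALFORMED; }`. Moving the test into one small private helper would keep the cases consistent and make a missing check easier to spot in later reviews.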