
Commit 8e0cc331 authored by Marco Nelissen's avatar Marco Nelissen

Check that we have enough bits to read

ABitReader doesn't like running out of bits.

Bug: 23010169
Change-Id: I11fc82834eec19617e63fc7817388391ed7a0634
parent 7db79489
+22 −4
@@ -3017,12 +3017,11 @@ status_t MPEG4Extractor::updateAudioTrackInfoFromESDS_MPEG4Audio(
    int32_t sampleRate = 0;
    int32_t numChannels = 0;
    if (freqIndex == 15) {
        if (csd_size < 5) {
            return ERROR_MALFORMED;
        }
        if (br.numBitsLeft() < 28) return ERROR_MALFORMED;
        sampleRate = br.getBits(24);
        numChannels = br.getBits(4);
    } else {
        if (br.numBitsLeft() < 4) return ERROR_MALFORMED;
        numChannels = br.getBits(4);

        if (freqIndex == 13 || freqIndex == 14) {
@@ -3033,12 +3032,14 @@ status_t MPEG4Extractor::updateAudioTrackInfoFromESDS_MPEG4Audio(
    }

    if (objectType == AOT_SBR || objectType == AOT_PS) {//SBR specific config per 14496-3 table 1.13
        if (br.numBitsLeft() < 4) return ERROR_MALFORMED;
        uint32_t extFreqIndex = br.getBits(4);
        int32_t extSampleRate __unused;
        if (extFreqIndex == 15) {
            if (csd_size < 8) {
                return ERROR_MALFORMED;
            }
            if (br.numBitsLeft() < 24) return ERROR_MALFORMED;
            extSampleRate = br.getBits(24);
        } else {
            if (extFreqIndex == 13 || extFreqIndex == 14) {
@@ -3075,20 +3076,24 @@ status_t MPEG4Extractor::updateAudioTrackInfoFromESDS_MPEG4Audio(

    {
        if (objectType == AOT_SBR || objectType == AOT_PS) {
            if (br.numBitsLeft() < 5) return ERROR_MALFORMED;
            objectType = br.getBits(5);

            if (objectType == AOT_ESCAPE) {
                if (br.numBitsLeft() < 6) return ERROR_MALFORMED;
                objectType = 32 + br.getBits(6);
            }
        }
        if (objectType == AOT_AAC_LC || objectType == AOT_ER_AAC_LC ||
                objectType == AOT_ER_AAC_LD || objectType == AOT_ER_AAC_SCAL ||
                objectType == AOT_ER_BSAC) {
            if (br.numBitsLeft() < 2) return ERROR_MALFORMED;
            const int32_t frameLengthFlag __unused = br.getBits(1);

            const int32_t dependsOnCoreCoder = br.getBits(1);

            if (dependsOnCoreCoder ) {
                if (br.numBitsLeft() < 14) return ERROR_MALFORMED;
                const int32_t coreCoderDelay __unused = br.getBits(14);
            }

@@ -3108,7 +3113,7 @@ status_t MPEG4Extractor::updateAudioTrackInfoFromESDS_MPEG4Audio(
                    extensionFlag = 1;
                    break;
                default:
                    TRESPASS();
                    return ERROR_MALFORMED;
                    break;
                }
                ALOGW("csd missing extension flag; assuming %d for object type %u.",
@@ -3118,6 +3123,9 @@ status_t MPEG4Extractor::updateAudioTrackInfoFromESDS_MPEG4Audio(
            if (numChannels == 0) {
                int32_t channelsEffectiveNum = 0;
                int32_t channelsNum = 0;
                if (br.numBitsLeft() < 32) {
                    return ERROR_MALFORMED;
                }
                const int32_t ElementInstanceTag __unused = br.getBits(4);
                const int32_t Profile __unused = br.getBits(2);
                const int32_t SamplingFrequencyIndex __unused = br.getBits(4);
@@ -3129,35 +3137,44 @@ status_t MPEG4Extractor::updateAudioTrackInfoFromESDS_MPEG4Audio(
                const int32_t NumValidCcElements __unused = br.getBits(4);

                const int32_t MonoMixdownPresent = br.getBits(1);

                if (MonoMixdownPresent != 0) {
                    if (br.numBitsLeft() < 4) return ERROR_MALFORMED;
                    const int32_t MonoMixdownElementNumber __unused = br.getBits(4);
                }

                if (br.numBitsLeft() < 1) return ERROR_MALFORMED;
                const int32_t StereoMixdownPresent = br.getBits(1);
                if (StereoMixdownPresent != 0) {
                    if (br.numBitsLeft() < 4) return ERROR_MALFORMED;
                    const int32_t StereoMixdownElementNumber __unused = br.getBits(4);
                }

                if (br.numBitsLeft() < 1) return ERROR_MALFORMED;
                const int32_t MatrixMixdownIndexPresent = br.getBits(1);
                if (MatrixMixdownIndexPresent != 0) {
                    if (br.numBitsLeft() < 3) return ERROR_MALFORMED;
                    const int32_t MatrixMixdownIndex __unused = br.getBits(2);
                    const int32_t PseudoSurroundEnable __unused = br.getBits(1);
                }

                int i;
                for (i=0; i < NumFrontChannelElements; i++) {
                    if (br.numBitsLeft() < 5) return ERROR_MALFORMED;
                    const int32_t FrontElementIsCpe = br.getBits(1);
                    const int32_t FrontElementTagSelect __unused = br.getBits(4);
                    channelsNum += FrontElementIsCpe ? 2 : 1;
                }

                for (i=0; i < NumSideChannelElements; i++) {
                    if (br.numBitsLeft() < 5) return ERROR_MALFORMED;
                    const int32_t SideElementIsCpe = br.getBits(1);
                    const int32_t SideElementTagSelect __unused = br.getBits(4);
                    channelsNum += SideElementIsCpe ? 2 : 1;
                }

                for (i=0; i < NumBackChannelElements; i++) {
                    if (br.numBitsLeft() < 5) return ERROR_MALFORMED;
                    const int32_t BackElementIsCpe = br.getBits(1);
                    const int32_t BackElementTagSelect __unused = br.getBits(4);
                    channelsNum += BackElementIsCpe ? 2 : 1;
@@ -3165,6 +3182,7 @@ status_t MPEG4Extractor::updateAudioTrackInfoFromESDS_MPEG4Audio(
                channelsEffectiveNum = channelsNum;

                for (i=0; i < NumLfeChannelElements; i++) {
                    if (br.numBitsLeft() < 4) return ERROR_MALFORMED;
                    const int32_t LfeElementTagSelect __unused = br.getBits(4);
                    channelsNum += 1;
                }
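Review bot: In the hunk at `@@ -3118,6 +3123,9 @@`, the single `br.numBitsLeft() < 32` guard is a hand-summed total for the run of `getBits` calls that starts at `ElementInstanceTag`, and part of that run lies between hunks, so the sum cannot be checked from the lines shown. `MonoMixdownPresent` in the following hunk is read with no check of its own, whereas `StereoMixdownPresent` and `MatrixMixdownIndexPresent` each get `if (br.numBitsLeft() < 1) return ERROR_MALFORMED;`, so that read is safe only if the 32 already includes its bit (presumably it does). I would record the count next to the guard, e.g. `// 32 bits: fixed-width fields from ElementInstanceTag through MonoMixdownPresent`, so that a later change to the field list does not silently leave a read on untrusted csd data unguarded. Separately, the `break;` left after the new `return ERROR_MALFORMED;` in the `default:` case is unreachable and can be dropped. The function body starts and ends outside these hunks.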