Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9d916c77 authored by Wei Jia's avatar Wei Jia
Browse files

DO NOT MERGE - libstagefright: sanity check size before dereferencing pointer in Utils.cpp 

Also remove some CHECK's.

Bug: 23680780
Change-Id: I62d0941e203e40209fa6fbe3f923f3efdc5a6c23
(cherry picked from commit 7bb772e0)
parent d2605273

media/libstagefright/Utils.cpp

+16 −5
Original line number Diff line number Diff line
@@ -160,8 +160,10 @@ status_t convertMetaDataToMessage( 


        const uint8_t *ptr = (const uint8_t *)data;



        CHECK(size >= 7);

        CHECK_EQ((unsigned)ptr[0], 1u);  // configurationVersion == 1

        if (size < 7 || ptr[0] != 1) {  // configurationVersion == 1

            ALOGE("b/23680780");

            return BAD_VALUE;

        }

        uint8_t profile = ptr[1];

        uint8_t level = ptr[3];
@@ -187,7 +189,10 @@ status_t convertMetaDataToMessage( 
        buffer->setRange(0, 0);



        for (size_t i = 0; i < numSeqParameterSets; ++i) {

            CHECK(size >= 2);

            if (size < 2) {

                ALOGE("b/23680780");

                return BAD_VALUE;

            }

            size_t length = U16_AT(ptr);



            ptr += 2;
@@ -216,13 +221,19 @@ status_t convertMetaDataToMessage( 
        }

        buffer->setRange(0, 0);



        CHECK(size >= 1);

        if (size < 1) {

            ALOGE("b/23680780");

            return BAD_VALUE;

        }

        size_t numPictureParameterSets = *ptr;

        ++ptr;

        --size;



        for (size_t i = 0; i < numPictureParameterSets; ++i) {

            CHECK(size >= 2);

            if (size < 2) {

                ALOGE("b/23680780");

                return BAD_VALUE;

            }

            size_t length = U16_AT(ptr);



            ptr += 2;